Guidance

Windrush compensation scheme: privacy information notice

Updated 31 August 2023

© Crown copyright 2023

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/windrush-compensation-scheme-privacy-information-notice/windrush-compensation-scheme-privacy-information-notice

Data protection law in the UK changed on 25 May 2018. This notice reflects your rights under the new laws and lets you know how we will look after and use your personal information. This includes what you tell us about yourself, what we learn about you as you engage with the Windrush Compensation Scheme, and what others share with us to assist us in determining your claim under the Compensation Scheme, to fulfil their legal obligations or help prevent abuse of the Compensation Scheme and/or prevent and detect crime. It also covers what information we may share with other organisations.

The Home Office has appointed a data protection officer (DPO) to help ensure that we fulfil our legal obligations when processing personal information. You can contact the DPO for more information at DPO@homeoffice.gov.uk.

How we protect your personal information

We have a duty to safeguard and ensure the security of your personal information. We do that by having systems and policies in place to limit access to your information and prevent unauthorised disclosure. Staff who access personal information must have appropriate security clearance and a business need for accessing the information, and their activity is subject to audit and review.

How we gather and use your personal information

We are only allowed to use, gather and share personal information where we have an appropriate legal basis to do so under the UK General Data Protection Regulations (UK GDPR) or the Data Protection Act 2018. The Home Office collects and processes personal information to fulfil its legal and official functions.

The legal basis for the processing of your data will, in most cases, be Article 6(1)(e) of the UK GDPR – that is, that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

At points, for example in verifying your identity, we also process special categories of personal data on the basis of Article 9(2)(g) of the UK GDPR where the processing is necessary for reasons of substantial public interest. This may include information about political beliefs, sexual orientation, religious beliefs and biometrics.

We may also process personal data under Part 3 (law enforcement processing) of the Data Protection Act 2018.

Examples of ways in which we may gather your personal information include when:

  • you make a claim for compensation (online, or on paper)
  • when you call our compensation contact centre
  • we seek to verify your information, documents or identity
  • we receive information from a third party in relation to your claim
  • we receive allegations or intelligence from law enforcement agencies and others involved in preventing crime and fraud
  • we are notified of a relevant criminal conviction
  • we receive a claim from a close family member (online, or on paper) and you are the linked person

We may also request information from third parties. For example, this might be for the purposes of verifying or supplementing information you supplied in support of your compensation claim, or obtaining information needed for a safeguarding purpose. This may involve, for example:

  • contacting the primary claimant if you are claiming as a close family member of a primary claimant
  • obtaining information from other government departments – these may include HM Revenue & Customs (HMRC), Department for Work and Pensions (DWP), Department for Education (DfE), Driver and Vehicle Licensing Agency (DVLA), and Driver and Vehicle Standards Agency (DVSA)
  • obtaining information from credit reference agencies, fraud prevention agencies (for example, Experian) or banks, and local authorities
  • seeking to verify documents, information, or identity in relation to your compensation claim – this may include private and public authorities in other countries and material that is in the public domain
  • contacting local authority services (for example, social services)
  • obtaining information from medical practitioners

We process and hold personal information for the consideration of your compensation claim.

Examples of how we may use your data:

  • to verify your information, documents and identity
  • to confirm details of your claim
  • to engage with your representative, or other relevant individuals
  • to keep in contact with you while we consider your compensation claim
  • to detect and prevent crime
  • for safeguarding purposes
  • to support review processes

We process and hold personal information for the consideration of a claim submitted by a third party.

Examples of how we may use your data:

  • to process a claim made by another primary claimant
  • to process a claim made by a close family member

We safeguard and promote the welfare of children and adults.

Examples of how we may use your data:

  • to ensure that relevant authorities and services are able to provide support to vulnerable individuals and families
  • to support decisions on vulnerable people
  • to identify people at risk

Other organisations that have access to your personal information

A number of organisations from the private, public and charity sectors are either contracted by, or subject to agreement with, the Home Office to provide functions in relation to the consideration of your compensation claim. To do this they may process personal data on our behalf and under our direction.

Examples of these functions where we use other organisations in this way include:

  • to help you to complete your claim form
  • to verify your information, documents and identity
  • to confirm details of your claim
  • to support the compensation process – we may use third parties to process elements of a claim that relate to their business
  • to help provide services in relation to vulnerable people and those seeking protection

Other organisations that we share data with

We may also share data for law enforcement purposes and to prevent fraud and to assist other organisations in delivering their statutory functions.

These include, for example:

  • local authorities and charity organisations to assist them in delivering their statutory duties in particular protecting children and other vulnerable individuals in the community
  • HMRC, DWP, and the NHS in relation to rights to access public services
  • HMRC and DWP to establish and rectify National Insurance records as appropriate, which may lead to revised State Pension entitlements
  • other government departments and agencies as necessary for them to deliver their statutory duties and public functions
  • financial institutions including banks and building societies
  • law enforcement agencies to support the prevention of crime, or for national security purposes – this may include international agencies, for example, Interpol, and national authorities
  • organisations involved in the prevention of fraud – for example Cifas and credit reference agencies

Automated decision-making and profiling

Article 22 of the UK GDPR provides the right not to be subject to a decision made solely on the basis of automated processing which produces legal or other significant effects. Parts of our processing may involve degrees of automation, but complex or adverse decisions will always be taken by a trained officer or caseworker.

We may use personal information, for example from previous applicants, to develop tools that allow us to assess and then process applications in a particular way. This helps us to target our resources and ensure our processing is efficient, allowing us to minimise costs while protecting the public effectively. However, a case officer would still decide these cases. Any profiling must comply with our wider obligations under equality legislation.

Data transfers outside of the European Economic Area

We may transfer personal information to authorities or organisations in countries outside the European Economic Area. When we do, this will be for specific purposes.

These may include, for example, validating aspects of your claim, preventing or detecting of crime or including fraud. When we do this, we seek to take appropriate steps to safeguard your information, for example by agreeing memoranda of understanding. We may rely on the derogation in Article 49(1)(d) of the UK GDPR where necessary.

Contacting you using your personal information

Beyond the normal processing of your application, we may use your personal information (for example, email address and mobile number) to send you prompts. For example, to acknowledge your claim, inform you of progress of your claim, when we need further information from you or to inform you of an outcome of your claim. In addition, we may use your details to seek feedback on the handling of your application to help us improve our services.

How long we keep your personal information for

We are only allowed to keep your personal information for as long as it is necessary for permitted purposes.

Your data will be retained for 6 years at which point it will be reviewed to ascertain whether there is an additional or new need to retain this longer or whether this policy has changed. We shall update this Notice if the retention period is updated to keep you informed.

From time to time the HO is required to retain information longer than the retention period for legal reasons. Where this is the case, your data may be retained beyond the period stated but only for that legal reason. Processing will be limited to complying with that legal obligation.

How to get a copy of your personal information

You can request your personal information.

Under the UK GDPR you also have the right to object to and ask to restrict our use of your personal information, and to ask us to rectify or delete your personal information. However, there may be a number of legal or other official reasons why we need to continue to keep or use your data.

If you want to exercise these rights please email us at:

SubjectAccessRequest@homeoffice.gov.uk

How to complain

You also have the right to complain to the Information Commissioner’s Office about the way we handle your information or respond to your requests for access to your personal information or the exercise of your other rights under the UK GDPR or the Data Protection Act 2018.

Contact details are as follows:

The Office of the Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Website: https://ico.org.uk/

Back to top