Personal information charter
This information charter sets out the standards you can expect when we collect, hold or use your personal information.
We will ensure that we will treat all personal information in accordance with data protection legislation, including the General Data Protection Regulation (GDPR) and Part 3 (law enforcement processing) of the Data Protection Act 2018.
Who we collect data on
The personal information we collect relates to:
- members of the public
- those writing on behalf of business or organisations
- Members of Parliament
- Members of the European Parliament
- members of the devolved administrations
- constituent or third party information
- individuals which have submitted requests for information under the Freedom of Information Act (the FOI Act), the Environmental Information Regulations (EIRs) and Data Subject Access Requests
What data we collect
For the purposes of the GDPR we will process the information that you include in your correspondence or provide when you telephone us:
- email address
- telephone number
Legal basis for processing the data
Where the processing takes place under the provisions of the GDPR, the legal basis for it is that: the processing is necessary for the performance of a task carried out in the public interest, in the exercise of official authority vested in the data controller or to comply with a legal obligation placed on the data controller. Processing carried out for law enforcement purposes will comply with the legal requirements of Part 3 of Data Protection Act 2018.
Special data categories
Where you (the data subject) include in your correspondence some special categories of data it will be necessary for us to process this information.
The legal basis for processing special category data is that: the processing is necessary for reasons of substantial public interest for the exercise of a function of the Crown, a Minister of the Crown, or a government department. Processing of special category data carried out for law enforcement purposes will comply with the legal requirements of Part 3 of Data Protection Act 2018.
Purpose for processing data
Personal information is processed for the purpose of completing a public task, to ensure that you receive a response within a set timeframe:
- Environmental Information Regulations (EIR) requests
- Data Subject Access Request (DSAR)
- Freedom of Information (FoI) requests
- general correspondence and enquiries
- internal reporting and analysis
Personal information will also be processed for law enforcement purposes, in accordance with Part 3 of the Data Protection Act 2018.
Who we share data with
Your personal data will only be shared with relevant staff in HM Treasury and other organisations for the purposes listed above. External parties include other government departments, agencies, public bodies and devolved administrations.
Personal Information is stored but not actively shared with:
- Fivium – HM Treasury’s case management service provider for Ecase
- NTT – HM Treasury’s IT infrastructure service and public enquiry line provider
How long we hold data
In ordinary circumstances, we will retain your data for the periods outlined below, after which time it will be destroyed unless needed to fulfil additional requirements in respect of the public task or legal obligations, for example information needed for inquiries or legal proceedings.
|Processing Type||Retention Period|
|EIR requests||3 years|
|DSAR requests||6 years|
|FoI requests||3 years|
|Ministerial correspondence||6 years|
|Official correspondence and telephone enquiries||3 years|
You have the right to:
- request information about how your personal data are processed, and to request a copy of that personal data
- request that any inaccuracies in your personal data are rectified without delay
- in certain circumstances (for example, where accuracy is contested) request that the processing of your personal data is restricted
- object to the processing of your personal data where it is processed for direct marketing purposes
Where to submit a data subject access request (DSAR)
If you would like to enact your rights, you can do so by submitting a Data Subject Access Request at:
HM Treasury Data Protection Unit
1 Horse Guards Road
You can also email email@example.com.
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner's Office
You can also email firstname.lastname@example.org and phone on 0303 123 1113.
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
The data controller for your personal data is HM Treasury. The contact details for the data controller are:
1 Horse Guards Road
You can also email email@example.com and phone on 020 7270 5000.
The contact details for the data controller’s Data Protection Officer (DPO) are:
Data Protection Officer
1 Horse Guards Road
You can also email at firstname.lastname@example.org.