Personal information charter

This charter explains how we collect, use and store your personal information, and what we need from you to keep it up to date.


Overview

Active Travel England (ATE) is an executive agency of the Department for Transport (DfT).

ATE is responsible for making walking, wheeling and cycling the preferred choice for everyone to get around. Our objective is for 50% of trips in England’s towns and cities to be walked, wheeled or cycled by 2030.

The data controller for ATE is DfT – a data controller determines the reasons and how personal data is processed. For more information, see the Information Commissioner’s Office (ICO) Data Protection Public RegisterDfT’s registration number is Z7122992.

So that you can use these services, we need to collect, use, store and sometimes share your personal information.

What personal data is

Personal data is information relating to an identified or identifiable natural living person. It lets you identify them either:

  • directly, for example, their name
  • indirectly, for example, their national insurance number

Personal data can include things such as:

  • names
  • identification numbers
  • location data
  • online usernames or ID
  • data about health, genetics, economics, culture, social identity or ethnicity

Your personal data is protected by law. It protects how it is collected, used and stored.

When we need your data

When we need to collect, store or use your personal data, we will:

  • have a good reason to do it and only ask for what we need
  • do so in a fair and transparent way
  • tell you why we need your information and how we’ll use it
  • only use your information how we say we’ll use it, and not in a way you would not expect without asking/telling you first
  • only keep what we need, and will not keep it for longer than we need
  • make sure it’s accurate and up to date, and that nobody has access to it who should not
  • keep it safe and secure

If you use one of our websites, we will share anonymised data with GOV.UK and the Government Digital Service on how you used the site. This will usually be via Google Analytics.

Give us accurate data and tell us when things change

Make sure the data you give us is accurate and let us know if it changes. For example, if you change your:

  • name
  • email address
  • telephone number

If your data is not correct, it could have an impact on you, for example, communications from us may go to your previous email address.

Reasons we can process your personal data

We can only process personal data for one or more of the following reasons:

  • you’ve freely given your consent, it’s clear what you’re consenting to, and how you can withdraw your consent
  • you’ve entered (or intend to enter) into a contract with us
  • for legal reasons
  • to protect someone’s ‘vital interests’ (a matter of life or death)
  • to perform a public task or perform a specific task that’s in the public interest
  • for our own or a third party’s legitimate interests - but only where the personal data is going to be used in ways that are reasonably expected and are not intrusive, or where there are compelling reasons to process it

These reasons are sometimes called ‘lawful bases’.

The reason we process your personal data affects the rights you have over it. We process data to meet our legal obligations and to perform public tasks.

There are further requirements for processing more sensitive, or ‘special category’, personal data.

Your rights

The UK General Data Protection Regulation (GDPR) sets out a number of rights which individuals have over their personal data, allowing you to request copies of your personal data or, in certain circumstances, to have it deleted or modified. These rights are explained fully on the Information Commissioner’s Office website. ATE will ensure that we uphold your rights to the extent that they apply to the way in which we process your personal data.

The right to be informed

The right to be informed is a key part of the transparency requirements of data protection law. It includes various categories of information which would normally be provided in what is known as a ‘privacy information notice’.

Where you provide us with your information directly, you will see a privacy information notice from us which will tell you or provide a link to information on:

  • what information we collect about you and the purpose and legal basis for processing it (including details of the legitimate interests where that is the basis);
  • how will we use the information about you;
  • how long we will retain your information;
  • who we may share your information with;
  • access to your information and correction;
  • how to contact us

The right of access

You can request copies of the personal data that we hold about you at any time by making what is known as a ‘subject access request’. We will respond to a subject access request within one month of receipt.

There is no fee for making a subject access request, but charges may be made where someone asks for further copies of information which they have already received, or in exceptional circumstances, such as where a request is clearly unfounded, excessive or repetitive. We will advise you of your right to complain to the Information Commissioner or to seek a judicial remedy as appropriate.

If you would like to make a subject access request, contact:

Active Travel England
West Offices
Station Rise
York
YO1 6GA

Email: contact@activetravelengland.gov.uk

We aim to respond to your request within one month. We can take up to 3 months to respond if your request is complex. We’ll contact you within the first month to let you know if it’s going to take longer than one month.

We cannot respond to requests made by online portals unless we’re able to verify your identity.

Right to object

You have the right to object to us processing your personal data in any of the following circumstances:

  • where the processing is based on either the legitimate interests or public task condition
  • direct marketing (including profiling)
  • for scientific reasearch, historical research and statistics purposes

Where you object to us processing your personal data based on the legitimate interests or public task condition or scientific and/or historical research and statistical purposes, we will stop processing that information unless we can demonstrate that there are overriding reasons to do so, including where processing is necessary for the conduct of legal claims.

Other rights

Other rights you may have are:

  • a right to rectification if your personal data is inaccurate
  • a right to erasure, a right to restrict processing, a right to data portability
  • rights in relation to automated decision making

Whilst these rights are unlikely to apply to the kind of processing that DfT and its executive agencies routinely carry out, if you think they may apply and want to know more, please refer to the Information Commissioner’s Office website. Any request you make to ATE to exercise these rights will receive appropriate consideration, within the timescales required by data protection law.

Contact our data protection team to use any of these rights.

Forms

If you fill in an online or paper application form, there will usually be a separate privacy notice with the form.

Where a privacy notice has not yet been added to the form, we still follow all the rules and processes set out in this personal information charter to keep your personal data safe and secure.

Emails and letters

When you write to us, we’ll use your personal data to look into the issue you’ve raised and send you a reply.

We usually keep a record of your email or letter for 2 years. We do keep some for longer if the service or system has a policy that says it has to be kept for longer.

Distribution lists

We keep a number of distribution lists to communicate with interested parties as part of our functions as a government agency, where you have given your consent or for legitimate interests.

Each list is only used for the purpose that the individuals on the list were told about at the time we collected their information or that you gave your consent for.

When we share your data

We may share personal data within our organisation or with other bodies where we are permitted to do so by law.

There are some cases where we can pass on your data without telling you, for example to prevent or detect crime, or in order to produce anonymised statistics .

In all cases, whether data is shared internally or externally, we will be governed by data protection law.

What we do to keep your data safe and secure

Where we introduce new technologies, policies or processes, we will ensure that your privacy is considered from the outset, and where beneficial will carry out a Data Protection Impact Assessment (DPIA). A DPIA will be carried out in all cases where the proposed processing could result in a high risk to your rights and freedoms.

If a risk is found and we cannot find a way to reduce the impact or likelihood of the risk happening, we’ll ask the DfT (as the department that oversees us) and the ICO for advice.

You can request a copy of any DPIA we’ve carried out. ).

How we keep your data secure

We protect your personal data from unauthorised access, accidental loss, destruction and damage.

We carry out regular reviews and audits to make sure the way we collect, use and store personal data meets government security standards.

We also arrange for IT health checks and penetration testing to be carried out on our systems. This is done by independent CHECK approved individuals.

These people:

  • have a contract with us
  • may have access to your personal data
  • must follow our policy on the acceptable use of IT and communications equipment - they agree to do this before they carry out any work

We only transfer your personal data overseas if there are appropriate safeguards in place to protect it.

We will test changes to our systems using dummy data. Where this is not possible, we will look at other options. If the only option is to test using your personal data, we shall:

  • ensure the system has had an IT health check and any risks have been identified and addressed to a tolerable level
  • seek approval from relevant senior staff within ATE
  • only test with the minimum amount of your personal data
  • only use ATE staff or contracted supplier staff to test with live data and consider whether they need enhanced security clearance before doing so
  • securely remove your data from testing as soon as it has been completed

Training and guidance we give to our staff

We train all our staff about the importance of protecting personal and other sensitive data.

Anyone who routinely accesses personal data as part of their job has to do more in-depth training, and staff with formal responsibility for large datasets take extra training. This makes sure they have a clear understanding of what they need to do to keep the data under their control safe and secure.

Anyone who routinely accesses personal data as part of their job has to do more in-depth training, and staff with formal responsibility for large datasets take extra training. This makes sure they have a clear understanding of what they need to do to keep the data under their control safe and secure.

All civil servants have to follow the Civil Service code. This has 4 core values of integrity, honesty, objectivity and impartiality. These values apply to how we handle personal data.

Data breach notification

We do everything we can to keep your personal data secure.

We’ll tell the Information Commissioner’s Office straight away (and always within 72 hours) if we become aware of a data breach. We’ll do this if the breach creates a risk to your rights and freedoms, including:

  • financial loss
  • breach of confidentiality
  • discrimination
  • damage to your reputation
  • significant social or economic damage

We’ll tell you straight away if we think there’s a high risk to you. We will:

  • give you our data protection manager’s contact details
  • explain the likely consequences of the breach
  • tell you what measures we’ve taken or plan to address the breach, including any steps taken to limit potential damaging effects

If we cannot contact you directly, we’ll try to make you aware through other means, such as a public announcement.

Complain about how we’ve handled your data

Write to our ATE Data Protection team to complain about the way we’ve handled your personal data.

Data Protection Team

Active Travel England
West Offices
Station Rise
York
YO1 6GA

Email: contact@activetravelengland.gov.uk

We will acknowledge your complaint within 5 working days and send you a full response within 20 working days. If we can’t respond fully in this time, we will write and let you know why and tell you when you should get a full response.

If you want to complain about our response

Complain to the Information Commissioner if you’re not happy with the way we responded to your complaint about how we handled your data. They provide independent advice about data protection, privacy and data sharing issues. They provide independent advice about data protection, privacy and data sharing issues.