Guidance

Army Personnel and Campaign Office privacy notice (accessible version)

Updated 28 February 2019

British Army: Headquarters Home Command, Personnel Campaign Office.

Purpose of this document

The purpose of this privacy notice is to explain your rights, give you information you are entitled to, and set out the standards you can expect when we ask for, hold or share your personal information under the Data Protection Act 2018. It also covers what we ask of you, to help us keep information up to date.

This privacy notice applies to any personal data processed by or on behalf of the Army’s Personnel Campaign Office.

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) form the legal framework for protecting your personal data. The Personnel & Engagement Campaign is committed to protecting your privacy and we will only collect or process your data in compliance with the Data Protection Principles set out in the GDPR. These say that the personal data we hold about you must be:

  • used lawfully, fairly and in a transparent way
  • collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
  • relevant to the purposes we have told you about and limited only to those purposes;
  • accurate and kept up to date
  • kept in a form which permits you to be identified for only as long as is necessary for the purposes we have told you about
  • kept securely.

The Ministry of Defence is the data controller for all personal data that we hold about you for the purposes of the DPA 2018 and the GDPR. Contact details can be found in section 11 of this Notice.

2. The personal data we collect and use

In order to meet the purpose, set out at section 4 below, we need to collect and use “personal data” about you. Examples of personal data are – name, address, date of birth and anything else which could be used to identify you personally. We may ask you for different types of personal data, including biometric data such as facial images, or health data, which are known as “special category data”.

The legal basis under which we collect and process your personal data is Article 6(1)(e) of the GDPR: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the MOD. Specifically, we collect and process personal data for the exercise of our own and associated public functions, which include:

  • enabling us to deliver our Military and Defence functions
  • establishing entitlements of benefits and services that we provide
  • maintaining and administering Her Majesty’s Armed Forces
  • promoting and advertising our services.

Where we process special categories of data for these purposes, the legal basis for doing so is additionally:

  • Article 9 (2) (h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, or the provision of health care or treatment)
  • Article 9(2) (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

4. The purposes for which your personal data will be used

Your personal data is being collected to enable the Personnel Campaign Office to deliver its primary objectives of engaging with society and to enable a sustainably manned Army that is valued, respected and understood by society. The Personnel Campaign Office will only contact you under the premise of informing you about activities and opportunities that you may be interested in attending, or have already expressed interest in. We may also process and record your personal data for general statistical purposes, including evidencing the services we provide, but this data will be anonymised.

We may also use data we hold about you to:

  • assist in verifying your identity
  • fulfil other legal requirements.

The data that we collect may be shared with our subsidiary teams within the MOD, and other third-party MOD providers involved in engagement, for the above purposes.

5. Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated or new purpose, we will notify you and we will explain the legal basis which allows us to do so.

6. Keeping your personal data safe and secure

We will keep your personal data safe and secure by complying with the data protection principles set out above and by:

  • making sure nobody has access to it who shouldn’t
  • ensuring that your personal information is not available for commercial use without your permission
  • making sure all our staff who handle personal data are appropriately trained in the importance of protecting personal and other sensitive data. Anyone working with large volumes of personal data receives more in-depth training and takes refresher training each year. Managers who have formal responsibilities for large datasets receive additional training.

7. Who we share your personal data with

We may share personal data within our organisation or with other bodies if it would be compatible with the purpose for which we collected it, and/or where we need to, or are permitted to do so by law.

This may include sharing your personal data with:

  • other government departments and agencies
  • police and other law enforcement agencies
  • MOD service providers.

8. How long we store your personal data

We will only keep your data for as long as is necessary to provide you with a service or in the exercise of our own and associated public functions. Wherever possible, you will be informed of the retention period at the time the data is collected. We may keep some data for longer, to meet other legal requirements, including to answer requests for information from ongoing or impending public inquiries. After the retention period has elapsed all data will be destroyed securely in line with MOD data destruction policy. Our records management and data retention policy is available online Defence information, knowledge, digital and data policy commitments.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

For further information about retention periods please email cio-dpa@mod.gov.uk.

9. What we ask of you

We ask you to:

  • give us accurate data
  • tell us as soon as possible if you no longer wish for us to hold your data
  • inform us if there are any changes to your personal data, such as name or email address, of if any of the data we hold is incorrect.

This helps us to keep your data reliable and up to date.

10. Your rights

Under the DPA 2018, you have the following rights with regards to your personal data:

  • the right to be informed about the collection and use of your personal data
  • the right of access to your personal data and supplementary information
  • the right to have inaccurate personal data rectified or completed if it is incomplete
  • the right to restrict processing in certain circumstances
  • the right to object to processing in certain circumstances
  • rights in relation to automated decision making and profiling
  • the right to complain to the Information Commissioner.

There are some exceptions to the rights referred to above. Details of such restrictions will be provided to you if relevant.

Further information can be found at the Information Commissioners Office website.

How to find out what personal data we hold about you

As set out above, you have the right to be informed that we are processing your personal data. In most circumstances, we will let you know at the time the data is collected. However, in certain circumstances, for example where the data is not obtained directly from you but from a third party, we will inform you of this complying with the requirement under the DPA 2018.

However, if you want to find out if we or any of our agencies hold any personal data about you, or want to make any corrections, you can make a ‘subject access request’ (SAR) under the DPA 2018. If we do hold data about you, we will:

  • give you a description of it
  • tell you why we are holding it
  • tell you to whom it has, or will be disclosed; in particular, if it has been disclosed to international organisations
  • let you have a copy of the data in a form that is as clear and understandable as possible.

Please be as specific as you can about the data you want, and, if it isn’t obvious, explain why you expect us to hold your personal data. Information about how to make a Subject Access Request (SAR).

Guidance is also available on how to ask for your personal data held by MOD.

There are a small number of cases where we do not have to give you the information you have asked for. For example, if we are using data for the purposes of investigating, preventing or detecting crime, or apprehending or prosecuting offenders where to do so would be likely to prejudice those purposes. In cases where it is known the police are investigating, or prosecuting offences, we will ask for their view on whether providing you with the information would prejudice their activities.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we are allowed under the law to charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we can refuse to comply with the request in such circumstances.

11. Complaints, Objections and Contacts

If you wish to exercise any of your rights in respect of your personal data, have any concerns with the way it is being handled, or wish to make a complaint, please contact the MOD Data Protection Officer at:

MOD Information Rights Team
Ground floor, Zone D
Main Building
Whitehall
London
SW1A 2HB

Email: cio-dpa@mod.uk

We will acknowledge your complaint within 5 working days and send you a full response within 20 working days. If we can’t respond fully in this time, we will write and let you know why and tell you when you should get a full response. If you are still not satisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

The details for ICO can be found below:

Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 08456 30 60 60 or 01625 54 57 45 Fax: 01625 524510

Website: http://ico.org.uk

If you are happy for your data to be extracted and used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is shared or are dissatisfied with any aspect of this Privacy Notice, then please contact the MOD Information Rights team listed above

Changes to this Privacy Notice

We reserve the right to update this Privacy Notice at any time and we will provide you with a new Privacy Notice when we make any substantial updates. We will also notify you in other ways from time to time about the processing of your personal data.

If you have any questions about this Privacy Notice, please email the Information Rights Team:cio.dpa@mod.gov.uk.