Guidance

Privacy notice for the Horizon Shortfall Scheme (HSS)

Published 11 October 2024

This privacy notice explains how the Department for Business and Trade (DBT), as a ‘data controller’, processes the personal data provided directly by postmasters when setting out their Horizon Shortfall Scheme (HSS) claim, a Post Office-administered compensation scheme.

We are providing you with this privacy information as a ‘data controller’ to explain how DBT processes your personal data to enable the efficient administration of the HSS and the processing of claims.

This notice is supplemented by our main privacy notice which provides further information on how DBT processes personal data, and sets out your rights in respect of that personal data.

Personal data that DBT will collect from you

DBT does not hold the relevant information required to assess a HSS claim. Postmasters (current and former) who submit a claim to the scheme will share all relevant information with Post Office only.

DBT will receive and process relevant information from Post Office to ensure the swift processing of claims through the HSS and its dispute resolution process.

DBT, via Post Office, may process the following categories of personal data:

• first names
• surnames (including any previous surnames)
• home addresses
• postcodes
• telephone numbers
• email addresses
• job titles
• Post Office branch name, address and customer account
• start and end dates of appointment
• details about any contract that you hold or held with Post Office
• shortfall details, including amount, dates, treatment by Post Office Limited (POL) and any actions that may have been taken as a result
• your expectations regarding your claim

We may also process the following types of more sensitive personal information: 

• information about your health, including any medical condition, health and sickness records if this is relevant to your application
• information about criminal prosecutions, convictions and offences

As part of this redress scheme DBT may process data for research-related or statistical purposes. DBT will only process data ‘where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ (Article 6 of General Data Protection Regulation (GDPR)). Special category data and sensitive data on criminal convictions will only be processed for research purposes where necessary. Special measures are in place to protect your information and ensure confidentiality is respected (as per Article 9 of GDPR).

Access to, and sharing of, special category and sensitive personal data is restricted. All information is kept in line with DBT policies and regulatory requirements.

As part of this redress scheme, DBT intend to use products or services provided by third parties to carry out research on our behalf.  When DBT use third parties (known as data processors), DBT remains responsible for your personal information as the data controller and we have contractual terms, policies and procedures to ensure confidentiality is respected and that all information is kept in line with regulatory requirements.

Why DBT asks for this information and what happens if it’s not provided

DBT collects this information via Post Office to fulfil its public function of ensuring that Horizon Shortfall Scheme claims are processed swiftly and fairly and that DBT can ensure value for money in Post Office’s administering of the scheme.

As the Horizon Shortfall Scheme is a voluntary scheme. Therefore, information will only be provided if an individual chooses to apply.

The legal basis for processing your personal data

The table below sets out the primary legal bases we rely on for processing the personal data we collect about you.

In some instances, we may process your data further for a compatible purpose and/or on other legal bases. For example, your data may be used for archiving, research and/or statistical purposes. These are compatible purposes for further processing in UK GDPR and your data will be subject to appropriate safeguards if used for such purposes.

Legal basis for processing

Personal data (Article 6(1) UK GDPR)	Special category data and criminal conviction data
Article 6(1)(e) of the UK GDPR and section 8(d) of the Data Protection Act 2018 – processing is necessary for the performance of a task carried out in the public interest, which includes the processing of personal data that is necessary for the exercise of a function of a government department.	For all shared personal data: Article 6(1)(e) of the UK GDPR – processing is necessary for the performance of a task carried out in the public interest (such task being supported by section 103 of the Postal Services Act 2000).
Article 6(1)(e) of the UK GDPR and section 8(d) of the Data Protection Act 2018 – processing is necessary for the performance of a task carried out in the public interest, which includes the processing of personal data that is necessary for the exercise of a function of a government department.	For special category personal data: Article 9(2)(g) of the UK GDPR – processing is necessary for reasons of substantial public interest together with Paragraph 6 of Schedule 1 to the DPA 2018, statutory and government purposes, and Paragraph 33 of Schedule 1 to the DPA 2018, legal claims.
Article 6(1)(e) of the UK GDPR and section 8(d) of the Data Protection Act 2018 – processing is necessary for the performance of a task carried out in the public interest, which includes the processing of personal data that is necessary for the exercise of a function of a government department.	For criminal offence data: Schedule 1, Part 3, Paragraph 6 of the DPA 2018 – processing is necessary for the purpose of the exercise of a function conferred on a person by an enactment or rule of law; or the exercise of a function of the Crown, a Minister of the Crown or a government department, together with Paragraph 33 of Schedule 1 to the DPA 2018, legal claims.

How DBT processes personal data it receives

Information about how your personal data will be managed by Post Office can be found in the Horizon Shortfall Scheme privacy policy published on the HSS website.^{[footnote 1]}

Where possible, DBT will work with Post Office Ltd to ensure that any data shared is anonymised.

Once received your data will be stored within DBT’s internal database managed by the DBT Post Office Compensation team. These databases are restricted to ensure proper and secure storage.

Information sharing

DBT will only share data with third parties in line with the agreed purposes set out above. Where DBT does share data, steps will be taken to ensure this is conducted securely.

We may share personal data you provide:

• with other government departments, public authorities, law enforcement agencies and regulators
• with other third parties where we consider it necessary in order to further our functions as a government department
• in response to information requests, for example, under Freedom of Information (FOI) law or the Environmental Information Regulations (EIR)
• to a court, tribunal or party where the disclosure is necessary in order to exercise, establish or defend a legal claim
• where we are ordered to do so or where we are otherwise required to do so by law
• with third party data processors as governed by contract
• suppliers for the purpose of statistical monitoring and evaluation

You can find out more detailed information about how we share data and further processing in the main privacy notice.

How long will DBT hold your data for

DBT will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

If we decide that we need to process your personal data for a reason which is incompatible with the purposes for which we collected it for, we will contact you to explain why we are doing this and why it is lawful to do so.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Your rights

You have a number of rights available to you under UK data protection legislation, including:

• the right to request copies of the personal data we hold about you
• the right to request that we rectify information about you which you think is inaccurate or incomplete
• the right to request that we restrict your data from further processing (in certain circumstances)
• the right to object to the processing of your data (in certain circumstances)
• the right to data portability (in certain circumstances)
• the right to request that we erasure your data (in certain circumstances)
• the right not to be subject to a decision based on solely automated data processing

You can contact DBT’s Data Protection Officer for further information about how your data has been processed by the department or to make a complaint about how your data has been used. Please contact: data.protection@businessandtrade.gov.uk

You can also submit a complaint to the Information Commissioner’s Office (ICO) at:

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email casework@ico.org.uk

Telephone 0303 123 1113

Textphone 01625 545860

Monday to Friday 9am to 4:30pm

You can find out more about your rights as a data subject, and details of how to contact our Data Protection Officer and the ICO in our main privacy notice.

---

1. https://www.onepostoffice.co.uk/media/112746/hss_applicantprivacynotice_july2023.pdf ↩