Privacy notice
National Highways has fully committed to compliance with the UK General Data Protection Regulation (UK-GDPR).
We collect and handle a variety of personal data so that we can deliver services to our customers and anyone using England’s motorways and major A roads.
This privacy notice applies to any personal data collected by us or on our behalf, by any format – phone, letter, email, online or face to face.
We collect and handle data to:
- provide the service you’ve asked for – for example, if you have a query that you need a response to, or if you use our crossing on the Dartford Tunnel
- process payments for our crossings
- stay in contact with you – for example, if you sign up to one of our newsletters to get information about traffic updates or are involved in our consultation exercises
- fulfil legal obligations
- provide information to central government, when the law says we need to
- assess our performance, ensure value for money, and set targets for departments
- provide information to the Office of Rail and Road and to Transport Focus, which are our regulatory authorities
This top-level privacy notice works in conjunction with service-level notices, which are linked from pages where you submit personal data to access a particular service.
What legally allows us to collect and handle information about you?
There are six options available to us to legally ‘process’ your personal data. For each service we make it clear to you which option(s) we have chosen in our service-level privacy notices.
The most common for us will be ‘legal obligation’ or ‘public task’ because our focus is delivering services to you that are required, or permitted, by other existing laws or Cabinet Office guidance.
Other options that we use are ‘contract’ (for example we have employment contracts for our staff) and, in emergencies, we may use ‘vital interests’ where it is a matter of life and death to use or share data.
We may require your ‘consent’ for us to process your personal data. If that’s the case, we’ll let you know at the point of data collection and we’ll remind you that you have the right to withdraw your consent at any time.
Who do we share your data with?
Within National Highways
We share data internally across our departments. In some cases, two or more departments are jointly responsible for delivering a service, so they all need to access data. In these cases we make sure that the sharing is reasonable, is in line with data protection law, and respects your rights.
We may hold a central basic contact record for you in our Customer Contact Centre, so that we can provide a better service to you, use public funds as efficiently as possible, and have the most up-to-date contact details for you across services to support your right to accurate data.
Outside National Highways
We ask a number of companies to collect, store or handle your information on our behalf to help us to deliver our services – for example our ICT system providers, or contractors who complete our on-road projects. We remain responsible for your information and ensure that the right safeguards are in place through measures such as contract clauses.
For some services, we share data with other agencies such as the NHS or charities. In some of these cases we remain responsible for your data, and in other cases the responsibility is shared.
We ensure that the right safeguards are in place to keep your information safe and will always tell you more about this when the data is collected. More detail is provided in the privacy notice for each service.
We’re obliged by law to share some data with central government and other agencies. Where possible we make this anonymous and only share statistics.
If this data is at an individual level, we’ll let you know when we collect it. Where your consent is required to transfer information, this will be made clear to you.
Where it is necessary to share data with third parties for research purposes, we’ll aim to make this data anonymous to ensure that individuals cannot be identified.
There are times where we legally need to share your data with other parties, for example, if a court order asks for it.
There may be exceptional cases where we feel compelled to share your data for a reason that outweighs your right to privacy in order to detect and prevent fraud and crime.
This list is not exhaustive, but we’ll never share your information if it’s not legal to do so, and will always consider your rights, and whether there is another way of achieving our aim, before doing so.
How long can we keep your data?
Some of the things we consider when deciding how long to keep data for are:
- how long we need it to deliver the service to you
- how long other laws tell us to keep it for
This means that different services, and sometimes different activities within the same service, will need to keep data for different lengths of time.
Please review the service-level privacy policies for details on how long your data will be kept for.
How do we ensure that your data is safe?
We use a range of systems to store and process data about our customers. We have a mixture of:
- on-site servers, held in secure buildings that meet the highest standards for security. These undergo regular audits to ensure compliance with national and international standards
- off-site arrangements with companies where we’ve audited their security to ensure that it meets our standards
- database products that require secure log-in, access to which is restricted by our IT teams
- network access that requires either a user name and password, or a combination of this and a code generated from a mobile device
- buildings that have access only through staff passes, and secure files stored in areas that are further restricted by passes and keys
- off-site storage for archive files which are monitored by closed-circuit television (CCTV), with access through secure passes
Systems are only available through strictly controlled security processes. We ensure that only the right people have access to systems, through centrally controlled management of systems.
What are your rights?
Data protection law gives you several rights relating to the way that we use your data and the way that you access it. These won’t all apply all of the time – we explain this below.
The right to know what happens with your data
You have the right to be informed about:
- what data we process about you
- for what reasons we process the data
- who we share it with
- how long we will do this for
- your rights
- how to complain
This notice is part of us informing you, but we’ll try to do this in a number of ways.
The right to access your data
You have a right to access information we hold about you, through a subject access request.
The right to correct inaccurate data
You have the right to have information corrected or completed if it’s incomplete. We aim to have complete data for our customers, so please make us aware as soon as possible if something is wrong or missing.
The right to have your data deleted
You have the right to ask us to erase your data. This is not an absolute right and if we have a lawful reason to continue to hold your information, we’ll continue to do so. The reasons behind this will be explained in our response to your request.
The right to ask us to limit the way we use your data, or to stop entirely
You have the right to ask us to restrict the processing of your data. This may apply if:
- data about you is not accurate
- there’s no legal reason for us to process the data about you, but you choose not to ask for erasure
When data processing is restricted, it means we can continue to securely store it but use of it is restricted (with some specific exceptions).
You have the right to object to us processing your data at all, but often if we do this you’ll no longer be able to receive the related service, and this will often be overridden by our legal obligations as a business.
The right to data portability
You have a right to ask for data that you provide us with to be transferred to another service provider. This won’t apply to most of our services.
Rights relating to automated decision making and profiling
Currently National Highways doesn’t use any automated decision making or profiling systems. This means that any decision that will affect you is made by a human.
We’ll always consider privacy and our customers’ rights if we introduce new systems that involve profiling or automated decision making, and we’ll make our customers aware of projects like this. You have the right to ask for a human to reconsider an automated decision.
Contact us
National Highways is a data controller, registered with the Information Commissioner’s Office (ICO).
You can email our Data Protection Officer if you have any queries about your data.
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
Or you can visit the Information Commissioner’s Office website or email casework@ico.org.uk.
Second level privacy notices
These notices give more detailed information about specific situations where we collect your personal data:
- Closed circuit television (CCTV)
- Customer Contact Centre and other enquiries
- Designated Funds
- Digital Visitor Briefing
- Electronic surveys
- Emergency Traffic Management Incursion Project
- Highways Accident Reporting Tool (HART)
- Innovation and research
- Job candidates
- Lower Thames Crossing
- Mobile phone and seatbelt detection – trial (ends March 2025)
- Noise Insulation Scheme
- Planned Engineering Works
- Post collision fatal reporting
- Road schemes (major projects)
- Roadworks deep dive improvement plan – review of overnight roadworks
- Route Strategy Initial Overview Reports – online feedback form
- Safety campaign emails