Privacy notice

National Highways has fully committed to compliance with the UK General Data Protection Regulation (UK-GDPR).

We collect and handle a variety of personal data so that we can deliver services to our customers and anyone using England’s motorways and major A roads. 

This privacy notice applies to any personal data collected by us or on our behalf, by any format – phone, letter, email, online or face to face. 

We collect and handle data to: 

  • provide the service you’ve asked for – for example, if you have a query that you need a response to, or if you use our crossing on the Dartford Tunnel 
  • process payments for our crossings 
  • stay in contact with you – for example, if you sign up to one of our newsletters to get information about traffic updates or are involved in our consultation exercises 
  • fulfil legal obligations 
  • provide information to central government, when the law says we need to 
  • assess our performance, ensure value for money, and set targets for departments 
  • provide information to the Office of Rail and Road and to Transport Focus, which are our regulatory authorities. 

This top level privacy notice works in conjunction with service level notices, which are linked from pages where you submit personal data to access a particular service.

What legally allows us to collect and handle information about you?

There are six options available to us to legally ‘process’ your personal data. For each service we make it clear to you which option(s) we have chosen in our service-level privacy notices. 

The most common for us will be ‘legal obligation’ or ‘public task’ because our focus is delivering services to you that are required, or permitted, by other existing laws or Cabinet Office guidance. 

Other options that we use are ‘contract’ (for example we have employment contracts for our staff) and, in emergencies, we may use ‘vital interests’ where it is a matter of life and death to use or share data. 

Wmay require your ‘consent’ for us to process your personal data. If that’s the case, we’ll let you know at the point of data collection and we’ll remind you that you have the right to withdraw your consent at any time. 

Within National Highways 

We share data internally across our departments. In some cases, two or more departments are jointly responsible for delivering a service, so they all need to access data. In these cases we make sure that the sharing is reasonable, is in line with data protection law, and respects your rights. 

We may hold a central basic contact record for you in our Customer Contact Centre, so that we can provide a better service to you, use public funds as efficiently as possible, and have the most up-to-date contact details for you across services to support your right to accurate data. 

Outside National Highways 

We ask a number of companies to collect, store or handle your information on our behalf to help us to deliver our services – for example our ICT system providers, or contractors who complete our on-road projects. We remain responsible for your information and ensure that the right safeguards are in place through measures such as contract clauses. 

For some services, we share data with other agencies such as the NHS or charities. In some of these cases we remain responsible for your data, and in other cases the responsibility is shared. 

We ensure that the right safeguards are in place to keep your information safe and will always tell you more about this when the data is collected. More detail is provided in the privacy notice for each service. 

Were obliged by law to share some data with central government and other agencies. Where possible we make this anonymous and only share statistics. 

If this data is at an individual level, well let you know when we collect it. Where your consent is required to transfer information, this will be made clear to you. 

Where it is necessary to share data with third parties for research purposes, well aim to make this data anonymous to ensure that individuals cannot be identified. 

There are times where we legally need to share your data with other parties, for example, if a court order asks for it.  

There may be exceptional cases where we feel compelled to share your data for a reason that outweighs your right to privacy in order to detect and prevent fraud and crime. 

This list is not exhaustive, but well never share your information if its not legal to do so, and will always consider your rights, and whether there is another way of achieving our aim, before doing so. 

Some of the things we consider when deciding how long to keep data for are: 

  • how long we need it to deliver the service to you 
  • how long other laws tell us to keep it for 

This means that different services, and sometimes different activities within the same service, will need to keep data for different lengths of time. 

Please review the service-level privacy policies for details on how long your data will be kept for. 

We use a range of systems to store and process data about our customers. We have a mixture of: 

  • on-site servers, held in secure buildings that meet the highest standards for security. These undergo regular audits to ensure compliance with national and international standards 
  • off-site arrangements with companies where weve audited their security to ensure that it meets our standards 
  • database products that require secure log-in, access to which is restricted by our IT teams 
  • network access that requires either a user name and password, or a combination of this and a code generated from a mobile device 
  • buildings that have access only through staff passes, and secure files stored in areas that are further restricted by passes and keys 
  • off-site storage for archive files which are monitored by closed-circuit television (CCTV), with access through secure passes 

Systems are only available through strictly controlled security processes. We ensure that only the right people have access to systems, through centrally controlled management of systems. 

Data protection law gives you several rights relating to the way that we use your data and the way that you access it. These won’t all apply all of the time - we explain this below. 

The right to know what happens with your data 

You have the right to be informed about: 

  • what data we process about you  
  • for what reasons we process the data  
  • who we share it with  
  • how long we will do this for  
  • your rights  
  • how to complain  

This notice is part of us informing you, but well try to do this in a number of ways. 

The right to access your data 

You have a right to access information we hold about you, through a subject access request. 

The right to correct inaccurate data 

You have the right to have information corrected or completed if its incomplete. We aim to have complete data for our customers, so please make us aware as soon as possible if something is wrong or missing. 

The right to have your data deleted 

You have the right to ask us to erase your data. This is not an absolute right and if we have a lawful reason to continue to hold your information, well continue to do so. The reasons behind this will be explained in our response to your request. 

The right to ask us to limit the way we use your data, or to stop entirely 

You have the right to ask us to restrict the processing of your data. This may apply if: 

  • data about you is not accurate 
  • theres no legal reason for us to process the data about you, but you choose not to ask for erasure 

When data processing is restricted, it means we can continue to securely store it but use of it is restricted (with some specific exceptions). 

You have the right to object to us processing your data at all, but often if we do this youll no longer be able to receive the related service, and this will often be overridden by our legal obligations as a business. 

The right to data portability 

You have a right to ask for data that you provide us with to be transferred to another service provider. This won’t apply to most of our services. 

Rights relating to automated decision making and profiling 

Currently National Highways doesn’t use any automated decision making or profiling systems. This means that any decision that will affect you is made by a human. 

Well always consider privacy and our customers’ rights if we introduce new systems that involve profiling or automated decision making, and well make our customers aware of projects like this. You have the right to ask for a human to reconsider an automated decision. 

Contact us

National Highways is a data controller, registered with the Information Commissioner’s Office (ICO).

You can email our Data Protection Officer if you have any queries about your data.

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Cheshire     SK9 5AF

Telephone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

Or you can visit the Information Commissioner’s Office website or email

Second level privacy notices

These notices give more detailed information about specific situations where we collect your personal data: