National Highways Digital Network - privacy notice

This privacy notice sits beneath our top level privacy notice and provides information about how personal data is used in relation to our Digital Network.

The notice is addressed to National Highways’ 'Network users', that is, any individual logging into and accessing National Highways’ 'Digital Network' (including its connected systems, services and data resources).

Such data subjects are identified by their user ID.

Description of the personal data processed

Network security 'events' are logged when triggered by the SOC automated warning software. Event logs include:

Identity and access logs

  • Usernames and IDs: Identifiers used to log into systems.
  • Authentication logs: Records of login attempts, including successful and failed logins.
  • Multi-factor authentication (MFA) data: Usage logs of MFA methods (e.g. SMS, app-based).
  • Access control logs: Details of what resources were accessed, when and by whom.

Endpoint and application logs

  • System event logs: OS-level logs showing system behavior and errors.
  • Application logs: Usage patterns, errors, and access within specific software.

Email and communication logs

  • Email metadata: Sender, recipient, timestamps, and subject lines.
  • Chat and collaboration tools: Logs of usage and flagged content.

Audit and compliance logs

  • Change logs: Records of configuration or permission changes.
  • Policy violations: Logs of actions that breach security policies.
  • Incident response logs: Documentation of investigations and resolutions.

Behavioral and monitoring data

  • User behavior analytics: Patterns of usage that may indicate insider threats.

We do not routinely inspect the content of an individual’s personal communications. Access to content occurs only where proportionate and necessary to investigate a suspected threat, policy breach or legal requirement. In such exceptional cases, full recordings of user sessions may be needed for forensic analysis.

The purposes of processing

We process monitoring data to:

  • secure and operate the corporate network and connected systems (detect, prevent and investigate threats; maintain performance and availability)
  • comply with cyber security and incident reporting duties for critical/essential services within the CNI
  • coordinate incident response and produce post incident reviews/audit trails
  • manage access (including conditional access and automated protective controls)

Note: We do not process network users’ personal data for purposes not related to the security and maintenance of the network and its performance. 

We do not process personal data for productivity or time and motion surveillance.

Legal bases of processing your personal data

For lawful processing of your personal data we rely on the following conditions established under GDPR Article 6.1: 

  • Article 6.1 b) Processing is necessary for compliance with a legal obligation to which the controller is subject.

As a provider of critical infrastructure National Highways is legally obliged to comply with the NIS (Network and Information Systems) Regulations 2018. This includes implementing appropriate cybersecurity measures and meeting the incident reporting requirements.

  • Article 6.1 e) Public Task 

Who has access to your personal data?

Within National Highways

Personal data from event logs will be shared outside the SOC with colleagues within National Highways only as and where strictly necessary for the specified purpose. This includes targeted incidents involving potential insider risk investigations, and for legal advice purposes.

In the case of routine internal reporting of major incidents, user IDs are removed except where user identification is required to explain a specific event or risk.

Outside National Highways

Personal data from event logs will not be shared outside National Highways (including its data processors) except where required by competent authorities under NIS/GDPR regulations, and/or where lawfully requested by police or the courts.

How does National Highways protect your data?

National Highways takes the security of your data seriously. We have internal policies and technical controls in place to protect your data against: loss or destruction, misuse and unauthorised access, alteration or disclosure. 

Where National Highways engages third party contractors to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

How long does National Highways keep the personal data?

Where triggered by a security warning, records relating to an individual’s access to, and use of, the digital network will be held for 90 days from the date of the warning. After this, and where it is potentially necessary for cybersecurity purposes, these records are then archived.

Your rights as our data subject

As a data subject, you have a number of rights. 

This includes the right to request the following:

  • To access and obtain a copy of your data
  • Correction of incorrect or incomplete data about you
  • Where the data is no longer necessary for the purposes of processing, you may request that the processing of your data be stopped and your data deleted

If you would like to exercise any of these rights, please contact the Data Protection Officer (DPO).

If you believe that National Highways has not complied with your data protection rights, you should submit a complaint to the DPO. Your complaint, and our response to it, will be logged and recorded.

If you are not satisfied with our response to your complaint, you may then make an appeal to the Information Commissioner’s Office.

Law relating to this document

  • Data Protection Act (2018)
  • UK GDPR (2021)
  • NIS (Network and Information Systems) Regulations 2018
  • Data Use and Access Act (2025)