This General Privacy Notice is to let you know how the Civil Aviation Authority (CAA) generally uses and looks after your personal information. This includes what you tell us about yourself and what we learn during our relationship with you.
It does not provide exhaustive detail of all aspects of our collection and use of personal information, but our online service portals and individual applications will. However, we are happy to provide any additional information or explanation needed.
Please email FOI.requests@caa.co.uk or write to the address noted on this page for further information.
There is further information available on who we are and our role.
Why we process your personal information
We process personal information to enable us to carry out our regulatory duties which may include:
- consideration and investigation of complaints and policy issues
- formal enforcement actions
- providing advice and information
- maintaining our own accounts and records
- supporting and managing our employees
- sending promotional communications about the services we provide
- undertaking research
- administration of licences
- maintenance of a public register
- internal support functions
- corporate administration and all activities we are required to carry out as a data controller and a public authority
- the use of CCTV systems, including Body Worn Video, for crime prevention
The type of personal information we process
We process information relevant to the reasons/purposes mentioned under section ‘why we process your personal information’ which may include:
- personal details
- family details
- lifestyle and social circumstances
- goods and services
- financial details
- employment and education details
- details of complaints, incidents, and grievances
- visual images, personal appearance, and behaviour
- responses to surveys
We also process special category personal information that may include:
- physical or mental health details
- racial or ethnic origin
- religious or other beliefs
- political opinions, sexual life
- trade union membership
- offences (including alleged offences)
- criminal and legal proceedings, outcomes, and sentences
Who information is processed about
We process personal information about:
- customers
- witnesses
- employees
- students
- suppliers
- complainants or their representatives
- subject of a complaint or their representatives
- individuals who we may contact when carrying out a complaint or enquiry
- service providers
- lobbyists
- offenders and suspected offenders
- applicants for a licence or registration
- authors, publishers, and other creators
- individuals captured by CCTV images
- consultants and advisers
- survey respondents
- journalists and the media
- enquirers (for example, FOI requesters)
- workers (in addition to employees)
- individuals attending training which we will be helping to organise (for example, air crew, ground security)
- those working for the companies we regulate (for example, accountable persons for ATOL holders)
- those seeking different types of approvals from the CAA (for example, applicants for declarations, certificates and so on)
- applicants for National Security Vetting who work for the aviation industry
If our functions require the processing of Children's data, the Age-Appropriate Design Code (The Children's code) is always adhered to.
Appropriate Policy document
Appropriate Policy Document – our processing of special categories of personal data and criminal offence data
As part of the CAA’s statutory and corporate functions, we process special category data and criminal offence data in accordance with the requirements of Articles 9 and 10 of the UK General Data Protection Regulation (‘GDPR’) and Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’).
Special category data
Special category data is defined at Article 9 GDPR as personal data revealing:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data for the purpose of uniquely identifying a natural person;
- Data concerning health; or
- Data concerning a natural person’s sex life or sexual orientation.
Criminal conviction data
Article 10 GDPR covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.
This policy document
Some of the Schedule 1 conditions for processing special category and criminal offence data require us to have an Appropriate Policy Document (‘APD’) in place, setting out and explaining our procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data.
This document explains our processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018.
In addition, it provides some further information about our processing of special category and criminal offence data where a policy document isn’t a specific requirement. The information supplements our General Privacy Notice.
Our processing of special category and criminal offence data for law enforcement purposes is not covered in this document. Processing for law enforcement purposes is carried out by us in our capacity as a competent authority and falls under Part 3 of the DPA 2018. For further information please see our Safeguards Policy for sensitive law enforcement processing.
Conditions for processing special category and criminal offence data
We process special categories of personal data under the following GDPR Articles:
- Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the CAA or the data subject in connection with employment, social security or social protection.
Examples of our processing include staff sickness absences.
- Article 9(2)(g) - reasons of substantial public interest.
Schedule 1 of the DPA 2018, Part 2, Paragraph 12 - Regulatory requirements relating to unlawful acts and dishonesty etc
The Civil Aviation Authority is the statutory corporation which oversees and regulates all aspects of civil aviation in the United Kingdom. Our principal functions and duties are set out in primary legislation (the Civil Aviation Act 1982, the Airports Act 1986, the Transport Act 2000 and the Civil Aviation Act 2012) and in secondary legislation (principally the Air Navigation Order 2016). Our processing of personal data in this context is for the purposes of substantial public interest and is necessary for the carrying out of our role.
Examples of our processing include the information we seek or receive as part of investigating a complaint.
- Article 9(2)(j) – for archiving purposes in the public interest.
The relevant purpose we rely on is Schedule 1 Part 1 paragraph 4 – archiving.
An example of our processing is the transfers we make to the National Archives as part of our obligations under the Public Records Act 1958.
- Article 9(2)(f) – for the establishment, exercise or defence of legal claims.
Examples of our processing include processing relating to any employment tribunal or other litigation.
- Article 9(2)(a) – explicit consent
In circumstances where we seek consent, we make sure that the consent is unambiguous and for one or more specified purposes, is given by an affirmative action and is recorded as the condition for processing.
- Article 9(2)(c) – where processing is necessary to protect the vital interests of the data subject or of another natural person.
An example of our processing would be using health information about a member of staff in a medical emergency.
- Article 9(2)(h) – Health or social care
An example of our processing would be using medical diagnosis during issuance of a licence.
We process criminal offence data under Article 10 of the GDPR
Examples of our processing of criminal offence data include vetting individuals we regulate, pre-employment checks and declarations by an employee in line with contractual obligations.
Processing which requires an Appropriate Policy Document
Almost all of the substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018, plus the condition for processing employment, social security and social protection data, require an APD (see Schedule 1 paragraphs 1 and 5).
This section of the policy is the APD for the CAA. It demonstrates that the processing of special category (‘SC’) and criminal offence (‘CO’) data based on these specific Schedule 1 conditions is compliant with the requirements of the GDPR Article 5 principles.
Description of data processed
We process the special category data about our colleagues that is necessary to fulfil our obligations as an employer. This includes information about their health and wellbeing, ethnicity, photographs and their membership of any trade union.
Our processing for reasons of substantial public interest relates to the data we receive or obtain in order to fulfil our statutory function as a regulator. Further information about this processing can be found in our General Privacy Notice.
We also maintain a record of our processing activities in accordance with Article 30 of the GDPR.
Schedule 1 conditions for processing
Special category data
We process SC data for the following purposes in Part 1 of Schedule 1:
- Paragraph 1(1) employment, social security and social protection.
We process SC data for the following purposes in Part 2 of Schedule 1. All processing is for the first listed purpose and might also be for others dependent on the context:
- Paragraph 6(1) and (2)(a) statutory, etc. purposes
- Paragraph 8(1) equality of opportunity or treatment
- Paragraph 10(1) preventing or detecting unlawful acts
- Paragraph 11(1) and (2) protecting the public against dishonesty
- Paragraph 12(1) and (2) regulatory requirements relating to unlawful acts and dishonesty
Criminal offence data
We process criminal offence data for the following purposes in parts 1 and 2 of Schedule 1:
- Paragraph 1 – employment, social security and social protection
- Paragraph 6(2)(a) – statutory, etc. purposes
- Paragraph 10(1) – Preventing or detecting unlawful acts
Procedures for ensuring compliance with the principles
Accountability principle
We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
- The appointment of a data protection officer who reports directly to our highest management level.
- Taking a ‘data protection by design and default’ approach to our activities.
- Maintaining documentation of our processing activities.
- Adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors.
- Implementing appropriate security measures in relation to the personal data we process.
- Carrying out data protection impact assessments for our high risk processing.
We regularly review our accountability measures and update or amend them when required.
Principle (a): lawfulness, fairness and transparency
Processing personal data must be lawful, fair and transparent. It is only lawful if and to the extent it is based on law and either the data subject has given their consent for the processing, or the processing meets at least one of the conditions in Schedule 1.
We provide clear and transparent information about why we process personal data including our lawful basis for processing in our general privacy notice, colleague privacy notice and this policy document.
Our processing for purposes of substantial public interest is necessary for the exercise of a function conferred on the CAA by the legislation for which we act as a regulator e.g. The Civil Aviation Act 1982, the Airports Act 1986, the Transport Act 2000 and the Civil Aviation Act 2012 and in secondary legislation (principally the Air Navigation Order 2016).
We act as the regulator in all aspects of civil aviation in the United Kingdom.
Our processing for the purposes of employment relates to our obligations as an employer.
We also process special category personal data to comply with other obligations imposed on the CAA in its capacity as a public authority e.g. the Equality Act.
Principle (b): purpose limitation
We process personal data for purposes of substantial public interest as explained above when the processing is necessary for us to fulfil our statutory functions, where it is necessary for complying with or assisting another to comply with a regulatory requirement to establish whether an unlawful or improper conduct has occurred, to protect the public from dishonesty, preventing or detecting unlawful acts or for disclosure to elected representatives.
We are authorised by law to process personal data for these purposes. We may process personal data collected for any one of these purposes (whether by us or another controller), for any of the other purposes here, providing the processing is necessary and proportionate to that purpose.
If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose.
We will not process personal data for purposes incompatible with the original purpose it was collected for.
Principle (c): data minimisation
We collect personal data necessary for the relevant purposes and ensure it is not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, we will erase it.
Principle (d): accuracy
Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we will document our decision.
Principle (e): storage limitation
All special category data processed by us for the purpose of employment or substantial public interest is, unless retained longer for archiving purposes, retained for the periods set out in our retention schedules. We determine the retention period for this data based on our legal obligations and the necessity of its retention for our business needs. Our retention schedule is reviewed regularly and updated when necessary.
Principle (f): integrity and confidentiality (security)
Electronic information is processed within our secure network. Hard copy information is processed in line with our security procedures.
Our electronic systems and physical storage have appropriate access controls applied.
The systems we use to process personal data allow us to erase or update personal data at any point in time where appropriate.
APD review date
This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.
This policy will be reviewed annually or revised more frequently if necessary.
Safeguards Policy
Sensitive processing for law enforcement purposes
The CAA are responsible for enforcing UK consumer laws that apply specifically to aviation. This includes legislation relating to price transparency, contract terms, passenger rights during flight disruption and access to air travel for passengers with reduced mobility. We also have concurrent powers with the Competition and Markets Authority (CMA) to enforce general consumer law in the aviation sector. This covers airlines, airports, tour operators and travel agents.
The CAA also has civil powers to take enforcement action in relation to a range of passenger rights legislation and general consumer law. These powers come from Part 8 of the Enterprise Act 2002, and the CAA can seek undertakings from businesses that require them to comply with the law. If undertakings are not provided, or are breached, the CAA can seek an Enforcement Order from the Court.
As part of the CAA’s statutory functions, we can investigate and prosecute both companies and individuals for breaches of the legislation we are tasked with enforcing, for example breaches of The Air Navigation Order 2016. Investigations into alleged breaches of the law are carried out by the Investigations & Enforcement Team, in accordance with our Code of Practice.
The UK Civil Aviation Authority is a competent authority for the purpose of Part 3 of the Data Protection Act 2018 (DPA 2018) which applies to the processing of personal data by such authorities for law enforcement purposes.
These purposes are set out at section 31 DPA 2018 and include the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security.
Sensitive processing
Part 3 of the DPA 2018 outlines the requirement for an Appropriate Policy Document (APD) to be in place when processing sensitive personal data for law enforcement purposes.
Sensitive processing is defined in Part 3 section 35(8) and is equivalent to GDPR special category data. This includes:
- the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
- the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;
- the processing of data concerning health;
- the processing of data concerning an individual’s sex life or sexual orientation.
This policy document
This policy document outlines our sensitive processing for law enforcement purposes and explains:
- Our procedures for securing compliance with the law enforcement data protection principles;
- Our policies as regards the retention and erasure of personal data, giving an indication of how long the personal data is likely to be retained.
Our policy document, ‘Our processing of special categories of personal data and criminal conviction data’, explains our general processing of special category data when our processing is not for the primary purpose of law enforcement. Additional information about our more general processing can also be found in our general privacy notice.
Description of data processed
We carry out sensitive processing for law enforcement purposes during Criminal Investigations into offences committed under the legislation we regulate.
We carry out sensitive processing of all of the categories of data defined in Part 3 section 35(8).
Consent or Schedule 8 condition for processing
We carry out sensitive processing under section 35(3) DPA 2018 only in reliance on the consent of the data subject or where it is strictly necessary for the law enforcement purposes and it meets one of the conditions in schedule 8 of the DPA 2018.
The relevant schedule 8 condition for our processing is Schedule 8 paragraph 1 – statutory purposes.
Where personal data is retained as a public record to be transferred to The National Archives, our condition is Schedule 8 paragraph 9 – that the processing is necessary for archiving purposes in the public interest.
Procedures for ensuring compliance with the principles
Accountability principle
We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
- The appointment of a data protection officer who reports directly to our highest management level.
- Taking a ‘data protection by design and default’ approach to our activities.
- Maintaining documentation of our processing activities.
- Adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors.
- Implementing appropriate security measures in relation to the personal data we process.
- Carrying out data protection impact assessments for our high risk processing.
We regularly review our accountability measures and update or amend them when required.
Principle (1): lawfulness and fairness
Processing for law enforcement must be lawful and fair. Sensitive processing is only permissible if it is:
- based on the consent of the data subject - section 35(4);
or
- strictly necessary for the law enforcement purpose and based on a Schedule 8 condition - section 35(5).
Our processing of sensitive data for law enforcement purposes satisfies the first Schedule 8 condition that it is necessary for the exercise of a function conferred on the CAA by the legislation for which we act as a regulator e.g. The Civil Aviation Act 1982, the Airports Act 1986, the Transport Act 2000 and the Civil Aviation Act 2012 and is necessary for reasons of substantial public interest. We are required to seek to prevent, detect, investigate and prosecute possible offences contained in the relevant legislation.
In circumstances where we seek consent, we make sure:
- The consent is unambiguous
- The consent is given by an affirmative action
- The consent is recorded as the condition for processing
Principle (2): purpose limitation
We process personal data for all of the law enforcement purposes listed at section 31 DPA 2018. These are the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security. The Civil Aviation Authority is tasked by the Department for Transport to investigate and prosecute breaches of aviation safety rules and some aviation related consumer protection and health and safety requirements.
We are authorised by law to carry out sensitive processing for any of these purposes. We may process personal data collected for one of these purposes (whether by us or another controller), for any of our other law enforcement purposes providing the processing is necessary and proportionate to that purpose.
We will only use data collected for a law enforcement purpose for purposes other than law enforcement where we are authorised by law to do so.
If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose.
Principle (3): data minimisation
We do not systematically collect or harvest sensitive personal data for law enforcement purposes. The information we process is necessary for and proportionate to our purposes. It is processed in the context of us carrying out processes which enable us to meet our stated purposes for processing.
Where sensitive personal data is provided to us or obtained by us but is not relevant to our stated purposes, we will erase it.
Principle (4): accuracy
Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, we will document our decision.
We, as far as possible, distinguish between personal data based on facts and personal data based on personal assessments or opinions and mark the file to reflect the distinction. There are circumstances where this is not possible.
We, where relevant, and as far as possible, distinguish between personal data relating to different categories of data subject, such as
- People suspected of committing an offence
- People convicted of a criminal offence
- Known or suspected victims of a criminal offence
- Witnesses or other people with information about offences
We only do this where the personal data is relevant to the purpose being pursued.
We do this by marking the file in our records. Should the status of a data subject change our systems allow us to note the reason and amend the file.
We take reasonable steps to ensure that personal data which is inaccurate, incomplete or out of date is not transmitted or made available for any of the law enforcement purposes. We do this by verifying any data before sending it externally. We also provide the recipient with the necessary information we hold to assess the accuracy, completeness and reliability of the data.
If we discover, after transmission, that the data was incorrect or should not have been transmitted, we will tell the recipient as soon as possible.
We document our decision to make personal data available for any of the law enforcement purposes.
Principle (5): storage limitation
We have corporate retention schedules and retain information processed for the purposes of law enforcement for 6 years from closure of the matter unless there is a legitimate reason to retain it for longer.
Principle (6): security
Electronic information is processed within our secure network. Hard copy information is processed within our secure premises. Where it is necessary for us to share information with third parties we consider the technical or organisational security measures they have in place before allowing access or transmitting data.
Electronic and hard copy information processed for the law enforcement purposes is only available to staff who carry out the processing for these purposes. Our electronic systems and physical storage have appropriate access controls applied.
The systems we use to process personal data for law enforcement purposes allow us to erase or update personal data at any point in time. They also allow us to log the following information:
- Collection
- Alteration
- Consultation (access)
- Identity of person who accessed
- Disclosures
- Combination of records
- Erasure
APD review date
This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.
This policy will be reviewed annually or revised more frequently if necessary.
Who the information may be shared with
Other organisations
We sometimes need to share information with other organisations. Where this is necessary, we are required to comply with all aspects of the General Data Protection Regulation (GDPR).
We have listed the types of organisations with which we may need to share some of the personal information we process, for one or more reasons.
Where necessary or required we share information with:
- data subjects listed above
- family, associates, and representatives of the person whose personal data we are processing
- professional advisers and consultants
- service providers (see ‘Our service providers’ on this page)
- credit reference agencies
- debt collection and tracing agencies
- police forces
- private investigators
- current, past, or prospective employers and examining bodies
- financial organisations
- central government
- other companies within our group
- suppliers
- auditors
- persons making an enquiry or complaint
- organisations subject to a complaint or assessment
- prosecuting authorities, courts
- other ombudsman and regulatory authorities
- security organisations including vetting organisations
Our service providers
Unless we are automatically required to share your information by law or have in place an agreement/contract with a third-party service provider to process information on our behalf or assist the Civil Aviation Authority (CAA) in providing services, we will normally let you know if we need to share or release your information.
Information is only disclosed by the CAA for specified purposes to third parties. This may include, but is not limited to, administrative workers and IT professionals who, during their professional duties, are assisting the CAA with its regulatory functions. The CAA takes the security of your personal information very seriously. Information is only disclosed to third-party service providers who are under a contract, are subject to a duty of confidentiality and have sufficient security measures in place to protect personal data. If you do not consent to the disclosure of information to third parties as described in this Notice, you may make representations to FOI.requests@caa.co.uk.
In many circumstances, we will not disclose personal data without consent. However, when we investigate a complaint, for example, we may need to share personal information with the organisation concerned and with other relevant bodies. There are many factors to consider when the CAA decides whether information should be disclosed.
You can email FOI.requests@caa.co.uk for further information about:
- agreements we have with other organisations for collecting/sharing information
- circumstances where we can pass on personal data without consent, for example, to prevent and detect crime and to produce anonymised statistics
- how we comply with the General Data Protection Regulation (GDPR) and other applicable legislation
Transfers
It may sometimes be necessary to transfer personal information overseas. When this is needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the Data Protection Act.
Visitors to our website
The Civil Aviation Authority (CAA) website has areas where we capture the details of our users to enable the website service to operate.
For example:
Publication subscription service
This service allows users to set up an account on the Civil Aviation Authority (CAA) website so that an email can be sent to them when a new or amended publication has been added to one or more subscription categories that are of interest to them.
Users can manage their account at any time and the user's password is not known to the CAA.
SkyWise (information notification alerts)
SkyWise allows you to stay up-to-date with news, safety alerts, consultations, rule changes, airspace amendments and more from the Civil Aviation Authority (CAA). It replaces our previous information notices and keeps you up to date with information that isn't safety critical, with a more instant, tailored service.
With SkyWise, you can access all our alerts through the website, or have personalised alerts sent to you through an email subscription.
As with the Publication subscription service, users can manage their account and their password is not known to the CAA.
On-line forms
We have many on-line systems or forms which capture the personal information of applicants according to the service they are applying for. More information is available under 'People who apply to us for a service' on this page.
When you contact us
People who call us
When you call us, we may ask for personal details for verification purposes. We use this information to make sure that we are talking to the right person and to help us locate your information. If you are making a general enquiry, we may collect personal details to return your call or to pass on information related to your case/application.
People who email us
Any email sent to us, including any attachments, may be monitored by the Civil Aviation Authority (CAA) for reasons of security and/or monitoring compliance with CAA policies. Email monitoring or blocking software may also be used. Please be aware that it is your responsibility to ensure that any email you send to us is not in breach of any law or regulation.
To make an enquiry, please contact the relevant department.
People who make a complaint or report to us
When we receive a complaint or report from a person, we may create a record containing the identity of the complainant and any other individuals involved.
We will use the personal information we collect to process the complaint or report and to check on the level of service we provide. We do compile reports for internal management oversight, but minimal information is used. We will also publish, in our Annual Report, statistics showing information such as the number of complaints we receive, but not in a form which identifies anyone.
We usually disclose the identity of the complainant to the Civil Aviation Authority (CAA) manager in the area related to the complaint or report. This is necessary where, for example, the accuracy of a person's record is in dispute, or a report directly relates to the complainant and an investigation is required. If a complainant doesn't want information identifying them to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in files in line with our retention policies. This means that information will be retained for varied amounts of time from closure depending on the type of complaint or report. It will be retained in a secure environment and access to it will be restricted according to the 'need to know' principle.
Similarly, where enquiries are submitted to us, we will use the information supplied to us to deal with the enquiry, compile internal reports and to check on the level of service we provide.
As the CAA also has a number of other specific complaints policies relevant to different CAA functions, you may wish to use further guidance for making reports and complaints.
People who apply to us for a service
We must hold the personal details of the people who have requested a service to provide the service. We keep records of the services provided, such as the issue of a pilot's licence, for the duration of the licence holder's aviation career and/or in accordance with applicable regulations. We are required to keep medical records for specified time periods, according to the class of medical certificate held.
The Civil Aviation Authority (CAA) offers various services to the aviation industry, and we sometimes use third parties to assist the CAA in providing those services noted on this page. However, these third parties are only permitted to use information from applicants to complete those services, such as passenger claims handling or passenger repatriation services.
The CAA is required by law to 'notify' certain specified information to the Information Commissioner (ICO). The ICO compiles this information into a Data Protection Register which it is required by law to publish.
People who apply to work at the CAA
When individuals apply to work at the Civil Aviation Authority (CAA), we will only use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example, where we want to take up a reference or obtain a 'disclosure' from the Disclosure and Barring Service (DBS) we will not do so without informing the applicant beforehand unless the disclosure is required by law.
Personal information about unsuccessful candidates will be held until after the recruitment exercise has been completed. It will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities or for equality and diversity purposes, but no individuals are identifiable from that data.
Once a person has taken up employment with the CAA, we will compile a file relating to their employment. The information contained in this file will be kept secure and will only be used for purposes directly relevant to that person's employment. Once their employment with the CAA has ended, we will retain the file in accordance with the requirements of our retention policy and then delete it. There is further information available on careers and recruitment.
How we use your information to make automated decisions
We sometimes use systems to make automated decisions about you or your business. This helps to make our services quick, fair, and consistent. An individual has rights over automated decisions, including asking that we do not make our decision based on the automated outcome alone or asking for a person to review it.
You can contact FOI.requests@caa.co.uk to ask us.
Legitimate Interests
We sometimes rely on Legitimate Interests as a lawful basis to process your personal data. It is likely to be most appropriate where we use your data in ways that you would reasonably expect, and which have a minimal privacy impact. The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests, or broader societal benefits.
We rely on Legitimate Interests:
- when communicating with you about any issue that you raise with us or that follows from an interaction between us
- to provide further, related, online or email information and ongoing news updates in relation to the identified area of interest
- to process purchase transactions for products and services with customers, and to ensure any transaction issues can be dealt with
- to protect our websites and infrastructure from cyber-attack or other threats, and to report and deal with any illegal acts
How long we keep your personal information
We keep your personal information for as long as you have a relationship with us and, thereafter, for specified purposes in line with our legal duties or our public functions, to respond to any questions or complaints, or to maintain records according to European or National aviation rules that apply to us. When you make an application for a service, we will tell you how long we expect to retain your personal information and why.
Your individual rights
The General Data Protection Regulation (GDPR) provides you with a number of rights in relation to the processing of your personal data, including the right of access to a copy of the personal data we hold about you, known as a Subject Access Request.
How to get a copy of your personal information
You can access the personal information that we hold about you or write to us at:
External Information Services
Civil Aviation Authority
Aviation House
Gatwick Airport South
RH6 0YR
Letting us know if your personal information is incorrect
You have the right to question any information we have about you that you think is wrong or incomplete. Please contact us at FOI.requests@caa.co.uk if you want to do this. If you do, we will take reasonable steps to check its accuracy and correct it.
You can ask us to stop using your personal information
You have the right to object to our use of your personal information, or to ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. This is known as the 'right to object', 'right to erasure', or the 'right to be forgotten'.
There may be legal or other official reasons why we need to keep or use your data. But if you think that we should not be using it, please contact FOI.requests@caa.co.uk.
You can ask us to restrict the use of your personal information
We may sometimes be able to restrict the use of your data such as if:
- It is not accurate.
- It has been used unlawfully but you don't want us to delete it.
- It is not relevant anymore, but you want us to keep it for use in legal claims.
- You have already asked us to stop using your data, but you are waiting for us to tell you if we can keep on using it.
This means that it can only be used for certain things, such as legal claims or to exercise legal rights. In this situation, we would not use or share your information in other ways while it is restricted.
If you want to object to how we use your data, or ask us to delete it or restrict how we use it, please contact us at FOI.requests@caa.co.uk.
How to withdraw your consent
Where we have relied on your consent to process your personal information, you can withdraw your consent at any time. Please contact us if you want to do so.
If you withdraw your consent, we may not be able to provide certain products or services to you. If this happens, we will tell you.
Data Portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent, or under a contract or in talks about entering one, and the processing is automated.
Complaints or queries about using your information
The Civil Aviation Authority (CAA) applies the highest standards when collecting and using personal information. We therefore take any complaints we receive about the processing of personal information very seriously. We encourage people to bring issues to our attention if they think that our collection or use of information is unfair, misleading, or inappropriate. We would also welcome any suggestions for improving our information management procedures.
You are also entitled to exercise your individual rights.
The CAA's Data Protection Officer (DPO)
The CAA's DPO is:
Chris Whitehurst
Civil Aviation Authority
Aviation House
Gatwick Airport South
RH6 0YR
To contact our DPO, please email FOI.requests@caa.co.uk. This will ensure that in his absence your enquiry can be dealt with in the most efficient way.
Complain to the Information Commissioner
If you are not satisfied with how the Civil Aviation Authority (CAA) has handled your personal data, please let us know and we will try and resolve the problem. However, you have a right to complain directly to the Information Commissioner (ICO).
Changes to this Privacy Notice
We keep our Privacy Notice under regular review. This Privacy Notice was last updated 25 May 2023.