Data Protection at Royal Mail Group

Royal Mail Group is committed to high standards of information security, privacy and transparency and has a comprehensive framework in place to manage its Data Protection compliance.

Royal Mail Group’s approach to data protection

Our Data Protection and Privacy Policy (PDF, 121.3 KB) outlines how we manage compliance with data protection laws and is supported by robust processes and procedures. Internal policies are managed by the Company Secretary and reviewed and signed off by senior executives annually, as part of our governance processes. Our internal policies for information security and data protection are designed to meet the regulatory requirements of UK GDPR, as well as the other data protection requirements with which we must comply, including under postal services legislation. Our Data Protection and Security policies and standards follow industry frameworks and best practice, such as ISO 27001. More details can be found in our Information Security Positioning Statement (PDF, 94.66 KB).

For information about what personal data we use, how we process it, and why, see our privacy notice on our website.

Royal Mail Group is advised by experienced lawyers, and regulatory and technical experts, and has in place appropriate and proportionate technical and organisational measures to meet its obligations. Royal Mail Group has dedicated Information Security and Data Protection teams who are responsible for providing support to the business in relation to privacy, data protection, information governance and information security. Royal Mail Group has its own dedicated Data Protection Officer in line with its legal obligations.

We strive to ensure the protection of all personal data we hold through our privacy by design practices, so that we maintain our customers’ trust, and confidence from our regulators, when we innovate and use information in new ways to improve our service offerings.

Royal Mail Group’s role as a data controller

Royal Mail Group does not process personal data inside the letters and parcels it handles. Where we process personal data for the purposes of sorting, tracking and delivering mail or parcels (including where an organisation provides us with ‘pre-advice’ for delivery purposes) we are the data controller.

This is supported by the ICO’s guidance which states:

“…the delivery service will be a controller in its own right regarding any data it holds in connection with its provision of the delivery service. It will obviously be a controller regarding the HR data it processes about its own employees. In addition, to the extent that it records details of the delivery addresses of individuals (the name-and-address information on the items to be delivered), it will be a controller regarding that personal data. If the service arranges timed deliveries or tracking, then any personal data such as individual senders’ and recipients’ names and addresses it records for that purpose will be personal data for which the service is the controller.”

We sometimes receive data protection questionnaires from customers who have assumed we are acting as their data processor when delivering mail, which in most cases is incorrect. Where we act as a controller, we take on controller responsibilities and therefore do not provide detailed responses to such questionnaires.

Mail integrity

Royal Mail takes the security of our customers’ mail very seriously. We have robust approaches to the security of mail and are committed to maintaining our high standards in meeting and exceeding the expectations of our customers. The security and integrity of mail services is regulated by Ofcom and we comply with the Mail Integrity Code of Practice to safeguard the confidentiality of mail and information conveyed.

Ensuring our people are aware of the need for data protection, security, and integrity of mail forms a central part of recruitment, induction, training and daily activities. Our vetting standards extend to suppliers.

Data retention

Royal Mail Group has a Corporate Retention Schedule and supporting policies and procedures covering data retention requirements, plus secure data disposal/destruction on expiry, to comply with its legal and regulatory obligations.

Sub-contractors

Where we sub-contract personal data processing to third-party data processors, we require appropriate due diligence to be performed prior to onboarding. This is to ensure our third-party suppliers adhere to and uphold Royal Mail Group’s security and privacy standards. Any issues identified are reported through supplier managers to the Data Protection Office for advice and escalated appropriately.

Processing outside of the UK

In addition to International Mail delivery, Royal Mail Group may need to transfer personal data about customers to third parties located outside the UK. Where we do this, we work with our internal lawyers and Procurement teams to put suitable safeguards in place to protect the information transferred.

We are committed to being recognised as the best delivery service in the UK and across Europe. Our Data Protection Officer chairs the International Postal Corporation’s Data Protection Oversight Committee.