Data Protection at Royal Mail Group
Royal Mail Group’s approach to data protection
For information about what personal data we use, how we process it, and why, see our privacy notice on our website.
Royal Mail Group is advised by experienced lawyers, and regulatory and technical experts, and has in place appropriate and proportional technical and organisational measures to meet its obligations. Royal Mail Group has dedicated Information Security and Data Protection teams who are responsible for providing support to the business in relation to privacy, data protection, information governance and information security. Royal Mail Group has its own dedicated Data Protection Officer in line with its legal obligations.
We strive to ensure the protection of all personal data we hold through our privacy by design practices, so that we maintain our customers’ trust, and confidence from our regulators, when we innovate and use information in new ways to improve our service offerings.
Royal Mail Group’s role as a data controller
Royal Mail Group does not process personal data inside the letters and parcels it handles. Where we process personal data for the purposes of sorting, tracking and delivering mail or parcels (including where an organisation provides us with ‘pre-advice’ for delivery purposes) we are the data controller.
This is supported by the ICO’s guidance which states:
“…the delivery service will be a controller in its own right regarding any data it holds in connection with its provision of the delivery service. It will obviously be a controller regarding the HR data it processes about its own employees. In addition, to the extent that it records details of the delivery addresses of individuals (the name-and-address information on the items to be delivered), it will be a controller regarding that personal data. If the service arranges timed deliveries or tracking, then any personal data such as individual senders’ and recipients’ names and addresses it records for that purpose will be personal data for which the service is the controller.”
We sometimes receive data protection questionnaires from customers who have assumed we are acting as their data processor when delivering mail, which in most cases is incorrect. Where we act as a controller, we take on controller responsibilities and therefore do not provide detailed responses to such questionnaires.
Royal Mail takes the security of our customers’ mail very seriously. We have robust approaches to the security of mail and are committed to maintaining our high standards in meeting and exceeding the expectations of our customers. The security and integrity of mail services is regulated by Ofcom and we comply with the Mail Integrity Code of Practice to safeguard the confidentiality of mail and information conveyed.
Ensuring our people are aware of the need for data protection, security, and integrity of mail forms a central part of recruitment, induction, training and daily activities. Our vetting standards extend to suppliers.
Royal Mail Group has a Corporate Retention Schedule and supporting policies and procedures covering data retention requirements, plus secure data disposal/destruction on expiry to comply with its legal and regulatory obligations.
Where we sub-contract personal data processing to third-party data processors, we require appropriate due diligence to be performed prior to onboarding. This is to ensure our third-party suppliers adhere to and uphold Royal Mail Group’s security and privacy standards. Any issues identified are reported through supplier managers to the Data Protection Office for advice and escalated appropriately.
Processing outside of the UK
In addition to International Mail delivery, Royal Mail Group may need to transfer personal data about customers to third parties located outside the UK. Where we do this, we work with our internal lawyers and Procurement teams to put suitable safeguards in place to protect the information transferred.
We are committed to being recognised as the best delivery service in the UK and across Europe. Our Data Protection Officer chairs the International Postal Corporation’s Data Protection Oversight Committee.