Royal Mail Group’s approach to data protection

Our Data Protection and Privacy Policypdf, 519.55 KB Data Protection and Privacy Policy outlines  how we manage compliance with data protection laws and is supported by robust processes and procedures. Internal policies are managed by the Company Secretary and reviewed and signed-off by Royal Mail Group’s Audit and Risk Committee annually, as part of our governance processes. Our internal policies for information security and data protection are designed to meet the regulatory requirements of UK GDPR, as well as the other data protection obligations with which we must comply, including under postal services legislation. Our Data Protection and Information Security policies and standards follow industry frameworks and best practice, such as ISO 27001. More details can be found in our Info Sec Statementpdf, 89.71 KB.

For information about what personal data we use, how we process it, and why, see our Crystal Clear accredited Customer Privacy Notice on our website.

Royal Mail Group is advised by experienced lawyers, and regulatory and technical compliance experts, and has in place appropriate and proportional technical and organisations measures to meet its obligations. Royal Mail Group has dedicated Cyber Security and Data Protection teams who are responsible for providing support to the business in relation to privacy, data protection, information governance and information security. Royal Mail Group has its own dedicated Data Protection Officer in line with its legal obligations.

Royal Mail Group takes its role as a data controller seriously. Royal Mail Group proactively engages with the ICO to ensure its practices and handling of privacy enquiries is done in the right way and protects the rights and freedoms of individuals. This open communication benefits our customers and colleagues, the ICO and ensures efficient management by Royal Mail Group.

Royal Mail Group’s role as a data controller

Royal Mail Group does not process personal data inside the letters and parcels it handles. Where we process personal data for the purposes of sorting, tracking and delivering mail or parcels (including where an organisation provides us with ‘pre-advice’ for delivery purposes) we are the data controller. 

This is supported by the ICO’s guidance which states: 

‘‘…the delivery service will be a controller in its own right regarding any data it holds in connection with its provision of the delivery service. It will obviously be a controller regarding the HR data it processes about its own employees. In addition, to the extent that it records details of the delivery addresses of individuals (the name-and-address information on the items to be delivered), it will be a controller regarding that personal data. If the service arranges timed deliveries or tracking, then any personal data such as individual senders’ and recipients’ names and addresses it records for that purpose will be personal data for which the service is the controller.” 

We sometimes receive data protection questionnaires from customers who have assumed we are acting as their data processor when delivering mail, which in most cases is incorrect. Where we act as a controller, we take on controller responsibilities and therefore do not provide detailed responses to such questionnaires.

Mail integrity

Royal Mail Group takes the security of our customers’ mail very seriously. We have robust approaches to the security of mail and are committed to maintaining our high standards in meeting and exceeding the expectations of our customers. The security and integrity of mail services is regulated by Ofcom and we comply with the Mail Integrity Code of Practice to safeguard the confidentiality of mail and information conveyed.

Ensuring our people are aware of the need for data protection, security, and integrity of mail form a central part of recruitment, induction, training and daily activities, including our vetting standards extend to suppliers.

Data retention

Royal Mail Group has a Corporate Retention Schedule and supporting policies and procedures covering data retention requirements of the different record series we hold, plus secure data disposal/ destruction on expiry to comply with its legal and regulatory obligations.

Privacy by Design

Royal Mail Group’s approach to Privacy by Design and by Default requires all projects to complete a Privacy Impact Assessment which ensures privacy requirements are embedded in everything we do. We take steps to design data protection into what we do to ensure that personal data is protected in every step of its journey. This is supported by a set of Privacy by Design requirements which must be adhered to by any new project handling personal data. These requirements are aligned to guidance from the ICO and have been authored by privacy professionals within the business.

Privacy Assurance

To support our privacy by design and by default approach, Royal Mail Group has an assurance program to ensure the technical and organisational measures that are in place to protect personal data continue to be are fit for purpose and operationally effective. Royal Mail Group’s privacy assurance function adopts a risk based approach to assuring Royal Mail Group’s systems, supply chain, subsidaries and business unit activities handling personal data. Working in line with ICO guidance and industry best practice, Royal Mail Group holds itself and its partners to account to protect all personal data and adhere to its compliance responsibilities.

Sub-contractors

Where we sub-contract personal data processing to 3rd party data processors, we require appropriate due diligence to be performed prior to onboarding. This is to ensure our third-party suppliers adhere to and uphold Royal Mail Group’s security and privacy standards. This process is managed by Procurement, Cyber Security and Data Protection teams and any issues identified are reported through supplier managers to the Data Protection Office for advice and appropriate treatment and remediation.

Processing outside of the UK

In addition to International Mail delivery, Royal Mail Group may need to transfer personal data about customers to third parties located outside the UK. Where we do this, we conduct transfer risk assessments and work with our internal lawyers, Cyber security experts and Procurement teams to put suitable safeguards in place to protect the information transferred including standard contractual clauses and supplementary measures. We are committed to being recognised as the best delivery service in the UK and across Europe. Our Data Protection Officer is a member of the International Postal Corporation’s Data Protection Oversight Committee.

Policies and Standards

Royal Mail Group ensures that it consistently applies best practice across the organisation when handling personal data. A set of policies surrounding privacy and information security govern how it’s people, third parties and systems manage and protect personal data. These policies are supported by detailed standards which have been created by industry experts building trust into the heart of the design.

Data Protection Training

All employees joining Royal Mail Group are required to complete data protection induction training within three weeks of joining the business and thereafter annual refresher training. On an annual basis, employees are required to attest to having read, understood and agree to comply with the information in the training courses which is underpinned by our Data Protection and Information Security policies. The completion rate for 2022-2023 annual e-learning data protection and information security training was 98.1%. Our aspiration is 100% and our target is 96% because at any one time there are colleagues absent due to maternity leave, long-term sickness, or new joiners who are still working through their induction. Royal Mail Group’s award winning Data Protection and Information Security Awareness and Education program, Think Secure, runs business-wide campaigns and tailored training for teams throughout the year to refresh knowledge and remind all colleagues of their responsibilities and our secure privacy practices.