Privacy notice

Privacy notice

Highways England has fully committed to compliance with the General Data Protection Regulations (GDPR) following implementation on 25 May 2018.

We collect and handle a variety of personal data so that we can deliver services to our customers and anyone using England’s motorways and major A roads.

This privacy notice applies to any personal data collected by us or on our behalf, by any format – phone, letter, email, online, or face to face.

We collect and handle data to:

  • provide the service you’ve asked for – for example, if you have a query that you need a response to, or if you use our crossing on the Dartford Tunnel
  • process payments for our crossings
  • stay in contact with you – for example, if you sign up to one of our newsletters to get information about traffic updates or are involved in our consultation exercises
  • fulfil legal obligations
  • provide information to central government, when the law says we need to
  • assess our performance, ensure value for money, and set targets for departments
  • provide information to the Office of Rail and Road and to Transport Focus, which are our regulatory authorities.



There are six options available to us to legally ‘process’ your personal data. For each service we make it clear to you which option(s) we have chosen in our lower level privacy notices.

The most common for us will be ‘legal obligation’ or ‘public task’ because our focus is delivering services to you that are required, or permitted, by other existing laws or Cabinet Office guidance.

Other options that we use are ‘contract’ (for example we have employment contracts for our staff) and, in emergencies, we may use ‘vital interests’ where it is a matter of life and death to use or share data.

It may be the case that we require your ‘consent’ for us to be able to process your personal data. If that’s the case, we’ll let you know at the point of data collection and we’ll remind you that you have the right to withdraw your consent at any time.


Within Highways England

We share data internally across departments. In some cases, two or more departments are jointly responsible for delivering a service, so they all need to access data. In these cases we make sure that the sharing is reasonable, is in line with data protection law, and respects your rights.

We may hold a central basic contact record for you in our Customer Contact Centre, so that we can provide a better service to you, use public funds as efficiently as possible, and have the most up-to-date contact details for you across services to support your right to accurate data.

Outside Highways England

We ask a number of companies to collect, store or handle your information on our behalf to help us to deliver our services – for example our ICT system providers, or contractors who complete our on-road projects. We remain responsible for your information and ensure that the right safeguards are in place through measures such as contract clauses.

For some services, we share data with other agencies such as the NHS or charities. In some of these cases we remain responsible for your data, and in other cases the responsibility is shared.

We ensure that the right safeguards are in place to keep your information safe and will always tell you more about this when the data is collected. More detail is provided in the privacy notice for each service.

We are obliged by law to share some data with central government and other agencies. Where possible we make this anonymous and only share statistics.

If this data is at an individual level, we will let you know when we collect it. Where your consent is required to transfer information, this will be made clear to you.

Where it is necessary to share data with third parties for research purposes, we will aim to make this data anonymous to ensure that individuals cannot be identified.

There are times where we legally need to share your data with other parties, for example, if a court order asks for it.

There may be exceptional cases where we feel compelled to share your data for a reason that outweighs your right to privacy to detect and prevent fraud and crime.

This list is not exhaustive, but we will never share your information if it is not legal to do so, and will always consider your rights, and whether there is another way of achieving our aim, before doing so.



Some of the things we consider when deciding how long to keep data for are:

  • how long we need it to deliver the service to you
  • how long other laws tell us to keep it for

This means that different services, and sometimes different activities within the same service, will need to keep data for different lengths of time.

Please review the service-level privacy policies for details on how long your data will be kept for.



We use a range of systems to store and process data on our customers. We have a mixture of:

  • on-site servers, held in secure buildings that meet the highest standards for security. These undergo regular audits to ensure compliance with national and international standards
  • off-site arrangements with companies where we have audited their security to ensure that it meets our standards
  • database products that require secure log-in, access to which is restricted by our IT teams
  • network access that requires either a user name and password, or a combination of this and a code generated from a mobile device
  • buildings that have access only through staff passes, and secure files stored in areas that are further restricted by passes and keys
  • off-site storage for archive files which are monitored by closed-circuit television (CCTV), with access through secure passes

Systems are only available through strictly controlled security processes. We ensure that only the right people have access to systems, through centrally controlled management of systems.



Data protection law gives you different rights relating to the way that we use your data and the way that you access it. These won’t all apply all of the time- we explain this below.

The right to know what happens with your data

You have the right to be informed about what data we process about you, for what reasons, who we share it with, how long we will do this for, your rights, and how to complain. This notice is part of us informing you, but we will try to do this in a number of ways.

The right to access your data

You have a right to access information we hold about you, through a subject access request.

The right to correct inaccurate data

You have the right to have information corrected or completed if it is incomplete. We aim to have complete data for our customers, so please make us aware as soon as possible if something is wrong or missing.

The right to have your data deleted

You have the right to ask us to erase your data. This is not an absolute right and if we have a lawful reason to continue to hold your information, we will continue to do so. The reasons behind this will be explained in response to your request.

The right to ask us to limit the way we use your data, or to stop entirely

You have the right to ask us to restrict the processing of your data. This may apply if:

  • data about you is not accurate
  • there is no legal reason for us to process the data about you, but you choose not to ask for erasure

When it’s restricted it means we can continue to securely store it but use of it is restricted (with some specific exceptions).

You have the right to object to us processing your data at all, but often if we do this you will no longer be able to receive the related service, and this will often be overridden by the legal obligations that we have as a business.

The right to data portability

You have a right to ask for data that you provide us with to be transferred to another service provider. This won’t apply to most of our services.

Rights relating to automated decision making and profiling

Currently Highways England doesn’t use any automated decision making or profiling systems. This means that any decision that will affect you is made by a human.

We will always consider privacy and our customers’ rights if we introduce new systems that involve profiling or automated decision making, and we will make our customers aware of projects like this. You have the right to ask for a human to reconsider an automated decision.


Contact us

Highways England is a data controller, registered with the Information Commissioner’s Office (ICO).

You can email our Data Protection Officer Graham Woodhouse if you have any queries about your data.

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

Or you can visit the Information Commissioner’s Office website or email casework@ico.org.uk.