  • Data Protection Act 1998

    The Data Protection Act 1998 (DPA) gives you a number of rights in relation to the processing of your personal data, including the right of access to a copy of the personal data the CAA holds about you, known as a Subject Access Request.


    So that we are sure we are providing the information to the correct person, we will require a copy of a form of photo identification such as your passport or driving licence if you make a request.


    We will respond to a Subject Access Request no later than 40 calendar days following the date of receipt of all the information necessary to deal with the request.


    There are exemptions to the right of access to your personal information, such as when the material also includes a third party’s personal information. Should any or all of the information you have requested be exempt, we will tell you which exemption(s) have been applied and why.


    If you are not satisfied with how the CAA has handled your personal data, please let us know and we will try to resolve the problem. Should you remain dissatisfied, you can complain to the Information Commissioner.

    Fees and Charges

    The CAA does not normally charge a fee for a Subject Access Request, except in the case of medical records.

  • Data protection security statement

    CAA information security policy and procedures provide appropriate technical and organisational measures that safeguard against the unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data (the Seventh Data Principle). In particular, these policies cover:

    • The secure management of information
    • Controlled access to information
    • Business Continuity
    • Information Management & Privacy
    • Information Rights, and
    • IT Security

    On occasions when third-party organisations process personal or sensitive personal data on behalf of the CAA, appropriate contractual arrangements will be made.

    A request for access to personal data by the data subject is a 'Subject Access Request' under the terms of the Data Protection Act. Access to personal information about another person (third party data) can be exempt from disclosure. If necessary, we will contact the data subject, discuss the request and determine if it can be lawfully met.