This General Privacy Notice is to let you know how the Civil Aviation Authority generally uses and looks after your personal information. This includes what you tell us about yourself and what we learn during our relationship with you.
It does not provide exhaustive detail of all aspects of our collection and use of personal information, but our online service portals and individual applications will. However, we are happy to provide any additional information or explanation needed.
Please email FOI.email@example.com or write to the address below for further information.
Find out more about who we are and our role.
Coronavirus (COVID-19) measures
The UK government has introduced measures to stop the spread of coronavirus (COVID-19) through international travel. Further information can be found in the Coronavirus (COVID-19) passenger privacy notice.
The CAA has been granted powers under the Health Protection (Coronavirus, Pre-Departure Testing and Operator Liability)(England)(Amendment) Regulations 2021 to take enforcement action against Airline Operators in relation to coronavirus track and trace and its containment. Airline Operators are required to ensure that all passengers who present at border control in the UK have a completed Passenger Locator Form and a notification of negative test result. Failure to do so is a criminal offence for which The CAA has the power to impose either a Fixed Penalty Notice or take enforcement in the criminal court.
To this extent The CAA is considered to be a competent authority for the purposes of the Data Protection Act 2018 as we have statutory functions for the purposes of the prevention, investigation, detection or prosecution of criminal offences (law enforcement purposes). When acting in this capacity, The CAA will be the controller of personal data.
When carrying out our enforcement activity, CAA staff may request your personal information or the Home Office may provide The CAA with your personal information.
This may consist of:
- your name;
- your address;
- your email address;
- your telephone number;
- your date of birth;
- your passport information;
- your Nationality;
- details of any criminal convictions;
- your Passenger Locator Form (PLF) number and status;
- details of your involvement in an offence for failing to complete a Passenger Locator Form and/or negative test result, including details of any Fixed Penalty Notice or prosecution served on you;
Depending on the nature of the offence this may consist of special categories of personal date such as:
- details of any COVID test results;
- data concerning your health such as a medical condition or disability.
We are relying on the lawful basis that:
- the processing is strictly necessary for law enforcement purposes; or
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- in relation to special categories of personal data, where the processing is strictly necessary for the law enforcement purposes and is necessary for the administration of justice or exercise of a function conferred on The CAA by an enactment or rule of law and is necessary for the reasons of substantial public interest.
Why we process your personal information
We process personal information to enable us to carry out our regulatory duties which may include:
- consideration and investigation of complaints and policy issues,
- formal enforcement actions,
- providing advice and information,
- maintaining our own accounts and records,
- supporting and managing our employees,
- sending promotional communications about the services we provide,
- undertaking research,
- administration of licenses,
- maintenance of a public register,
- internal support functions,
- corporate administration and all activities we are required to carry out as a data controller and a public authority,
- the use of CCTV systems for crime prevention.
We process information relevant to the above reasons/purposes which may include:
- personal details
- family details
- lifestyle and social circumstances
- goods and services
- financial details
- employment and education details
- details of complaints, incidents and grievances
- visual images, personal appearance and behaviour
- responses to surveys
We also process special category personal information that may include:
- physical or mental health details
- racial or ethnic origin
- religious or other beliefs
- political opinions, sexual life
- trade union membership
- offences (including alleged offences)
- criminal and legal proceedings, outcomes and sentences
We process personal information about:
- complainants or their representatives
- subject of a complaint or their representatives
- individuals who we may contact when carrying out a complaint or enquiry
- services providers
- offenders and suspected offenders
- applicants for a licence or registration
- authors, publishers and other creators
- individuals captured by CCTV images
- consultants and advisers
- survey respondents
- journalists and the media
- enquirers (e.g. FOI requesters)
- workers (in addition to employees)
- individuals attending training which we will be helping to organise (e.g. air crew, ground security)
- those working for the companies we regulate (e.g. accountable persons for ATOL holders)
- those seeking different types of approvals from the CAA (e.g. applicants for declarations, certificates etc.)
- applicants for National Security Vetting who work for the aviation industry
If our functions require the processing of Children's data, the Age Appropriate Design Code (The Children's code) is always adhered to.
Who the information may be shared with
We sometimes need to share information with other organisations. Where this is necessary we are required to comply with all aspects of the GDPR. What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.
Where necessary or required we share information with:
- data subjects listed above
- family, associates and representatives of the person whose personal data we are processing
- professional advisers and consultants
- services providers (see below)
- credit reference agencies
- debt collection and tracing agencies
- police forces
- private investigators
- current, past or prospective employers and examining bodies
- financial organisations
- central government
- other companies within our group
- financial organisations
- debt collection and tracing agencies
- persons making an enquiry or complaint
- organisation subject to a complaint or assessment,
- prosecuting authorities, courts
- other ombudsman and regulatory authorities
- security organisations including vetting organisations
Unless we are automatically required to share your information by law, or have in place an agreement/contract with a third-party service provider to process information on our behalf or assist the CAA in providing services, we will normally let you know if we need to share or release your information.
Information is only disclosed by the CAA for specified purposes to third parties. This may include, but is not limited to, administrative workers and IT professionals who, during their professional duties, are assisting the CAA with its regulatory functions. The CAA takes the security of your personal information very seriously. Information is only disclosed to third party service providers under a contract and who are subject to a duty of confidentiality and have sufficient security measures in place to protect personal data. If you do not consent to the disclosure of information to third parties as described in this Notice, you may make representations to FOI.firstname.lastname@example.org.
In many circumstances, we will not disclose personal data without consent. However, when we investigate a complaint, for example, we may need to share personal information with the organisation concerned and with other relevant bodies. There are many factors to consider when the CAA decides whether information should be disclosed.
You can email FOI.email@example.com for further information about:
- agreements we have with other organisations for collecting/sharing information;
- circumstances where we can pass on personal data without consent, for example, to prevent and detect crime and to produce anonymised statistics;
- how we comply with the GDPR and other applicable legislation.
It may sometimes be necessary to transfer personal information overseas. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the data protection act.
Visitors to our website
The CAA website has areas where we capture the details of our users to enable the website service to operate.
This service allows users to set-up an account on the CAA website so that an email can be sent to them when a new or amended publication has been added to one or more subscription categories that are of interest to a user.
Users can manage their account at any time and the user's password is not known to the CAA.
When you download and install our app to your mobile, you will also need to sign up and create an account so that alerts can be pushed to your mobile phone. As with the Publication subscription service, users can manage their account and their password is not known to the CAA.
We have many on-line systems or forms which capture the personal information of applicants according to the service they are applying for. More information on this is available under 'People who apply to us for a service'.
When you contact us
When you call us, we may ask for personal details for verification purposes. We use this information to make sure that we are talking to the right person and to help us locate your information. If you are making a general enquiry we may collect personal details to return your call or to pass on information related to your case/application.
Any email sent to us, including any attachments, may be monitored by the CAA for reasons of security and/or monitoring compliance with CAA policies. Email monitoring or blocking software may also be used. Please be aware that it is your responsibility to ensure that any email you send to us is not in breach of any law or regulation.
To make an enquiry, please contact the relevant department.
When we receive a complaint or report from a person we may create a record containing the identity of the complainant and any other individuals involved.
We will use the personal information we collect to process the complaint or report and to check on the level of service we provide. We do compile reports for internal management oversight, but minimal information is used. We will also publish, in our Annual Report, statistics showing information such as the number of complaints we receive, but not in a form which identifies anyone.
We usually disclose the identity of the complainant to the CAA manager in the area related to the complaint or report. This is necessary where, for example, the accuracy of a person's record is in dispute or a report directly relates to the complainant and an investigation is required. If a complainant doesn't want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in files in line with our retention policies. This means that information will be retained for varied amounts of time from closure depending on the type of complaint or report. It will be retained in a secure environment and access to it will be restricted according to the 'need to know' principle.
Similarly, where enquiries are submitted to us, we will use the information supplied to us to deal with the enquiry, compile internal reports and to check on the level of service we provide.
As the CAA also has a number of other specific complaints policies relevant to different CAA functions, you may wish to take a look at our Making Reports and Complaints page.
We must hold the personal details of the people who have requested a service to provide the service. We keep records of the services provided, such as the issue of a pilot's licence, for the duration of the licence holder's aviation career and/or in accordance with applicable regulations. We are required to keep medical records for specified time periods, according to the class of medical certificate held.
The CAA offers various services to the aviation industry and we sometimes use third parties to assist the CAA in providing those services (see more below). However, these third parties are only permitted to use information from applicants to complete those services, such as passenger claims handling or passenger repatriation services.
The CAA is required by law to 'notify' certain specified information to the Information Commissioner (ICO). The ICO compiles this information into a Data Protection Register which it is required by law to publish.
When individuals apply to work at the CAA, we will only use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example, where we want to take up a reference or obtain a 'disclosure' from the Disclosure and Barring Service (DBS) we will not do so without informing the applicant beforehand unless the disclosure is required by law.
Personal information about unsuccessful candidates will be held until after the recruitment exercise has been completed. It will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities or for equality and diversity purposes, but no individuals are identifiable from that data.
Once a person has taken up employment with the CAA, we will compile a file relating to their employment. The information contained in this file will be kept secure and will only be used for purposes directly relevant to that person's employment. Once their employment with the CAA has ended, we will retain the file in accordance with the requirements of our retention policy and then delete it. Look here for further information on careers and recruitment.
How we use your information to make automated decisions
We sometimes use systems to make automated decisions about you or your business. This helps to make our services quick, fair and consistent. An individual has rights over automated decisions including asking that we do not make our decision based on the automated outcome alone or ask for a person to review it.
You can contact FOI.firstname.lastname@example.org to ask us.
How long we keep your personal information
We keep your personal information for as long as you have a relationship with us and, thereafter, for specified purposes in line with our legal duties or our public functions, to respond to any questions or complaints, or to maintain records according to European or National aviation rules that apply to us. When you make an application for a service we will tell you how long we expect to retain your personal information and why.
Your individual rights
The General Data Protection Regulation (GDPR) provides you with a number of rights in relation to the processing of your personal data, including the right of access to a copy of the personal data we hold about you, known as a Subject Access Request.
For details on how to access the personal information that we hold about you see our guidance on exercising your individual rights or write to us at this address:
External Information Services
Civil Aviation Authority
Gatwick Airport South
You have the right to question any information we have about you that you think is wrong or incomplete. Please contact us at FOI.email@example.com if you want to do this. If you do, we will take reasonable steps to check its accuracy and correct it.
You have the right to object to our use of your personal information, or to ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. This is known as the 'right to object' and 'right to erasure', or the 'right to be forgotten'.
There may be legal or other official reasons why we need to keep or use your data. But please tell us if you think that we should not be using it at FOI.firstname.lastname@example.org.
We may sometimes be able to restrict the use of your data such as if:
- It is not accurate.
- It has been used unlawfully but you don't want us to delete it.
- It is not relevant any more, but you want us to keep it for use in legal claims.
- You have already asked us to stop using your data but you are waiting for us to tell you if we can keep on using it.
This means that it can only be used for certain things, such as legal claims or to exercise legal rights. In this situation, we would not use or share your information in other ways while it is restricted.
If you want to object to how we use your data, or ask us to delete it or restrict how we use it or, please contact us at FOI.email@example.com.
Where we have relied on your consent to process your personal information, you can withdraw your consent at any time. Please contact us if you want to do so.
If you withdraw your consent, we may not be able to provide certain products or services to you. If this is so, we will tell you.
The CAA applies the highest standards when collecting and using personal information. We therefore take any complaints we receive about the processing of personal information very seriously. We encourage people to bring issues to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our information management procedures.
See our guidance on exercising your individual rights for more details.
The CAA's Data Protection Officer (DPO)
The CAA's DPO is:
Head of External Information Services
Civil Aviation Authority
Gatwick Airport South
To contact our DPO, please email FOI.firstname.lastname@example.org. This will ensure that in her absence your enquiry can be dealt with in the most efficient way.
Complain to the Information Commissioner
If you are not satisfied with how the CAA has handled your personal data, please let us know and we will try and resolve the problem. However, you have a right to complain directly to the ICO.
Changes to this Privacy Notice
We keep our Privacy Notice under regular review. This Privacy Notice was last updated on 5 October 2021.