Privacy Notice

Version 2.9, May 2026

We may need to handle personal information about you so that we can provide services for you. This privacy notice tells you how we look after that information as well as explaining how you could make a complaint if you feel we are not handling your personal data as we should. The United Kingdom Debt Management Office (UK DMO) is the data controller.

When we ask you for personal information, we will ensure it is:

  • processed lawfully, fairly and safely in a transparent manner
  • collected for specified, explicit and legitimate purposes
  • adequate, relevant and limited to what is necessary
  • accurate and, where necessary, kept up to date
  • retained for only as long as necessary
  • processed in an appropriate manner to maintain security

Personal data means any information about an individual from which that person can be identified. There are “special categories” of more sensitive personal data which require a higher level of protection; however, we do not collect special category data.

The kind of information we hold about you

We collect, store and use the following categories of personal data:

  • name, title
  • personal and business contact details such as telephone numbers, addresses and email addresses, and the name of the organisation for which you work
  • signature
  • your image captured on CCTV (if you visit our offices)
  • your MAC address and device name (if you connect to our GovWifi network)

Why we collect your data and what we do with it

Your personal data is being collected as an essential part of the service we provide, so that we can contact you and for statistical purposes. We may also use it to contact you about related matters. We will not use your personal information for marketing purposes or make it available to any other organisation for that purpose.

If we do not have access to your data it may not be possible for us to provide the services to you which you would reasonably expect from us.

The data we collect may be shared with relevant staff in other government departments, agencies, public bodies, and auditors.

We may be required by law to share your data with financial services regulators to assist with their investigations or initiatives and with police, law enforcement and security services for the prevention of crime and the protection of national security.

We do not disclose personal data to anyone else except as set out above.

Your personal data will be maintained in either secured government IT systems here in the UK or in third party organisations in the UK or overseas in which equivalent safeguards apply.

Your personal data are not used for any automated decision making.

Your personal data are used for one or more of the following:

  • Transactions related to the PWLB lending facility, Debt Management Account Deposit Facility (DMADF) and Commissioners for the Reduction of the National Debt (CRND).
  • Gilt or cash management activities where you represent a Gilt-Edged Market Maker (GEMM) or other counterparty.
  • Freedom of Information Act requests, email subscriptions, media and other enquiries.
  • To ensure a safe and crime-free working environment.

How long we keep your personal data

The duration for which we keep your data will differ depending on the type of information and the reason why we collected it from you. In some cases personal information may be retained on a long-term basis.

  • PWLB lending facility: data provided for authorisation purposes are held until superseded by a new instruction and data relating to a loan application are held for six years after the loan maturity date.
  • DMADF: data provided for authorisation purposes are held until superseded by a new instruction and data relating to a deposit application are held for six years after the deposit maturity date.
  • CRND: data provided for authorisation purposes are held until superseded by a new instruction and data relating to an investment are held for six years after the investment date.
  • Voice recording records are kept for five years and then destroyed. Phone calls are recorded for dealing (cash, gilts and fund management), local authority lending such as the PWLB lending facility and settlements.
  • Operational records of the dealing desk, other than voice recordings, are kept for no more than 6 years and then destroyed.
  • Details of your use of GovWifi are retained for 30 days.

Lawful basis

Our lawful bases for processing personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In the case of data collected for monitoring your access to GovWifi from DMO equipment, the lawful basis is our legitimate interest in ensuring the network is used appropriately, securely, and in compliance with applicable laws and policies. In the case of subscriptions to our email services, the lawful basis is your consent at the point you subscribe.

How you can help

It is important that we keep your information accurate and up-to-date and so in return, we ask you to:

  • give us accurate information
  • tell us as soon as possible if there are any changes, such as new contact details

Your rights

The data we are collecting is your personal data, and you have certain rights about what happens to it. You have the right:

  • to see what data we have about you
  • to ask us to stop using your data, but keep it on record
  • to have all or some of your data corrected if it is inaccurate or incomplete
  • to lodge a complaint with the independent Information Commissioner (ICO) if you think we are not handling your data fairly or in accordance with the law.

You can get more details from us on:

  • how to find out what information we hold about you and how to ask us to correct any mistakes
  • agreements we have with other organisations for sharing information
  • circumstances where we can pass on your personal information without telling you (e.g. to prevent and detect crime or to produce anonymised statistics)
  • our instructions to staff on how to collect, use and delete your personal information
  • how we check the information we hold is accurate and up to date

 

How to make a complaint

If you consider any of our actions to have infringed the UK GDPR you can make a complaint to us by emailing dataprotection@dmo.gov.uk, or by writing to:

 

Data Protection,

Records and Information Management

UK Debt Management Office

The Minster Building

21 Mincing Lane

London EC3R 7AG

 

Please provide proof of ID. This should include photographic ID such as a valid passport, driving licence, bus pass or student ID and proof of address such as a utility bill, council tax bill, bank, building society or credit card statement, tenancy agreement or mortgage statement. Please do not send original documents unless we specifically request them.

If submitting a request for someone else, a friend, relative or client you must provide the above ID for yourself and for the person you are representing along with proof of your authority to act, such as a signed letter of consent or a Power of Attorney document.

Please provide sufficient evidence or supporting information to allow us to clearly understand the nature of your complaint and to act on it promptly.

We will acknowledge your request within 30 days of receipt and respond fully as soon as we can and without undue delay. When appropriate, we will keep you informed of progress and, if the investigation is likely to be complex, we will provide an estimated completion date.

Our final response will explain our findings and any remedial actions clearly and in plain English.

 

For more information, to request access to your personal data, or to make a complaint please contact dataprotection@dmo.gov.uk

Or write to:

Data protection

Records and Information Management

UK Debt Management Office

The Minster Building

21 Mincing Lane

London EC3R 7AG

Please visit our Terms of Use page for information on our Cookies Policy.

When we ask you for information, all applicable provisions of the law, including the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) will be applied at all times.

For independent advice about data protection, privacy and data sharing issues or to lodge a complaint, please contact the Information Commissioner at:

Wycliffe House, Wate Lane, Wilmslow, Cheshire SK9 5AF

Phone: 03030 123 1113 or 01625 54 57 45

Website: www.ico.org.uk

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last reviewed on 28 May 2026.