DfC Privacy Notice

This Privacy Notice from the Department for Communities (DfC) tells our customers and service users how we process your personal data in accordance with our legal obligations under the Data Protection Act (DPA) and the UK General Data Protection Regulation (UKGDPR).

DfC is committed to building trust and confidence in our ability to keep your information secure and this Notice explains how we do this.


Data Controller Data Protection Officer
Department for Communities
Causeway Exchange
1-7 Bedford Street
County Antrim

Tel: 028 9082 9000
Department for Communities
Information Management Branch
Causeway Exchange
1-7 Bedford Street
County Antrim

t: 028 9082 9200
e: dpo@communities-ni.gov.uk
The DfC Data Protection Officer is Karen McMullan

Who we are

Throughout this document, “we”, “us”, “our” and “ours” refer to the Department for Communities (DfC). Department for Communities is the largest of the Northern Ireland Civil Service Departments. DfC has responsibility for: Housing policy, urban regeneration, sport, benefits and pensions, finding employment, finding staff, arts and culture, museums and libraries, support for children, historic environment, voluntary and community, languages, statistics and research, social inclusion, law and legislation, local government policy, the Appeals Service and the Public Records Office NI.

DfC is the parent department for a number of Arm’s Length Bodies – most of these are data controllers in their own right, and are responsible for any personal data that they process.

Where DfC uses contractors or third parties to deliver services they are usually acting as DfC’s data processor, and we are responsible for how they handle your data. 

Your privacy is important

We recognise the importance in keeping all personal and sensitive information secure. The Department for Communities is committed to taking all reasonable steps to ensure that our procedures and security are fit for this purpose. We are committed to ensuring that all personal data is processed lawfully, fairly and in a transparent manner.

COVID 19 – with the outbreak of Covid 19 to allow staff to continue to deliver the Department’s services to our customers it has been necessary to permit staff to work remotely as not all staff are able to work at their usual office locations.  Staff must abide by the same policies and procedures to ensure personal data they process is protected no matter where they are located.  This practice will continue to be kept under review

The law and why we process your information

The following is a broad description of the way the Department as a data controller processes personal information in accordance with our legal obligations under the Data Protection Act (DPA) and the UKGDPR. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any specific privacy notices we have provided, or contact the relevant area of the Department to ask about your personal circumstances.

For us to process your personal information we must have a lawful basis for processing for doing so and at least one of the following conditions must apply:

  1. Consent – Your consent to us processing your information will be based on a clear indication from you that you are agreeable to us processing your information for a specified and clearly defined reason.
  2. Contract – Processing your information is necessary if we have a contract to fulfil with you or if we have to take steps at your request before entering into a contract.
  3. Legal Obligation – Processing your information is necessary in order for us to comply with common law (not including contractual obligations) or statutory obligation.
  4. Vital Interests – Processing your information is vital in protecting someone’s life.
  5. Public task – Processing your information is necessary for the Department to perform a task in the public interest or for our official functions, and the task has a clear basis in law.

The processing that the Department carries out is most likely to fall under conditions 2, 3 and 5 above. The list of relevant legislation from which the DfC derives the power to process personal data is too long and varied to list here but should you require further, more specific information, please see our Public Task Statement or contact us.

Data protection Safeguards Policy

The Department for Communities processes special category data and criminal conviction data on occasion in order to carry out our functions and obligations.

For sensitive personal data, such as information about health, most processing that DfC carries out meets the condition that such processing is “necessary for the purposes of …employment, social security and social protection”.  This is covered in section 10 and Schedule 1 Part 1 of the Data Protection Act 2018 and Article 9(2)(b) of the UKGDPR. 

The Data Protection Act 2018 requires us to have an appropriate policy in place when processing these types of information. This is our appropriate policy document and demonstrates our commitment to keeping personal data safe and secure. 

Why we process your information

  • The payment of social security benefits, grants loans and pensions.
  • The collection and payment of Child Maintenance
  • To provide help with training and employment
  • Research and statistics
  • Developing policy and delivering programmes in areas such as housing, employment, historic environment, public records and uniting communities
  • Processing grants for funding
  • To provide you with information about our services
  • When making public appointments
  • Archiving in the public interest
  • Processing payments, recovering overpayments and debt and fraud prevention
  • Supporting and managing our employees
  • Supplying information for use in public consultations
  • For official communications and publicity materials
  • The use of CCTV and camera systems for crime prevention and detection
  • To comply with our obligations to you

The types of personal information which we process

  • Names, addresses, dates of birth, national insurance number, title, gender, community background, marital status.
  • An identification number.
  • Employment history, job title, employer address, payroll number, salary.
  • Email addresses
  • How, when and where you use our web services along with your IP address.
  • Social Media identifiers and how you interact with us on social media.
  • Bank details and financial history
  • Information on pension schemes if it effects benefit entitlement.
  • Benefit overpayment details.
  • Transcripts of fraud interviews
  • Medical information supplied by you.
  • Photographs and visual images for a range of purposes including identifying historic buildings, promoting our services or for fraud prevention
  • CCTV images
  • Records of when you contact us or we contact you – this could be voice recordings of telephone calls, copies of written communication, forms filled in by you or notes of face to face meetings.
  • Records deposited privately in PRONI under the terms of the Public Records Act (NI) 1923.
  • Criminal offences, convictions or other related security information

We also process sensitive classes of information that may include:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Offences and alleged offences
  • Trade union membership
  • Genetic data
  • Biometric data 
  • Health details
  • Sexual life and sexual orientation

Where we may collect your information from if there is a lawful basis to do so

  • Information supplied by you, or someone appointed by you, in writing, face to face, by telephone or online. This includes information put into the public domain by you.
  • Someone who is acting on your behalf in a statutory capacity (eg someone appointed by a court)
  • Other Northern Ireland Departments including Arm’s Length Bodies (eg NI Housing Executive) and other local public authorities eg local councils
  • Department for Work and Pensions or other UK Government bodies (eg Her Majesty’s Revenue and Customs)
  • Public bodies or courts from other jurisdictions  
  • International bodies (eg United Nations High Commissioner for Refugees)
  • Contractors appointed by us (contractors are also bound by GDPR).
  • Private sector bodies such as banks, student loan providers and credit reference agencies for the purposes of fraud prevention and increasing benefit uptake.
  • Charities and Trusts with whom we have data sharing agreements
  • Data matches from the Comptroller and Auditor General as a result of the National Fraud Initiative

Who we may share your information with if there is a lawful basis to do so

We sometimes need to share the personal information we process with the individuals themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA)

  • Someone appointed by you to act on your behalf or someone who has statutory authority to act for you
  • Other NI Departments including Arm’s Length Bodies and other local authorities
  • Department for Work and Pensions or other UK Government bodies and local authorities
  • Public bodies from other jurisdictions
  • Contractors appointed by us
  • Charities and Trusts with whom we have data sharing agreements
  • Housing Associations
  • Employment Agencies and potential employers
  • Criminal justice partners such as the PSNI
  • Financial sector organisations such as banks and credit reference agencies
  • Private sector such as landlords

We may need to share information with these organisations for more than one reason and not all your personal information may need to be shared each time. We aim to minimise the personal information shared and the instances of sharing to what is needed for the specific purpose and in line with the Data Protection Act.

Do we use 'automated decision making'?

Most of the decisions DfC makes that affect you – for example whether or not you are entitled to a benefit – can be reviewed or appealed, even if the decisions are made automatically.  Any “automated decisions” for a particular benefit will just apply the entitlement rules for that benefit, and will usually involve some input by DfC staff as well. 

The Department also uses statistical profiling to identify individuals who are potentially in need of social support; for example, individuals may be selected to receive an invite for a free benefit entitlement check.  Participation is not mandatory and no decisions regarding benefit entitlement are taken solely on the basis of this processing. 


We use CCTV on our buildings to maintain the security of property, premises and staff, and for the prevention and investigation of crime. For these reasons the information processed may include visual images, personal appearance and behaviours.

If you choose not to give personal information

We only process personal information where it is necessary to do so. If you choose not to disclose personal information this may impact on our ability to provide you with some of our services. If you choose not to give us information we will explain if this is likely to mean that we cannot deliver on our obligations to you. Please note if you do not tell us about changes that affect any benefit that DfC is paying you, you may be prosecuted or other sanctions applied.


Sending personal information outside of the United Kingdom (UK)

Since the UK left the European Union international transfers are now governed under the UKGDPR rules. If we transfer your information outside of the UK we will only do so in order to follow your instructions or comply with a legal obligation. We will ensure that the receiving jurisdictions commit to protecting your information with standards equivalent to those demanded by the UKGDPR.

Retention of records

The Department will ensure compliance with UKGDPR and DPA by ensuring that effective management of records, from when they are created, how they are stored and used, through to their disposal or archival is in place.

How long we keep your personal information

Some basic information we keep for as long as your National Insurance number exists, details like your name, date of birth, and address.  DfC keeps a record of the periods of benefit claims for seven years.

Most benefit records (the detailed information you provide us with when you claim a benefit) and information provided for other DfC services are kept after the claim ends for the period necessary for any appeals, reviews and other activity to be completed.  Payment records may be kept for longer, usually 6 years if they are relevant to the tax you pay.

Personal data which PRONI has received under the Public Records Act (NI) 1923 has been archived in the public interest, in line with the DPA and UKGDPR.

DfC holds a lot of different kinds of information for a variety of different reasons, so our retention policy is complicated, but we always ensure to keep only what we need for no longer than we need it.

Our legal basis for retaining and disposing of information is set out in our Retention and Disposal Schedule which can be viewed here.

Our relationship with the Department for Work and Pensions (DWP)

The Department for Communities is responsible for many of the same services that DWP provides in England, Wales and Scotland.     

The Department for Communities is the data controller for information about benefits and services they provide in Northern Ireland, but some data controller responsibilities are shared with DWP where we use the same IT systems. 

We also provide some services such as call centres and benefit processing to DWP.  Where we do this we are acting as DWP’s data processor, and DWP remains the data controller. 

What rights do I have?

The UKGDPR provides you with a specific set of legal rights over your personal and sensitive data.

You are entitled to ask us to:

  • Provide you with a copy of your personal information. This allows you to see how and why we are using your information and that we are doing so lawfully. This is commonly known as a Subject Access Request and must be replied to within one month. (This is the Right of Access)
  • Correct your personal information if you think it is wrong or incomplete. We will take reasonable steps to check and correct your information. (Right to Rectification)
  • To erase your personal information and prevent processing in specific circumstances, often referred to as the ‘Right to be Forgotten’. (Right to Erasure)
  • To ‘block’ or suppress the processing of personal data in specific circumstances. (Right to restrict processing)
  • To provide you with your personal data in a format which can be used across different IT environments in specific circumstances. (Right to Data Portability)
  • To accept your objection to your personal data being processed. This applies in certain circumstances. (Right to Object)

You also have the Right to be Informed. This means that when we collect personal information from you we will explain our purposes for processing your personal data, our retention periods for that personal data, and who it will be shared with (which we do in these pages)

You also have rights in relation to automated decision making, including profiling. We do use automated decision making in relation to benefits decision making, however we will tell you if we use automated decision making to make a decision about you and decisions can be appealed.

Not all of these rights apply where your information is being processed for government purposes.  For example, you do not have the right to have your National Insurance number deleted – we are required by law and for tax and benefit purposes to keep this.  

If you wish to exercise any of the rights listed above please contact the Department’s Data Protection Officer using the details above. Please be aware we may need to verify your identity before answering your request.

How to complain if you are not happy with how we process your personal information

If you are unhappy with any aspect of this privacy notice, or how your personal information is being processed, please contact the Department’s Data Protection Officer at the address above in the first instance.

If you are still not happy, you have a right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane

t: 0303 123 1113
e: casework@ico.org.uk
w: https://ico.org.uk/global/contact-us

Changes to this Privacy Notice

We keep our privacy notice under regular review. If we make changes, we will update this notice. Check this notice to make sure you are aware of what information we collect, how we use it and the circumstances we may share it with other organisations.

This privacy notice was last updated in March 2022.

Supplementary Privacy Notices of DfC Business Areas

Individual business areas within the Department have also provided privacy information to explain how and why they collect personal data and how it will be used.

Back to top