Privacy Notice – Isle of Man CAA & Isle of Man Aircraft Registry
The Isle of Man Civil Aviation Administration (IOMCAA) and Isle of Man Aircraft Registry (IOMAR) are a division of the Isle of Man Government Department for Enterprise (known as "DfE"). This Privacy Notice tells you what to expect when the IOMCAA and IOMAR collects and uses personal information, including how we use our websites.
Notice Issued under DfE Data Protection Policy on 1 December 2020; subject to annual review.
How we use your information
This privacy notice tells you what to expect when IOMCAA and IOMAR collects personal information on our websites. It applies to information we collect when people:
- Visit any of our websites, www.gov.im/caa, www.iomaircraftregistry.com, or https://ardis.aircraft.im
- Contact us by email, in person or over the phone
- Submit an occurrence report
- Consent to the use of cookies or passive technologies on your browser
- Make a subject access request or other data subject rights request under the Data Protection Act 2018
- Make a request under the Code of Practice for Access to Government Information (“Access Code”) or Freedom of Information Act 2015
This Privacy Notice also provides information on:
Visit our Websites
| How | What | Special Category data? | Legal basis |
|---|---|---|---|
When you make a notification to us, submit an occurrence report or make an application for:
|
Your name and contact details and if applicable license / training / photographic identification / nationality / date of birth / medical details in support of your application / notification | In certain circumstances, medical details may be collected to satisfy a requirement under the Air Navigation (Isle of Man) Order 2015 as amended for provision of the service requested | Statutory Obligations resultant from:
|
| When you make a payment (including all methods of payment) on https://ardis.aircraft.im | Your name, contact details and any other personal information you provide in order to complete the payment | No | In order to fulfil our Public Task to process your personal information in order to complete your payment for services we have provided to you |
| When you request a service via ARDIS https://ardis.aircraft.im | Your name and contact details and any other personal information you provide in order to complete your request | No | We process your information in order to fulfil your request. |
Stored and secured
We securely store personal information electronically and manually:
- Ongoing email communications are stored on our Isle of Man Government email system, Microsoft Outlook; and dependent on the nature of your enquiry, in one of our
- Records management tools: ARDIS, or the Isle of Man Government secure network.
- All our online services and websites are secure.
Access by
Employees of the IOMCAA, IOMAR and their contracted suppliers for the provision of specific services and authorised online services users have access.
Shared to
By law we may be required to share some information with other regulatory or enforcement authorities for legitimate interests. Non-sensitive personal information may be shared in order to support and enable the interaction of aviation activities e.g. with specific airport and/or air traffic control organisations or with the registered owner, operator, flight operations representative, or nominated airworthiness technical representative for a particular aircraft; with other regulatory authorities for legitimate interests.
The Civil Aviation (Occurrence Reporting) Order 2020 ('the Occurrence Reporting Order') specifies that the IOMCAA and the IOMAR:
- Must take such measures as are reasonably necessary to protect all safety data and safety information obtained by it through occurrence reports and investigations from misuse;
- May share safety data or safety information with other civil aviation authorities in the interests of safety;
- Must not disclose safety data or safety information obtained under the Occurrence Reporting Order to another person (other than to another civil aviation authority) except:
- de-identified data for the purpose of promoting or improving aviation safety; or
- where a principle of exception* applies
*A principle of exception may only be used when there has been an occurrence and one of the following applies:
- There is evidence that an occurrence reported under the Occurrence Reporting Order was likely to have been caused by gross negligence, wilful misconduct or criminal activity;
- Disclosure of safety data or safety information is necessary for the proper administration of justice; or
- Release is necessary for the wider purpose of maintaining or improving aviation safety in general beyond any immediate preventative, corrective or remedial action.
In order to apply principles 2 or 3 above, the benefits of releasing the safety data or safety information must outweigh the potential adverse impact (both domestic and international) it would likely have on the future collection and availability of such data and information.
Retention
Retention details are held within our Information and Records Management Policy – Retention of Records Procedure. Please contact our Data Protection Officer for more information.
Contact us by email, in person or over the phone or on our webform
We will only ask for your name and contact details. You may choose to provide extra information if you are making an enquiry.
Email mailboxes are accessed by only staff of IOMCAA and IOMAR who are able to allocate enquiries out to the team who will be able to address your enquiry or request. Such emails will only be shared outside the Department with your knowing, and only do so in order to address your enquiry or request.
We securely store personal information electronically and manually:
- Ongoing email communications are stored on our Isle of Man Government email system, Microsoft Outlook
- We have two main records management tools both specifically designed for the type and use of the information recorded; depending on the nature and destination of your communication, your information will likely be stored in either: ARDIS or the Isle of Man Government secure network.
In normal circumstances we will only keep a record of this communication in an active area (e.g. emails will be used in Outlook) until the request or enquiry has been fulfilled; after this time they will be kept in accordance with our document retention policy.
When you make a request under the Code of Practice for Access to Government Information ('Access Code') or Freedom of Information 2015
How
You may decide to write to us to request information in accordance with the Access Code (for information created before 10-Oct-2011) or send us a paper or electronic form in accordance with the Freedom of Information (FOI) Act 2015 (for information created after 10-Oct-2011).
In order to encourage full and open occurrence reporting without fear of the information being misrepresented, the Occurrence Reporting Order specifies that:
- Safety data and safety information is absolutely exempt information for the purposes of the Freedom of Information Act 2015; and
- Except where a principle of exception applies*, safety data or safety information obtained under the Occurrence Reporting Order must not be disclosed for use in civil or criminal proceedings.
*A principle of exception may only be used when there has been an occurrence and one of the following applies:
- There is evidence that an occurrence reported under the Occurrence Reporting Order was likely to have been caused by gross negligence, wilful misconduct or criminal activity;
- Disclosure of safety data or safety information is necessary for the proper administration of justice; or
- Release is necessary for the wider purpose of maintaining or improving aviation safety in general beyond any immediate preventative, corrective or remedial action.
In order to apply principles 2 or 3 above, the benefits of releasing the safety data or safety information must outweigh the potential adverse impact (both domestic and international) it would likely have on the future collection and availability of such data and information.
What
In order for us to fulfil your request, you will be asked for your name, address; telephone number or email address (to contact you about your request); any other information to allow us to identify you or your information. By providing this personal information to us you consent to us using the personal information for the purpose of processing your request. We do not need any other personal information in order to process your request and you should only submit the information requested above.
Legal basis
DfE collects and processes your personal information to allow us to respond to requests for information made under the Freedom of Information Act 2015 or the Access to Government Information Code
Stored and secured
- Access Code: DfE manages requests entirely on the secure Government network.
- FOI: electronic requests are automatically submitted to DfE via the secure FOI management system, iCasework; paper requests are sent to DfE’s Information Governance and Privacy Team, where requests are then manually added and managed on iCasework. Here your data will be stored and held as is set out in the Cabinet Office Privacy Policy.
Access by
- Access Code: Only the DfE Information Governance and Privacy Team
- FOI: As the Cabinet Office manage iCasework, the Cabinet Office are joint controllers for this information; iCasework Limited act as a Data Processor on behalf of the Cabinet Office. The Cabinet Office therefore have access to the personal information; iCasework have access to the system in order to maintain it.
Shared to
Neither Access Code nor FOI requests are routinely shared with anyone; occasionally the requests themselves may be shared with other Government bodies in order to provide or advise on an answer, but no personal information would be shared. In addition, FOI request responses are routinely added to the Isle of Man Government FOI Request Publication Log online; again, no personal information is included here.
Retention
Your personal information will be held for a period of one year after your request has been closed; on the DfE network for Access Code requests, and on iCasework for FOIs.
When you make a Data Subject Rights request (e.g. a subject access request)
How
Under the Data Protection Act, you have rights as an individual which you can exercise in relation to the information we hold about you. At any point while we are in possession of or processing your personal information, you, the data subject, have the following rights:
|
Access |
You have the right to request a copy of the information that we hold about you |
|
Rectification |
You have a right to correct data that we hold about you that is inaccurate or incomplete |
|
Erasure |
In certain circumstances you can ask for the data we hold about you to be erased from our records |
|
Restriction of processing |
Where certain conditions apply, you have a right to restrict the processing of your data |
|
Portability |
You have the right to have the data we hold about you transferred to another organisation |
|
Objection |
You have the right to object to certain types of processing such as direct marketing |
|
Objection to automated processing |
You also have the right to be subject to the legal effects of automated processing including profiling |
|
Judicial review |
In the event that the Department for Enterprise refuses your request under rights of access, we will provide you with a reason as to why. You then have the right to complain as outlined in Complaints |
You can make any of these requests by contacting any member of DfE staff, contractors or our third parties, or contacting our Data Protection Officer directly using the details at the end of this notice. You may wish to speak to the Data Protection Officer about your request in person or over the phone ahead of making your request.
What
In order for us to fulfil your request, you will be asked for the following; your: name; address; telephone number or email address (to contact you about your request); any other information to allow us to identify you or your information
Shared to
Your personal information for the purposes of a Data Subject Rights request will only be shared if your are requesting one of the above rights be extended to our third parties or contractors that may be processing your personal data on our behalf (i.e. they are our Data Processors). We will contact the data processors to advise them of your request in order for them to fulfil your request also. You will be advised if this is the case.
Retention
Data Subject Rights requests and any disclosure correspondence will be kept for three years following the closure of the request. However, requests where there has been a subsequent appeal (either to the DfE Data Protection Officer or the Isle of Man Information Commissioner) will be kept for 6 years following the closure of the appeal.
Consenting to the use of Cookies and Passive Technologies on your Browser
What is a Cookie?
Cookies and passive technologies are pieces of information that a website transfers to your computer. Cookies can make the web more useful by storing information about your preferences on particular sites, enabling us to provide more useful features for you.
Withdrawing consent to cookie and passive technology use
You can usually manage and disable all cookies and passive technologies directly through your internet browser; you may therefore find it helpful to check the guidance provided by your internet browser provider. The most common providers and links to their guidance on cookies and passive technologies have been provided below:
|
Google Chrome |
|
|
Microsoft Internet Explorer |
support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies |
|
Microsoft Edge |
privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy |
|
Mozilla Firefox |
support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences |
|
Apple Safari |
|
|
Opera |
Cookies we use
| Website | Cookie | Name | Purpose | Expires |
|---|---|---|---|---|
| www.iomaircraftregistry.com | Cloudflare | _crduid | This cookie is part of our content delivery network. It is used to override any security restrictions based on the IP address you are coming from and protect website availability and performance. This cookie does not store any personally identifiable information about you. | 6 years |
| ISA Web Publishing Load Balancing | ISAWPLB | When using an ISA Server to handle load balancing and web requests an ISA server will place Cookies to allow ISA Server to internally configure routes for internal requests. This cookie is deleted when you close your browser. | Session | |
| Google Analytics | _ga | Used to distinguish users. You can opt out of Google Analytics cookie. | 2 years | |
| Google Analytics cookies | _gat | Used to throttle request rate. | 10 minutes | |
| Google Analytics cookies | _utma | Determines the number of unique visitors to the site | 2 years | |
| Google Analytics cookies | _utmb | This works with _utmc to calculate the average length of time you spend on our site | 30 minutes | |
| Google Analytics cookies | _utmc | This works with _utmb to calculate when you close your browser | when you close your browser | |
| Google Analytics cookies | _utmvz | This provides information about how you reached the site (e.g. from another website or a search engine) | 6 months | |
| www.gov.im/categories/business-and-industries/civil-aviation-administration-caa | Cloudflare cookie | _crduid | This cookie is part of our content delivery network. It is used to override any security restrictions based on the IP address you are coming from and protect website availability and performance. This cookie does not store any personally identifiable information about you. | 6 years |
| Device cookie | Device | If you decide to switch to the mobile site (or to the desktop site from mobile), then we use a cookie to remember this choice in order to serve your preferred layout of the site. | 6 months | |
| ISA Web Publishing Load Balancing cookie | ISAWPLB | When using an ISA Server to handle load balancing and web requests an ISA server will place Cookies to allow ISA Server to internally configure routes for internal requests. This cookie is deleted when you close your browser. | Session | |
| Page Rating cookies | PageRating1234 | A cookie is set when you rate a page. The cookie stores the date and time you rated the page. The cookie is used to track which pages have been rated. The number in the name of the cookie is the ID of the page, i.e. "PageRating6397". | 2 weeks | |
| AddThis cookies | Various | We use AddThis to enable you to share our pages with social media sites such as Facebook and Twitter. AddThis uses several cookies to generate statistics on social media sharing. | 2 years | |
| Google Analytics cookies | _ga | Used to distinguish users. You can opt out of Google Analytics cookie. | 2 years | |
| _utma | Determines the number of unique visitors to the site | 2 years | ||
| _utmb | This works with _utmc to calculate the average length of time you spend on our site | 30 minutes | ||
| _utmc | This works with _utmb to calculate when you close your browser | End of session | ||
| _utmvz | This provides information about how you reached the site (e.g. from another website or a search engine) | 6 months | ||
| https://ardis.aircraft.im | Debugging | fw-debugxml | Determines whether XML debugging is allowed | Session |
| AJAX calls | fw-uic2ajax | Determines whether AJAX calls are allowed | Session | |
| Encrypted User Name | u | Encrypted user name (to authenticate user) | Session | |
| Encrypted password | p | Encrypted password ( to authenticate user) | Session | |
| Request token | __RequestVerificationToken | Request token (to prevent cross site request forgery) | Session | |
| Web Session ID | fw-session | Determines web session identification | Session |
Why will we process personal data (aka “the legal basis”)
We will only process your personal information if a lawful basis exists:
|
Consent |
if we rely on your consent to process your information, we will make it obvious what we are asking for consent to do and always tell you how you can withdraw your consent e.g. registering for services, newsletters and competitions. |
|
Public task |
if it is the public interest for us to collect or store e.g. when handling enquiries from members of the public |
|
Statutory obligation |
Information Rights requests (e.g. data subject rights requests) are made using provisions within either the Freedom of Information Act 2015 or Data Protection Act 2018. We are unable to fulfil these requests without processing your personal information. |
How will we securely process personal data?
All personal information is kept with the highest standards and safeguards in place. This includes technical security, preventing unauthorised access, undertaking audits and maintaining backups:
- Emails - Email communications are stored on our Isle of Man Government email system, Microsoft Outlook. We encrypt and protect all our emails in line with government standards. If your email service does not support this encryption, you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law
- IOMCAA and IOMAR Secure Networks – There are strict access controls in place meaning that only those within specific Divisions can access team folders; in addition, only the teams within the Divisions who are able to access personal information, are those that have a business need to do so. The administration of the IOMCAA and IOMAR Secure Networks is undertaken by Government Technology Services in the Cabinet Office and PDMS Ltd as an authorised contracted supplier
- Manual records - We do not routinely store manual records, however, those that are already in storage and an new records we are required to hold any manually are either stored onsite or in a third party storage facility with whom we have a data protection agreements in place.
Miscellaneous
Under what circumstances can DfE, IOMCAA or IOMAR contact me?
Our aim is never to be intrusive, and we aim to always avoid asking irrelevant or unnecessary questions. Moreover, any information you provide us will always be subject to rigorous measures and procedures to maintain your privacy. You will never be contacted by a means you did not consent to when providing us with your data.
Retention period
We only use personal information for as long as it is needed and will store it for the shortest amount of time possible, in accordance with the law.
Public Records and Law Enforcement
Your personal information may be permanently retained for research use at the Isle of Man Public Record Office if the records containing your personal data are selected for permanent preservation under the Public Records Act 1999. The Isle of Man Public Record Office preserves records of Isle of Man public authorities that are of long-term historic and cultural value. To find our more, please contact the Public Records Office or the DfE Data Protection Officer.
Your personal information may also be processed by, and therefore shared to, competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. To find our more, please contact the Isle of Man Information Commissioner or the DfE Data Protection Officer.
Processing special category (sensitive) data and the data of children (under 16s)
We have to put additional measures in place if we plan to process any special category personal data, including ethnic origin or religion; however, DfE, IOMCAA and IOMAR do not process any special category personal information using our websites. In order to process the personal information of children, we would have to put additional measures in place because they may be less aware of the risks involved. DfE, IOMCAA and IOMAR do not target any services to children and do not process the personal information of children for marketing purposes, competitions or registering for services or user profiles.
Sending us private message on social media
In addition to this website, DfE, IOMCAA and IOMAR also have social media platforms. You may choose to provide us with personal information on our social media platforms; we ask that you do also check the platform’s privacy policy and terms of service prior to sending us anything.
Social media message boxes are accessed by the team responsible for that service/product; this includes the Marketing and Business Intelligence Division, who have responsibility for maintaining DfE’s social media platforms. Such messages will only be shared outside DfE with your knowing, and only in order to address your enquiry or request. The Marketing and Business Intelligence Division may at certain times require a third party to manage DfE’s social media; if this happens this policy will be revised.
Contact details
For any privacy enquiries, please feel free to contact our Data Protection Officer, or the Isle of Man Information Commissioner:
Department for Enterprise Data Protection Officer
St George's Court
Upper Church Street
Douglas
Isle of Man, IM1 1EX
Email: DPO-DfE@gov.im
Tel: +44 1624 686733
Isle of Man Information Commissioner
Isle of Man Information Commissioner
P.O. Box 69
Douglas
Isle of Man, IM99 1EQ
Web: inforights.im
Email: ask@inforights.im
Tel: +44 1624 693260
Complaints
In the event that you wish to make a complaint about how your personal information is being processed by the DfE, IOMCAA or IOMAR (or third parties), or how your complaint has been handled, you have the right to lodge a complaint directly with our Data Protection Officer in the first instance; as well as the Isle of Man Information Commissioner.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of DfE’s, IOMCAA’s or IOMAR’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the Data Protection Officer using the above contact details.
