Our Island Plan

Privacy Notice – Isle of Man Civil Aviation Administration & Isle of Man Aircraft Registry

The Isle of Man Civil Aviation Administration (IOM CAA) is a division of the Isle of Man Government Department for Enterprise (known as 'DfE'). The Isle of Man Aircraft Registry (IOMAR) is a part of the IOM CAA. This Privacy Notice tells you what to expect when the IOM CAA collects and uses personal information, including how we use our websites.

Notice Issued under DfE Data Protection Policy on 11 May 2026. Subject to annual review.

How we use your information

This Privacy Notice tells you what to expect when the IOM CAA collects personal information on our websites.

It applies to information we collect when people:

This Privacy Notice also provides information on:

  • Why we will process personal information (aka 'the legal basis')
  • How we will securely process personal data;
  • Contact details. 

Visit our Websites

When you make a notification to us

How

When you make a notification to us, submit an occurrence report or make an application for:

  • Registration
  • Permissions
  • Authorisations
  • Variations
  • Exemptions
  • Validations
  • Approvals
  • Mortgage and IDERA services
  • Issuance of any other certificate or document

What

Your name and contact details and if applicable:

  • License
  • Training
  • Photographic identification
  • Nationality
  • Date of birth
  • Medical details in support of your application
  • Notification (this might include special category pertaining to your race or ethnic origin)

Legal Basis

Statutory Obligations resultant from:

  • The Civil Aviation Act 1982 as amended and as applied to the Isle of Man
  • The Airports and Civil Aviation Act 1987 (ATO10 of 1987)

Or in order to fulfil our Public Task to notify you as necessary of any safety, regulatory, industry or registry changes which may affect the continued compliance of your aircraft whilst on the Register, or any information/processes for application/ notification to us.

When you make a payment

How

When you make a payment (including all methods of payment) on The Aircraft Registry Digital Information System (ARDIS)

What

Your name, contact details and any other personal information you provide in order to complete the payment.

Legal Basis

In order to fulfil our Public Task, to process your personal information, in order to complete your payment for services we have provided to you.

When you request a service via ARDIS

How

When you make a service request on The Aircraft Registry Digital Information System (ARDIS)

What

Your name and contact details and any other personal information you provide in order to complete your request.

Legal Basis

We process your information in order to fulfil your request.

Stored and secured

We securely store personal information electronically and manually:

  • Ongoing email communications are stored on our Isle of Man Government email system, Microsoft Outlook; and dependent on the nature of your enquiry, in one of our records management tools – ARDIS or the Isle of Man Government secure network

  • All our online services and websites are secure

Access by

Employees of the IOM CAA, its contracted suppliers for the provision of specific services, and authorised online services users have access.

Shared to

By law we may be required to share some information with other regulatory or enforcement authorities for legitimate interests.

Non-sensitive personal information may be shared in order to support and enable the interaction of aviation activities e.g. with specific airport and/or air traffic control organisations, or with the registered owner, operator, flight operations representative, or nominated airworthiness technical representative for a particular aircraft; with other regulatory authorities for legitimate interests.

Regulatory data and information will not be disclosed to external parties, except to competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties or to comply with a legal obligation or requirement that the IOM CAA may be subject to. Where such provision of information is essential for the proper administration of other IOM government process, the information will only be shared when absolutely necessary and with appropriate protections.

The Civil Aviation (Occurrence Reporting) Order 2020 ('the Occurrence Reporting Order') specifies that the IOM CAA and the IOMAR:

  • Must take such measures as are reasonably necessary to protect from misuse all safety data and safety information obtained by it through occurrence reports and investigations

  • May share safety data or safety information with other civil aviation authorities in the interests of safety

  • Must not disclose safety data or safety information obtained under the Occurrence Reporting Order to another person (other than to another civil aviation authority) except:
    • De-identified data for the purpose of promoting or improving aviation safety; or

    • Where a principle of exception*

*A principle of exception may only be used when there has been an occurrence and one of the following applies:

  • There is evidence that an occurrence reported under the Occurrence Reporting Order was likely to have been caused by gross negligence, wilful misconduct or criminal activity

  • Disclosure of safety data or safety information is necessary for the proper administration of justice; or

  • Release is necessary for the wider purpose of maintaining or improving aviation safety in general, beyond any immediate preventative, corrective or remedial action

In order to apply principles 2 or 3 above, the benefits of releasing the safety data or safety information must outweigh the potential adverse impact (both domestic and international) it would likely have on the future collection and availability of such data and information.

Retention

Retention details are held within our Information and Records Management Policy – Retention of Records Procedure. Please contact our Data Protection Officer for more information.

Contact us by email, in person or over the phone or on our web form

We will only ask for your name and contact details. You may choose to provide extra information if you are making an enquiry.

Email mailboxes are accessed only by IOM CAA staff who are able to allocate enquiries out to the team who will be able to address your enquiry or request. Such emails will only be shared outside the Department with your prior knowledge, and only in order to address your enquiry or request.

We securely store personal information electronically and manually:

  • Ongoing email communications are stored on our Isle of Man Government email system, Microsoft Outlook

  • We have two main records management tools, both specifically designed for the type and use of the information recorded; depending on the nature and destination of your communication, your information will likely be stored in either: ARDIS or the Isle of Man Government secure network

In normal circumstances we will only keep a record of this communication in an active area (e.g. emails will be used in Outlook) until the request or enquiry has been fulfilled; after this time, they will be kept in accordance with our document retention policy.

When you make a request under the Code of Practice for Access to Government Information ('Access Code') or Freedom of Information 2015

How

You may decide to write to us to request information in accordance with the Access Code (for information created before 10-Oct-2011) or send us a paper or electronic form in accordance with the Freedom of Information (FoI) Act 2015 (for information created after 10-Oct-2011).

In order to encourage full and open occurrence reporting without fear of the information being misrepresented, the occurrence reporting order specifies that:

  • Safety data and safety information is absolutely exempt information for the purposes of the Freedom of Information Act 2015

  • Except where a principle of exception applies*, safety data or safety information obtained under the Occurrence Reporting Order must not be disclosed for use in civil or criminal proceedings

*See Visit our Website section on principles of exception.

What

In order for us to fulfil your request, you will be asked for your name, address, telephone number or email address (to contact you about your request) any other information to allow us to identify you or your information.

By providing this personal information to us you consent to us using the personal information for the purpose of processing your request. We do not need any other personal information in order to process your request and you should only submit the information requested above.

Information that is provided to the IOM CAA in confidence is absolutely exempt from disclosure under Section 26 of the Freedom of Information Act 2015.

IOM CAA regulatory activity is considered to form part of the functions listed under Section 32(3) of the Freedom of Information Act 2015.

Information under Section 32 of the Freedom of Information Act 2015 is qualified exempt information and subject to a public interest test. Such a test will consider public confidence in aviation safety and the way the IOM CAA regulates.

Legal basis

DfE collects and processes your personal information to allow us to respond to requests for information made under the Freedom of Information Act 2015 or the Access to Government Information Code.

Stored and secured

Access by

  • Access Code: Only the DfE Information Governance and Privacy Team

  • FOI: As the Cabinet Office manage iCasework, the Cabinet Office are joint controllers for this information; iCasework Limited act as a Data Processor on behalf of the Cabinet Office. The Cabinet Office therefore have access to the personal information; iCasework have access to the system in order to maintain it

Shared to

Neither Access Code nor FOI requests are routinely shared with anyone; occasionally the requests themselves may be shared with other Government bodies in order to provide or advise on an answer, but no personal information would be shared. In addition, FOI request responses are routinely added to the Isle of Man Government FOI Request Publication Log online; again, no personal information is included here.

Retention

Your personal information will be held for a period of one year after your request has been closed; on the DfE network for Access Code requests, and on iCasework for FOIs.

When you make a Data Subject Rights request (e.g. a subject access request)

How

Under the Data Protection Act, you have rights as an individual which you can exercise in relation to the information we hold about you. At any point while we are in possession of or processing your personal information, you, the data subject, have the following rights:

  • Access: You have the right to request a copy of the information that we hold about you

  • Rectification: You have a right to correct data that we hold about you that is inaccurate or incomplete

  • Erasure: In certain circumstances you can ask for the data we hold about you to be erased from our records

  • Restriction of processing: Where certain conditions apply, you have a right to restrict the processing of your data

  • Portability: You have the right to have the data we hold about you transferred to another organisation

  • Objection: You have the right to object to certain types of processing such as direct marketing

  • Objection to automated processing: You also have the right to be subject to the legal effects of automated processing including profiling

  • Judicial review: In the event that the DfE refuses your request under rights of access, we will provide you with the reason why. You then have the right to complain as outlined in Complaints.

You can make any of these requests by contacting any member of DfE staff, contractors or our third parties, or by contacting our Data Protection Officer (DPO) directly using the details at the end of this notice. You may wish to speak to the DPO about your request in person or over the phone ahead of making your request.

What

In order for us to fulfil your request, you will be asked for the following: your name, address, telephone number or email address (to contact you about your request) and any other information to allow us to identify you or your information.

Shared to

Your personal information for the purposes of a Data Subject Rights request will only be shared if you are requesting one of the above rights be extended to our third parties or contractors that may be processing your personal data on our behalf (i.e. they are our Data Processors). We will contact the data processors to advise them of your request in order for them to fulfil your request also. You will be advised if this is the case.

Retention

Data Subject Rights requests and any disclosure correspondence will be kept for three years following the closure of the request. However, requests where there has been a subsequent appeal (either to the DfE DPO or the Isle of Man Information Commissioner) will be kept for 6 years following the closure of the appeal.

Consenting to the use of Cookies and Passive Technologies on your Browser

What a Cookie is

Cookies and passive technologies are pieces of information that a website transfers to your computer. Cookies can make the web more useful by storing information about your preferences on particular sites, enabling us to provide more useful features for you.

Withdrawing consent to cookie and passive technology use

You can usually manage and disable all cookies and passive technologies directly through your internet browser; you may therefore find it helpful to check the guidance provided by your internet browser provider. The most common providers and links to their guidance on cookies and passive technologies have been provided below:

Cookies we use

Cookies used across multiple sites

Website links:

Cloudflare

  • Cookie name: _crduid

  • Purpose: This cookie is part of our content delivery network. It is used to override any security restrictions based on the IP address you are coming from and protect website availability and performance. This cookie does not store any personally identifiable information about you

  • Expires: 6 years

Google Analytics cookie (_ga)

Google Analytics cookie (_utma)

  • Cookie name: _utma

  • Purpose: Determines the number of unique visitors to the site

  • Expires: 2 years

Google Analytics cookie (_utmb)

  • Cookie name: _utmb

  • Purpose: This works with _utmc to calculate the average length of time you spend on our site

  • Expires: 30 minutes

Google Analytics cookie (_utmc)

  • Cookie name: _utmc

  • Purpose: This works with _utmb to calculate when you close your browser.

  • Expires: when you close your browser

Google Analytics cookie (_utmvz)

  • Cookie name: _utmvz

  • Purpose: This provides information about how you reached the site (e.g. from another website or a search engine).

  • Expires: 6 months

Isle of Man Aircraft Registry

Website link: Isle of Man Aircraft Registry official website

ISA Web Publishing Load Balancing

  • Cookie name: ISAWPLB

  • Purpose: When using an ISA Server to handle load balancing and web requests an ISA server will place cookies to allow ISA server to internally configure routes for internal requests. This cookie is deleted when you close your browser

  • Expires: Session

Google Analytics cookie (_gat)

  • Cookie name: _gat

  • Purpose: Used to throttle request rate

  • Expires: 10 minutes

Isle of Man Civil Aviation Administration

Website link: Isle of Man Civil Aviation Administration official website

Device cookie

  • Cookie name: Device

  • Purpose: If you decide to switch to the mobile site (or to the desktop site from mobile), then we use a cookie to remember this choice in order to serve your preferred layout of the site

  • Expires: 6 months

ISA Web Publishing Load Balancing cookie

  • Cookie name: ISAWPLB

  • Purpose: When using an ISA Server to handle load balancing and web requests an ISA server will place cookies to allow ISA Server to internally configure routes for internal requests. This cookie is deleted when you close your browser

  • Expires: Session

Page Rating cookies

  • Cookie name: PageRating1234

  • Purpose: A cookie is set when you rate a page. The cookie stores the date and time you rated the page. The cookie is used to track which pages have been rated. The number in the name of the cookie is the ID of the page, i.e. 'PageRating6397'

  • Expires: 2 weeks

AddThis cookies

  • Cookie name: Various

  • Purpose: We use AddThis to enable you to share our pages with social media sites such as Facebook. AddThis uses several cookies to generate statistics on social media sharing

  • Expires: 2 years

Aircraft Registry Digital Information System (ARDIS)

Website link: The Aircraft Registry Digital Information System (ARDIS)

Debugging

  • Cookie name: fw-debugxml

  • Purpose: Determines whether XML debugging is allowed

  • Expires: Session

AJAX calls

  • Cookie name: fw-uic2ajax

  • Purpose: Determines whether AJAX calls are allowed

  • Expires: Session

Encrypted User Name

  • Cookie name: u

  • Purpose: Encrypted user name (to authenticate user)

  • Expires: Session

Encrypted password

  • Cookie name: p

  • Purpose: Encrypted password (to authenticate user)

  • Expires: Session

Request token

  • Cookie name: __RequestVerificationToken

  • Purpose: Request token (to prevent cross site request forgery)

  • Expires: Session

Web Session ID

  • Cookie name: fw-session

  • Purpose: Determines web session identification

  • Expires: Session

Why will we process personal data (aka 'the legal basis')

We will only process your personal information if a lawful basis exists:

  • Consent: If we rely on your consent to process your information, we will make it obvious what we are asking for consent to do and always tell you how you can withdraw your consent e.g. registering for services, newsletters and competitions

  • Public task: If it is the public interest for us to collect or store e.g. when handling enquiries from members of the public or a statutory duty

  • Statutory obligation: Information Rights requests (e.g. data subject rights requests) are made using provisions within the Data Protection Act 2018. We are unable to fulfil these requests without processing your personal information

How we securely process personal data

All personal information is kept with the highest standards and safeguards in place.

This includes technical security, preventing unauthorised access, undertaking audits and maintaining backups:

  • Emails: Email communications are stored on our Isle of Man Government email system, Microsoft Outlook. We encrypt and protect all our emails in line with government standards. If your email service does not support this encryption, you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law

  • IOM CAA Secure Networks: There are strict access controls in place meaning that only those within specific Divisions can access team folders; in addition, only the teams within the Divisions who are able to access personal information, are those that have a business need to do so. The administration of the IOM CAA secure networks is undertaken by Government Technology Services in the Cabinet Office and PDMS Ltd as an authorised contracted supplier

  • Manual records: We do not routinely store manual records, however, those that are already in storage and any new records we are required to hold manually are either stored onsite or in a third party storage facility with whom we have a data protection agreements in place

Miscellaneous

Under what circumstances can DfE or the IOM CAA contact me

Our aim is never to be intrusive, and we aim to always avoid asking irrelevant or unnecessary questions. Moreover, any information you provide us will always be subject to rigorous measures and procedures to maintain your privacy. You will never be contacted by a means you did not consent to when providing us with your data.

Retention period

We only use personal information for as long as it is needed and will store it for the shortest amount of time possible, in accordance with the law. 

Public Records and Law Enforcement

Your personal information may be permanently retained for research use at the Isle of Man Public Record Office (PRO) if the records containing your personal data are selected for permanent preservation under the Public Records Act 1999. The Isle of Man PRO preserves records of Isle of Man public authorities that are of long-term historic and cultural value. To find out more, please contact the PRO or the DfE DPO.

Your personal information may also be processed by, and therefore shared with, competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. To find our more, please contact the Isle of Man Information Commissioner or the DfE DPO.

Processing special category (sensitive) data and the data of children (under 16s)

We have to put additional measures in place if we plan to process any special category personal data, including ethnic origin or religion; however, DfE and the IOM CAA do not process any special category personal information using our websites. In order to process the personal information of children, we would have to put additional measures in place because they may be less aware of the risks involved. DfE and the IOM CAA do not target any services to children and do not process the personal information of children for marketing purposes, competitions or registering for services or user profiles.

Sending us private message on social media

In addition to this website, DfE and the IOM CAA also have social media platforms. You may choose to provide us with personal information on our social media platforms; we ask that you do also check the platform’s privacy policy and terms of service prior to sending us anything.

Social media message boxes are accessed by the team responsible for that service/product; this includes the Marketing and Business Intelligence Division, who have responsibility for maintaining DfE’s social media platforms. Such messages will only be shared outside DfE with your prior knowledge, and only in order to address your enquiry or request. The Marketing and Business Intelligence Division may at certain times require a third party to manage DfE’s social media; if this happens this policy will be revised.

Contact details

For any privacy enquiries, please feel free to contact our DPO, or the Isle of Man Information Commissioner:

Department for Enterprise Data Protection Officer
St George's Court,
Upper Church Street,
Douglas,
Isle of Man, IM1 1EX

Email: DPO-DfE@gov.im
Telephone: +44 1624 682381

Isle of Man Information Commissioner
Isle of Man Information Commissioner,
P.O. Box 69,
Douglas ,
Isle of Man, IM99 1EQ

Website: inforights.im
Email: ask@inforights.im
Telephone: +44 1624 693260

For more information visit the UK ICO website.

Complaints

In the event that you wish to make a complaint about how your personal information is being processed by the DfE or the IOM CAA (or third parties), or how your complaint has been handled, you have the right to lodge a complaint directly with our DPO in the first instance; as well as the Isle of Man Information Commissioner.

This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of DfE’s or the IOM CAA’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the DPO using the above contact details.

Back to top