Isle of Man Passport Office Privacy Notice
This privacy notice explains your rights as an individual when using services provided by The Isle of Man Passport Office.
Who we are
The Isle of Man Passport Office is an office within the Isle of Man Treasury, which is a Department of the Isle of Man Government as established under the Government Departments Act 1987 (as amended).
On 20 June 1967, Tynwald approved a resolution to establish an Isle of Man Passport Office to enable overprinted British passports to be issued in the Isle of Man.
The Isle of Man Passport Office is an issuing authority for British passports and issues an Isle of Man variant of the British Passport to those who are eligible. Accordingly, it complies with His Majesty's Passport Office's ('HMPO') issuance policies for British passports.
Isle of Man
+44 1624 685208
The Treasury as the Data Controller
The Treasury is the Data Controller for the Isle of Man Passport Office and has appointed a Data Protection Officer (DPO) to help ensure that we fulfil our legal obligations when processing personal information.
The Treasury is a data controller for the purposes of the Data Protection Act 2018 and the GDPR and LED Implementing Regulations 2018.
Lawful basis for processing your information
The power to issue British passports is derived from the Royal Prerogative. On the Isle of Man, the Lieutenant Governor on behalf of the Crown formally exercises this.
On 14 August 1989, The Lieutenant Governor of the Isle of Man issued an Administrative Direction that determined the Isle of Man Passport Office in the Isle of Man may issue British passports, subject to the nationality and other conditions normally appertaining to the issue of passports, to the undermentioned persons:
- a person resident in the Isle of Man or
- a person who is born in the Isle of Man and who is resident in the United Kingdom; for example a student at University or
- a person whom His Excellency the Lieutenant Governor considers there are exceptional grounds for example a person born overseas to parents who were Isle of Man born, and were serving in the RAF or Navy at the time the child was born and the child was then brought up in the Isle of Man and went to University in the United Kingdom
The powers of the Lieutenant Governor do not extend to the issue of passports to British nationals resident overseas where the Royal Prerogative is exercised by the Home Secretary exclusively.
Personal data is processed lawfully under Article 6 (1) (c) and/or (e) of the Data Protection (Application of the GDPR) Order 2018 (SD 2018/0143) (the 'Applied GDPR')
Article 6 (1) (c) relates to the lawful processing of personal data for compliance with legal obligations to which the data controller is subject. Article 6 (1) (e) relates to the lawful processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
The Applied GDPR places restrictions on the processing of sensitive data known as Special Category Data. We will process Special Category data such as biometric, nationality and genetic data under Article 9 of the Applied GDPR. Biometric and nationality data is processed under Article 9 (2) (g) - substantial public interest.
Where customers have decided to voluntarily submit evidence of genetic relationships in support of an application it will be processed with the explicit consent of all parties under Article 9 (2)(a) consent.
Under Applied GDPR Schedule 2 Part 2 (6)(2d) – Substantial Public Interest Conditions. Tynwald, statutory and government purposes: The exercise of a function of the Crown, a Department or a Statutory Board.
How we gather your personal information
The personal information we hold about you is gathered when:
- You make an application for a passport
- You corroborate an applicant’s identity on a passport application
- You attend a passport interview. You may be asked to attend an interview to confirm your identity
- We require further information from you or a third party to support your application for a passport
- We receive information about a parental order, adoption or gender recognition certificate
- We require further information from you in connection with a passport, for example, if you apply for a birth, marriage or death entry to be corrected
How we use your information
Your information will be used to comply with our legal obligations or to carry out necessary tasks in the public interest, specifically, to enable us to:
- Verify your identity and nationality in order to make a decision on your passport application and assist in its delivery
- Decide whether to issue, refuse or withdraw a passport
- Verify information about your passport once it has been made
- Complete our response to any queries or comments you may have
- Improve our customer services
- Information will be recorded as part of dealing with any applications or queries you make – for example, case notes on how we make a decision on your passport application
Your data can also be used to help prevent and detect crime, provide statistical analysis and to assist with the training of Passport Officers.
When using our website, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally. See our cookies policy for more information.
Your data could also be used as follows:
You may be contacted about the services we offer and to get your opinion about how such services should be run in the future. Customer research companies appointed by the Isle of Man Passport Office to carry out surveys on our behalf may contact you.
Training and Assurance
We may use your personal information when training our staff – primarily when training those conducting interviews or dealing with customers over the telephone. We will also review your personal information as a necessary part of conducting audits to ensure that our staff are carrying out their duties effectively and in accordance with the law.
Testing our systems
We prefer to use 'dummy' or anonymised data for testing our IT systems but exceptionally, we may need to use some of your personal information to assist in testing our systems effectively where no other reasonable alternative exists. In such circumstances, we ensure that the security and integrity of your data is not put at risk.
In order to review the effectiveness of our services, we will collate information to measure and judge our performance. Wherever possible, we will use anonymised data to achieve this but some of your personal information may be involved in conducting such analysis where no reasonable alternative exists.
The data provided in applications may also be used to identify fraud patterns and develop fraud risk indicators. Passport photographs submitted with passport applications may be compared against other passport photographs to prevent and detect identity fraud and may be shared with other agencies to fulfil their aims and objectives where there is a legal gateway to do so.
Customer Service Messaging
We may contact you directly to request further information about your application, remind you that your passport is due to expire, or ask you about the services we provide.
In some cases, we will send you a text, email or letter acknowledging receipt of an application, confirming successful completion of an application or to confirm an appointment, when you have provided us with a mobile telephone number or email address. We may also attempt to send you a text, email or letter to remind you when your passport is ready for collection or reaching the end of its validity.
Images in Publications and Projects Data subjects that volunteer or give permission to the Isle of Man Passport Office to use their photographs in publications or projects will be asked for.
consent to use their image. Consent is provided under Article 6 (1) (a) of the Applied GDPR and data subjects can withdraw consent at any time.
What personal information is held on your passport
Your passport will contain the following personal information:
- Passport number
- First name(s)
- Date of birth
- Place of birth
- Digitised image (photograph)
- Signature (if recorded digitally)
Your personal information and digitised image are located on the personal details page of the passport. The page is in two parts. The upper part is for visual inspection, while the lower part consists of two lines of print which can be read by special passport-reading equipment at immigration controls – it contains no additional information compared to what is listed on the page already. It simply repeats this information in a way that can be easily read by such equipment. Depending on how old your passport is, it will either contain a digitised image of your signature or you would have been required to sign your passport upon receipt.
In 2006, the Isle of Man Passport Office introduced the e-passports, which include a chip. The chip stores your digitised image and the personal information printed on the personal details page of your passport, there is no personal information held on the chip that you cannot see already.
Once information has been placed on the chip, it cannot be amended. When the chip is being read by passport reading equipment, the information on the chip is protected against third parties reading the information from a distance (known as 'eavesdropping' or 'skimming') by an advanced digital encryption technique.
How we share your information
The Isle of Man Passport Office has an obligation to check and verify the information you provide in your application. This may include checks of publicly available information but in some cases, where it is necessary and relevant, information you provide may be shared with third parties.
This will only be done where there is an obligation to do so in accordance with Her Majesty's Isle of Man Passport Office policy. We will do this to allow us to:
- process and make a decision on your application
- verify the information and documentation you have provided is correct
- help prevent and detect crime (for example fraud, immigration offences)
- Third parties include, for example:
- UK Home Office
- law enforcement agencies
- fraud prevention agencies
- the countersignatory you named on your application
- people linked to your passport application e.g. your partner/family
- people who can verify the information in your application
- UK Home Office
The Isle of Man Passport Office may also share data with other government departments, law enforcement agencies and local authorities to help fulfil their aims and objectives.
Information shared with third parties may not be used for any other purpose other than that which it was lawfully and proportionally requested.
We may need to seek guidance from legal advisers or Her Majesty’s Passport Office to process your application. In some cases, your personal data may be disclosed, but this will be limited to that which is necessary in the particular circumstances.
We will tell you as far as possible if we make a disclosure of your personal data to a third party unless advising you would, or would be likely, to prejudice a crime prevention matter, or the regulatory activities of the recipient or as set out in Article 23 of the Applied GDPR.
- Law enforcement agencies to help prevent and detect crime
- For employment purposes in order to confirm the identity and immigration status of potential employees
- Facilitate passport and consular services overseas
- Financial services to prevent or detect fraud
- Other government agencies to help fulfil their aims and objectives
Data sharing will only take place where there is a lawful basis that permits the data sharing to occur.
Your data may be checked against information from other organisations to prevent or detect crime. If you deliberately give untrue or misleading information to the Isle of Man Passport Office, you could be prosecuted.
Information transferred outside of the Isle of Man
The Isle of Man Passport Office may share information with overseas law enforcement agencies such as Interpol or UK Home Office staff overseas for the purpose of preventing, investigating and prosecuting crime and fraud overseas and in the UK.
The Isle of Man Passport Office may contact applicants, or the persons you have chosen to corroborate your identity who may be located outside of the Isle of Man, directly by email, text, phone or post. The Isle of Man Passport Office cannot assure the integrity of communications or IT systems, which do not form part of the Isle of Man Passport Office services or those of its business partners.
Who has access to your personal information
The Isle of Man Passport Office does not share data unless it is lawful, proportionate and relevant to do so.
As part of our operational processes, your personal information will only be available to those who have a need to see it in order to carry out their duties. We have put in place a range of policies, processes, and system controls in order to enforce this principle. Staff who have access to personal information are subject to Pre-Employment vetting appropriate to their role and are subject to random audit and review.
A number of organisations are contracted by or subject to agreement with Treasury to deliver Isle of Man Passport Office services. To do this, they will often handle your personal data on our behalf and under our instructions. These organisations, as 'data processors', conduct the following work:
Isle of Man Post Office
They provide the scanning service of paper applications for the Passport Office. Also the dispatch and delivery of British passports on the Island and any supporting passport documents where a secure delivery service has not been requested.
Printing passports where an application has been approved by the Isle of Man Passport Office.
Delivering Isle of Man passports to addresses in the UK. FedEx are the data controllers for the customer data they process on our behalf. FedEx may contact customers by email, text or phone call regarding the delivery of your passport.
The Foreign, Commonwealth Development Office Services Supply and maintain the current passport issuing system for full validity passports.
Used to process payments for passport applications.
Supply and maintain the passport issuing system used to issue the 12-month temporary passports.
How we protect your information
We have a duty to safeguard and ensure the security of your personal information. We do that by having systems and policies in place to limit access to your information and prevent unauthorised disclosure.
Staff who access personal information must have appropriate security clearance and a business need for accessing the information, and their activity is subject to audit and review. The Isle of Man Passport Office will:
- keep your information safe and secure in line with our retention periods
- only share your information as detailed above
- only ask for what is needed
Your information will not be used for any purpose that is not connected to your passport application. Get more details on data protection for individuals including how to request your information or how to complain about how your data has been handled.
Where your personal data is held
Databases hosting passport records are located in the Isle of Man and with Her Majesty’s Passport Office.
Our IT systems are subject to security oversight and review in compliance with agreed government standards. A record held in other formats such as paper or microfiche are similarly subject to oversight and review.
Where you have applied for a passport, the information gathered will be destroyed at different times based on the information in question and how long it is necessary to keep it. Such information may be retained for longer where the application was refused or it is required for the purpose of the prevention or detection of crime.
Information about passport deliveries are ordinarily retained for three months for Isle of Man deliveries in order to address any subsequent queries from customers and to retain evidence of delivery or attempted delivery. Such information may be retained for longer where it is required for the purpose of the prevention or detection of crime.
Records of what passports have been issued and the key information included on such passports are kept for 80 years on the Isle of Man and UK databases.
Such information may be retained for longer where the application was refused or it is required for the purpose of the prevention or detection of crime.
If your information falls within records that have been selected for permanent preservation as part of the Isle of Man’s National Archive, under the Public Records Act 1999, your personal data will be retained for longer.
How long your data is kept for
- Passport Application in paper form with any documents given in support: Paper application including photograph and any copies of any relevant supporting documents are retained no longer than 6 months after the application has been scanned as an image to internal systems
- Scanned copy of paper passport applications: 30 Years from date of issue of passport
- Electronic Passport records held on Passport System Main Index): Retain for 80 years from date of issue
- Failed/withdrawn passport applications: Up to 6 months from date of application
- LS01 form (paper): Retained for 28 days once scanned to HMPO database then destroyed
- Recovered passports sent to IOM Passport Office: If passport contains no evidence of fraud, it is cancelled on the passport system then physically and securely destroyed within 28 days If passport contains evidence of fraud, it is retained for duration of any subsequent criminal investigation
We keep our retention periods under review and will update this section should we make changes.
Your rights in relation to the processing of your personal data
You have the right to be told if the Isle of Man Passport Office holds any personal information about you. These are sometimes known as 'subject access' rights.
The Applied GDPR also gives you other rights about how your personal information is handled. We will help you exercise your data protection rights by complying with the Applied GDPR, including meeting your rights to:
- Request a copy of the personal information we hold about you, subject to a number of exceptions under data protection law
- The personal information will be provided to you in a clear form
- Make sure that the personal information we hold about you is accurate
- Ask for a correction if necessary and where legislation allows
- Expect that your personal information gathered during the passport process is never used for the purpose of direct marketing
- Expect processing of your personal information in a way that is likely to cause you damage or distress is prevented or ceased
- Ask that a decision which would significantly affect you should not be taken by automatic means
The Isle of Man Passport Office do not use automated decision making.
Exemptions to the right to subject access
There may be some cases where we do not provide you with all the information we hold about you. This occurs when some specific exemptions within the Isle of Man General Data Protection Regulation.
For example, we are allowed to refuse requests where providing personal information would be likely to:
- Prejudice the prevention or detection of crime
- Disclose personal information about another person
When we use an exemption set out in legislation, we will let you know about this in our response to your request.
Consideration will be carried out in accordance with the Guides to Information provided by the Information Commissioner’s Office.
Article 23 of the Applied GDPR lists the conditions under which EU member states can restrict the rights of data subjects set out in articles 5, 12 to 22 and 34, by legislative measures. Such measures would be to protect the rights and freedoms of others; for example, in relation to Safeguarding national and public security, enforcement of civil law claims, and protection of judicial independence, among others.
The Isle of Man Passport Office may restrict your right to information if doing so would be a necessary and proportionate measure to:
- avoid obstructing an official or legal inquiry, investigation or procedure
- avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties
- protect public security
- protect national security or
- protect the rights and freedoms of others
In such circumstances the Isle of Man Passport Office will notify you in writing of the following:
- what information has not been provided, and the reasons for this
- your rights of complaint to the Information Commissioner
This requirement to provide information about the exercise of the restriction does not apply if the Treasury decides this would undermine the purpose of applying the restriction. Because of the legal basis by which we process your data, your right to data portability does not apply.
Rectification and Erasure of Data and Restriction of Processing
The Isle of Man Passport Office will do its upmost to ensure it records accurately the information provided on applications.
Under Article 19 of the Applied GDPR, you have the right to obtain from the controller without undue delay, the rectification of inaccurate personal data concerning him or her.
If errors exist, applicants can contact the Isle of Man Passport Office to correct records. Evidence may be requested to support a request for change in order to reduce the risk of crime or fraud. The Isle of Man Passport Office may refuse to amend records where sufficient evidence is not available or where a request is not within its legal jurisdiction.
The personal data collected from applications is used to administer existing services, such as confirming the validity of passports or protecting individuals against fraudulent applications submitted in their identity. The erasure or restricted processing of data collected would have a disproportionate impact upon the ability of the Isle of Man Passport Office to carry out its core functions. However, there may be a number of legal or other official reasons why we need to continue to keep or use your data.
Our commitment to you
Our aim is to safeguard and manage your personal information and ensure that it is held safely and securely. This will ensure that we protect your personal identity and combat fraud and identity theft. We will do that by delivering policies and processes that meet the following key values:
We will provide clear and accessible information about how and why we gather, use, retain and share personal information as well as making customers aware of how to exercise their rights to access or amend their information.
Trusted and secure
We will ensure the security and accuracy of personal information, protecting it from loss or unauthorised disclosure. We will ensure that we manage this effectively, regularly monitoring and improving how our processes work. The overall security of processing is deemed sufficient to protect special category data including nationality, biometric (passport photos, etc.) and children’s data as described in Article 9 (2) (g) of UK GDPR.
Benefit to the citizen
We will ensure that our management of personal information delivers benefits to the law- abiding citizen, either as an individual (e.g. by helping people travel abroad or access a service) or as a member of society (e.g. by helping protect the public). We will only share personal information with others where there is provision in law to provide access to information.
We will only gather personal information needed for carrying out our duties. We will not keep it for any longer than is necessary, ensuring that it is only seen by those who need it to do their jobs. We will only share information with others where the law allows this and we will provide the minimum amount of information needed to achieve the benefit.
Value for money
We will ensure that we manage our data in a cost-effective way to ensure we deliver value for money to those who pay fees for our services.
How to get a copy of your personal information
Article 15 of the Applied GDPR provides for you have a right of access to your personal data and to check the accuracy of that data by making a Subject Access Request.
A subject access request can be made by contacting the Treasury Data Protection Officer (DPO) as follows:
In writing to:
Data Protection Officer
Government Office Buck's Road,
Douglas, Isle of Man,
By Email: DPO-Treasury@gov.im
By telephone: +44 1624 686791
Subject access requests must be responded to promptly and in any event within a maximum of 1 month.
Article 18 of the Applied GDPR provides for you to have the right to ask us to restrict our use of your personal information, for example, where the accuracy is in question, the processing is unlawful or we no longer need your data. There may however, be a number of legal or other official reasons why we need to continue to keep or use your data.
If you want to exercise these rights please write to us at the following address: DPO, Treasury, Government Office, Buck's Road, Douglas, Isle of Man, IM1 3PN.
You will need to provide us with a means of verifying your identity whether you submit a request in writing or verbally. The best way of doing this is to provide a copy of the biometric page of your passport. If you do not have a passport, we will accept a photocopy of your photo card driving licence or another form of official photo ID.
How to complain
Complaints about our processing
The Treasury seeks to meet the highest standards when collecting and using personal data. If you think that our collection or use of your personal data is unfair, misleading or inappropriate, please bring your concern to our attention.
The Information Commissioner
The Information Commissioner is the independent authority responsible for upholding the public's information rights and promoting and enforcing compliance with the Island's information rights legislation.
You have the right to request the Information Commissioner to undertake an assessment as to whether the processing of your personal data has been carried out in accordance with the provisions of the Isle of Man’s data protection legislation.
You also have the right to complain to the Information Commissioner’s Office about the way we handle your information or respond to your requests for access to your personal information or the exercise of your other rights under the Applied GDPR or any of the other data protection legislation in force on the Isle of Man.
Further information can be found on the Information Commissioner's website.
Changes to this Policy
Without notice the Isle of Man Government may necessarily update this privacy notice so you should check it regularly. Continuing to use the Isle of Man Government Website after a change has been made is deemed to be your acceptance of the change.