Privacy Policy


This privacy notice sets out the standards that you can expect from the CJSM Service when we manage or hold personal information ('personal data') about you; how you can get access to a copy of your personal data; and what to do if you think the standards are not being met.

CJSM, hosted by MoJ, provides a secure email platform for the safe transfer of information, including personal data. The CJSM service processes personal data for this purpose and so MoJ will not always be the Controller of the data flowing through the service.

The Ministry of Justice is the data controller for the personal information we collect and store about CJSM users. The Service collects and processes personal data, for purposes of maintaining and improving the administration of the Criminal Justice System Secure Mail Service in accordance with applicable data protection legislation. This may include the use of analytics to derive anonymous or aggregated statistics regarding the use of The Service.

The CJSM Terms & Conditions (issued to all users) provide general instructions about the service itself, to which all users must adhere. Service users will often be Data Controllers in their own right, with their own lawful basis for transacting data and information across the CJSM service. As such, service users must also comply with the relevant data protection legislation. In particular, they must ensure personal data is processed lawfully when using the Service.

About personal information

Personal data is information about an individual. It can be a name, address or telephone number. It can also include information about online identifiers, cookies and IP addresses.

We know how important it is to protect customers' privacy and to comply with data protection laws so data should only be disclosed where it is lawful to do so, or with the consent of the data subject.

Purpose of processing and the lawful basis

CJSM users must be able to justify and demonstrate that the case for lawful processing via the service has been made out if challenged. MoJ, as service hosts, provide the service on the understanding that users have the appropriate lawful basis for transacting emails / data.

Personal data processed via the secure CJSM platform may be for criminal law enforcement purposes and/or for general data processing. For MoJ purposes, the most relevant lawful basis for processing will be:

In the case of General Processing (non-criminal law enforcement)

  • GDPR Article 6(1)(c) necessary for compliance with a legal obligation to which the controller is subject;
  • GDPR Article 6(1)(e) necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;

And for Special Categories of Data:

  • GDPR Article 9(2)(c) vital interests, (f) the establishment, exercise or defence of legal claims, and (g) where processing is necessary for reasons of substantial public interest.

Where CJSM users rely on these articles as the lawful basis for the processing via the service, they will have their own legal basis, set out in legislation, or by clear common law or prerogative power for transacting the data over CJSM. The legal basis must be clear, precise and foreseeable to the user, either for a specific purpose or in pursuit of an overall task.

In the case of Law-Enforcement (criminal) Processing

  • DPA 2018 (Part.3) Section.35(2) the processing of personal data is based on law, and either:
    (a) the data subject has given consent to the processing, or;
    (b) the processing is necessary for the performance of a task carried out for that purpose by a competent authority.

And for Special Categories of Data:

  • As required by DPA 2018 (Part.3) Section.35(3), CJSM users must further have a lawful basis under 35(4) requiring consent and an appropriate policy document, or; under 35(5) where the processing is strictly necessary for the law enforcement purpose, meets a Schedule 8 condition and an appropriate policy document is in place.

There may also be circumstances where an Appropriate Policy Document is not required which is for the CJSM user to justify if challenged.

Who the information may be shared with

We sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we will comply with all aspects of the data laws. The organisations we share your personal information with are:

  • Egress (Supplier)
  • Bulletproof (in the form of protective monitoring logs)
  • Other CJSM users (CJSM user details will appear in the CJSM webmail portal directory)

Retention period for information collected

The following data retention policies apply to the CJSM Service:

  • Backups of mailboxes are retained for 36 hours
  • Directory and SQL data retained for 30 days
  • System logs are retained for 6 months
  • Message tracking logs for 1 year
  • Applications (Approvals or Rejections) are retained permanently
  • User and Organisation Data is retained while they are active, and then soft deleted.

Access to personal information

You can find out if we hold any personal data about you by making a 'subject access request'. If you wish to make a subject access request please contact:

Offender and ex-offenders
Branston Registry,
Building 16, S & T Store,
Burton Road,
DE14 3EG

All others
Disclosure Team,
Post point 10.38,
102 petty France,

When we ask you for personal data

We promise to inform you why we need your personal data and ask only for the personal data we need and not collect information that is irrelevant or excessive;

  • You can withdraw consent at any time, where relevant;
  • You can lodge a complaint with the supervisory authority;
  • Protect it and make sure no unauthorised person has access to it;
  • Only where appropriate and necessary share it with other organisations for legitimate purposes;
  • Make sure we don't keep it longer than is necessary;
  • Not make your personal data available for commercial use without your consent; and
  • Consider your request to correct, stop processing or erase your personal data.

You can get more details on

  • Agreements we have with other organisations for sharing information;
  • Circumstances where we can pass on personal information without telling you, for example, to help with the prevention or detection of crime or to produce anonymised statistics;
  • Our instructions to staff on how to collect, use or delete your personal information;
  • How we check that the information we hold is accurate and up-to-date;
  • How to make a complaint; and

For more information about the above issues, please contact the MoJ Data Protection Officer;

102 petty France,

For more information on how and why your information is processed please see the information provided when you accessed our services or were contacted by us.


When we ask you for information, we will keep to the law. If you consider that your information has been handled incorrectly, you can contact the Information Commissioner for independent advice about data protection. You can contact the Information Commissioner at:

Information Commissioner's Office
Wycliffe House,
Water Lane,
SK9 5AF,

Tel: 0303 123 1113

CJSM organisations and users understand the conditions on which connection has been granted as set out in the CJSM Terms and Conditions and that the conditions are ongoing and cover any continuous use of the CJSM service. The consequences of failing to comply with the CJSM Terms and Conditions may result in access to the CJSM service being suspended or terminated.