Privacy Policy


This privacy notice describes the handling of all personal data we collect, or where DWI is the controller. This includes communications to DWI, whether in soft copy, hard copy or by telephone.

The purpose of this notice is to inform you about what information we collect; how this information is used; if it is disclosed and how we protect your privacy. This policy only relates to the personal data that DWI collects and processes, or otherwise controls. We are not responsible for external organisations that may link to DWI’s web pages. For more information concerning external agencies and stakeholders please visit the relevant privacy statement on their own web pages.

Who we are

The Drinking Water Inspectorate (DWI) is committed to the responsible handling and security of personal data. Your privacy is important to us and protected in law through the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA 2018). To comply with this legislation, we must provide you with information setting out how we process your personal data.

Our website address is:

What is personal data?

Personal data is data which identifies an individual directly or indirectly, in particular by reference to an identifier such as their name or a reference number.

Some personal data is more sensitive in nature and requires more careful handling. GDPR defines “special categories of personal data” which means data relating to a living person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning someone’s sex life or sexual orientation.

When will we collect your information?

The DWI may collect your personal data in a number of ways. Below are some examples

  • Visitors to our website
  • In response to queries you raise
  • Correspondence and other forms of contact with the DWI for general purposes
  • Correspondence and other forms of contact with the DWI in connection with the DWI’s statutory duties as the drinking water quality regulator, for example when a consumer contacts us because they are unhappy with their water supplier’s investigation into a drinking water quality concern.
  • Under certain circumstances, water suppliers provide consumer contact data to the DWI, for example if consumers have complained to their water supplier because of a drinking water quality problem. The DWI may contact affected consumers about the issue to obtain further information.
  • Data submitted by Local Authorities on private water supplies in their area
  • Job applicants and our current and former employees, liaison contacts, contractors and secondees.

For more information on how we handle staff and contractor data please see this separate Privacy Notice.

Why we use your information

We process your personal data in a number of ways in pursuance of our statutory duties as the regulator of public drinking water supplies in England and Wales to provide assurance that they are safe and acceptable to consumers.

Either this Privacy Notice or a separate specific Privacy Notice will be provided to inform you at the point of collection, the reason(s) we need your information, how your information is being collected what we will do with it and who we will share it with. In some cases, we may pass it on to our agents/representatives to do these things on our behalf. The purposes for the processing of your personal information depends on the category of contact you have made. You may be in more than one category, in which case the data you provide in each capacity (e.g. as a job applicant or complainant) is processed for the purpose that relates to the type of contact.

How and when we might share your personal data

We will only share any personal data with third parties as set out in this Privacy Notice or in a separate specific privacy notice. This can be for the purposes of our public tasks (as set out in legislation), sharing personal data with those who process information on our behalf, to comply with a legal requirement or in exceptional circumstances to protect individuals from harm or injury.

We may share your personal data with other departments in the Defra Group, such as the Environment Agency, other Government departments, other regulators and other public bodies, but only where this is necessary for the performance of tasks carried out in the public interest as permitted by legislation (Water Industry Act 1991).  For example with prosecuting lawyers in their role of supporting us when we suspect an offence has taken place under the Water Industry Act 1991 or the Water Supply (Water Quality) Regulations 2016 (England) as amended. Where personal data is provided in the form of a formal witness statement,  it may be made public during court proceedings.  Other personal data may be disclosed to the defence as unused material, as required by law.

Example: Where we are investigating a contact from a consumer who has raised a concern about the response from their water supplier regarding a drinking water quality concern, we will share personal data provided by the customer with the relevant water supplier for the purpose of investigating the matter.

Transfers of personal data outside of the UK, EU and EEA

We do not currently transfer any personal data outside of the EU or EEA.

Information processed through different media

Telephone calls

Telephone calls to and from the DWI are not currently recorded. We do have a voicemail system where messages for call back are received. Once the information has been retrieved for assigning to the relevant DWI Team, they are then deleted from the voicemail system. Callers to the DWI direct line (0330 041 6501) will hear an automated message and a link to this Privacy Notice before they continue their call.


Emails to DWI are normally received by our enquiries inbox ( Emails to our enquiry lines are recorded by name, in order for us to respond and deal with your query. When we respond on a new query for the first time, we will link to this Privacy Notice. Once your enquiry is complete, we will keep your details in accordance with our retention schedule.


When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.


Google’s privacy policy

Protecting your information

Our aim is not to be intrusive, and we will not ask irrelevant or unnecessary questions. The personal information you provide will be subject to rigorous measures and procedures to make sure that it cannot be accessed or disclosed to anyone who should not be able to access it.

How long will we keep data?

Public bodies retain information for various reasons, primarily to ensure accountability. When we no longer need personal data, arrangements are made to securely delete or destroy it. Retention periods are in line with statutory, regulatory, legal, security reasons or for their historic value. This will vary depending on the purpose of its collection, but usually for not more than five years.

How do I ask to see the data we hold about you?

You can ask to see what data we hold about you. This is called a ‘subject access request’. Send your written request to us at the email address below.

On receipt of your request we will acknowledge it and may ask for proof of your identity.

We will respond within one month, and exceptionally extend this by up to two months in complex cases. If we determine that the costs and or resources to provide you with all of the data requested, due to the volume, we may have to refuse your request or ask you to provide a contribution to meet these costs. When you ask to see information we hold it is helpful to include as much information as possible to help us find the data you want, for example, tell us the functions, schemes, or transactions and dates that you want to know about.

Can I withdraw my consent or request my personal data be deleted?

You have the right to request that (1) we no longer process your personal data and (2) request that we delete your personal data at any time. However, agreement may not be assumed as we may have to refuse your request should the data be required to comply with a legal obligation, performance of a contract or public interest task or exercise of official authority. We may also refuse for the purposes of public health purposes, exercise or defence of legal claims or archiving purposes in the public interest, scientific research, historical research or statistical purposes. Where this is the case and agreement is not required we will advise you of this. Prior to deletion we may anonymise and hold data for data analysis.

What are the consequences if I do not supply the requested personal data?

If you do not supply the requested personal data it is more than likely that the Service you are applying for or wish to use will not be available to you. This may have consequences in terms of non-compliance, for example not complying with specific legislation. We try to ensure that we only collect the minimum personal data that is necessary for us to offer the Service(s) to you.

How to contact us

For day to day use, please look to contact the team you are already communicating with. They are best placed to manage general enquiries or to update the accuracy of your data, or provide you with information. However, if they cannot help you, or you have a complaint about how your data is being handled, please use following contacts, making clear which right you wish to exercise:

To make a complaint about how your personal data has been handled please follow Defra’s complaints process.

To report a data breach contact the Defra Helpline on 03459 33 55 77 (UK) +44 20 7238 6951 (from outside the UK) or online.

For all other enquiries, for example to tell us your details are inaccurate or incomplete, to ask to see the data we hold about you, or to withdraw my consent or request my personal data be deleted, please contact the Defra Helpline:

Defra Helpline

Seacole Building
2 Marsham Street

Contact form

Telephone (UK only) 03459 33 55 77

Telephone (from outside the UK)+44 20 7238 6951

The quickest way to get a response is to call our Helpline which is open Monday to Friday 8:30am to 5pm (find out about call charges at Alternatively you can email us, or write to us at the postal address given above. We aim to reply to emails within fifteen working days.

If you’re unhappy with our response or if you need any advice you should contact the Information Commissioner’s Office (ICO) who are the supervisory authority:

Information Commissioner’s Office

Wycliffe House
Water Lane
0303 123 1113

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts. Should you wish to exercise that right full details are available on the Information Commissioner’s website.

Back to top