General enquiries :
+44 (0)20 7602 6000
Privacy Policy



This page tells you everything you need to know about how CACI protects your personal data and what your rights are in relation to your personal data.


CACI’s business essentially involves on the one hand, providing marketing services to UK and Global consumer brands via its Marketing Solutions Division (“MSD”), on the other hand providing IT solutions and services to private and public sector clients via its Information & Management Solutions Division (“IMS”). The MSD business involves the collection and processing of some personal data about the UK adult population, usually as the data controller, but on occasion as the data processor. The IMS business involves processing personal data for its private and public sector clients, as the data processor. CACI (as data controller) may also obtain your personal data in the context of business-to-business (B2B) marketing. You can find out more about what Marketing does with your data, what data we hold and how to opt out here.


The purpose of this Privacy Policy is to provide information about how CACI (both as data controller and as data processor) collects and/or uses your personal data (essentially, this means any information which identifies or could identify you as an individual, for example your address). Your rights in respect of your personal data are set out in data protection legislation
2.1. CACI as data controller  
We summarise below in our Glossary, how MSD collects and uses your personal data in order to build products such as OCEAN, ACORN and FRESCO, for which CACI is the data controller. These products help our clients better understand their customers and target their marketing more effectively. In general, our legal basis for processing such data is our legitimate interest for direct marketing purposes, which does not affect or harm the rights or freedoms of individuals. You can find out more about what MSD does with your data, what data we hold and how to opt out here.
2.2. CACI as data processor 
We also summarise when and how IMS and MSD handle/process personal data in order to provide a range of software, data services, consultancy and managed services to their clients, who will have their own legal basis for processing. 


3.1. CACI as data controller
Our MSD business division may collect information about you from publicly accessible data sources (such as the Edited Electoral Roll), commercially available data sources (such as lifestyle data or the Royal Mail’s PAF data), as well as open data sources such as the Office for National Statistics which publishes census data, and HM Land Registry. This information can include personal data such as your name, address, date of birth and/or data relating to properties such as house value, number of rooms and the neighbourhood in which you live. Please note that these data sources may change from time to time. 
In addition, in the context of B2B marketing, if you have previously engaged with CACI in the course of (or with a view to) buying our products or services, provided your business contact details to us and/or connected with CACI via social media, we may from time to time contact you by post, email and/or telephone with regards to products or services we think may be of interest to you. We will do so only in accordance with applicable law (PECR). You can find out more about what Marketing does with your data, what data we hold and how to opt out here.
3.2. CACI as data processor
Both our IMS and MSD business divisions may access, handle and/or process data provided to us by certain clients, as directed by them for the provision of services by CACI and as agreed in a contract with them. 


4.1.CACI as data controller
MSD uses the data sources referred to above, along with anonymous market research data to create profiles relating to probable lifestyles and demographic characteristics. We append these profiles to our clients’ customer records by matching to the names and addresses in the OCEAN database (sometimes we allow our resellers and clients to do this themselves). This allows our clients to gain more insight on the customers who use their products and services.
We also share this data with our digital partners, so they can match it to cookies they have collected which may be stored on your browser or device. Our partners use our data products combined with their own cookie based information to target digital and social advertising more effectively as well as using it for analytics, attribution and reporting purposes.
The type of profiling which CACI carries out does not result in any automated decisions being made about you that have a legal or significant effect. 
MSD has a range of clients in sectors such as financial services, not-for-profit, media and retail. Using our data products enables our clients:
  • To match their customer records against our profiles and thereby develop and target more relevant products, services and offers to you
  • To use the data to prospect for new customers using targeted, postal direct marketing 
  • To target their digital and social advertising more effectively
4.2.CACI as data processor 
The IMS support teams for CACI products such as CHILDVIEW, IMPULSE, CYGNUM, INVIEW and SYNERGY may at times be requested by a public sector client to process sensitive data/special categories of data, for the purposes of the client recording and reporting information to certain public authorities. Where CACI hosts the client’s data, it will be on a secure system and in accordance with the ISO 27001 standard. 
In addition, as part of the data services CACI provides to certain clients, the MSD teams process client data for the purposes of appending certain CACI variables or building segmentations.


If you apply for a role at CACI (whether directly or through a recruitment agency, job board or otherwise), we will collect certain personal data (which may include sensitive data/special categories of data) about you (for example, your name, address, employment history etc). We will do so solely for the purpose of ascertaining your suitability for the role in question. The legal basis for processing such personal data is our legitimate interest in connection with recruitment, which is balanced with your interests in applying for the role. Unless you give us your consent, we will not use this personal data for any other purpose and we will not keep your personal data for longer than six months. 


For further information on our cookie policy click here


We ensure that there are appropriate technical controls in place to protect your personal data. All our data is kept in secure servers in the UK. No personal data is transferred outside of the EEA (European Economic Area). 
We undertake regular reviews of who has access to any personal data information that we hold, to ensure it is only accessible by appropriately trained staff and contractors. CACI is certified to ISO 27001 standards.


You have the right to ask us to stop processing your personal data or, where relevant, to withdraw your consent. In order to do so, or if you would like us to remove or correct your data, or to understand what personal data we hold about you or where it comes from, please contact us via the following email address:, or call us on +44 (0)20 7602 6000.
In addition, you may wish to register on the Mailing Preference Service (MPS) to ensure you do not receive any unwanted direct mail. 
You can also contact our Data Protection Officer:
Raj Afghan,
CACI Limited, Kensington Village,
Avonmore Rd,
W14 8TS
You also have the right to complain to the supervisory authority, which in the UK is the ICO (Information Commissioner’s Office).


Except for the purposes of complying with our legal obligations or for operational reasons, we will not hold onto your data for longer than is necessary. Any data that we consider is no longer needed is securely deleted. 


data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
data protection legislation means, from 25 May 2018, the EU General Data Protection Regulation and the UK Data Protection Act 2018 (once enacted); 
PECR means The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended (note that PECR will soon be replaced by the new EU ePrivacy Regulation); 
personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
sensitive data/special categories of personal data means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.


We may make changes to this Privacy Policy from time to time. We suggest you check this page regularly to see our most up-to-date Privacy 
This Privacy Policy was last updated in May 2018.