External privacy notice
Purpose
This privacy notice explains what personal data we process and how we will use it.
Scope and applicability
This notice applies to visitors, website users, job applicants, members of the public and representatives of organisations that ONR deal with.
ONR employees, workers and contractors should refer to ONR's Internal Privacy Notice.
This notice is formed of two parts:
- Part one provides general information which we must tell everybody.
- Part two provides further information depending on the reason we process your personal information, and who the processing applies to.
Further information
Part One - General information
Part Two - The reasons we process personal data
- Part two – The reasons we process personal data
- Visitors to our website - Cookies
- Managing your consent
- Visitors to our offices
- Raising a concern
- Report bad practices as a whistleblower
- Vetting for industry
- Other points to be aware of in relation to NSV
- Data from third parties
- Being or have been investigated by us for a criminal offence
- Reporting an incident to us
- Public consultations
- Apply for a job or secondment
- Contact the Communications Team - Media enquiries
- Attend an event, seminar or workshop
- Subscribe to our e-newsletter/e-bulletin
- Making an information request
- Communicate with us as a business
- We are inspecting your business
- Legitimate Interests
Part one – General information
The first part of the notice is information we need to tell everybody. In this notice, 'DPA 2018' refers to the Data Protection Act 2018 and 'UK GDPR' refers to the United Kingdom General Data Protection Regulation.
Data Controller and Data Protection Officer
The Office for Nuclear Regulation (ONR) is registered as a Data Controller with the Information Commissioner's Office (ICO) under registration number ZA044386.
A Data Controller decides why, when, what and how personal information will be used.
The ONR Data Protection Officer (DPO) is Charlotte Cooper.
How to contact us
There are many ways you can contact us, including by phone, email, and post. These contact details should be used for all queries to ONR, including any queries you may have about how we use your personal information. Alternatively, you can also contact the DPO direct.
Our postal address:
Office for Nuclear Regulation
Building 4 Redgrave Court
Merton Road
Bootle
L20 7HS
Please mark your envelope 'FAO Data Protection Officer'.
Our email address:
Your data protection rights
Your right of access
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which mean you may not always receive all the information newe process.
Your right to rectification
You have the right to ask us to rectify information that is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing
You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests.
Your right to data portability
You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you in electronic form. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.
If we are processing your information for criminal law enforcement purposes, your rights are slightly different. Please see the relevant section of the notice.
We have one month to respond to you. You are not required to pay any charge for exercising your rights. We may, in exceptional circumstances only, apply a fee for accessing your personal information.
Please contact us at dataprotection@onr.gov.uk if you wish to make a request.
How we get your information
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- You have made a complaint or enquiry to us.
- You have made an information request to us.
- You wish to attend, or have attended, an event.
- You subscribe to our e-newsletter/e-bulletin.
- You have applied for a job or secondment with us.
- You are representing your organisation.
We also receive personal information indirectly, in the following scenarios:
- We have contacted an organisation about a complaint you have made, and they give us your personal information.
- Your personal information is contained in reports of breaches of data protection law ('breach reports') given to us by organisations.
- A complainant refers to you in their complaint correspondence.
- Whistleblowers include information about you in their reporting to us.
- We have gathered personal information as part of a regulatory investigation or intervention.
- From other regulators or law enforcement bodies.
- An employee of ours gives your contact details as an emergency contact or a referee.
Service adjustments
As a public authority and a provider of services to the public, we have a legal duty to comply with the Equality Act (2010).
This means we need to make service adjustments for anyone with a disability who contacts us in any capacity, to eliminate any barriers to accessing our services.
Our lawful basis for processing this information is article 6(1)(c) Legal Obligation of the UK GDPR. Our processing of special category data, such as health information, will be based on article 9(2)(a), which means we need your consent.
We'll create a record of your adjustment requirements. These will give your name, contact details and type of adjustment required, along with a brief description of why it is required. Relevant staff can access this to ensure they are communicating with you in the required way.
How long we keep your data
We will retain your personal data for as long as is necessary for the purpose it was collected, or if we are processing your personal information on the basis of your consent, until such a time that you withdraw your consent. All personal information held by ONR is stored within secure electronic systems or secure locations for physical records. Access to personal information is limited to ONR staff based on business need only, with permission levels being reviewed and updated regularly.
ONR operates a Business Classification Scheme and Disposal Schedule which tells us how long we can keep your information for the purpose it was collected for. At the end of the retention period, your personal information will be disposed of securely.
Sharing your information
We will not share your information with any third parties for the purposes of direct marketing.
We use data processors to provide elements of services for us. We have contracts in place with our data processors.
This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct them to do so. They will ensure secure destruction or transfer to ONR of any personal information as appropriate.
In some circumstances we are legally obliged to share information. For example, under a court order or where we cooperate with other European supervisory authorities in handling complaints or investigations.
We might also share information with other regulatory bodies in order to further their, or our, objectives, and for the purposes of law enforcement. In any scenario, we'll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.
Automated decision making
If we use automated decision making it is described in Part 2 of this notice, under the relevant processing description.
Links to other websites
Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the websites you visit.
Children's information
We do not provide services directly to children or proactively collect their personal information. However, we are sometimes given information about children while handling a complaint or conducting an investigation. The information in the relevant parts of this notice applies to children as well as adults.
This notice has been written in plain language, so it is easy to understand.
Part two – The reasons we process personal data
Visitors to our website - Cookies
The ONR website, and the following subdomains, all use Google Analytics to allow us to measure how the website is used and to improve the service.
ONR subdomains:
Users have to provide consent to enable these analytics cookies.
Managing your consent
Our preferences management tool can be accessed by the 'C' in the bottom right of your screen.
Visitors to our offices
ONR has three sites: Bootle; Cheltenham; and London. We meet visitors at our head office, including:
- dignitaries
- external training providers
- job applicants
- suppliers and tradespeople
- stakeholders
- event attendees
All visitors to our sites must be allocated with a visitor pass by the building operator (as detailed below). If your visit is planned, we will share your name and visit information with reception staff (provided by the building operator) so that a visitor pass can be allocated. You must wear a pass throughout your visit.
All visitors are required to sign in and out at reception and show a form of ID. The ID is for verification purposes only, ONR does not record this information.
The purpose for processing this information is for security and safety reasons.
The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.
Any CCTV used in our offices is not operated by us, so we are not the controller. Please refer to the relevant building landlord.
- Redgrave Court, Bootle – CBRE operate the reception and security desk. CBRE Privacy Notice
- St James House, Cheltenham – Savills manage the building. Savills Privacy Notice
- Windsor House, London – Government Property Agency (GPA) manage the building. GPA Personal Information Charter and Data Privacy Notice
Raising a concern
Purpose and lawful basis for processing
Our purpose is to regulate the nuclear industry in line with our statutory duties under the Energy Act 2013, including inspection and investigation activities.
The lawful basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.
If the information you provide us in relation to your complaint contains special category data, such as health, religious or ethnic information the condition we rely on to process it is UK GDPR article 9(2)(g) Substantial Public Interest, and DPA 2018 Schedule 1 part 2(6) Statutory and Government purposes.
What we need
We need information from you to investigate your concern properly, so our complaint forms are designed to prompt you to give us everything we need to understand what's happened.
When we receive a complaint from you, we'll set up a case file. This normally includes your contact details and any other information you have given us about the other parties in your complaint.
What we do with it
We will use your personal information to investigate, and if necessary, act upon your complaint . We compile and publish statistics showing information like the number of complaints we receive, but not in a form that identifies anyone.
No third parties have access to your personal information unless the law allows them to do so. If you don't want information that identifies you to be shared with the organisation you have raised a concern about, we'll try to respect that. However, it is not always possible to handle a concern on an anonymous basis so we'll contact you to discuss this.
If you are acting on behalf of someone making a complaint, we'll ask for information to satisfy us of your identity and if relevant, ask for information to show you have authority to act on someone else's behalf.
Please refer to the section 'How long we keep your data?'
What are your rights?
We are acting in our official capacity to investigate your complaint, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
Please refer to the section 'Your data protection rights.'
Report bad practices as a whistleblower
Purpose and lawful basis for processing
Our purpose is to regulate the nuclear industry in line with our statutory duties under the Energy Act 2013, including inspection and investigation activities.
The lawful basis we rely on to process your personal data is UK GDPR article 6(1)(e), which allows us to process personal data when this is necessary to perform our public tasks as a regulator.
If the information you provide us in relation to your report contains special category data, such as health, religious or ethnic information the condition we rely on to process it is UK GDPR article 9(2)(g), Substantial Public Interest and DPA 2018 Schedule 1 part 2(6), Statutory and Government purposes.
What we need
We need enough information from you to investigate your protected disclosure to us, including any evidence you have to support it.
When we receive a disclosure from you we'll set up a case file containing the details. This normally includes your identity, contact details and any other information you have given us about individuals involved in the disclosure. We will treat the information you provide confidentially.
You can contact us anonymously if you prefer but your details will not be given out when we progress your disclosure, unless you give your permission.
What we do with it
We'll treat the information you provide as confidential and won't disclose it without lawful authority.
If possible, we'll give you feedback about any action we take as a result of your disclosure. However, this feedback will be restricted. We also have a duty of confidence to the organisations we regulate. We are legally prevented from sharing much of the information we hold about them.
We compile and publish statistics showing such information as the number of complaints we receive, but not in a form that identifies anyone.
Please refer to the section 'How long we keep your data?'
What are your rights?
We are acting in our official capacity to investigate your complaint, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
Please refer to the section 'Your data protection rights.'
Vetting for industry
Information we obtained as you have applied for or hold a Baseline Personnel Security Standard (BPSS) or National Security Vetting (NSV) clearance for employment in the regulated civil nuclear industry.
This notice applies to all previous & current NSV applications processed by ONR and UK Security Vetting or its predecessor DBS (Defence Business Services).
Joint data controller arrangements
For the purposes of National Security Vetting, ONR is a Joint Data Controller with UKSV, which is part of the Cabinet Office. Additionally, the Security Service is also a Joint Data Controller for the associated checks of Security Service records. The UK National Security Authority (UK NSA) is also Joint Data Controller for the purpose of completing required checks.
UKSV is the sole service provider for carrying out the checks supporting the National Security Vetting (NSV) process but the decision on whether to grant a security clearance is taken by ONR as the Vetting Authority for the regulated Civil Nuclear industry.
Therefore, if you wish to exercise your rights under data protection legislation, you can choose to contact either ONR's Data Protection Officer, or our counterparts in the UKSV, the Security Service, or the UKNSA.
- Security Vetting Service Contact Details and Privacy Notice: The UKSV Privacy Notice
- The Security Service Contact Details and Privacy Notice: Security Service is a data controller for NSV in respect of the check of Security Service records.
Should you be granted clearance and subsequently move to another post requiring NSV and there is a change of Vetting Authority, the new Vetting Authority may review your clearance and associated checks against the particular security risks that organisation faces.
- UK National Security Authority Contact Details and Privacy Notice: The UK National Security Authority Privacy Notice
Purpose and lawful basis for processing
ONR solely, and jointly with UKSV when carrying out NSV, may process your personal data and that of anyone you name on your application, by virtue of our statutory duties under the Energy Act 2013, Part 13 and in the exercise of official authority vested in ONR under Regulation 9, 17 and 22 of the Nuclear Industries Security Regulations 2003 (NISR).
The lawful basis we rely on to process your personal data is UK GDPR Article 6(1)(e), which allows us to process personal information when this is necessary to perform our public tasks as a regulator. We rely on UK GDPR Article 9 (2) (b) under our obligations as an employer for processing special category data.
Why we need it
ONR will process the personal data for the purpose of making a decision on a BPSS application or an application for an NSV clearance, including any on-going aftercare that may exist or arise. NSV is necessary and proportionate to safeguard the UK's national security. We may also process the data for ancillary purposes, for example, to facilitate an appeal to the Security and Vetting Appeals Panel (SVAP), to fulfil legal and regulatory requirements or, in an anonymised way for business monitoring and planning.
The categories of personal data and what we do with it
Personal data will be processed as described in the 'Statement of HM Government Personnel Security and National Security Vetting Policy', which is included in the NSV questionnaires and as an annex to the document 'Personnel Security Controls '. The categories of personal data processed are described in those documents.
How we protect your personal data and who we share it with
Personal data collected and processed for NSV is very strictly controlled and protected by a high level of physical, cyber and personnel security measures.
NSV personal data is kept separate from other personal data and access is only provided for the purpose of NSV and with those with a 'need to know', such as the ONR decision maker, UKSV, public authorities which maintain criminal records databases and the Security Service.
Personnel data collected and processed for the confirmation of an internationally held Personnel Security Clearances (PSC) will be shared with the UK National Security Authority (NSA).
Please refer to the section 'How long we keep your data?'
What are your rights?
Under data protection law, you have rights we need to make you aware of.
The rights available to you depend on our reason and the lawful basis for processing your personal information.
Please refer to the section 'Your data protection rights.'
Other points to be aware of in relation to NSV
International data transfers and international organisations
As described above, for important reasons of public interest and national security, it may be necessary for UKSV on behalf of ONR to seek information from referees some of whom may be from international organisations, located in countries where the UK Government has not issued an adequacy decision to confirm that it considers the country provides an adequate level of data protection.
Where the sponsor organisation is an international organisation, for example NATO, or where your clearance is to work for a contractor overseas, we will inform the organisation or contractor whether your clearance is granted, refused or withdrawn. Confirmation of any internationally held Personnel Security Clearances (PSC) will be sought via the UK National Security Authority (NSA).
Decisions based on automated processing
NSV decisions are not based solely on automated processing, including profiling. The decision whether to grant or refuse security clearance is taken individually by ONR's personnel security risk owner.
Failure to provide data
You are required to provide the personal data requested as part of NSV in order to obtain the security clearance necessary for your role, which will be either a contractual requirement or necessary for employment within the regulated civil nuclear industry. If you do not provide the requested data, we will be unable to grant you security clearance and this may impact on your employment.
Data from third parties
Conducting NSV
To conduct the various checks that form part of NSV, it may be necessary to share some of your personal data with the relevant check provider so that they may provide further personal data to us. We only share the minimum amount of personal data necessary to enable the provider to perform the check. In most cases this is limited to basic identifying information (such as your name or date of birth) to ensure that the provider performs the check on the correct individual.
To perform the component NSV checks and reach a security clearance decision, ONR will have access to your data from:
- Your employing department or company (to request access to relevant personnel records)
- Public authorities which maintain criminal records databases
- The Security Service
- Credit reference agencies
- Referees (e.g. supervisors, character and academic referees)
- As the personnel security risk owner, (and to enable us to make a decision on your suitability to hold security clearance or so that we can specify any risk mitigation measures conditional for your clearance), third party personal data may be processed as a result of these checks. For example, this might be details of a referee provided to UKSV.
Being or have been investigated by us for a criminal offence
Purpose and lawful basis for processing
Our purpose is to regulate the nuclear industry in line with our statutory duties under the Energy Act 2013, including inspection and investigation activities.
We investigate and prosecute individuals and organisations for alleged criminal offences committed under the legislation we regulate. Where we are not the competent authority we work in liaison with relevant competent authorities for Law Enforcement such as The Health & Safety Executive and The Police.
We rely on GDPR Article 6 (e), task in the public interest and DPA 2018, Schedule 1, Part 2, Substantial Public Interest Conditions (10) Preventing or Detecting Unlawful Acts and (12) Regulatory requirements relating to unlawful acts.
ONR is the competent authority for the transport of radioactive material (Class 7 dangerous goods) by road, rail and inland waterways within Great Britain for the purpose of Part 3 of the DPA 2018 which applies to the processing of personal data by such authorities for law enforcement purposes. In this case we rely on Schedule 8 1(a) and (b) of the Data Protection Act 2018 to process sensitive personal data.
What we need
When we investigate an alleged criminal offence, we'll compile information and evidence about it. This will include information about the alleged offender(s), investigators, witnesses and informants.
Why we need it
In our role as a regulator, we need to establish whether the legislation we oversee has been breached, so that we can take legal action if appropriate. So, we'll gather relevant information about you to do this.
What we do with it
We will only use your personal information to see whether the legislation has been breached, and for prosecution purposes if we have evidence of a breach.
In some circumstances we may share your personal information with other law enforcement agencies/regulators during an investigation.
If we proceed to take legal action, we'll share this information with our legal counsel, the courts and any co-defendants and their legal representatives.
When we take enforcement action, we may publish the defendant's identity in our Annual Report or in the media. Usually, we do not identify any complainants unless the details have already been made public.
Please refer to the section 'How long we keep your data?'
What are your rights?
If we are processing your data under The DPA 2018 Part 3 your rights are defined in DPA 2018 Part 3, Chapter 3 and we will apply those requirements to any request you make.
Please refer to the section 'Your data protection rights.'
Do we use any data processors?
Yes – we may use external legal counsel for court proceedings.
Reporting an incident to us
Purpose and lawful basis for processing
Our purpose is to regulate the nuclear industry in line with our statutory duties under the Energy Act 2013, including inspection and investigation activities.
The lawful basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.
If the information provided to us in relation to an incident contains special category data, such as health information or medical treatment, the condition we rely on to process it is UK GDPR article 9(2)(g) Substantial Public Interest, and DPA 2018 Schedule 1 part 2(6) Statutory and Government purposes.
What we need
We need information from you to review the incident, therefore the form to notify us of an incident is designed to prompt you to give us the minimal amount of personal data to enable us to understand what has happened whilst ensuring we do not collect excessive personal data.
When we receive a notification from you or other parties, we'll set up an incident notification number. This normally includes your contact details and any other information you, or the other party, have provided about the incident.
What we do with it
We will use your personal information to review, and if necessary, act upon the incident. We compile and publish statistics showing information like the number of incidents we receive, but not in a form that identifies anyone.
No other parties have access to your personal information unless the law allows them to do so. If you don't want information that identifies you to be shared with the organisation where the incident took place, we'll try to respect that. However, it is not always possible to act upon a notification of an incident on an anonymous basis.
If you are acting on behalf of someone else, we'll ask for information to satisfy us of your identity and if relevant, ask for information to show you have authority to act on that persons behalf.
Please refer to the section 'How long we keep your data?'
What are your rights?
We are acting in our official capacity to investigate an incident, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
Please refer to the section 'Your data protection rights.'
Public consultations
Purpose and lawful basis for processing
We will undertake Public Consultations because the law requires it, or as part of our duties as a regulator. ONR is required to consult with the statutory consultation bodies (including the appropriate environmental agency and local highway and planning authorities). During this consultation period ONR may receive responses from members of the public and other groups with an interest in the environmental aspects of a proposed decommissioning project.
The consultation process will require the storage and processing of personal data in order to demonstrate consultation responses have been recorded and reflected in ONR's Pre-Application opinion and consent decision.
The lawful basis for the processing of personal data as part of the consultation is therefore provided by the following articles of GDPR:
- GDPR Article 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject.
- GDPR Article 6(1)(e) processing is necessary for the performance of a task carried in the public interest or in the exercise of official authority vested in the controller.
What we need
ONR store consultation comments from members of the public. The personal data collected will include and be limited to:
- Name
- Email address (home or other postal address if an email address is not provided)
- Comments
Why we need it
ONR needs to gather and store the personal information of individuals who provide comments during an EIADR consultation in order to demonstrate that they have been recorded and considered in the pre-application opinion (PAO) or EIADR assessment, and also the contact details of members of the public in order to notify them that the PAO report, or Project Assessment Report (PAR) detailing its decision on the EIADR consent has been published.
What we do with it
ONR provides the licensee with copies of consultation responses throughout the consultation process, these will be anonymised and will not include personal information of those who have provided comments. Personal information is stored to enable ONR to contact respondents if necessary.
Please refer to the section 'How long we keep your data?'
What are your rights?
We process personal data in our capacity as a regulator, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
Please refer to the section 'Your data protection rights.'
Apply for a job or secondment
Purpose and lawful basis for processing
Our purpose for processing this information is to assess your suitability for a role you have applied for.
The lawful basis we rely on for processing your personal data is UK GDPR article 6(1)(b) processing necessary to perform a contract or to take steps at your request, before entering a contract. The condition we rely on to process any information you provide as part of your application which is special category data, such as health, religious or ethnic information is article 9(2)(b) of the GDPR, which also relates to our obligations in employment and the safeguarding of your fundamental rights and article 9(2)(h) for assessing your work capacity as an employee. And DPA 2018 Schedule 1 part 1(1) and (2)(a) and (b) which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.
What will we do with the information you give us?
We'll use all the information you provide during the recruitment process to progress your application with a view to offering you an employment contract with us, or to fulfil legal or regulatory requirements if necessary.
We'll use the contact details you give us to contact you to progress your application. We'll use the other information you provide to assess your suitability for the role.
What information do we ask for, and why?
We do not collect more information than we need to fulfil our stated purposes and will not keep it longer than necessary.
The information we ask for is used to assess your suitability for employment. You don't have to provide what we ask for but it may affect your application if you don't.
Application stage
If you use our online application system, your details will be collected by a data processor on our behalf (please see below).
We ask you for your personal details including name and contact details. We'll also ask you about previous experience, education and for answers to questions relevant to the role. Our recruitment team will have access to all this information.
You will also be asked to provide equal opportunities information and information relating to your socio-economic background [including parental occupation]. This is not mandatory – if you don't provide it, it won't affect your application. We won't make the information available to any staff outside our recruitment team, including hiring managers, in a way that can identify you. Any information you provide will be used to produce and monitor equal opportunities statistics.
Shortlisting
When our hiring manager shortlists applications for interview, they will not be provided with your name or contact details or with your equal opportunities information if you have provided it.
Assessments
We may ask you to participate in tests; complete occupational personality profile questionnaires; attend an interview; or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes.
You will be required to provide proof of identification and any qualifications you have told us about in support of your application. We will take a photocopy of this information and only retain it upon an offer of employment.
Conditional offer
If we make a conditional offer of employment, we'll ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We must confirm the identity of our staff and their right to work in the United Kingdom, and seek assurance as to their trustworthiness, integrity and reliability.
You must therefore provide:
- Your address, contact details, marital status, gender, nationality, national insurance number, work permit details if necessary (via Shared Services Connected Limited) (SSCL Privacy Notice)
- a criminal records declaration to declare any unspent convictions (via the Disclosure and Barring Service) (Disclosure and Barring Service Privacy Notice)
- We'll contact your referees, using the details you provide in your application, directly to obtain references
- We'll also ask you to complete a questionnaire about your health to establish your fitness to work.
- We may also ask you to complete a Personal Protective Equipment (PPE) order form if it is necessary for your role.
If we issue a contract of employment, we'll also ask you for the following:
- bank details (via Shared Services Connected Limited)
- emergency contact details – so we know who to contact in case you have an emergency at work
- any membership of a Civil Service Pension scheme – so we can send you a questionnaire to see whether you are eligible to re-join your previous scheme.
Or we'll provide your information to our partnership pension provider if you don't want to join the Civil Service Pension scheme.
Before or just after appointment
Some roles with in ONR require a National Security Vetting (NSV) this will be clear on the advert or job description (or both).The ONR HR Personnel Vetting team will set you up with an account on the United Kingdom Vetting Service (UKSV) on-line application portal, and issue you with guidance to access this and for completing the application process.
Secondments
We also offer opportunities for people to come and work with us on a secondment basis. We accept applications from individuals or organisations who think they could benefit from their staff working with us.
Applications are sent directly to us. Once we have considered your application, if we are interested in speaking to you further, we'll contact you using the details you give.
We may ask you to provide more information about your skills and experience or invite you to an interview.
If you are seconded to us, you will be expected to adhere to a confidentiality agreement and code of conduct, which will be agreed with your organisation.
We may also ask you to complete our pre-employment checks or to obtain security clearance via the National Security Vetting process – both of which are described in this notice. Whether you need to do this will depend on the type of work you will be doing for us.
We ask for this information so that we fulfil our obligations to avoid conflicts of interest and to protect the information we hold.
Apprenticeships
We sometimes advertise and recruit apprentices through apprenticeship providers. In some circumstances, the provider will complete certain aspects of the recruitment process on behalf of ONR.
Please refer to the section 'How long we keep your data?'
How we make decisions about recruitment
Final recruitment decisions are made by a recruitment panel. We take account of all the information gathered during the application process.
Do we use any data processors?
We use Hireserve to operate our online application system and to produce anonymised management information about campaigns.
We sometimes advertise and recruit staff members through recruitment agencies.
For permanent recruitment we sometimes contact a number of agencies via the Crown Commercial Service framework RM6229 or RM6290, or ESPO.
We sometimes recruit interim staff via the recruitment framework, RM6277, which is hosted by Crown Commercial Services. Further details are available via Non Clinical Staffing - CCS (crowncommercial.gov.uk)
We currently use the following agencies:
Please refer to the section 'How long we keep your data?'
Contact the Communications Team - Media enquiries
Purpose and lawful basis for processing
Our purpose for collecting this information is so we can respond to you and give you information about the legislation we oversee in order for you to publish.
The lawful basis we rely on for processing your personal data is public task, under UK GDPR article 6(1)(e).
What we need
We need enough information from you so we can respond to you. We'll take your name and number/contact email address and, where relevant, the name of the organisation you represent.
Why we need it
We need to keep a record of who we have spoken with and what has been asked for/provided. If we can't answer your query/request over the phone, we'll need your contact information for our response.
What we do with it
We'll only use your personal information to respond to you and will make a record of our communications with you, both verbal and written.
We'll also use your contact information to send you our press releases.
Please refer to the section 'How long we keep your data?'
What are your rights?
We are acting in our official capacity as a regulator in providing you with press releases and responding to media enquiries. This means you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
You can ask us to stop sending you press releases at any time, and we'll update our records immediately to reflect your wishes.
Please refer to the section 'Your data protection rights.'
Do we use any data processors?
Yes, we use Vuelio to manage stakeholder contacts. Find out more about how Vuelio collects and stores your information
Attend an event, seminar or workshop
Purpose and lawful basis for processing
Our purpose for collecting this information is so we can facilitate the event and provide you with an acceptable service.
The lawful basis we rely on for processing your personal data is your consent under UK GDPR article 6(1)(a). When we collect any information about dietary or access requirements, we also need your consent under article 9(2)(a)) as this type of information is classed as special category data.
What we need
We need your personal information to facilitate the event; to provide our delegates with an exceptional service; and to communicate with delegates. If you wish to attend one of our events, you will be asked to provide your contact information including your organisation's name and, if offered a place, information about any dietary requirements or access provisions you may need. We may also ask for payment if there is a charge to attend.
Why we need it
We use this information to facilitate the event and provide you with an acceptable service. We also need this information so we can respond to you.
What we do with it
If you are not successful in securing a place, we'll let you know and hold your details on a reserve list in case a place becomes available.
If you are allocated places at an event, we'll ask for information about any dietary/access requirements. We don't share this information in any identifiable way with the venue, and we delete it after the event.
We do not publish delegate lists for events and we will not confirm your attendance with a third party without your permission.
Please refer to the section 'How long we keep your data?'
What are your rights?
We rely on your consent to process the personal data you give us to facilitate the event. This means you have the right to withdraw your consent at any time. If you do that, we'll update our records immediately to reflect your wishes.
Please refer to the section 'Your data protection rights.'
Do we use any data processors?
No
Subscribe to our e-newsletter/e-bulletin
Purpose and lawful basis for processing
Our purpose for collecting the information is so we can provide you with a service and let you know about upcoming events.
The lawful basis we rely on for processing your personal data is your consent under UK GDPR article 6(1)(a).
What we need
Your name and email address.
Why we need it
We use your email address to send you our E-newsletter.
What we do with it
We only use your details to provide the service.
We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter.
You will receive a confirmation email once you have submitted your details and then the newsletters monthly.
Please refer to the section 'How long we keep your data?'
At the end of the retention period, your personal data will be disposed of securely.
What are your rights?
We rely on your consent to process the personal data you provide to us for marketing purposes. This means you have the right to withdraw your consent, or to object to the processing of your personal data for this purpose at any time. If you do that, we'll update our records immediately to reflect your wishes.
Please refer to the section 'Your data protection rights.'
Do we use any data processors?
Yes - we use Forfront Limited (e-shot™) to manage subscription lists, preferences and send emails.
Making an information request
Purpose and lawful basis for processing
Our purpose for processing your personal data is so we can fulfil your information request to us.
The lawful basis for this is UK GDPR article 6(1)(C), which relates to processing necessary to comply with a legal obligation to which we are subject.
If any of the information you provide us in relation to information request contains special category data, such as health, religious or ethnic information the condition we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights. And DPA 2018 Schedule 1 part 2(6) which relates to statutory and government purposes.
What we need and why we need it
We need information from you to respond to you and to locate the information you are looking for. This enables us to comply with our legal obligations under the legislation we are subject to:
- UK General Data Protection Regulation
- Data Protection Act (2018)
- Freedom of Information Act (2000)
- Environmental Information Regulations
What we do with it
When we receive a request from you, we'll set up an electronic case file containing the details of your request. This normally includes your contact details and any other information you have given us. We'll also store on this case file a copy of the information that falls within the scope of your request.
If you are making a request about your personal data, or are acting on behalf of someone making such a request, then we'll ask for information to satisfy us of your identity. If it's relevant, we'll also ask for information to show you have authority to act on someone else's behalf.
We'll use the information supplied to us to process your information request and check on the level of service we provide.
If the request is about information we have received from another organisation – regarding a complaint, for example – we'll routinely consult the organisation/s concerned to seek their view on disclosure of the material.
We may need to share your information with a regulatory or law enforcement agency. For example, in the event that you raise a concern with the Information Commissioner's Office.
We compile and publish statistics showing information such as the number of requests we receive, but not in a form that identifies anyone. In addition, we publish our responses to requests for information received under the terms of the Freedom of Information Act and the Environmental Information Regulations in an anonymised format.
Please refer to the section 'How long we keep your data?'
What are your rights?
You have a right to access your personal data held by or for us. You also have a right to get inaccurate data rectified and incomplete data completed, and for your personal data to be erased in certain circumstances.
Please refer to the section 'Your data protection rights.'
Do we use any data processors?
No – we do not use data processors for the above.
Communicate with us as a business
Purpose and lawful basis for processing
We hold the names and contact details of individuals acting in their capacity as representatives of their organisations, across the business.
If this relates to interactions regarding our regulatory and other functions, the lawful basis is UK GDPR article 6(1)(e), which allows us to process personal data when this is necessary to perform our public tasks as a regulator.
If this relates to interactions outside of our regulatory and other functions, for example, you are providing ONR with a service, the lawful basis is UK GDPR article 6(1)(f), which allows us to process personal data when it is necessary for the purposes of our legitimate interests.
What we need
When we conduct an Inspection or an advisory visit, we'll take the name and contact details of your organisation's main point of contact. We may also take details of other staff members during the visit process.
When we communicate with you regarding our activities as a regulator, we may take the name and contact details of your organisation's main point of contact for the activity concerned. We may also take details of other staff members if appropriate.
Why we need it
We use the data collected to complete the inspection/advisory visit and evidence the information provided.
We may also use data collected to inform how we work as a regulator, strengthening further areas of good practice and identifying opportunities to improve ONR's performance.
What we do with it
We will publish the fact that we have conducted an inspection / advisory visit, but this will not contain any personal data. We may publish a summary of the audit we have completed with you, but this will not contain any personal data.
We may be required to share your personal information with relevant third parties, for example in the event that a crime has been committed or is suspected.
Please refer to the section 'How long we keep your data?'
What are your rights?
Please refer to the section 'Your data protection rights.'
Do we use any data processors?
ONR uses a data processor (Microsoft) for limited data processing.
We are inspecting your business
Purpose and lawful basis for processing
Our purpose for processing this information is to have a contact point at your organisation and to tell you the outcome of the visit.
The lawful basis we rely on to process your personal data is UK GDPR article 6(1)(e), which allows us to process personal data when this is necessary to perform our public tasks as a regulator.
What we need
When we conduct an inspection or an advisory visit, we will take the name and contact details of your organisation's main point of contact. We may also take details of other staff members during the visit process.
Why we need it
We use the data collected to complete the inspection/advisory visit and evidence the information provided.
What we do with it
We will publish the fact that we have conducted an inspection / advisory visit, but this will not contain any personal data. We may publish a summary of the audit we have completed with you, but this will not contain any personal data.
We may be required to share your personal information with relevant third parties, for example in the event that a crime has been committed or is suspected.
Please refer to the section 'How long we keep your data?'
What are your rights?
We process personal data in the visit information in our capacity as regulator, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
Please refer to the section 'Your data protection rights.'
Do we use any data processors?
ONR uses a data processor (Microsoft) for limited data processing.
Legitimate Interests
Because we may use photography and video for wider purposes than under our duties as a regulator, we collect and maintain a library of images under Article 6(1)(f), Legitimate Interest. For further information please read our separate Privacy Notice relating to promotional video and photography.
Responsibilities
The DPO is responsible for ensuring this Privacy Notice remains up-to-date and accurate, with advice from Information Asset Owners (IAOs) and ONR staff.
Implementation
This Privacy Notice is reviewed periodically.
Updates will be made immediately where there is any change to the processing of personal data.