Introduction
Purpose
This privacy notice explains what personal data we process and how we will use it.
It describes how we collect and use personal information about you during and after your working relationship with us.
Scope and applicability
This notice applies to all ONR employees, workers, contractors, secondees, apprentices, and non-executive directors. This notice is formed of two parts:
- Part one provides general information about how we may use your personal data and how we protect your privacy.
- Part two provides further information depending on the reason we process your personal information.
This notice does not form part of any contract of employment or other contract to provide services.
Internal privacy notice
It is important that you read this notice, together with any other privacy notice that is provided on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
Contents
- Introduction
- Purpose
- Scope and applicability
- Internal privacy notice
- Part one – General information
- Data Controller and Data Protection Officer
- How to contact us
- Your data protection rights
- How is your personal information collected?
- Your duty to inform us of changes
- How long we keep your data
- Lawful basis for processing your personal data
- Special category data conditions
- Information about criminal convictions
- Automated decision making
- Data sharing
- Why might you share my personal information with third parties?
- Part two – Reasons why we process your personal data
- Information related to your employment
- Information related to your salary, pension and loans
- Information related to your performance and training
- Information related to your health and safety and other special category data
- Dosimetry services
- Other reasons we may process your personal data
- When might you share my personal information with other organisations within the Civil Service?
- What about other third parties?
- If you fail to provide personal information
- Responsibilities
- Implementation
Part one – General information
The first part of the notice is information we need to tell everybody. In this notice, ‘DPA 2018’ refers to the Data Protection Act 2018 and ‘UK GDPR’ refers to the United Kingdom General Data Protection Regulation.
Data Controller and Data Protection Officer
The Office for Nuclear Regulation (ONR) is registered as a Data Controller with the Information Commissioner’s Office (ICO) under registration number ZA044386. A Data Controller decides why, when, what and how personal information will be used. The ONR Data Protection Officer (DPO) is Charlotte Cooper.
How to contact us
You can contact us by email or post.
Our postal address
Office for Nuclear Regulation, Building 4, Redgrave Court, Merton Road, Bootle, L20 7HS.
Please mark your envelope ‘FAO Data Protection Officer’.
Our email address
Your data protection rights
You can read about your data protection rights in our External Privacy Notice, including your right to complain to ONR, or the Supervisory Authority.
How is your personal information collected?
We collect information from the following sources:
- Directly from you.
- From an employment agency.
- From your employer if you are a secondee.
- From referees, either internal or external, and/or former employers.
- From security clearance providers.
- From Occupational Health or other health providers.
- From Pension administrators and other government departments, for example tax details from HMRC.
- From your Trade Union.
- From our landlords, for the purpose of administering your staff identity card, visitor pass, car park pass, or access to CCTV footage.
- From providers of Staff Benefits.
We also collect personal information during job-related activities throughout the period of you working for us, for example, performance-related information.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
How long we keep your data
We will retain your personal data for as long as is necessary for the purpose it was collected, or if we are processing your personal information on the basis of your consent, until such a time that you withdraw your consent. All personal information held by ONR is stored within secure electronic systems or secure locations for physical records, with appropriate access controls.
ONR operates a Business Classification Scheme and Disposal Schedule which tells us how long we can keep your information for the purpose it was collected for. At the end of the retention period, your personal information will be disposed of securely.
Lawful basis for processing your personal data
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- Article 6(1)(a) where you have given us consent to do so
- Article 6(1)(b) which relates to processing necessary for the performance of a contract
- Article 6(1)(c) so we can comply with a legal obligation as your employer
- Article 6(1)(d) in order to protect your vital interests or those of another person
- Article 6(1)(e) for the performance of a task carried out in the public interest, or in the exercise of official authority vested in ONR
- Article 6(1)(f) for the purposes of our legitimate interest
Special category data conditions
Where the information we process is special category data, for example your health data, the additional bases for processing that we rely on are:
- Article 9(2)(b) which relates to carrying out our obligations and exercising your rights in employment and the safeguarding of your fundamental rights
- Article 9(2)(c) to protect your vital interests or those of another person where you are incapable of giving your consent
- Article 9(2)(f) for the establishment, exercise or defence of legal claims
- Article 9(2)(j) for archiving purposes in the public interest
In addition, we rely on the processing condition at Schedule 1 part 1 paragraph 1 of the DPA 2018. This relates to the processing of special category data for employment purposes. Our Appropriate policy for special category and criminal offence data for law enforcement purposes provides further information about this processing.
Information about criminal convictions
We process information about staff criminal convictions and offences. The lawful bases we rely on to process this data are:
- Article 6(1)(e) for the performance of our public task. In addition, we rely on the processing conditions at Schedule 1 part 1 paragraph 6(2)(a).
- Article 6(1)(b) for the performance of a contract. In addition, we rely on the processing condition at Schedule 1 part 1 paragraph 1.
Our Appropriate policy for special category and criminal offence data for law enforcement purposes provides further information about this processing.
Automated decision making
If we use automated decision making, it is described in the next section of this notice, under the relevant processing description. You can read about your rights and automated decision making in ONR’s External Privacy Notice.
Data sharing
If we transfer your personal information outside the UK we will do so in a way that complies with the law and the safeguards required.
Why might you share my personal information with third parties?
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you, where it is necessary for the performance of a task in the public interest or where ONR has a legitimate interest to do so. This will, in some circumstances, involve sharing special categories of personal data and, where relevant, data about criminal convictions/allegations. All service providers and data processors are required to take appropriate security measures to protect your personal information. We do not allow data processors to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our written instructions.
Part two – Reasons why we process your personal data
Information related to your employment
We use the following information to carry out the contract we have with you, provide you with access to business services required for your role and manage our human resources processes:
- Name, title, personal addresses, personal telephone numbers, and personal email addresses.
- Date of birth, gender and National Insurance Number.
- Marital status and dependants.
- Next of kin, emergency contact and death benefit nominee(s) information.
- Employment and educational history, including qualifications, job application, employment references, right to work information, and details of any criminal convictions that you declare.
- Full employment records for your ONR employment, including, where applicable, previous civil service records where you have maintained continuous civil service upon joining ONR (including contract, terms and conditions, job titles, work history, working hours, promotion, absences, attendances, training records and professional memberships).
- Evidence of how you meet the Public Service nationality rules and confirmation of your security clearance. This can include passport details, nationality details and information about convictions/allegations of criminal behaviour.
We use the following service providers to process personal data:
- SSCL - If you accept a final offer from us, some of your personnel records will be held on SOP, an HR records system, which is managed by SSCL (Shared Services Connected Ltd). SSCL also administer ONR’s payroll function.
- Hireserve - If you apply for another role at ONR you will be directed to the job portal provided by Hireserve.
- For senior vacancies, we sometimes advertise through Hays Recruitment. Hays will collect the application information and may ask you to complete a work preference questionnaire that is used to assess your suitability for the role; the results are assessed by recruiters. Information collected by Hays will be kept for 12 months after the end of our agreement with Hays.
- National Security Vetting (NSV) - For ongoing Vetting or changes in Vetting requirements we use the National Vetting Service.
- Landlords - Any CCTV and swipe cards used at ONR offices are not operated by us. They are under the control of the building landlord, as follows:
- Redgrave Court, Bootle – CBRE operate the reception and security desk - CBRE Privacy Notice
- St James House, Cheltenham – Savills manage the building - Savills Privacy Notice
- Windsor House, London – Government Property Agency (GPA) manage the building - GPA Personal Information Charter and Data Privacy Notice
Information related to your salary, pension and loans
We use the following information for the payment of your salary, pension and other employment related benefits:
- Information about your job role and your employment contract including: your start and leave dates; salary (including grade and salary band); any changes to your employment contract; working pattern (including requests for flexible working).
- Bank account details, payroll records and tax status information.
- Salary, annual leave, pension and benefits information.
- Location of employment or workplace.
- Relevant proof of identification to verify your identity and personal details (e.g., passport, driving licence)
- Compensation history.
We also process it for the administration of statutory and contractual leave entitlements such as holiday or maternity leave.
We use the following service providers to process personal data:
- MyCSP – if you are a member of the Civil Service Pension Scheme, of which we are a member organisation. New staff will be auto enrolled into the pension scheme. The details provided to MyCSP include your name, date of birth, National Insurance number and salary. Your bank details will not be passed to MyCSP at this time.
- Card Payments - Worldpay is a merchant services and payment processing provider offering a payment gateway for online transactions. Worldpay is used when making credit/debit payments to ONR. SSCL take payment details on behalf of ONR and share personal transaction details with Worldpay. For further information on how Worldpay process personal transaction data please see Worldpay’s Privacy Statement which can be found on Worldpay’s corporate website.
Information related to your performance and training
- Performance and appraisal information.
- Disciplinary and grievance information.
- Information which may cause a potential conflict of interest, or the perception of one, in the course of your employment with ONR, e.g. secondary employment, volunteering information, etc.
- Information about your use of our information and communications systems.
- Photographs, videos. Please read ONR’s privacy notice on promotional video and photography.
Information related to your health and safety and other special category data
- Health information, such as pregnancy notifications, medical conditions, absence records, occupational health reports and fit notes.
- Personal risk assessments, such as a pregnancy risk assessment if you are a new, expectant or breastfeeding mother, a Stress Recovery Plan if you are experiencing work-related stress, or Workplace Passports capturing reasonable adjustments.
- Health and safety related incidents, accidents or near misses that you or your manager have reported and which occurred during the course of your work.
We use the following service providers to process personal data:
- Health Partners Group are an occupational health service. Accessible with consent and via manager referral, they are used during the recruitment phase for pre-employment health checks and for staff in post, on a needs basis to provide professional advice to ONR on reasonable adjustments across the broad spectrum of medical conditions to support you to remain in work.
- Health Assured Limited are an employee assistance provider which is a source of confidential advice, support and where appropriate, counselling for staff, to support wellbeing at work.
- Cardinus Risk Management are a compliance risk management solutions company. They provide our DSE and Driver Training platforms, which enable the provision of training, self-assessment and a tool for capturing risk mitigation in these two areas.
Dosimetry services
- Information you have provided to enable ONR to provide you with a Dosimetry Service (issue, exchange and monitoring of an appropriate dosimeter).
- To monitor, and act upon if necessary, readings from your issued badge for the purpose of ensuring your radiation levels remain within permissible levels.
- For research purposes. ONR entered into a Data Sharing Agreement with Public Health England (PHE), now UKHSA, for the purposes of the National Registry of Radiation Workers (NRRW). Further information about the study and how your personal data is shared is available via the National Registry for Radiation Workers Privacy Notice.
We use the following service provider:
- UK Health Security Agency (UKHSA) is our approved dosimetry service provider. We share information with UKHSA to register you for a device, if required; and to monitor radiation levels.
Other reasons we may process your personal data
- Information you have provided regarding protected characteristics as defined by the Equality Act for the purposes of equal opportunities monitoring.
- Your responses to staff surveys, if this data is not anonymised.
- Business management and planning, including desk utilisation, accounting and auditing.
- To monitor your business and personal use of our information and communication systems to ensure compliance with our IT policies.
- To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
- To conduct data analytics studies to review and better understand employee retention and attrition rates.
- Dealing with Freedom of Information Act/Environmental Information Regulations requests
- To investigate possible or actual criminal offences or breaches of regulations as part of our statutory duties
- For use in internal communications and external channels (such as social media, website and corporate publications, including newsletters). Further details can be found in the separate privacy notice for promotional video and photography.
Some of the purposes will overlap and there can be several grounds which justify our use of your personal information. We will also collect, store and use the following "special categories" of more sensitive personal information:
- Information about your race or ethnicity, religious beliefs, sexual orientation.
- Information about your health, including any medical condition, health and sickness records.
- Information about criminal convictions/allegations and offences.
When might you share my personal information with other organisations within the Civil Service?
We will share your personal information with other Civil Service organisations as part of our regular reporting activities on departmental performance, in the context of a business reorganisation or restructuring exercise, for system maintenance support and hosting of data; business planning/talent management initiatives, succession planning, statistical analysis; and general management and functioning of the Civil Service. Personal data is also shared with the Office for National Statistics, mainly for statistical purposes.
What about other third parties?
If required, we will share your personal information with a regulator or to otherwise comply with the law.
If you fail to provide personal information
If you fail to provide certain information when requested, we will not be able to fully perform the contract we have entered into with you (such as paying you or providing a benefit), or we could be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
Responsibilities
The DPO is responsible for ensuring this Privacy Notice remains up-to-date and accurate, with advice from Information Asset Owners (IAOs) and ONR staff.
Implementation
This Privacy Notice is reviewed periodically. Updates will be made immediately where there is any change to the processing of personal data.