Data protection and your rights

Published: 10 October 2023

Last updated: 27 October 2023

What countries does this apply to?

  • England
  • Scotland
  • Wales

How we share your data

Who we share your personal data with

Organisations acting on our behalf

We contract third-party organisations (suppliers) to process data on our behalf. We will only work with organisations that have equivalent or sufficient security in place to handle personal data, considering the sensitivity of the data. We will always have a contract or agreement in place with the supplier.

Where it is possible to disclose anonymised data we will do so. If personal data needs to be provided, we will only disclose the minimum required.

Suppliers that we use include:

  • System and software providers
  • Research agencies
  • Survey providers
  • Film companies
  • Copywriters
  • Event management platforms
  • Marketing platforms
  • Photo management platforms
  • Transcription service providers
  • External legal services
  • Building management companies
  • Auditors
  • Professional advisors or consultants

Organisations not acting on our behalf

We may need to share your personal data with other organisations that will use the data for their own purposes. For example, with a regulator or to otherwise comply with the law.

Sometimes, this will include joint working or data sharing arrangements, for example data sharing with government departments. In these cases, we will always have a data sharing agreement or other appropriate arrangement in place to protect your data.

Usually, we will not disclose information you have provided under our statutory powers to other organisations.

Organisations not acting on our behalf include:

  • Government Equalities Office
  • National Audit Office
  • HM Revenue and Customs
  • Barristers, advocates, advisors or other legal professionals
  • Courts
  • Other regulators
  • Parliamentary and Health Ombudsman
  • Scottish Public Services Ombudsman
  • Central and devolved governments
  • Prosecuting authorities
  • Local authorities
  • Family, friends or carers (e.g. in relation to a complaint)

If we become aware of issues relating to the statutory remit of other regulators, such as the Care Quality Commission, and disclosure to the regulator is in the public interest then we may share data about you with them.

We may also share data in other one-off circumstances such as providing information to the police to assist with their work to prevent or detect crime.

There are also circumstances where we are legally obliged to share information, for example if the courts require us to disclose information to them.

How long we keep your personal data

We will only keep your personal data for as long as is necessary.

For more information on how long we keep different types of records, refer to our retention schedule.

You can also contact our Data Protection Officer for further details on how long personal data is retained.

How we keep your personal data secure

We act appropriately to secure your personal data and protect it against unauthorised or unlawful processing, as well as against its accidental loss, destruction or damage. This includes ensuring both technical and organisational security measures are in place, including:

Technical security measures

  • using secure servers to store personal data
  • using technologies to encrypt data in transit and at rest
  • access permissions to restrict access only to staff that need it
  • providing access to the minimum personal data necessary
  • making the data anonymous, pseudonymised or unidentifiable whenever possible
  • regular security testing and assurance

Organisational security measures

  • having organisational policies and procedures in place to protect your personal data
  • ensuring staff handling personal data receive relevant training
  • ensuring formal agreements such as contracts or data sharing agreements are in place with other organisations that work with us and handle personal data
  • making sure we check suppliers have good security measures in place before working with them

Where your data is located

In most cases, your data remains within the United Kingdom or within the European Economic Area (EEA), which is recognised in UK law as having adequate safeguards in place to protect your data protection rights.

We may transfer your personal data to countries outside of the UK, the European Economic Area (EEA) and/or to an international organisation. If we do this, we will ensure that adequate safeguards are used to secure the data. These are detailed in our data protection policy.

Where organisations that we work with operate globally, or use services outside the UK or EEA, we will take reasonable steps to ensure that safeguards such as model contract clauses are in place to protect your personal data.

For information on data transfers to third countries through our use of cookies, please see our cookie policy.

Your rights

You have the following rights under data protection legislation in respect of your personal data:

  • You have the right to know how we handle, store, use or otherwise process your personal data (‘the right to be informed’).
  • You have the right to ask us for copies of your personal data (‘the right of access’).
  • You have the right to ask us to rectify data you think is inaccurate or to complete data you think is incomplete (‘the right to rectification’).
  • You have the right to ask us to erase your personal data where we do not have an overriding legal obligation or reason to retain it (‘the right to erasure’).
  • You have the right to ask us to restrict the processing of your personal data (‘the right to restriction’).
  • You have the right to object to the processing of your personal data (‘the right to object’).
  • You have the right to ask us to transfer data you gave us to another organisation on your behalf (‘the right to data portability’).

These rights are not absolute and are subject to a number of exemptions. Some rights may also apply only in certain circumstances.

Where you have provided your consent for us to process your personal data, you have the right to withdraw this consent at any time.

To exercise your rights or withdraw your consent, contact our Data Protection Officer.

You can find more information about your rights on the Information Commissioner's Office website.

