Dounreay Site Restoration Limited (DSRL) is committed to protecting the privacy and security of your personal information. This privacy notice sets out the standards you can expect from DSRL when we collect, hold or use your personal information.
We will treat all personal information in accordance with data protection legislation, including the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA).
We are registered as a Data Controller with the Information Commissioner’s Office (ICO). Our registration number is Z1280464. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
It is important that you read this notice, together with any other privacy notice we may provide when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
Our contact details
Data Protection Officer
Mark correspondence for the attention of ‘Data Protection Officer’
Data protection principles
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
- Relevant to the purposes we have told you about and limited only to those purposes
- Accurate and kept up to date
- Kept only as long as is necessary for the purposes you have been told
- Kept securely
What type of information we have
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymised data). There are certain types of more sensitive personal data (special category data) which require a higher level of protection, such as information about a person’s health or criminal convictions. We may collect, store, and use the following categories of personal information about you:
- personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
- date of birth
- marital status and dependents
- next of kin and emergency contact information
- National Insurance number
- bank account details, payroll records and tax status information
- salary, annual leave, pension and benefits information
- start date and, if different, the date of your continuous employment
- leaving date and your reason for leaving
- location of employment or workplace
- copy of driving licence and car insurance
- recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
- employment records (including job titles, work history, working hours, holidays, training records and professional memberships)
- CCTV images
Please note, the above list is not exhaustive.
We may also collect, store and use the following more sensitive types of personal data:
- information about your race or ethnicity, religious beliefs, sexual orientation and political opinions for equality and diversity monitoring purposes
- trade union membership
- information about your health, including any medical condition, health and sickness records etc
- details of any absences (other than holidays) from work including time on statutory parental leave and sick leave
- information about criminal convictions and offences
How did we get the information and why do we have it?
The most common reasons that we will hold your information are if you:
- are a current or previous DSRL employee or contractor
- previously applied or are in the process of applying for work with DSRL
- subscribe to DSRL newsletters or publications
- attended a DSRL hosted event or course
- visited DSRL offices recently
- applied for funding or a bursary
- have submitted an information request under the Freedom of Information Act 2000 or Environmental Information Regulations 2004 or made a Subject Access Request under the Data Protection Act
Again, this is not an exhaustive set of circumstances.
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- where we need to perform the contract we have entered into with you
- where we need to comply with a legal obligation
- where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests
We may also use your personal information in the following situations, which are likely to be rare:
- where we need to protect your interests (or someone else’s interests)
- where it is needed in the public interest (or for official purposes)
Please see the ‘Your data protection rights’ section for more information on withdrawing your consent.
What we do with the information
As previously stated, DSRL is the data controller of personal information held by DSRL for the purposes of GDPR. A data controller determines the purposes for which, and the way, any personal data is to be processed (either alone or jointly or in common with others). We therefore have the responsibility for the safety and security of all the data we hold.
We may have originally shared your data with third parties, including data processors who process data on DSRL’s behalf. We make sure that our data processors comply with all relevant requirements under data protection legislation. This is defined in the contractual arrangements. If this was the case, you can expect a similar degree of protection in respect of your personal information.
Change of purpose
We will only use your personal information for the purposes for which it was collected, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Do we need your consent?
We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent.
How we store your information
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Data Protection Officer.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We will only hold onto your personal information for as long as necessary to fulfil the purposes we collected it for. All records are retained and securely destroyed in accordance with our records retention schedule. Details of retention periods for different aspects of your personal information are available upon request. However, your information may be held beyond the specified retention periods where there is the potential for it to fall under the remit of ongoing government independent inquiries.
Your data protection rights
You have several rights in relation to your data. These are:
- the right to be informed when data are collected
- the right of access to your data
- the right to rectification of your data – to correct inaccurate or incomplete data
- the right to erasure of your data (except in certain circumstances) – we will delete your data if requested unless there is a legal obligation to process your data
- the right to restrict processing – we can retain as much data as is necessary to ensure the restriction is respected in the future
- the right to data portability – where possible, we can provide your information in a structured, commonly used, machine-readable form when asked
- the right to object to the processing of data – where you can object to the processing of data for direct marketing or research purposes
- rights in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention
You also have a right to withdraw any consent you may have given us to process your data and a right to lodge a complaint with the ICO. More details on these rights can be found below and on the ICO’s website.
How to complain
If you wish to make a complaint to DSRL about the way in which we have processed your personal information, please get in touch with the Data Protection Officer via the contact details supplied above.
If you remain dissatisfied with the response received, you have the right to lodge a complaint with the ICO. The ICO is the UK’s independent body set up to uphold information rights, and they can investigate and adjudicate on any data protection related concerns you raise with them. They can be contacted at:
Information Commissioner’s Office
0303 123 1113