For customers and stakeholders
Privacy Notice
Who we are
This Privacy Notice describes how the United Kingdom Accreditation Service Limited and the Clinical Pathology Accreditation (UK) Limited (in this Privacy Notice, “UKAS Group”) collect and use personal data. It applies to (prospective) customers (including delegates attending public training courses) and (potential) stakeholders of UKAS Group.
- References to “us”, “we”, “our” or “UKAS Group” are to: United Kingdom Accreditation Service Limited, a company registered in England and Wales (company number 03076190); and the Clinical Pathology Accreditation (UK) Limited (company number 02675095), both with registered address at 2 Pine Trees, Chertsey Lane, Staines-Upon-Thames, Middlesex, England, TW18 3HR, United Kingdom.
- The UKAS Group acts as data controller in respect of your personal data that we process. Our Privacy and Data Compliance Officer is Georgia Alsop. If you have any questions about this Privacy Notice and how we use your personal data, please get in touch with us via the contact details below:
Post: Georgia Alsop, Privacy and Data Compliance Officer at United Kingdom Accreditation Services Limited, 2 Pine Trees, Chertsey Lane, Staines-Upon-Thames, TW18 3HR
E-mail: [email protected]
Telephone: +44 (0) 1784 429000
- This Privacy Notice supersedes any previous Privacy Notice. We may update this Privacy Notice from time to time to ensure that it remains accurate. If we do so, we will provide you with an updated copy of this notice as soon as reasonably possible.
- This Privacy Notice was last updated on: 23 May 2018.
What data do we collect?
The personal data that we collect will depend on your relationship with us. Please see below for detailed information regarding the types of information we collect and use about you.
Customers / prospective customers:
- Name, business address, job title, e-mail address, telephone number, and (if applicable) employer name;
- Business CVs provided by customers which may contain personal details such as home address;
- Details of qualifications & training records;
- Details of education (dates & name of institution);
- Names of personal referees as shown on CVs (position, home address and phone);
- Qualifications certificates and number reference which may contain pictures and an individual’s date of birth;
- Opinions on competence; and
- Occasionally we receive Customer case files. Any personal data in these files is generally anonymised but sometimes does contain personal data.
Delegates (customers) attending public training courses:
- Name, address, phone numbers, employer name (if applicable);
- Passport details for the purposes of arranging travel or issuing visitation letters where relevant;
- Information about disability, medical conditions, allergies in order to facilitate the course.
Stakeholders / potential stakeholders:
- Name, employer, address, email, job title.
Who do we collect your data from?
We collect your personal data:
- Directly from yourself via the information you provide to us;
- From your company/employer;
- From third parties, such as:
  - Accreditation Scheme owners
  - Credit referencing agencies
  - Regulatory bodies
  - Lead generation companies and mailing houses
- Publicly available sources, such as:
  - Social media sites such as LinkedIn, Twitter and YouTube
  - Web searches
How do we collect your data?
We collect your personal data:
- Face to face when you meet us;
- Via regular mail (in writing);
- By telephone (including call recording);
- By e-mail;
- Via website registration;
- Via customer onboarding or application;
- Via the internet.
What are the purposes and legal grounds for using your data?
We collect and use your personal data for a number of different purposes:
- To prepare a proposal for you regarding the services we offer;
- To provide you with the services as set out in our Standard Terms of Business and our contract with you or as otherwise agreed with you from time to time;
- To undertake any conformity assessment services we provide to you;
- To deal with any complaints or feedback you may have or are involved with;
- To meet our compliance and regulatory obligations and as required by tax authorities or any competent court or legal authority;
- For marketing to you. Please see the separate section on Marketing below;
- Training and performance monitoring of our staff;
- For the administration and management of our business, including but not limited to organising public training courses, recovering debts and archiving or statistical analysis;
- Seeking advice on our rights and obligations, such as where we require our own legal advice.
For each purpose we must have a legal ground for such processing. In respect of your personal data, the legal grounds we rely on are:
- Our performance of a contract with you;
- Us having an appropriate business need to use your data, and such need does not overly prejudice you;
- You having given your explicit consent for us to use your personal data;
- Us having a legal or regulatory obligation to use your data; and
- The necessity to use your data to establish, exercise or defend our legal rights.
Who do we share your data with?
We may share your personal data with our internal teams/departments via internal reports and via access to central IT systems.
We also disclose your personal data to the third parties listed below:
- Group companies;
- Contractors (to carry out conformity assessments);
- Third parties whom we engage to assist in delivering the services to you, such as IT providers, data storage providers, payroll suppliers and public relations advisers;
- Agents, advisers, intermediaries you advise us to share your data with;
- Our professional advisers where it is necessary for us to obtain advice and assistance, such as lawyers, accountants, auditors;
- Our Peer Evaluators where it is necessary for us to meet our obligations as the UK National Accreditation Body;
- Debt collection agencies and credit referencing agencies; and
- Relevant accreditation scheme owners, regulatory authorities or law enforcement agencies, subject to your agreement via a waiver of confidentiality.
Your rights
Under the GDPR you have certain rights in relation to the personal data that we hold about you. You may exercise these rights at any time by contacting us using the contact details set out further below in this section.
Please note that in some cases we may not be able to comply with your request because of our own obligations to comply with other legal or regulatory requirements. However, we will always respond to any request you make and if we cannot comply with your request, we will tell you why.
Your rights are:
The right to access your data
You are entitled to a copy of the personal data we hold about you and certain details of how we use it. Your information will usually be provided to you in writing, unless otherwise requested, or where you have made the request by electronic means, in which case the information will be provided to you by electronic means where possible. Subject to certain circumstances, there will not be a charge for dealing with these requests. We have created a Subject Access Request form to assist you making your request, which is available on request.
The right to rectification
We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.
The right to erasure
In certain circumstances, you have the right to ask us to erase your personal data.
The right to restriction of processing
In certain circumstances, you are entitled to ask us to stop using your personal data.
The right to data portability
In certain circumstances, you have the right to ask that we transfer any personal data that you have provided to us to another third party of your choice.
The right to object to marketing
You can ask us to stop sending you marketing communications at any time.
The right to withdraw consent
For certain uses of your personal data, we will ask for your consent. Where we do this, you have the right to withdraw your consent to further use of your personal data.
The right to lodge a complaint with the ICO
You have a right to complain to the Information Commissioner’s Office (ICO) if you believe that any use of your personal data by us is in breach of applicable data protection laws and regulations. Making a complaint will not affect any other legal rights or remedies that you have.
Marketing
We may also use your personal data to provide you with information about services we provide which may be of interest to you where you have provided your consent for us to do so. This information may include alerts, newsletters and invitations to events or functions. We will communicate this to you in a number of ways including by post, telephone, email or other digital channels.
We are committed to only sending you marketing communications that you have clearly expressed an interest in receiving. If you wish to unsubscribe from marketing communications sent by us, you may do so at any time by contacting us in one of the following ways:
- By registered post – Georgia Alsop, Privacy and Data Compliance Officer at United Kingdom Accreditation Services Limited, 2 Pine Trees, Chertsey Lane, Staines-Upon-Thames, TW18 3HR
- By e-mail – [email protected]
- By unsubscribing on our website
What is our approach to international data transfers?
Some of the third parties we share personal data with (as set out in this Privacy Notice), may be located outside the UK. In those circumstances, please note that your personal data will only be transferred outside the UK on one of the following bases:
- the country that we send the personal data to is approved as providing an adequate level of protection for personal data;
- the recipient has entered into standard data protection clauses with us, which is one of the safeguards we can use for sending data outside the UK; or
- you have explicitly consented to such transfer by emailing UKAS ([email protected]).
Where we transfer data outside the UK and we are relying on standard data protection clauses we will ensure that we undertake a transfer risk assessment before such transfer is made to ensure the relevant protections in the UK GDPR are not undermined in respect of your data.
Please contact us if you require further information about this, including if you would like a copy of the applicable adequacy decision or standard data protection clauses.
How long do we keep your data?
We will only retain your personal data for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations. Please contact us if you would like further information regarding the periods for which your personal data will be stored.
What we do to safeguard your data
UKAS is committed to protecting your privacy. Our staff use mobile devices, such as laptops and mobiles that are encrypted. Where we outsource our Information Technology and Communications infrastructure and business systems, we use providers that are ISO/IEC 27001 compliant. We also regularly commission an independent penetration testing provider to confirm the security of our systems, policies and procedures. Our staff receive periodic training on data protection and all our contracts with third parties include relevant confidentiality and data protection provisions.
Please see UKAS’ Security Statement for further information on data security.