Personal information charter

When we need to handle personal information about you, this is how we look after that information.

NDA privacy notice

The Nuclear Decommissioning Authority (NDA) is committed to protecting the privacy and security of your personal information. This privacy notice sets out the standards you can expect from us when we collect, hold or use your personal information.

We will ensure that we will treat all personal information in accordance with data protection legislation, including the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA).

We are registered as a Data Controller with the Information Commissioner’s Office (ICO). Our registration number is Z9273030. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

It is important that you read this notice, together with any other privacy notice we may provide when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

Our Contact Details

Simon Tucker
Data Protection Officer
Nuclear Decommissioning Authority (NDA)
Herdus House
Westlakes Science & Technology Park
Moor Row
Cumbria
CA24 3HU

Email: dpo@nda.gov.uk

Data protection principles

We will comply with data protection law. This says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way;
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
  3. Relevant to the purposes we have told you about and limited only to those purposes;
  4. Accurate and kept up to date;
  5. Kept only as long as necessary for the purposes we have told you about;
  6. Kept securely.

What type of information we have

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymised data). There are certain types of more sensitive personal data (special category data) which require a higher level of protection, such as information about a person’s health or criminal convictions. We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
  • Date of birth;
  • Gender;
  • Marital status and dependents;
  • Next of kin and emergency contact information;
  • National Insurance number;
  • Bank account details, payroll records and tax status information;
  • Salary, annual leave, pension and benefits information;
  • Start date and, if different, the date of your continuous employment;
  • Leaving date and your reason for leaving;
  • Location of employment or workplace;
  • Copy of driving license and car insurance;
  • Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process);
  • Employment records (including job titles, work history, working hours, holidays, training records and professional memberships);

Please note, the above list is not exhaustive.

We may also collect, store and use the following more sensitive types of personal data:

  • Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions for equality and diversity monitoring purposes;
  • Trade union membership;
  • Information about your health, including any medical condition, health and sickness records etc.;
  • details of any absences (other than holidays) from work including time on statutory parental leave and sick leave; and
  • Information about criminal convictions and offences, including any criminal conviction information held outside of the UK.

How did we get the information and why do we have it?

Most of the personal information we collect and process is provided to us directly by you. The most common reasons that we will hold your information are if you:

  • are a current or previous NDA employee or contractor (see Employees privacy notice);
  • previously applied or are in the process of applying for work with NDA;
  • subscribe to NDA newsletters or publications;
  • attended an NDA hosted event or course;
  • visited NDA offices recently;
  • applied for funding or a bursary;
  • have submitted an information request under the Freedom of Information Act 2000 or Environmental Information Regulations 2004 (see Freedom of Information request privacy notice), or make a Subject Access Request under Data Protection Act 2018 Subject Access request privacy notice
  • have responded to a consultation document.

Again, this is not an exhaustive set of circumstances. The lawful basis for processing your personal data depends on the processing activity and we rely on the following lawful basis for processing your personal data under the UK Data Protection Act 2018/UK GDPR:

  • Article 6(1)(a) where we have your consent;
  • Article 6(1)(b) which relates to processing necessary for the performance of a contract;
  • Article 6(1)(c) so we can comply with our legal obligations as your employer;
  • Article 6(1)(d) in order to protect your vital interests or those of another person;
  • Article 6(1)(e) for the performance of our public task;
  • Article 6(1)(f) for the purposes of our legitimate interest. (In accordance with best practice a Legitimate Interests Assessment (LIA) will always be conducted when this lawful basis is used)

As part of our statutory and corporate functions we may also process special category and criminal conviction data under:

  • Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the NDA or the data subject in connection with employment, social security or social protection.
  • Article 9(2)(f) – for the establishment, exercise or defence of legal claims.
  • Article 9(2)(a) – explicit consent.
  • Article 9(2)(c) – where processing is necessary to protect the vital interests of the data subject or of another natural person.
  • Article 9(2)(h) – processing is necessary for the purposes of occupational medicine. Examples include occupational health referrals;
  • We process criminal offence data under Article 10 of the GDPR.

The Appropriate Policy Document, (Appendix 4 of the NDAs Data Protection policy) sets out how we protect special category and criminal convictions personal data.

Please see the ‘Your data protection rights’ section for more information on withdrawing your consent.

Cookies

Cookies are files saved on your phone, tablet or computer when you visit a website. We use cookies to store information about how you use the GOV.UK website, such as the pages you visit. It does not store any personal information and will not allow us to identify individual users.

Learn more about Cookies and how we store information about how you use the GOV.UK website

What we do with the information

As previously stated, the NDA is the data controller of personal information held by NDA for the purposes of GDPR. A data controller determines the purposes for which, and the manner in which, any personal data is to be processed (either alone or jointly or in common with others). We therefore have the responsibility for the safety and security of all the data we hold.

We may have originally shared your data with third parties, including data processors who process data on our behalf. We make sure that our data processors comply with all relevant requirements under data protection legislation. This is defined in the contractual arrangements. We may have also transferred your personal data outside of the EU. If this was the case you can expect a similar degree of protection in respect of your personal information.

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

How we store your information

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Data Protection Officer.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

We will only hold onto your personal information for as long as necessary to fulfil the purposes we collected it for. All records are retained and securely destroyed in accordance with our records retention schedule. Details of retention periods for different aspects of your personal information are available upon request. However, your information may be held beyond the specified retention periods where there is the potential for it to fall under the remit of ongoing government Independent Inquiries.

Your data protection rights

You have a number of rights in relation to your data. These are:

  • the right to be informed when data is collected;
  • the right of access to your data;
  • the right to rectification of your data - to correct inaccurate or incomplete data;
  • the right to erasure of your data (except in certain circumstances) - we will delete your data if requested unless there is a legal obligation to process your data;
  • the right to restrict processing - we can retain as much data is necessary to ensure the restriction is respected in the future;
  • the right to data portability - where we can, where possible, provide your information in a structured, commonly used, machine readable form when asked;
  • the right to object to the processing of data - where you can object to the processing of data for direct marketing or research purposes;
  • rights in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.

You also have a right to withdraw any consent you may have given us to process your data and a right to lodge a complaint with the Information Commissioners Office (ICO). More details on these rights can be found below and on the ICO’s website.

How to complain

If you wish to make a complaint to NDA about the way in which we have processed your personal information please get in touch with our Data Protection Officer via the contact details supplied above.

If you remain dissatisfied with the response received, you have the right to lodge a complaint to the Information Commissioner’s Office (ICO). The ICO is the UK’s independent body set up to uphold information rights, and they can investigate and adjudicate on any data protection related concerns you raise with them. They can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
0303 123 1113

ICO website