Notice

OPRED Energy Portal: privacy notice

Published 10 December 2020

The Offshore Petroleum Regulator for Environment and Decommissioning (OPRED) based in Aberdeen is part of the Department for Energy Security and Net Zero (DESNZ). OPRED respects your privacy and is committed to protecting your personal information.

This privacy notice tells you how we look after your personal information and your rights in relation to your personal information and how the law protects you, regarding the Energy Portal.

When you create an account and use the Energy Portal to carry out activities, we may collect certain personal information from you.

For information you submit to the portal:

  • DESNZ is the data controller
  • DESNZ is the data processor

Your data

Personal data only includes information relating to natural persons who can be:

  • identified or who are identifiable directly from the information in question
  • indirectly identified from that information in combination with other information

It does not include data that is truly anonymised. Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of General Data Protection Regulation (GDPR).

We may collect, use, store and transfer different kinds of personal information:

  • identity data which includes your first, middle and/or surname, username or similar identifier and title
  • contact data which includes your postal and/or email address and telephone numbers
  • technical data which includes internet protocol (IP) address, log in details, operating system and platform and other technology on devices you use to access the website
  • profile data which includes your username and password, applications submitted by you, preferences, feedback and consultation responses
  • usage data which includes information about how you use the website
  • communication data which includes information on emails and updates you have subscribed (opted-in) to receive from us

We do not collect any special categories of personal information such as detail about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, information about your genetic or biometric data.

We may process limited information in relation to trade union membership, health, criminal convictions and offences being investigated.

It is important that the personal information we hold about you is accurate and up to date. Please let us know if your personal information changes while we hold information about you.

How your personal information is collected

We use different methods to collect personal information from and about you through:

  • direct interactions such as creating an account in the Energy Portal, or submitting an application
  • automated technologies or interactions. We may automatically collect technical data about your equipment, browsing actions and patterns. We collect this information by using cookies.

How we use your personal information

We will only use your personal information when the law allows us to. Most commonly we will use your personal information in the following circumstances:

  • for the purposes of discharging our statutory functions including environmental regulatory activities such as granting of permits, consents and authorisations
  • undertaking regulatory investigations where we need to:
    • establish whether there has been a breach of a regulatory obligation
    • establish, exercise or defend legal rights
    • improve our services
  • to send communications about OPRED which you have subscribed to

We may rely on consent as the lawful basis for processing your personal information. You have the right to withdraw your consent as the basis on which we process your personal information. If you wish to withdraw your consent for processing for a particular purpose, please contact the Data Protection Officer. The withdrawal of consent will not affect the lawfulness of the data processing before your consent was withdrawn and withdrawal of consent will not affect our ability to process your personal information where we do not rely on consent.

Cookies

The Energy Portal uses cookies. The Energy Portal only sets ‘session cookies’ for the benefit of session management, for example to remember your progress through a form such as an application.

Change of purpose

We will only use your personal information for the purposes for which we collect it. We can only use the personal data for a new purpose if either this is compatible with our original purpose, we get consent, or we have a clear obligation or function set out in law. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact the Data Protection Officer.

If we need to use your personal information for an unrelated purpose, we will tell you and explain the lawful basis which we consider allows us to do so.

We may process your personal information without your knowledge or consent in compliance where required to do so by law.

Data retention

The information you provide will be retained by the department in line with best practice guidance and standards provided by the National Archives.

Data collected by the Energy Portal may be retained indefinitely. The Portal needs to maintain a minimum amount of personal information (name, email address, company name, work contact number) on its past users. This information is retained for historic audited actions in the Energy Portal database as these are linked to the user that performed the action.

Disclosure of your personal information

We may need to share your personal information with third parties including:

  • government departments and other regulatory bodies for the purposes of enabling them and us to carry out our respective legal and statutory functions
  • third parties who we may engage to process personal information on our behalf. We require all third parties to respect the privacy of your personal information and to treat it in accordance with the law. We do not allow third parties to use your personal information for their own purposes and only permit them to process your personal information for a special purpose and in accordance with our instructions

We will not:

  • sell or rent your data to third parties
  • share your data with third parties for marketing purposes

We will share your data if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

Data security

We are committed to doing all that we can to keep your data secure. We protect your personal information against unauthorised access, unlawful use, accidental loss, corruption or destruction.

We use technical measures such as firewalls and password protection to protect your data and the systems they are held in.

We limit access to your personal information to employees, agents, contractors and other third parties with a business need to know. They will only process your personal information in accordance with our instructions and are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data breach and will notify you and the Information Commissioner’s Office as required.

International transfers

From time to time we may need to transfer your personal information to other countries, for example where personal information is being stored securely in the cloud and the servers are in another country.

If we send your personal information outside the European Economic Area (EEA), we will ensure the country your personal information is transferred to affords a similar degree of protection by ensuring one of the following safeguards is implemented:

Transferring your personal information to countries that have been deemed to provide an adequate level of protection for personal information by the European Commission.

Your rights

You have the right to request:

  • information about how your personal data is processed
  • a copy of that personal data
  • that anything inaccurate in your personal data is corrected immediately
  • that any incomplete personal data is completed, including by means of a supplementary statement

You can also:

  • raise an objection about how your personal data is processed
  • request that your personal data is erased if there is no longer a justification for it
  • withdraw consent you have provided for the processing of your personal information
  • ask that the processing of your personal data is restricted in certain circumstances

To request your personal information or exercise any of your other rights, contact the Data Protection Officer.

Fees

In most cases we cannot charge a fee to comply with a subject access request. However, we can charge a ‘reasonable fee’ for the administrative costs of complying with the request if:

  • it is manifestly unfounded or excessive
  • an individual requests further copies of their data following a request

We would base the reasonable fee on the administrative costs of complying with the request. If we decide to charge a fee, we will let you know promptly. In these circumstances, we do not need to comply with the request until we have received the fee.

Information we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that your personal information is not disclosed to a third party who has no right to receive it.

We may also ask for information that we reasonably need to find the personal data covered by the request. This will help us identify and target potential data holders.

Time limit to respond

We must comply with a request without undue delay and at the latest within one month of receipt of your request. We can extend the time to respond by a further 2 months if the request is complex or we have received several requests from the individual. We will let you know within one month of receiving your request and explain why the extension is necessary.

Contact us or make a complaint

Contact the DESNZ Data Protection Officer (DPO) if you:

  • have any questions about anything in this document
  • think that your personal data has been misused or mishandled

Contact the DESNZ DPO:

DESNZ Data Protection Officer
Department for Energy Security and Net Zero
3-8 Whitehall Place
London
SW1A 2EG

You can also make a complaint to the Information Commissioner (supervisory authority), who is an independent regulator.

Information Commissioner's Office

Email icocasework@ico.org.uk

Contact form https://ico.org.uk/glo...

Telephone 0303 123 1113

Textphone 01625 545 860

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.