Guidance

Privacy notice for users and visitors to buildings managed by Interserve on behalf of the Government Property Agency

Updated 18 February 2019

1. Your data

1.1 Purpose

The purposes for which we are processing your personal data are to provide a Total Facilities Management service for users and visitors. This means using personal data to:

  • operate a helpdesk, Computer Assisted Facilities Management IT system and telephone line to take facilities management calls from users
  • operate a Management Information System and to monitor performance and service failures (including complaints), and to provide reports to the contracting authority
  • provide a reception service, including managing visitors and assisting with any disability / access issues, and first aid issues
  • provide a security service, including CCTV, access control logs, security passes, out of hours records
  • operate a switchboard service, mailroom and reprographics service
  • maintain logs of health, safety and environment breaches and recordable accidents, incidents and near misses relating to the utilisation of all premises
  • support disabled users and visitors, including maintenance of sufficient safe refuge areas for disabled persons, and advice on special needs and works that may be necessary to improve services and the premises for those with special needs
  • operate a room bookings system, car parking booking system, and conference booking service
  • provide catering and vending services, including processing staff payment information
  • collect and use data from third party invoices, workers or contractors
  • assist with accident or incident management, eye testing and disability workplace assessments
  • provide an information technology managed service, including a customer services centre and call failure logging system
  • provide a protective threat intelligence and protective monitoring solution to corporate ICT
  • provide a telecommunications service

1.2 The data

In providing services to users, the following data will be processed:

  • name
  • job title
  • employer
  • building location
  • email address
  • phone number
  • nature of request or complaint

In addition:

In relation to security services:

  • access log information
  • information about access permissions
  • staff data on passes including images
  • information about alleged or actual criminal activity or misconduct
  • IP addresses
  • ICT threat intelligence information
  • CCTV images and video

In relation to support for disabled users and visitors:

  • health data

In relation to management of accidents or incidents, and accident or near miss logs:

  • health data

In relation to workplace assessments and eye tests:

  • health data

In relation to visitors:

  • name
  • company
  • who they visited
  • time and date

In relation to catering and vending services:

  • staff payment details

In relation to invoices and subcontractors:

  • payments made
  • employer
  • nature of employment

The legal basis for processing your personal data is:

For all data except CCTV, ICT protective monitoring and threat intelligence and visitor logs:

  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case that is GPA’s role in delivering property and workplace solutions across government by managing central government property as a strategic asset.

  • it is necessary for the performance of a contract to which the data subject is a party (i.e. provision of contractual necessities to users as part of their employment contracts)

In relation to CCTV, ICT protective monitoring and threat intelligence and visitor logs:

  • it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, which in this case are the need to protect the security and integrity of users, their belongings and managed buildings.

The legal basis for processing your sensitive health personal data is:

  • it is necessary for the purposes of performing or exercising our obligations or rights as the controller, or your obligations or rights, under employment law

1.4 Recipients

Your personal data will be collected and held by Interserve who provide the Total Facilities Management service. It may also be shared with:

  • your employer
  • the IT supplier who provides the Computer Assisted Facilities Management system
  • the IT supplier who hosts our data
  • G2, the independent auditors of Interserve
  • subcontractors of Interserve where necessary to carry out facilities management functions
  • our IT supplier that provides an information technology managed service
  • the call handling software provider of our information technology managed service supplier

Any data stored on GPA’s IT infrastructure will also be shared with our data processors who provide email, and document management and storage services.

1.5 Retention

Information will be retained for the life of the contract unless it is legally required to be retained for longer, i.e. asbestos inspection records.

Where personal data have not been obtained from you: Your personal data were obtained by us from your employer.

2. Your rights

You have the right:

  • to request information about how your personal data are processed, and to request a copy of that personal data
  • to request that any inaccuracies in your personal data are rectified without delay
  • to request that any incomplete personal data are completed, including by means of a supplementary statement
  • to request that your personal data are erased if there is no longer a justification for them to be processed
  • in certain circumstances (for example, where accuracy is contested), to request that the processing of your personal data is restricted
  • to object to the processing of your personal data where it is processed for direct marketing purposes
  • to object to the processing of your personal data

3. International transfers

All data will be stored in the UK, except for that below.

Any personal data stored on GPA’s IT infrastructure, and shared with our data processors, may be transferred and stored securely outside the European Union. Where that is the case it will be subject to equivalent legal protection through the use of Model Contract Clauses.

4. Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

5. Contact details

The data controller for your personal data is the Cabinet Office. The contact details for the data controller are:

Cabinet Office
70 Whitehall
London
SW1A 2AS

Public Enquiries: Online Contact Form

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

The contact details for the data controller’s Data Protection Officer are: dpo@cabinetoffice.gov.uk