Office for Nuclear Regulation


Privacy notice

General information

This privacy notice tells you what to expect us to do with your personal information when you make contact with us or use one of our services.

This notice is layered. So, if you wish, you can easily select the reason we process your personal information and see what we do with it.

We’ll tell you:

The first part of the notice is information we need to tell everybody.

Controllers and Data Protection Officers contact details

The Information Commissioner’s Office is the controller for the personal information we process, unless otherwise stated.

There are many ways you can contact us, including by phone, email, and post.

Our postal address

Office for Nuclear Regulation
Building 4 Redgrave Court
Merton Road
Bootle
L20 7HS

Tel: 0203 028 0060

Email: contact@onr.gov.uk

Our Data Protection Officer is Charlotte Cooper. You can contact her at dpo@onr.gov.uk or via our postal address above. Please mark the envelope ‘Data Protection Officer’.

How we get your information

Most of the personal information we process is provided to us directly by you for one of the following reasons:

We also receive personal information indirectly, in the following scenarios:

Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests.

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract, and the processing is automated.

If we are processing your information for criminal law enforcement purposes, your rights are slightly different. Please see the relevant section of the notice.

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

Please contact us at contact@onr.gov.uk if you wish to make a request.

Service adjustments and retention

As a public authority and a provider of services to the public, we have a legal duty to comply with the Equality Act (2010).

This means we need to make service adjustments for anyone with a disability who contacts us in any capacity, to eliminate any barriers to accessing our services. Our legal basis for processing this information is article 6(1)(c) of the GDPR as we have a legal obligation to provide this. Our processing of special category data, such as health information you give us, will be based on article 9(2)(a), which means we need your consent.

We’ll create a record of your adjustment requirements. These will give your name, contact details and type of adjustment required, along with a brief description of why it is required. Relevant staff can access this to ensure they are communicating with you in the required way.

How long we keep your data

We will retain your personal data for as long as is necessary for the purpose it was collected.

In most cases, if you have subscribed to an email alert or subscription service, we will keep your personal data for as long as you are subscribed to that service, or for as long as we are required to by law, and will delete that data once you have requested to be removed. At the end of the retention period, your personal data will be disposed of securely.

Sharing your information

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

In some circumstances we are legally obliged to share information, for example under a court order or where we cooperate with other European supervisory authorities in handling complaints or investigations. We might also share information with other regulatory bodies in order to further their, or our, objectives, and for the purposes of law enforcement. In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

Your right to complain

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us at contact@onr.gov.uk and we’ll respond.

If you remain dissatisfied, you can make a complaint about the way we process your personal information to the UK supervisory authority, the Information Commissioner’s Office.

Changes to this privacy notice

We keep our privacy notice under regular review to make sure it is up to date and accurate. It was last updated 23 July 2018.

Children's information

We do not provide services directly to children or proactively collect their personal information. However, we are sometimes given information about children while handling a complaint or conducting an investigation. The information in the relevant parts of this notice applies to children as well as adults.

This notice has been written in plain language so it is easy to understand.

Visitors to our website

Analytics and cookies

The main ONR website and the following subdomains all use Google analytics to allow us to measure how the site is used and to improve the service:

Google analytics opt out

To stop Google collecting this information, use the following link to opt out of all Google analytics.

Visitors to our offices

We meet visitors at our head office, including:

If your visit is planned, we’ll send your name and visit information to reception before your visit. You will be given a visitor badge. You must wear a pass throughout your visit.

We ask all visitors to sign in and out at reception and show a form of ID. The ID is for verification purposes only; we don’t record this information.

The purpose for processing this information is for security and safety reasons. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it’s necessary for the purposes of our legitimate interests.

Any CCTV used in our offices is not operated by us, so we are not the controller. It will be under the control of the relevant building landlord.

Reasons for contacting us

Raising a concern

Purpose and legal basis for processing

Our purpose is to regulate the nuclear industry in line with our statutory duties under the Energy Act 2013, including inspection and investigation activities.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

If the information you provide us in relation to your complaint contains special category data, such as health, religious or ethnic information, the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights, and Schedule 1 part 2(6) of the DPA2018, which relates to statutory and government purposes.

What we need

We need information from you to investigate your concern properly, so our complaint forms are designed to prompt you to give us everything we need to understand what’s happened.

When we receive a complaint from you, we’ll set up a case file. This normally includes your contact details and any other information you have given us about the other parties in your complaint.

Why we need it

We need to know the details of your concern so we can investigate it and fulfill our regulatory function.

What we do with it

We will use your personal information to investigate your complaint and check on our level of service. We compile and publish statistics showing information like the number of complaints we receive, but not in a form that identifies anyone.

No third parties have access to your personal information unless the law allows them to do so. If you don’t want information that identifies you to be shared with the organisation you have raised a concern about, we’ll try to respect that. However, it is not always possible to handle a concern on an anonymous basis so we’ll contact you to discuss this.

If you are acting on behalf of someone making a complaint, we’ll ask for information to satisfy us of your identity and if relevant, ask for information to show you have authority to act on someone else’s behalf.

How long we keep your data

We will retain your personal data for as long as is necessary for the purpose it was collected.

In most cases, if you have subscribed to an email alert or subscription service, we will keep your personal data for as long as you are subscribed to that service, or for as long as we are required to by law, and will delete that data once you have requested to be removed. At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

We are acting in our official capacity to investigate your complaint, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

Report bad practices as a whistleblower

Purpose and legal basis for processing

Our purpose is to regulate the nuclear industry in line with our statutory duties under the Energy Act 2013, including inspection and investigation activities.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

If the information you provide us in relation to your report contains special category data, such as health, religious or ethnic information, the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights, and Schedule 1 part 2(6) of the DPA2018, which relates to statutory and government purposes.

What we need

We need enough information from you to investigate your protected disclosure to us, including any evidence you have to support it.

When we receive a disclosure from you we’ll set up a case file containing the details. This normally includes your identity, contact details and any other information you have given us about individuals involved in the disclosure. We will treat the information you provide confidentially.

You can contact us anonymously if you prefer but your details will not be given out when we progress your disclosure, unless you give your permission.

What we do with it

We’ll treat the information you provide as confidential and won’t disclose it without lawful authority.

If possible, we’ll give you feedback about any action we take as a result of your disclosure. However, this feedback will be restricted. We also have a duty of confidence to the organisations we regulate. We are legally prevented from sharing much of the information we hold about them.

We’ll also publish information in a yearly report about any action we take as a result of disclosures by whistleblowers. This won’t, however, contain any information that will identify individual whistleblowers or their employers (including ex-employers).

We will use your personal information to process your complaint and to check on the level of service we provide. We compile and publish statistics showing such information as the number of complaints we receive, but not in a form that identifies anyone.

How long we keep your data

We will retain your personal data for as long as is necessary for the purpose it was collected.

In most cases, if you have subscribed to an email alert or subscription service, we will keep your personal data for as long as you are subscribed to that service, or for as long as we are required to by law, and will delete that data once you have requested to be removed. At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

We are acting in our official capacity to investigate your complaint, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

Being, or having been, investigated by us for a criminal offence

Purpose and legal basis for processing

Our purpose is to regulate the nuclear industry in line with our statutory duties under the Energy Act 2013, including inspection and investigation activities.

We rely on Schedule 8 1(a) and (b) of the Data Protection Act 2018 to process your personal data. This relates to processing ‘necessary for the exercise of a function conferred on a person by an enactment or rule of law, and is necessary for reasons of substantial public interest’. This is part of our regulatory function.

What we need

When we investigate an alleged criminal offence, we’ll compile information and evidence about it.

Why we need it

In our role as a regulator, we need to establish whether the legislation we oversee has been breached, so that we can take legal action if appropriate. So we’ll gather relevant information about you to do this.

What we do with it

We will only use your personal information to see whether the legislation has been breached, and for prosecution purposes if we have evidence of a breach.

In some circumstances we may share your personal information with other law enforcement agencies/regulators during an investigation.

If we proceed to take legal action, we’ll share this information with our legal counsel, the courts and any co-defendants and their legal representatives.

When we take enforcement action, we may publish the defendant’s identity in our Annual Report or in the media. Usually we do not identify any complainants unless the details have already been made public.

How long we keep your data

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

Personal data about criminal convictions and offences falls under Part 3 of the Data Protection Act 2018 for ‘law enforcement purposes’. There are specific rights for this type of personal data.

The law enforcement purposes are stated in the legislation as ‘the purposes for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’

You have a right to access your personal data held by or for us. You also have a right to get inaccurate data rectified and incomplete data completed, and for your personal data to be erased in certain circumstances.

Do we use any data processors?

Yes – we may use external legal counsel for court proceedings.

Apply for a job or secondment

Purpose and legal basis for processing

Our purpose for processing this information is to assess your suitability for a role you have applied for.

The legal basis we rely on for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract. The legal basis we rely on to process any information you provide as part of your application which is special category data, such as health, religious or ethnic information, is article 9(2)(b) of the GDPR, which also relates to our obligations in employment and the safeguarding of your fundamental rights, and article 9(2)(h) for assessing your work capacity as an employee, and Schedule 1 part 1(1) and (2)(a) and (b) of the DPA2018, which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.

What will we do with the information you give us?

We’ll use all the information you provide during the recruitment process to progress your application with a view to offering you an employment contract with us, or to fulfil legal or regulatory requirements if necessary.

We will not share any of the information you provide with any third parties for marketing purposes.

We’ll use the contact details you give us to contact you to progress your application. We’ll use the other information you provide to assess your suitability for the role.

What information do we ask for, and why?

We do not collect more information than we need to fulfill our stated purposes and will not keep it longer than necessary.

The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it may affect your application if you don’t.

Application stage

If you use our online application system, your details will be collected by a data processor on our behalf (please see below).

We ask you for your personal details including name and contact details. We’ll also ask you about previous experience, education and for answers to questions relevant to the role. Our recruitment team will have access to all this information.

You will also be asked to provide equal opportunities information. This is not mandatory – if you don’t provide it, it won’t affect your application. We won’t make the information available to any staff outside our recruitment team, including hiring managers, in a way that can identify you. Any information you provide will be used to produce and monitor equal opportunities statistics.

Shortlisting

Our hiring managers shortlist applications for interview. They will not be provided with your name or contact details or with your equal opportunities information if you have provided it.

Assessments

We may ask you to complete tests or occupational personality profile questionnaires; attend an interview; or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by us.

Conditional offer

If we make a conditional offer of employment, we’ll ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We must confirm the identity of our staff and their right to work in the United Kingdom, and seek assurance as to their trustworthiness, integrity and reliability.

You must therefore provide:

If we make a final offer, we’ll also ask you for the following:

Before or just after appointment

Some roles within ONR require National Security Vetting (NSV); this will be clear on the advert or job description (or both). If you are required to have National Security Vetting prior to the commencement of your role, it will be managed between ONR and United Kingdom Security Vetting (UKSV).

Secondments

We also offer opportunities for people to come and work with us on a secondment basis. We accept applications from individuals or organisations who think they could benefit from their staff working with us.

Applications are sent directly to us. Once we have considered your application, if we are interested in speaking to you further, we’ll contact you using the details you give.

We may ask you to provide more information about your skills and experience or invite you to an interview.

If you are seconded to us, you will be expected to adhere to a confidentiality agreement and code of conduct, which will be agreed with your organisation.

We may also ask you to complete our pre-employment checks or to obtain security clearance via the National Security Vetting process – both of which are described in this notice. Whether you need to do this will depend on the type of work you will be doing for us.

We ask for this information so that we fulfill our obligations to avoid conflicts of interest and to protect the information we hold.

How long is the information kept for?

We will retain your personal data for as long as is necessary for the purpose it was collected. For recruitment this period is 3 years.

At the end of the retention period, your personal data will be disposed of securely.

How we make decisions about recruitment

Final recruitment decisions are made by hiring managers and members of our recruitment team. We take account of all the information gathered during the application process.

You can ask about decisions on your application by speaking to your contact in our recruitment team or by emailing ONR.Human-Resources@onr.gov.uk

Your rights

As an individual, you have certain rights regarding your own personal data.

For more information on your rights, please see ‘Your rights as an individual’.

Do we use any data processors?

Yes – we use several processors to provide elements of our recruitment service for us.

We use CIPHR to operate our online application system and to produce anonymised management information about campaigns.

If you accept a final offer from us, some of your personnel records will be held on SOP, which is an internally used HR records system. The system is managed by SSCL (Shared Services Connected Ltd).

SSCL also administers ONR’s payroll.

Likewise, your details will be provided to MyCSP who is the administrator of the Civil Service Pension Scheme, of which we are a member organisation. You will be auto-enrolled into the pension scheme and the details provided to MyCSP will be your name, date of birth, National Insurance number and salary. Your bank details will not be passed to MyCSP at this time.

We use OHAssist to provide our Occupational Health service.

We’ll send you a link to the questionnaire that will take you to OHAssist’s website. The information you provide will be held by OHAssist, who will give us a fit to work certificate or a report with recommendations. You are able to request to see the report before it is sent to us. If you decline for us to see it, this could affect your job offer. If an occupational health assessment is required, this is likely to be carried out by OHAssist.

For senior vacancies, we sometimes advertise through Hays Recruitment. Hays will collect the application information and may ask you to complete a work preference questionnaire that is used to assess your suitability for the role; the results are assessed by recruiters. Information collected by Hays will be kept for 12 months after the end of our agreement with Hays.

Contact the Communications Team - media enquiries

Purpose and legal basis for processing

Our purpose for collecting this information is so we can respond to you and give you information about the legislation we oversee in order for you to publish.

The legal basis we rely on for processing your personal data is public task, under article 6(1)(e) of the GDPR.

What we need

We need enough information from you so we can respond to you. We’ll take your name and number/contact email address and, where relevant, the name of the organisation you represent.

Why we need it

We need to keep a record of who we have spoken with and what has been asked for/provided. If we can’t answer your query/request over the phone, we’ll need your contact information for our response.

What we do with it

We’ll only use your personal information to respond to you and will make a record of our communications with you, both verbal and written.

We’ll also use your contact information to send you our press releases.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected. At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

We are acting in our official capacity as a regulator in providing you with press releases and responding to media enquiries. This means you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

You can, however, ask us to stop sending you press releases at any time and we’ll update our records immediately to reflect your wishes.

Do we use any data processors?

Yes, we use Vuelio to manage stakeholder contacts.

Attend an event, seminar or workshop

Purpose and legal basis for processing

Our purpose for collecting this information is so we can facilitate the event and provide you with an acceptable service.

The legal basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR. When we collect any information about dietary or access requirements we also need your consent (under article 9(2)(a)) as this type of information is classed as special category data.

What we need

If you wish to attend one of our events, you will be asked to provide your contact information including your organisation’s name and, if offered a place, information about any dietary requirements or access provisions you may need. We may also ask for payment if there is a charge to attend.

Why we need it

We use this information to facilitate the event and provide you with an acceptable service. We also need this information so we can respond to you.

What we do with it

If you are not successful in securing a place, we’ll let you know and hold your details on a reserve list in case a place becomes available.

If you are allocated places at an event, we’ll ask for information about any dietary/access requirements. We don’t share this information in any identifiable way with the venue, and we delete it after the event.

We don’t publish delegate lists for events.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

We rely on your consent to process the personal data you give us to facilitate the event. This means you have the right to withdraw your consent at any time. If you do that, we’ll update our records immediately to reflect your wishes.

Do we use any data processors?

No

Subscribe to our e-newsletter/e-bulletin

Purpose and legal basis for processing

Our purpose for collecting the information is so we can provide you with a service and let you know about upcoming events.

The legal basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR.

What we need

Your name and email address.

Why we need it

We use your email address to send you our E-newsletter.

What we do with it

We only use your details to provide the service.

We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter.

You will receive a confirmation email once you have submitted your details and then the newsletters monthly.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

We rely on your consent to process the personal data you provide to us for marketing purposes. This means you have the right to withdraw your consent, or to object to the processing of your personal data for this purpose at any time. If you do that, we’ll update our records immediately to reflect your wishes.

Do we use any data processors?

Yes - we use GovDelivery provided by Granicus to manage subscription lists, preferences and send emails.

Granicus has staff based outside the European Economic Area, and stores your data in the US. Granicus is certified under the EU-US Privacy Shield framework.

Making an information request

Purpose and legal basis for processing

Our purpose for processing your personal data is so we can fulfill your information request to us.

The legal basis for this is article 6(1)(c) of the GDPR, which relates to processing necessary to comply with a legal obligation to which we are subject.

If any of the information you provide us in relation to your information request contains special category data, such as health, religious or ethnic information, the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights, and Schedule 1 part 2(6) of the DPA2018, which relates to statutory and government purposes.

What we need and why we need it

We need information from you to respond to you and to locate the information you are looking for. This enables us to comply with our legal obligations under the legislation we are subject to:

What we do with it

When we receive a request from you, we’ll set up an electronic case file containing the details of your request. This normally includes your contact details and any other information you have given us. We’ll also store on this case file a copy of the information that falls within the scope of your request.

If you are making a request about your personal data, or are acting on behalf of someone making such a request, then we’ll ask for information to satisfy us of your identity. If it’s relevant, we’ll also ask for information to show you have authority to act on someone else’s behalf.

We’ll use the information supplied to us to process your information request and check on the level of service we provide.

If the request is about information we have received from another organisation – regarding a complaint, for example – we’ll routinely consult the organisation/s concerned to seek their view on disclosure of the material.

We compile and publish statistics showing information such as the number of requests we receive, but not in a form that identifies anyone.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

We rely on your consent to process the personal data you provide to us for marketing purposes. This means you have the right to withdraw your consent, or to object to the processing of your personal data for this purpose at any time. If you do that, we’ll update our records immediately to reflect your wishes.

Do we use any data processors?

No – we do not use data processors for the above.

Communicate with us as a business

We hold the names and contact details of individuals acting in their capacity as representatives of their organisations, across the business. If this relates to interactions regarding our regulatory functions, the legal basis is article 6(1)(e) of the GDPR. If the interactions relate to suppliers, contracts, buildings management, IT services etc., the legal basis is article 6(1)(c) of the GDPR for any legal obligation or article 6(1)(f) because the processing is within our legitimate interests as a business.

We are inspecting your business

Purpose and legal basis for processing

Our purpose for processing this information is to have a contact point at your organisation and to tell you the outcome of the visit.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

What we need

When we conduct an Inspection or an advisory visit, we’ll take the name and contact details of your organisation’s main point of contact. We may also take details of other staff members during the visit process.

Why we need it

We use the data collected to complete the inspection/advisory visit and evidence the information provided.

What we do with it

We may publish a summary of the audit we have completed with you, but this will not contain any personal data. We’ll publish the fact that we have conducted an Inspection / advisory visit, but this will not contain any personal data.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

We process personal data in the visit information in our capacity as regulator, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

Do we use any data processors?

No

Internal privacy notice