Office for Nuclear Regulation

External privacy notice

This privacy notice explains what personal data we process and how we will use it.

This notice is layered. Part One provides general information which we must tell everybody and Part Two provides further information depending on the reason we process your personal information.

You can read the privacy notice below in full or you can click on the links provided to take you directly to each section.

Part One - General information

The first part of the notice is information we need to tell everybody.

Data Controller and Data Protection Officer

The Office for Nuclear Regulation (ONR) is registered as a Data Controller with the Information Commissioner’s Office (ICO) under registration number ZA044386.  A Data Controller decides why, when, what and how personal information will be used.

The ONR Data Protection Officer is Charlotte Cooper.

How to contact us

There are many ways you can contact us, including by phone, email, and post.  These contact details should be used for all queries to ONR, including any queries you may have about how we use your personal information.  Alternatively, you can also contact the Data Protection Officer direct.

Our postal address

Office for Nuclear Regulation
Building 4 Redgrave Court
Merton Road
Bootle
L20 7HS

Please mark your envelope ‘FAO Data Protection Officer’.

Our email addresses

Email: contact@onr.gov.uk

You can contact the Data Protection Officer at dataprotection@onr.gov.uk or via our postal address above. Please mark the envelope ‘Data Protection Officer’.

Supervisory Authority

The Information Commissioner’s Office (ICO) is the UK’s Supervisory Authority.  Further details about the ICO can be found on their website at http://ico.org.uk

How we get your information

Most of the personal information we process is provided to us directly by you for one of the following reasons:

We also receive personal information indirectly, in the following scenarios:

Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which mean you may not always receive all the information we process.

Your right to rectification

You have the right to ask us to rectify information that is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests.

Your right to data portability

You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you in electronic form. The right only applies if we are processing information based on your consent, or under (or in talks about entering into) a contract, and the processing is automated.

If we are processing your information for criminal law enforcement purposes, your rights are slightly different. Please see the relevant section of the notice.

We have one month to respond to you. You are not required to pay any charge for exercising your rights.  We may, in exceptional circumstances only, apply a fee for accessing your personal information.

Please contact us at dataprotection@onr.gov.uk if you wish to make a request.

Service adjustments and retention

As a public authority and a provider of services to the public, we have a legal duty to comply with the Equality Act (2010).

This means we need to make service adjustments for anyone with a disability who contacts us in any capacity, to eliminate any barriers to accessing our services. Our legal basis for processing this information is article 6(1)(c) of the GDPR as we have a legal obligation to provide this. Our processing of special category data, such as health information you give us, will be based on article 9(2)(a), which means we need your consent.

We’ll create a record of your adjustment requirements. These will give your name, contact details and type of adjustment required, along with a brief description of why it is required. Relevant staff can access this to ensure they are communicating with you in the required way.

How long we keep your data

We will retain your personal data for as long as is necessary for the purpose it was collected, or if we are processing your personal information on the basis of your consent, until such a time that you withdraw your consent.  All personal information held by ONR is stored within secure electronic systems or secure locations for physical records.  Access to personal information is limited to ONR staff based on business need only, with permission levels being reviewed and updated regularly.

ONR operates a Business Classification Scheme and Disposal Schedule which tells us how long we can keep your information for the purpose it was collected for.  At the end of the retention period, your personal information will be disposed of securely.

Sharing your information

We will not share your information with any third parties for the purposes of direct marketing.

We use third parties (data processors) to provide elements of services for us. We have contracts in place with our data processors.

This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct them to do so. They will ensure secure destruction or transfer to ONR of any personal information as appropriate.

In some circumstances we are legally obliged to share information, for example under a court order or where we cooperate with other European supervisory authorities in handling complaints or investigations.

We might also share information with other regulatory bodies in order to further their, or our, objectives, and for the purposes of law enforcement. In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the websites you visit.

Your right to complain

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us at contact@onr.gov.uk.  We will respond to your query or concern as quickly as possible or, if we need more time, we will provide you with an estimated response time.

If you remain dissatisfied, you can make a complaint about the way we process your personal information to the UK supervisory authority, the Information Commissioner’s Office (ICO). 

Changes to this privacy notice

We keep our privacy notice under regular review to make sure it is up to date and accurate. It was last updated 23 July 2018.

Children's information

We do not provide services directly to children or proactively collect their personal information. However, we are sometimes given information about children while handling a complaint or conducting an investigation. The information in the relevant parts of this notice applies to children as well as adults.

This notice has been written in plain language so it is easy to understand.

Part Two - The reasons we process personal data

Visitors to our website - Cookies

The ONR website and the following subdomains all use Google Analytics to allow us to measure how the website is used and to improve the service:

Users have to provide consent to enable these analytics cookies.

Managing your consent

Our preferences management tool can be accessed by the 'C' in the bottom right of your screen.

Visitors to our offices

ONR has three sites: Bootle; Cheltenham; and London.  We meet visitors at our head office, including:

All visitors to our sites must be allocated a visitor pass by the building operator (as detailed below). If your visit is planned, we will share your name and visit information with reception staff (provided by the building operator) so that a visitor pass can be allocated. You must wear a pass throughout your visit.

All visitors are required to sign in and out at reception and show a form of ID. The ID is for verification purposes only; ONR does not record this information.

The purpose for processing this information is for security and safety reasons. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests.

Any CCTV used in our offices is not operated by us, so we are not the controller. It will be under the control of the relevant building landlord.

Redgrave Court, Bootle – CBRE operate the reception and security desk. 

St James House, Cheltenham – Savills manage the building.

Windsor House, London – Government Property Agency (GPA) manage the building.

Raising a concern

Purpose and legal basis for processing

Our purpose is to regulate the nuclear industry in line with our statutory duties under the Energy Act 2013, including inspection and investigation activities.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

If the information you provide us in relation to your complaint contains special category data, such as health, religious or ethnic information, the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights. We also rely on Schedule 1 part 2(6) of the DPA2018, which relates to statutory and government purposes.

What we need

We need information from you to investigate your concern properly, so our complaint forms are designed to prompt you to give us everything we need to understand what’s happened.

When we receive a complaint from you, we’ll set up a case file. This normally includes your contact details and any other information you have given us about the other parties in your complaint.

Why we need it

We need to know the details of your concern so we can investigate it and fulfil our regulatory function.

What we do with it

We will use your personal information to investigate your complaint and check on our level of service. We compile and publish statistics showing information like the number of complaints we receive, but not in a form that identifies anyone.

No third parties have access to your personal information unless the law allows them to do so. If you don’t want information that identifies you to be shared with the organisation you have raised a concern about, we’ll try to respect that. However, it is not always possible to handle a concern on an anonymous basis so we’ll contact you to discuss this.

If you are acting on behalf of someone making a complaint, we’ll ask for information to satisfy us of your identity and if relevant, ask for information to show you have authority to act on someone else’s behalf.

How long we keep your data

We will retain your personal data for as long as is necessary for the purpose it was collected.

In most cases, if you have subscribed to an email alert or subscription service, we will keep your personal data for as long as you are subscribed to that service or are required to by law and delete that data once you have requested to be removed. At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

We are acting in our official capacity to investigate your complaint, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

Report bad practices as a whistleblower

Purpose and legal basis for processing

Our purpose is to regulate the nuclear industry in line with our statutory duties under the Energy Act 2013, including inspection and investigation activities.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

If the information you provide us in relation to your report contains special category data, such as health, religious or ethnic information, the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights. We also rely on Schedule 1 part 2(6) of the DPA2018, which relates to statutory and government purposes.

What we need

We need enough information from you to investigate your protected disclosure to us, including any evidence you have to support it.

When we receive a disclosure from you we’ll set up a case file containing the details. This normally includes your identity, contact details and any other information you have given us about individuals involved in the disclosure. We will treat the information you provide confidentially.

You can contact us anonymously if you prefer but your details will not be given out when we progress your disclosure, unless you give your permission.

What we do with it

We’ll treat the information you provide as confidential and won’t disclose it without lawful authority.

If possible, we’ll give you feedback about any action we take as a result of your disclosure. However, this feedback will be restricted. We also have a duty of confidence to the organisations we regulate. We are legally prevented from sharing much of the information we hold about them.

We’ll also publish information in a yearly report about any action we take as a result of disclosures by whistleblowers. This won’t, however, contain any information that will identify individual whistleblowers or their employers (including ex-employers).

We will use your personal information to process your complaint and to check on the level of service we provide. We compile and publish statistics showing such information as the number of complaints we receive, but not in a form that identifies anyone.

How long we keep your data

We will retain your personal data for as long as is necessary for the purpose it was collected.

In most cases, if you have subscribed to an email alert or subscription service, we will keep your personal data for as long as you are subscribed to that service or are required to by law and delete that data once you have requested to be removed. At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

We are acting in our official capacity to investigate your complaint, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

Vetting for Industry

Information we obtained because you have applied for or hold a Baseline Personnel Security Standard (BPSS) or National Security Vetting (NSV) clearance for employment in the regulated civil nuclear industry.

This notice applies to all previous and current NSV applications processed by ONR and UKSV or its predecessor DBS (Defence Business Services).

Joint data controller arrangements

For the purposes of National Security Vetting, ONR is a Joint Data Controller with United Kingdom Security Vetting (UKSV), which is part of the Ministry of Defence. The Security Service is also a Joint Data Controller for the associated checks of Security Service records. The UK National Security Authority (UK NSA) is also a Joint Data Controller for the purpose of completing required checks.

UKSV is the sole service provider for carrying out the checks supporting the National Security Vetting (NSV) process but the decision on whether to grant a security clearance is taken by ONR as the Vetting Authority for the regulated Civil Nuclear industry. 

Therefore, if you wish to exercise your rights under data protection legislation, you can choose to contact either ONR’s Data Protection Officer, or our counterparts in the UKSV, the Security Service, or the UKNSA.  

ONR Data Protection Officer Contact Details:

Email: dataprotection@onr.gov.uk  

By post: ‘Data Protection Officer’, Office for Nuclear Regulation, Building 4 Redgrave Court, Merton Road, Bootle, L20 7HS.

UK Security Vetting Service Contact Details and Privacy Notice:

The Data Protection Officer responsible for NSV can be contacted via the Ministry of Defence Chief Information Officer at CIO-DPA@mod.uk

The Security Service Contact Details and Privacy Notice:

The Security Service is a data controller for NSV in respect of the check of Security Service records.  It can be contacted via:

The Enquiries Desk
PO BOX 3255
London SW1P 1AE

Should you be granted clearance and subsequently move to another post requiring NSV and there is a change of Vetting Authority, the new Vetting Authority may review your clearance and associated checks against the particular security risks that organisation faces. 

UK National Security Authority Contact Details and Privacy Notice:

The contact details for the data controller’s Data Protection Officer (DPO) at the UK NSA are dpo@cabinetoffice.gov.uk

Purpose and legal basis for processing

ONR solely, and jointly with UKSV when carrying out NSV, may process your personal data and that of third parties by virtue of our statutory duties under the Energy Act 2013, Part 13 and in the exercise of official authority vested in ONR under Regulation 9, 17 and 22 of the Nuclear Industries Security Regulations 2003 (NISR).

The legal basis we rely on to process your personal data is 6(1)(e), which allows us to process personal information of third parties when this is necessary to perform our public tasks as a regulator.

Why we need it

ONR will process your personal data and that of third parties for the purpose of making a decision on a BPSS application or an application for an NSV clearance, including any on-going aftercare that may exist or arise. NSV is necessary and proportionate to safeguard the UK’s national security. We may also process your data for ancillary purposes, for example, to facilitate an appeal to the Security and Vetting Appeals Panel (SVAP), to fulfil legal and regulatory requirements or, in an anonymised way for business monitoring and planning.

The categories of personal data and what we do with it

Your personal data and that of third parties will be processed as described in the ‘Statement of HM Government Personnel Security and National Security Vetting Policy’,  which is included in the NSV questionnaires and as an annex to the document ‘Personnel Security Controls’ available on .gov.uk. The categories of personal data processed are described in those documents.

How we protect your personal data and who we share it with

Personal data collected and processed for NSV is very strictly controlled and protected by a high level of physical, cyber and personnel security measures. Your NSV personal data is kept separate from other personal data, and access is only provided for the purpose of NSV and to those with a ‘need to know’, such as the ONR decision maker, UKSV, public authorities which maintain criminal records databases and the Security Service.

Personnel data collected and processed for the confirmation of internationally held Personnel Security Clearances (PSC) will be shared with the UK National Security Authority (NSA).

How long we keep it

Your personal data, and that of third parties, will be retained for so long as is necessary for the purpose for which it was collected (safeguarding national security). Personal data collected during the NSV process will normally be retained by ONR for six years from the date that your security clearance expires, lapses or is withdrawn. However, it may be necessary to retain some personal data beyond this period in the interests of national security or to defend legal proceedings which have already commenced.

What are your rights?

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason and the legal basis for processing your personal information. 

You are not required to pay a charge for exercising your rights. We may, in limited and exceptional circumstances only, apply a fee for accessing your personal information. 

Please contact us at dataprotection@onr.gov.uk if you wish to exercise any of your rights.

You also retain the right to complain to the Information Commissioner’s Office (ICO), the UK’s Supervisory Authority, if you are unhappy about the processing of your personal data or if you feel that we have not exercised your rights appropriately.  Contact details for the ICO can be found on their website at www.ico.org.uk

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which mean you may not always receive all the information we process.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to processing if we are using your personal information under one of our public tasks, in certain circumstances.

Other points to be aware of in relation to NSV

International data transfers and international organisations

As described above, for important reasons of public interest and national security, it may be necessary for UKSV on behalf of ONR to seek information from referees some of whom may be from international organisations, EU member states, or located in countries where the EU Commission has not issued an adequacy decision to confirm that it considers the country provides an adequate level of data protection.

Where the sponsor organisation is an international organisation, for example NATO, or where your clearance is to work for a contractor overseas, we will inform the organisation or contractor whether your clearance is granted, refused or withdrawn.  Confirmation of any internationally held Personnel Security Clearances (PSC) will be sought via the UK National Security Authority (NSA).

Decisions based on automated processing

NSV decisions are not based solely on automated processing, including profiling. The decision whether to grant or refuse security clearance is taken individually by ONR’s personnel security risk owner.

Failure to provide data

You are required to provide the personal data requested as part of NSV in order to obtain the security clearance necessary for your role, which will be either a contractual requirement or necessary for employment within the regulated civil nuclear industry.  If you do not provide the requested data, we will be unable to grant you security clearance and this may impact on your employment.

Data from third parties

Conducting NSV

To conduct the various checks that form part of NSV, it may be necessary to share some of your personal data with the relevant check provider so that they may provide further personal data to us. We only share the minimum amount of personal data necessary to enable the provider to perform the check. In most cases this is limited to basic identifying information (such as your name or date of birth) to ensure that the provider performs the check on the correct individual.

To perform the component NSV checks and reach a security clearance decision, ONR will have access to your data from:

Being, or having been, investigated by us for a criminal offence

Purpose and legal basis for processing

Our purpose is to regulate the nuclear industry in line with our statutory duties under the Energy Act 2013, including inspection and investigation activities.

We rely on Schedule 8 1(a) and (b) of the Data Protection Act 2018 to process your personal data. This relates to processing ‘necessary for the exercise of a function conferred on a person by an enactment or rule of law, and is necessary for reasons of substantial public interest’. This is part of our regulatory function.

What we need

When we investigate an alleged criminal offence, we’ll compile information and evidence about it.

Why we need it

In our role as a regulator, we need to establish whether the legislation we oversee has been breached, so that we can take legal action if appropriate. So we’ll gather relevant information about you to do this.

What we do with it

We will only use your personal information to see whether the legislation has been breached, and for prosecution purposes if we have evidence of a breach.

In some circumstances we may share your personal information with other law enforcement agencies/regulators during an investigation.

If we proceed to take legal action, we’ll share this information with our legal counsel, the courts and any co-defendants and their legal representatives.

When we take enforcement action, we may publish the defendant’s identity in our Annual Report or in the media. Usually we do not identify any complainants unless the details have already been made public.

How long we keep your data

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

Personal data about criminal convictions and offences falls under Part 3 of the Data Protection Act 2018 for ‘law enforcement purposes’. There are specific rights for this type of personal data.

The law enforcement purposes are stated in the legislation as ‘the purposes for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’

You have a right to access your personal data held by or for us. You also have a right to get inaccurate data rectified and incomplete data completed, and for your personal data to be erased in certain circumstances.

Do we use any data processors?

Yes – we may use external legal counsel for court proceedings.

Public Consultations

Nuclear Reactors (Environmental Impact Assessment for Decommissioning) Regulations 1999 (EIADR)

Purpose and legal basis for processing

Under the EIADR, all nuclear power stations and other nuclear reactors require consent from ONR to commence decommissioning. As part of the pre-application opinion, and the application for consent processes, ONR is required to consult with the statutory consultation bodies (including the appropriate environmental agency and local highway and planning authorities). During this consultation period ONR may receive responses from members of the public and other groups with an interest in the environmental aspects of a proposed decommissioning project.

The consultation process will require the storage and processing of personal data in order to demonstrate consultation responses have been recorded and reflected in ONR’s Pre-Application opinion and consent decision.

The legal basis for the processing of personal data as part of the consultation is therefore provided by the following articles of GDPR:

What we need

ONR will need to store consultation comments from members of the public. The personal data collected will include and be limited to:

Why we need it

ONR needs to gather and store the personal information of individuals who provide comments during an EIADR consultation in order to demonstrate that they have been recorded and considered in the pre-application opinion (PAO) or EIADR assessment, and also the contact details of members of the public in order to notify them that the PAO report, or Project Assessment Report (PAR) detailing its decision on the EIADR consent has been published. 

What we do with it

ONR provides the licensee with copies of consultation responses throughout the consultation process; these will be anonymised and will not include personal information of those who have provided comments. Personal information is stored to enable ONR to contact respondents if necessary.

How long we keep it

This data will be retained for 18 years, at which point it will be destroyed.

What are your rights?

We process personal data in our capacity as a regulator, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

Apply for a job or secondment

Purpose and legal basis for processing

Our purpose for processing this information is to assess your suitability for a role you have applied for.

The legal basis we rely on for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract. The legal basis we rely on to process any information you provide as part of your application which is special category data, such as health, religious or ethnic information, is article 9(2)(b) of the GDPR, which also relates to our obligations in employment and the safeguarding of your fundamental rights, and article 9(2)(h) for assessing your work capacity as an employee. We also rely on Schedule 1 part 1(1) and (2)(a) and (b) of the DPA2018, which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.

What will we do with the information you give us?

We’ll use all the information you provide during the recruitment process to progress your application with a view to offering you an employment contract with us, or to fulfil legal or regulatory requirements if necessary.

We will not share any of the information you provide with any third parties for marketing purposes.

We’ll use the contact details you give us to contact you to progress your application. We’ll use the other information you provide to assess your suitability for the role.

What information do we ask for, and why?

We do not collect more information than we need to fulfil our stated purposes and will not keep it longer than necessary.

The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it may affect your application if you don’t.

Application stage

If you use our online application system, your details will be collected by a data processor on our behalf (please see below).

We ask you for your personal details including name and contact details. We’ll also ask you about previous experience, education and for answers to questions relevant to the role. Our recruitment team will have access to all this information.

You will also be asked to provide equal opportunities information and information relating to your socio-economic background [including parental occupation]. This is not mandatory – if you don’t provide it, it won’t affect your application. We won’t make the information available to any staff outside our recruitment team, including hiring managers, in a way that can identify you. Any information you provide will be used to produce and monitor equal opportunities statistics.

Shortlisting

When our hiring manager shortlists applications for interview, they will not be provided with your name or contact details or with your equal opportunities information if you have provided it.

Assessments

We may ask you to participate in tests; complete occupational personality profile questionnaires; attend an interview; or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by us in line with the Business Classification Scheme and Disposal Schedule.

You will be required to provide proof of identification and any qualifications you have told us about in support of your application.  We will take a photocopy of this information and only retain it upon an offer of employment.  The information will be disposed of securely for all unsuccessful candidates, in line with the Business Classification Scheme and Disposal Schedule.

Conditional offer

If we make a conditional offer of employment, we’ll ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We must confirm the identity of our staff and their right to work in the United Kingdom, and seek assurance as to their trustworthiness, integrity and reliability.

You must therefore provide:

If we make a final offer, we’ll also ask you for the following:

Before or just after appointment

Some roles within ONR require a National Security Vetting (NSV); this will be clear on the advert or job description (or both). If you are required to have a National Security Vetting prior to the commencement of your role, it will be managed between ONR and United Kingdom Security Vetting (UKSV).

Secondments

We also offer opportunities for people to come and work with us on a secondment basis. We accept applications from individuals or organisations who think they could benefit from their staff working with us.

Applications are sent directly to us. Once we have considered your application, if we are interested in speaking to you further, we’ll contact you using the details you give.

We may ask you to provide more information about your skills and experience or invite you to an interview.

If you are seconded to us, you will be expected to adhere to a confidentiality agreement and code of conduct, which will be agreed with your organisation.

We may also ask you to complete our pre-employment checks or to obtain security clearance via the National Security Vetting process – both of which are described in this notice. Whether you need to do this will depend on the type of work you will be doing for us.

We ask for this information so that we fulfil our obligations to avoid conflicts of interest and to protect the information we hold.

How long is the information kept for?

We will retain your personal data for as long as is necessary for the purpose it was collected. For recruitment this period is 3 years.

At the end of the retention period, your personal data will be disposed of securely.

How we make decisions about recruitment

Final recruitment decisions are made by hiring managers and members of our recruitment team. We take account of all the information gathered during the application process.

You can ask about decisions on your application by speaking to your contact in our recruitment team or by emailing ONR.Human-Resources@onr.gov.uk

Do we use any data processors?

Yes – we use several processors to provide elements of our recruitment service for us.

We use Hireserve to operate our online application system and to produce anonymised management information about campaigns.

If you accept a final offer from us, some of your personnel records will be held on SOP, which is an internally used HR records system. The system is managed by SSCL (Shared Services Connected Ltd). SSCL also administers ONR’s payroll function.

MyCSP is the administrator of the Civil Service Pension Scheme, of which we are a member organisation. New staff will be auto-enrolled into the pension scheme.  The details provided to MyCSP include your name, date of birth, National Insurance number and salary. Your bank details will not be passed to MyCSP at this time.

We use OHAssist to provide our Occupational Health service.

You will be directed to the OHAssist website to complete a health screening questionnaire. The information you provide will be held by OHAssist, who will give ONR a fit to work certificate or a report with recommendations. You have the right to see the report before it is sent to us; please see the OHAssist website for further details. If you decline to let us see it, this could affect your job offer. If an occupational health assessment is required, this is likely to be carried out by OHAssist.

For senior vacancies, we sometimes advertise through Hays Recruitment. Hays will collect the application information and may ask you to complete a work preference questionnaire that is used to assess your suitability for the role; the results are assessed by recruiters. Information collected by Hays will be kept for 12 months after the end of our agreement with Hays.

Contact the Communications Team - media enquiries

Purpose and legal basis for processing

Our purpose for collecting this information is so we can respond to you and give you information about the legislation we oversee in order for you to publish.

The legal basis we rely on for processing your personal data is public task, under article 6(1)(e) of the GDPR.

What we need

We need enough information from you so we can respond to you. We’ll take your name and number/contact email address and, where relevant, the name of the organisation you represent.

Why we need it

We need to keep a record of who we have spoken with and what has been asked for/provided. If we can’t answer your query/request over the phone, we’ll need your contact information for our response.

What we do with it

We’ll only use your personal information to respond to you and will make a record of our communications with you, both verbal and written.

We’ll also use your contact information to send you our press releases.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected and in accordance with the Business Classification Scheme and Disposal Schedule. At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

We are acting in our official capacity as a regulator in providing you with press releases and responding to media enquiries. This means you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

You can, however, ask us to stop sending you press releases at any time and we’ll update our records immediately to reflect your wishes.

Do we use any data processors?

Yes, we use Vuelio to manage stakeholder contacts.

Attend an event, seminar or workshop

Purpose and legal basis for processing

Our purpose for collecting this information is so we can facilitate the event and provide you with an acceptable service.

The legal basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR. When we collect any information about dietary or access requirements we also need your consent (under article 9(2)(a)) as this type of information is classed as special category data.

What we need

We need your personal information to facilitate the event; to provide our delegates with an exceptional service; and to communicate with delegates.  If you wish to attend one of our events, you will be asked to provide your contact information including your organisation’s name and, if offered a place, information about any dietary requirements or access provisions you may need. We may also ask for payment if there is a charge to attend.

Why we need it

We use this information to facilitate the event and provide you with an acceptable service. We also need this information so we can respond to you.

What we do with it

If you are not successful in securing a place, we’ll let you know and hold your details on a reserve list in case a place becomes available.

If you are allocated places at an event, we’ll ask for information about any dietary/access requirements. We don’t share this information in any identifiable way with the venue, and we delete it after the event.

We do not publish delegate lists for events and we will not confirm your attendance with a third party without your permission.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

We rely on your consent to process the personal data you give us to facilitate the event. This means you have the right to withdraw your consent at any time. If you do that, we’ll update our records immediately to reflect your wishes.

Do we use any data processors?

No

Subscribe to our e-newsletter/e-bulletin

Purpose and legal basis for processing

Our purpose for collecting the information is so we can provide you with a service and let you know about upcoming events.

The legal basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR.

What we need

Your name and email address.

Why we need it

We use your email address to send you our e-newsletter.

What we do with it

We only use your details to provide the service.

We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter.

You will receive a confirmation email once you have submitted your details, and then the newsletters monthly.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

We rely on your consent to process the personal data you provide to us for marketing purposes. This means you have the right to withdraw your consent, or to object to the processing of your personal data for this purpose at any time. If you do that, we’ll update our records immediately to reflect your wishes.

Do we use any data processors?

Yes - we use Forfront Limited (e-shot™) to manage subscription lists, preferences and send emails.

Making an information request

Purpose and legal basis for processing

Our purpose for processing your personal data is so we can fulfil your information request to us.

The legal basis for this is article 6(1)(c) of the GDPR, which relates to processing necessary to comply with a legal obligation to which we are subject.

If any of the information you provide to us in relation to an information request contains special category data, such as health, religious or ethnic information, the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights. We also rely on Schedule 1 part 2(6) of the DPA2018, which relates to statutory and government purposes.

What we need and why we need it

We need information from you to respond to you and to locate the information you are looking for. This enables us to comply with our legal obligations under the legislation we are subject to:

What we do with it

When we receive a request from you, we’ll set up an electronic case file containing the details of your request. This normally includes your contact details and any other information you have given us. We’ll also store on this case file a copy of the information that falls within the scope of your request.

If you are making a request about your personal data, or are acting on behalf of someone making such a request, then we’ll ask for information to satisfy us of your identity. If it’s relevant, we’ll also ask for information to show you have authority to act on someone else’s behalf.

We’ll use the information supplied to us to process your information request and check on the level of service we provide.

If the request is about information we have received from another organisation – regarding a complaint, for example – we’ll routinely consult the organisation/s concerned to seek their view on disclosure of the material.

We may need to share your information with a regulatory or law enforcement agency, for example in the event that you raise a concern with the Information Commissioner’s Office.

We compile and publish statistics showing information such as the number of requests we receive, but not in a form that identifies anyone. In addition, we publish our responses to requests for information received under the terms of the Freedom of Information Act and the Environmental Information Regulations in an anonymised format.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

You have a right to access your personal data held by or for us. You also have a right to get inaccurate data rectified and incomplete data completed, and for your personal data to be erased in certain circumstances.

Do we use any data processors?

No – we do not use data processors for the above.

Communicate with us as a business

Purpose and legal basis for processing

We hold the names and contact details of individuals acting in their capacity as representatives of their organisations, across the business.

If this relates to interactions regarding our regulatory functions, the legal basis is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

If the interactions relate to suppliers, contracts, buildings management, IT services etc., the legal basis is article 6(1)(b) of the GDPR for the performance of a contract or article 6(1)(f) because the processing is within our legitimate interests as a business.

What we need

When we conduct an Inspection or an advisory visit, we’ll take the name and contact details of your organisation’s main point of contact. We may also take details of other staff members during the visit process.

When we communicate with you regarding our regulatory activity, we may take the name and contact details of your organisation’s main point of contact. We may also take details of other staff members if appropriate.

Why we need it

We use the data collected to complete the inspection/advisory visit and evidence the information provided.

We may also use data collected to inform how we work as a regulator, strengthening further areas of good practice and identifying opportunities to improve ONR’s performance.

What we do with it

We will publish the fact that we have conducted an inspection / advisory visit, but this will not contain any personal data. We may publish a summary of the audit we have completed with you, but this will not contain any personal data.

We may be required to share your personal information with relevant third parties, for example in the event that a crime has been committed or is suspected.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

Do we use any data processors?

ONR uses a data processor (Microsoft) for limited data processing.

We are inspecting your business

Purpose and legal basis for processing

Our purpose for processing this information is to have a contact point at your organisation and to tell you the outcome of the visit.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

What we need

When we conduct an inspection or an advisory visit, we will take the name and contact details of your organisation’s main point of contact. We may also take details of other staff members during the visit process.

Why we need it

We use the data collected to complete the inspection/advisory visit and evidence the information provided.

What we do with it

We will publish the fact that we have conducted an inspection / advisory visit, but this will not contain any personal data. We may publish a summary of the audit we have completed with you, but this will not contain any personal data.

We may be required to share your personal information with relevant third parties, for example in the event that a crime has been committed or is suspected.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

We process personal data in the visit information in our capacity as regulator, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

Do we use any data processors?

ONR uses a data processor (Microsoft) for limited data processing.

Internal privacy notice