Data Protection

Third Parties’ Privacy Notice

Magnox Ltd, Oldbury Technical Centre, Oldbury Naite, Thornbury, South Gloucestershire, BS35 1RQ. Registered in England and Wales under Company Number 2264251.

Information Commissioner’s Office registration number is Z7546570.

Magnox Ltd is committed to safeguarding and respecting your privacy. We take privacy, security and complying with data protection and privacy laws seriously.

Magnox Ltd is the ‘data controller’, for the purposes of data protection law. This means that we are responsible for deciding how we hold and use personal data about you. This notice applies to individuals who provide information to Magnox Ltd. This may include visitors to Magnox Ltd sites and contractors working at or with Magnox Ltd, including agency supplied workers, managed service workers and contractors. It does not apply to employees.

This notice sets out how we as the controller, collect and use your personal information; why we use it, with whom we share it, the rights to which you may be entitled and your choices about our use of your personal information.

This notice will be changed from time to time but if we change anything important (for example, the information we collect, how we use it or why) we will highlight those changes to you. If you have any questions please get in touch with our Data Protection Officer at D.P.O@magnoxsites.com or Data Protection Officer, Magnox Ltd, Wylfa Site, Cemaes Bay, Anglesey, LL670DH.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

Data Protection principles

We will comply with data protection law. This says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told you about.
  6. Kept securely.

What we collect, how we collect it and why we collect information about you?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection.

We collect certain types of information from and/or about you throughout our interaction with you and from third party service providers.  This information may include for example, your name, address, contact details, curriculum vitae, and medical information. We use this information for the activities we have listed in the table enclosed.

Please note that we will not necessarily hold, use or share all of the types of personal data as described in this notice in relation to you. The specific types of data about you that we will hold, use and share will depend on the nature of your relationship with. For example, if you are a visitor to our sites then we will not be holding your CV.

Who do we share your personal data with?

There are certain circumstances where we may share your data with third parties. We will only do so where we have an appropriate legal ground under data protection law which permits us to do so.

Some examples of when your personal information may be shared with third party organisations are as follows:

  • we may share information about you with service providers and they may process personal data for us. They are always required to meet our standards on processing security. We do not allow our third party service providers to use personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
  • we may share your information with the Nuclear Decommissioning Authority (NDA)
  • if we're required to do so by law, or under any regulatory code or practice we follow, or if we are asked to do so by any public or regulatory authority – for example the Police; or Office for Nuclear Regulation (“ONR”) or to defend any legal claims; and/or
  • if your personal data is made anonymous and aggregated, as in such circumstances the information will cease to be personal data.

Transferring data outside of the UK

An overseas transfer of personal data takes place when the data is transmitted or sent to, viewed, accessed or otherwise used in, a different country. Data protection law restricts transfers of personal data to countries outside of the European Economic Area (EEA) because the law in those countries might not provide the same level of protection to personal data as the law in the EEA.

We do not transfer your HR-related personal data to countries outside the EEA.

We will only transfer data to jurisdictions outside the scope of the EU and UK data protection laws where the appropriate safeguards required by these laws are in place.

How long will the data be kept?

We will only keep your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

At the end of that retention period, your data will be deleted. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and applicable legal requirements.

Monitoring

We monitor your usage of our IT and communication systems, such as email, internet, telephone , etc. This is to protect confidential business information and intellectual property and to monitor for inappropriate behavior or use of systems. We also use CCTV and entry and exit gates on Magnox Ltd sites and premises.

Your rights

You may have certain rights in relation to your information including a right to access or to correct the information we hold on you. Some of these rights will only apply in certain circumstances however, such as the right to be forgotten or the right to request that we move your information to another company. They will generally not be available if there are outstanding contracts between us, if you continue to be employed as a contractor on one of our sites, if we required by law to keep the information or if the information is relevant to a legal dispute. If you would like to exercise, or discuss, any of these rights, please get in touch with our Data Protection Officer at D.P.O@magnoxsites.com or Data Protection Officer, Magnox Ltd, Wylfa Site, Cemaes Bay, Anglesey, LL670DH.

  • You can ask us to confirm if we are processing your information
  • You can ask for access to your information
  • You can ask to correct your information if it's wrong
  • You can ask us to delete your information (the right to be forgotten), but only in certain cases
  • You can ask us to restrict how we use your information, but only in certain cases
  • You can ask us to help you move your information to other companies, but only in certain cases
  • You can object to us processing your information based on legitimate interests, but only in certain cases
  • You can object to processing your information in relation to direct marketing
  • You can ask us to stop using your personal information, but only in certain cases
  • You have the right to complain to the Information Commissioners Office (ICO)

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Data Security  

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We also require that our suppliers protect such information from unauthorised access and disclosure. Procedures are in place to deal with suspected data security breach and we will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

 

Type of personal data we collect about you includes:

We use this information for certain activities including to;

Legal ground for processing this data;

Information if you communicate with us such as your contact information, details of your communications with us; the details of our messages to you

•     Answer queries or concerns

  • In our legitimate business interest to
    • Understand public feedback and responding to communications
  • Where we have obtained your explicit consent

 

Information when you visit our site;

Title

Full Name

Home Address Contact Number

National Insurance

Date of Birth

Nationality

Employer Name

Identifications such as passport, driving licences

 

•     To allow site access

  • Legal Obligation – ATCSA
  • In our legitimate business interest to;
    • manage the security of nuclear sites and premises

Information obtained as a result of a criminal records check

•     complete our security checks,

•     comply with our regulatory obligations in relation to the Office of Nuclear Regulator (ONR)

Legal Obligation - ACTSA

Performance of the contract

In our legitimate business interest to;

required for individuals to work on our sites

ensure safety and security of nuclear sites and premises;

ensure the suitability of an individual in relation to relevant roles;

maintain appropriate records for the purposes of defending legal claims;

and in all cases is carried out only under the control of an official authority

Information we collect from your employer;

Your contact details

Health / Dosimetry/ Medical data

Identification information such as passports, driving licences etc,

Curriculum Vitae

•     to ensure personnel are suitably qualified and experienced for the work being carried out

 

 

  • Legal Obligation ATCSA, MSA, IANA
  • In our legitimate business interest to;
    • comply with relevant laws, regulations, industry codes and government instructions,
    • to resolve any complaints we may receive
    • maintain appropriate records for defending legal claims
    • Processing is necessary for purposes of preventative or occupational medicine, for assessment of your working capacity, medical diagnosis, or health or social care or treatment

Name, address,

Date of Birth

Payment / Benefits information

 

•     to ensure we can contact you

•     to ensure that you are paid

  • It’s necessary to perform our duties under a contract with your employer
  • In our legitimate business interest to;
    • maintain appropriate records for defending legal claims

 

Information about your role, workplace performance

•     which member of Magnox staff you report to

•     your role title

•     your attendance record

•     training skills and experience

  • In our legitimate interest to;
    • manage the performance of our workers
    • manage attendance at work

 

 

Working hours and arrangements

•     paying you correctly,

•     monitoring in line with legal requirements regarding working time

•     managing attendance,

•     day to day operational management

  • Legal obligation WTD
  • In our legitimate interest to;
    • manage working hours/ arrangements
    • ensure effective business operations
    • maintain appropriate records for defending legal claims

Training, skills and Qualifications

•     to facilitate, book and provide training;

•     ensuring you are appropriately; qualified and trained for current or potential roles;

  • Legal obligation NIA
  • In our legitimate interest to
    • ensure that workers have appropriate qualifications,
    • maintain appropriate records for defending legal claims

 

Information about your fitness for work; your attendance record,   dosimetry records,  drug and alcohol test results, work place assessments

•     Asses your fitness for work

•     compliance with health and safety requirements,

•     to make reasonable adjustment where necessary

 

  • Legal obligation - IRR
  • In our legitimate interest to
    • plan and manage work employees with health conditions,
    • maintain appropriate records for the purposes of defending legal claims,
  • Processing is necessary for purposes of preventative or occupational medicine, for assessment of your working capacity, medical diagnosis, or health or social care or treatment

Health and safety information which may contain identification of individuals

•     conducting risk assessments;

•     raising learning capture reports,

•     recording and investigating incidents and accidents,

•     establishing safety measures to mitigate identified risks;

•     providing a safe working environment;

•     sharing learning,

•     keeping required records

  • Legal obligation - HASAWA
  • In our legitimate interest to;
    • ensure individuals are able to perform their duties in a safe environment for the efficient operation of the business
    • maintain appropriate records for the purposes of defending legal claims,

 

CCTV footage

•     primarily for security purposes,

•      we may also use CCTV footage when investigating allegations of misconduct

 

  • Legal obligation – ATCSA
  • In our legitimate interest to;
    • deal effectively with allegations of misconduct
    • to maintain the security of our premises
    • maintain appropriate records for the purposes of defending legal claims,

Turnstile and security /access system

•     maintaining safe and secure sites /premises

•     to detect discrepancies /check for any inaccurate or potentially fraudulent time booked/charged

  • Legal obligation – ATCSA
  • In our legitimate interest to;
    • maintain security of our premises,
    • for audit and assurance purposes
    • maintain appropriate records for the purposes of defending legal claims,

Information provided to us in relation to business related driving; driving licenses

vehicle information,

insurance documentation,

 

•     ensure you are   permitted to drive

•     to ensure that adequate insurance in place

•     to ensure health and safety

  • Legal Obligation - RTA
  • In our legitimate interest to;
    • ensure the safety and security of individuals undertaking business related driving
    • maintain appropriate records for the purposes of defending legal claims,

 

Information we collect in our travel systems

•     to facilitate work related travel, accommodation,

•     to monitor usage for commercial negation purposes

 

  • In our legitimate interest to;
    • enable individuals to book travel and accommodation
    • to locate individuals if necessary for work or health and safety purposes
    • maintain appropriate records for the purposes of defending legal claims,

Information we collect in relation to our work/-related systems and equipment and technology, such as computers/ telephones phones/ internet / applications;/ Magnox People, email, Sharepoint, Lync, user inputted information etc

•     to allow you to access systems which allow you in the course of your role to contact and communicate with people internally and externally,

•     to identify the user or author,

•     to allow help desk services and support to be provided to users,

•     to audit IT applications,

•     to analyse   IT costs per user/location,

•     to monitor the security and integrity of our business communications systems (e.g. protection from hackers, malware, etc.),

•     to monitor inappropriate use and transfers

•     prevent excessive personal use of company resources

 

  • In our legitimate interest to;
    •  maintain operations, security and integrity of business systems,
    • allow business communications, provide an audit trail of work-related discussions / communications,
    • assist IT helpdesk teams to resolve user problems,
    •  to assess usage and efficiency of systems and providers,
    • to monitor inappropriate use of work systems, prevent excessive use of business resources for personal purposes,
    • maintain appropriate records for the purposes of defending legal claims,

 

Personal data contained within work products such as (e.g job related emails, internal directories, minutes of meetings, forms, checksheets, handover logs, documents, presentations, reports)

•     performance of job duties by you and your colleagues;

•     identifying the user or author

  • In our legitimate interest to ;
    • carry out the company business
    • maintain appropriate records for the purposes of defending legal claims,

 

 

ATCSA – Anti-Terrorism, Crime and Security

MSA – Modern Slavery Act

IANA - Immigration, Asylum and Nationality Act

WTD – Working Time Directive

NIA – Nuclear Installations Act, Site Licence Conditions

IRR – Ionising Radiation Regulation

HASAWA – Health and Safety at Work Act

RTA – Road Traffic Act