The Emergency Planning College ("The EPC", "we" or "us") is committed to ensuring that your personal information is protected and that we are being transparent about the information we hold about you.
2. Who We Are
The Emergency Planning College (The EPC) is owned by the Cabinet Office and managed on their behalf by Serco Limited, with company number 00242246 and having its registered office at Serco House, 16 Bartley Wood Business Park, Bartley Way Hook, Hampshire, RG27 9UY.
3. Principles Of Data Protection
To help you understand how we handle your personal information more clearly, below is a summary of the privacy principles which guide how we use your personal information. These principles provide that personal data should be:
- used lawfully, fairly and in a transparent way;
- collected for lawful reasons that have been clearly explained to you;
- relevant to the purposes you have been told about and limited only to those purposes;
- kept accurate and up to date;
- shared only as has been explained to you, when you ask us to or when legally required to;
- kept only as long as necessary for the purposes you have been told about; and kept securely and protected.
Our website may provide links to third party websites. The EPC is not responsible for the conduct of third party companies linked to the website and you should refer to the privacy notices of these third parties as to how they may handle your personal information.
4. How Your Personal Data Is Collected
The circumstances by which we may collect personal data about you includes when:
- the personal data is provided to us by you (e.g. when you sign up to our mailing list);
- the personal data is collected in the normal course of our relationship with you (e.g. when booking on a course with us);
- the personal data has been made public by you (e.g. contacting The EPC via a social media platform) or obtained from a publicly accessible source (e.g. Companies House);
- the personal data is received by us from third parties (e.g. marketing agencies to which you subscribe, employers booking you on a course);
- the personal data is collected via our IT systems (e.g. our website, CCTV surveillance);
- and the personal data is created by us, such as records of your communications with The EPC.
6. Personal Data Collected
The categories of personal information about you which we may collect and use includes:
- Personal details: title, full name, business or home address, telephone numbers, email address, nationality, language/dialect spoken, job role, vehicle details, travel assistance requirements.
- Family and Friends Information: dependents and contact details.
- Public Identifiers: signatures, passport details, social media handles, photographs, video recordings (identifying physical characteristics).
- Financial Details: purchase transaction history, card payment details.
- Travel Information: travel and accommodation itinerary information.
- Correspondence: social media postings, general correspondence.
- Preferences: consents, permissions, or preferences that you have specified, such as whether you wish to subscribe to our mailing list or agree to our terms and conditions.
- Incident History: health and safety accidents, security incidents, accident information, complaints communications, insurance claims history.
- Sensitive Personal Data: health and medical information, racial or ethnic origin, religion.
- Website Access Details: your computers unique identifier (e.g. IP Address), the date and time you accessed the Website, passwords to access alerts preferences.
7. Purposes And Use of Personal Data
The main purposes for using your personal information is (where applicable):
- to facilitate the delivery of the requested training, exercising and/or advisory services;
- to provide function and event services; and
- to improve and monitor the operation of our website.
We use information held about you in the following ways:
- to process you bookings;
- to inform you of similar training and services at the The EPC in the future;
- to administer our records and website;
- to prevent unauthorised access and modifications to systems;
- to improve the quality of service and ensure business policies are adhered to;
- to investigate incidents and detect and prevent crime;
- to provide a safe working environment;
- to promote our services and on occasion, conduct research; and
- to gather and provide information in the event of an audit or investigation by regulatory bodies.
8. When Is Special Category Personal Data Collected And Used?
Special category personal information is particularly sensitive personal information as defined by the GDPR. We may from time to time request that you provide special category personal information or you may choose to share such information with us, such as details about specific medical conditions or dietary requirements.
Where we do collect and handle special category personal information, we will only handle that information in accordance with applicable law, including where:
- we have your explicit consent – including where you voluntarily provide us with that information.
- the law permits us to do so, to comply with our legal obligations or to exercise specific legal rights;
- you have clearly made the information public;
- processing is necessary for the establishment, exercise or defence of legal claims; or
- processing is necessary for reasons of substantial public interest.
9. Direct Marketing
We may use your personal information to send you updates (by email, telephone or post) about our services including exclusive offers, promotions or products that we believe will be of interest to you.
We have a legitimate interest in processing your personal information for promotional purposes. This means we do not always need your consent to send you promotional communications. However, where consent is needed, we will ask for this separately and clearly.
You can subscribe to our marketing list by visiting http://www.epcresilience.com.
We will always treat your personal information with the upmost respect and never sell your information for marketing purposes, or share with other organisations without your prior permission.. We will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you.
Where applicable, you may opt out of receiving marketing communications by:
- using the unsubscribe option included on all The EPC marketing correspondence; or
- sending us an email to firstname.lastname@example.org. Please ensure your correspondence is marked ‘Unsubscribe: Marketing Contact List’ and include your full name, email and telephone number to ensure your details are fully deleted from our direct marketing system.
We currently have closed circuit television (CCTV) operating on our premises for the primary legitimate purposes of: (i) public and staff safety; and (ii) crime prevention, detection and deterrence. For these reasons, the information processed may include visual images of personal appearance and behaviours of staff, guests and general members of the public who were in the immediate vicinity of the area under surveillance.
We display signs to inform visitors and staff that they are under surveillance and may be video recorded. This information is kept in secure environments and access is restricted to designated staff and use shall be in compliance with the The EPC security and privacy policies.
We retain CCTV recordings centrally for up to 28 days, and for a longer period if they are relevant to an incident, complaint, investigation, legal proceedings or for as long as legally required by regulatory bodies and law enforcement agencies.
11. Legal Basis For Using Your Personal Information
Data protection and privacy laws requires companies to have a “legal basis” or “lawful ground” to collect and handle your personal information. We will only collect, use and share your personal information where we are satisfied that we have an appropriate legal justification to do this.
- we have obtained your prior consent;
- we need to use your personal information to take steps before entering into a contract with you. For example we need your contact details when making a booking;
- our use is necessary for the complying with our legal obligations;
- where it is necessary for our legitimate interests or those of a third party (to the extent that your interests and fundamental rights do not override those interests), such as:
- to provide the requested products and services to you;
- maintaining adequate booking records;
- to detect and protect against fraud and crime;
- to make sure we are following our own internal procedures so we can deliver the best services;
- promotional and market research purposes;
- for security and safety purposes;
- for monitoring service quality and business procedure compliance;
- establishing, exercising or defending our legal rights in the event of a claim;
- monitoring operational efficiency of the website; and/or
- managing and operating our IT systems and ensuring security of those systems.
12. Sharing Your Personal Information With Others
We will only disclose personal information to a third party in very limited circumstances, or where we are permitted to do so by law. The third parties to whom we provide your personal data include:
- other organisations within the Serco group of companies, where such disclosure is necessary to provide you with our services or to manage our business;
- third parties we use to help deliver our products and services to you, (e.g. banks and payment providers);
- third parties with which we have a contractual relationship related to delivery of The EPC training and other services;
- other third parties we use to help us run our business, (e.g. marketing agencies, IT support service providers, analysis experts, communication platform providers);
- third parties approved by you e.g. when you request your details to be transferred;
- our professional advisers (e.g. law firms, insurers and brokers); and/or
- Government, regulatory and law enforcement bodies where we are required in order:
- to comply with our legal obligations;
- to exercise our legal rights (e.g. pursue or defend a claim); and
- for the prevention, detection and investigation of crime.
We also impose data protection obligations on contracted third parties to ensure they can only use your data to provide services to The EPC for the purposes listed above. These third parties cannot pass your details onto any other parties unless instructed by The EPC.
13. Transferring Your Personal Information Globally
If you would like further information about the handling of your personal information, please contact us at email@example.com.
14. Security of Your Personal Information
The EPC takes precautions including administrative, technical and physical measures to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, modification, disclosure, alteration and destruction. We protect electronic data using a variety of security measures including, where applicable:
- password access;
- data back-up;
- placing confidentiality requirements on employees and service providers and providing training to ensure that your personal data is handled correctly;
- destroying or permanently anonymising personal information if it is no longer needed for the purposes it was collected; and
- secure physical storage units for hard copy files with appropriate security restrictions, preventing damage, and unauthorised access to your personal information.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted by you to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access
15. How Long Do We Keep Your Personal Information?
In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with contractual, legal, regulatory, tax, accounting requirements.
16. Your Legal Rights In Respect of Your Personal Information
You have legal rights in connection with personal information. Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Portability of the personal information you provided us, in certain situations.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
- Object to processing of your personal information by us or on our behalf for direct marketing (including profiling) and in certain other situations (such as processing carried out for legitimate interests).
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
- Withdraw consent to processing where the legal basis for processing is solely justified on the grounds of consent (please refer to section 9 for details about withdrawing consent to marketing).
If you would like to exercise any of these rights, please submit your requests to the Data Protection Champion:
Data Protection Champion,
The Emergency Planning College
Telephone: 01347 821406
Please note, to ensure security of personal information, we may ask you to verify your identity before proceeding with any such request.
17. Data Protection Officer
Data Protection Officer
18 Bartley Wood Business Park
Alternatively, please email firstname.lastname@example.org or call +44 (0)1256 745900.
You also have the right to contact the Information Commissioner’s Office and file a complaint. (https://ico.org.uk/concerns/ or telephone: 0303 123 1113). The Information Commissioner’s Office will then investigate your complaint accordingly.