The Emergency Planning College/Serco Limited ("the EPC", "We" or "Us") is committed to ensuring that your personal information is protected and that we are being transparent about the information we hold about you.
When we handle personal data about you, we do so subject to the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 and any other applicable laws relating to the protection of personal data and the privacy of individuals (all as amended, updated or replaced from time to time).
Our website may provide links to third party websites. The EPC is not responsible for the conduct of third party companies linked to the website and you should refer to the privacy notices of these third parties as to how they may handle your personal information.
2. Who We Are
The Emergency Planning College (the EPC) is owned by the Cabinet Office and managed for and on their behalf by Serco Limited, with company number 00242246 and having its registered office at Serco House, 16 Bartley Wood Business Park, Bartley Way Hook, Hampshire, RG27 9UY.
When Serco and the Cabinet Office process your personal data, we are responsible for looking after and protecting your data (either independently or jointly). Serco is registered as a data controller with the UK’s Information Commissioner's Office and our registration number is Z574698.
3. Principles Of Data Protection
To help you understand how we handle your personal information more clearly, below is a summary of the privacy principles which guide how we use your personal information. These principles provide that personal data should be:
- used lawfully, fairly and in a transparent way;
- collected for lawful reasons that have been clearly explained to you;
- relevant to the purposes you have been told about and limited only to those purposes;
- kept accurate and up to date;
- shared only as has been explained to you, when you ask Us to or when legally required to;
- kept only as long as necessary for the purposes you have been told about; and
- kept securely and protected.
4. How Your Personal Data Is Collected
The circumstances in which we may collect personal data about you include when:
- the personal data is provided to Us by you (e.g. when you sign up to our mailing list or you contact us);
- the personal data is collected in the normal course of our relationship with you (e.g. when booking on a course with us);
- the personal data has been made public by you (e.g. contacting the EPC via a social media platform) or obtained from a publicly accessible source (e.g. Companies House);
- the personal data is received by Us from third parties (e.g. marketing agencies to which you subscribe, employers booking you on a course);
- the personal data is collected via our IT systems (e.g. our website, CCTV surveillance and cookies); and
- the personal data is created by us, such as records of your communications with the EPC.
6. Personal Data Collected
The personal data that you provide to Us or that is collected by Us is used for service and operational purposes, for example booking courses, processing payments, protecting yourself and others. The categories of personal information about you which we may collect, store and use include:
- Personal details: title, full name, business or home address, telephone numbers, email address, nationality, language/dialect spoken, job role, vehicle details, travel assistance requirements.
- Family and Friends Information: dependents and contact details.
- Public Identifiers: signatures, passport details, social media handles, photographs, video recordings (identifying physical characteristics) and any personal data collected through cookies.
- Financial Details: purchase transaction history, card payment details.
- Travel Information: travel and accommodation itinerary information.
- Correspondence: social media postings, general correspondence.
- Preferences: consents, permissions, or preferences that you have specified, such as whether you wish to subscribe to our mailing list or agree to our terms and conditions.
- Incident History: health and safety accidents, security incidents, accident information, complaints communications, insurance claims history.
- Sensitive Personal Data: health and medical information, racial or ethnic origin, religion.
- Website Access Details: your computer's unique identifier (e.g. IP Address), the date and time you accessed the website, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, passwords to access alerts preferences.
You do not have to provide your personal information to us. However, if you do not provide your personal information which we ask for we may not be able to: process any booking for you; or provide our services to you; or respond to enquiries that you may have.
7. Purposes And Use of Personal Data
The main purposes for using your personal information are (where applicable):
- to facilitate the delivery of the requested services (including updates) offered by the EPC;
- to provide function and event services;
- to exercise our legal rights with respect to our contract with you; and
- to improve and monitor the operation of our website.
We use information held about you in the following ways:
- to process your bookings;
- to inform you of similar training and services at the EPC in the future;
- to administer our records and website;
- to prevent unauthorised access and changes to systems;
- to improve the quality of service and ensure business policies are adhered to;
- to investigate incidents and detect and prevent crime;
- to provide a safe working environment;
- to promote our services and on occasion, conduct research; and
- to gather and provide information in the event of an audit or investigation by regulatory bodies.
In some cases, your personal information may be aggregated and anonymised where relevant to the service usage, performance, and delivery. This may be extracted and used by Us, Cabinet Office or our ‘third party’ providers (listed within section 12 below) for business purposes, which are aimed to review and improve the services We provide.
8. When Is Special Category Personal Data Collected And Used?
Special category personal information is particularly sensitive personal information as defined by the UK GDPR. We may from time to time request that you provide special category personal information or you may choose to share such information with us, such as details about specific medical conditions or dietary requirements.
Where we do collect and handle special category personal information, we will only handle that information in accordance with applicable law, including where:
- we have your explicit consent, including where you voluntarily provide Us with that information;
- the law permits Us to do so, to comply with our legal obligations or to exercise specific legal rights;
- you have clearly made the information public;
- processing is necessary for the establishment, exercise or defence of legal claims; or
- processing is necessary for reasons of substantial public interest.
9. Direct Marketing
We may use your personal information to send you updates (by email) about our services including exclusive offers, promotions or products that we believe will be of interest to you where you have consented to such communication.
We have a legitimate interest in processing your personal information for promotional purposes. This means we do not always need your consent to send you promotional communications. However, where consent is needed, we will ask for this separately and clearly.
You can subscribe to our marketing list by visiting https://www.epcresilience.com/communications-sign-up.
We will treat your personal information with the utmost respect and never sell your information for marketing purposes, or share with other organisations without your prior permission. We will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you.
Where applicable, you may opt out of receiving marketing communications by:
- using the unsubscribe option included on all the EPC marketing correspondence; or
- contacting us via the EPC website or sending us an email to firstname.lastname@example.org. Please ensure your correspondence is marked ‘Unsubscribe: Marketing Contact List’ and include your full name, email and telephone number to ensure your details are fully suppressed from our direct marketing system.
If you choose not to receive updates about our services, we will be unable to keep you informed of any new products, exclusive offers, events or promotions that may interest you.
We currently have closed circuit television (CCTV) operating on our premises for the primary legitimate purposes of: (i) public and staff safety and welfare; (ii) security; and (iii) crime prevention, detection and deterrence. For these reasons, the information processed may include visual images of personal appearance and behaviours of staff, guests and general members of the public who were in the immediate vicinity of the area under surveillance.
We display signs to inform visitors and staff that they are under surveillance and may be video recorded. This information is kept in secure environments and access is restricted to designated staff, and use shall be in compliance with the EPC security and privacy policies.
11. Legal Basis For Using Your Personal Information
We will only collect, use and share your personal information where we are satisfied that we have an appropriate legal basis to do so. The purposes for which we may use your personal data and the legal basis on which we may perform such processing are set out below.
- we have obtained your prior consent e.g. consent to receive marketing materials;
- we need to use your personal information to take steps before and after entering into a contract with you. For example we need your contact details when making a booking;
- to provide the services or information that you have requested from Us (e.g. processing or resolving any matters connected with your booking, handling operational issues or engagement with customer services);
- our use is necessary for complying with our legal obligations (e.g. in response to requests from government law enforcement authorities conducting an investigation or to comply with professional, legal and regulatory obligations that apply to our business e.g. health and safety obligation and requirements to ensure the safety and wellbeing of our workers and our customers (and any third parties) including where necessary for the purpose of safeguarding against the impact of a health-related issue (for example, coronavirus or some other epidemic, pandemic, or disease or outbreak), or in respect of any measures we are required to take from time to time during a national or international emergency);
- where it is necessary for our legitimate interests or those of a third party (to the extent that your interests and fundamental rights do not override those interests), such as:
- to provide the requested products and services to you;
- maintaining adequate booking records;
- to detect and protect against fraud and crime;
- to make sure we are following our own internal procedures so we can deliver the best services;
- promotional and market research purposes;
- for security and safety purposes;
- for monitoring service quality (including managing, facilitating and/or improving the provision of our services to you) and business procedure compliance;
- establishing, exercising or defending our legal rights in the event of a claim;
- monitoring operational efficiency of the website; and/or
- managing and operating our IT systems and ensuring security of those systems;
- for business development, management and analysis or quality assurance purposes such as improving efficiency, training and quality control of our products and services including the usage of anonymised data for reviewing attendance data and management data;
- for accounting and auditing purposes;
- to meet our contractual obligations under the EPC contract with the Cabinet Office (e.g. delivery of services commissioned by, or feedback/complaints etc. to, the Cabinet Office); and
- in connection with a business transaction such as merger, restructuring or sale of the business.
12. Sharing Your Personal Information With Others
We will only disclose personal information to a third party in very limited circumstances, where we are permitted or required to do so by law. The third parties to whom we provide your personal data include:
- other organisations within the Serco group of companies, where such disclosure is necessary to provide you with our services or to manage our business;
- third parties we use to help deliver our products and services to you, (e.g. banks and payment providers);
- third parties (e.g. our customers or the Cabinet Office) with which we have a contractual relationship related to delivery of the EPC training and other services;
- other third parties we use to help Us run our business, (e.g. marketing agencies, IT support service providers, analysis experts, communication platform providers);
- third parties approved by you e.g. when you request your details to be transferred;
- our professional advisers (e.g. law firms, insurers and brokers); and/or
- Government, regulatory and law enforcement bodies where we are required in order:
  - to comply with our legal obligations;
  - to exercise our legal rights (e.g. pursue or defend a claim); and
  - for the prevention, detection and investigation of crime.
We may transfer your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets, or in the event there is an operational or management change of the EPC. In such cases, we will take the appropriate steps to make sure that such transfer is in accordance with the applicable data protection law(s).
Less commonly, we may process and share your personal data where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent.
We also impose data protection obligations on contracted third parties to ensure they can only use your data to provide services to the EPC for the purposes listed above. These third parties cannot pass your details onto any other parties unless instructed by the EPC or they are also acting as a data controller, in which case they are responsible for ensuring compliance with data protection laws.
13. Transferring Your Personal Information Globally
We (and our subcontractors who operate to deliver the services to you on our behalf) do not currently transfer, store or otherwise process personal data outside the United Kingdom (UK). However, if Our or the Cabinet Office’s business needs change or the services require processing outside of the UK, we take appropriate steps to ensure that transfers of personal data are in accordance with applicable law and carefully managed to protect your privacy rights and interests.
Where personal data needs to be transferred to, and stored at, or processed/accessed from, a destination outside the UK or the European Economic Area ("EEA") (for example, in the USA), our standard practice is to:
- Put in place binding corporate agreements, which will include the relevant adopted standard contractual clauses for transferring personal information outside the UK or EEA, to ensure that your information is safeguarded.
- Ensure that the country in which your personal information will be handled has been recognised as providing an adequate level of legal protection, or where we are satisfied that alternative arrangements are in place to protect your privacy rights.
- Carefully validate any requests for information from law enforcement or regulators before disclosing the information.
We will co-operate with any regulators as required by law to ensure that we remain transparent about the way we handle your personal information.
If you would like further information about the handling of your personal information, please contact us at email@example.com.
14. Security of Your Personal Information
The EPC takes precautions including administrative, technical and physical measures to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, modification, disclosure, alteration and destruction. We protect electronic data using a variety of security measures including (but not limited to), where applicable:
- password access;
- data back-up;
- placing confidentiality requirements on employees and service providers and providing training to ensure that your personal data is handled correctly;
- destroying or permanently anonymising personal information if it is no longer needed for the purposes it was collected; and
- secure physical storage units for hard copy files with appropriate security restrictions, preventing damage, and unauthorised access to your personal information.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted by you to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
15. How Long Do We Keep Your Personal Information?
Listed below are the general criteria we use to determine how long we will keep your personal information, whereupon we will either delete or anonymise the data:
- We will continue to keep your personal information while we are providing goods and services, or if we have an ongoing relationship with you (e.g. you hold an account with us, we are delivering a contract, you are a supplier to Us or you have an ongoing complaint).
- When you register to receive updates about our services, we will retain these details until you notify us that you no longer wish to receive such communications (e.g. unsubscribing) (please refer to section 9 above).
- We retain CCTV recordings centrally for up to 28 days, and for a longer period if they are relevant to an incident, complaint, investigation, legal proceedings or for as long as legally required by regulatory bodies and law enforcement agencies.
- We will retain purchase orders, invoices and receipts for six (6) years (where the information is no longer needed or the six (6) years have passed, we will ensure that it is disposed of in a secure manner).
- We will retain contracts for a minimum of six (6) years (unless it is required for a longer period).
- We will retain course / event information as part of an archive for as long as necessary to provide evidence for requests which may be made by regulatory bodies and law enforcement agencies or you ask for them to be removed from the archive.
- We will retain general correspondence and papers (including emails) received by Us (excluding complaints and investigations) for 6 years.
In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with contractual, legal, regulatory, tax or accounting requirements.
16. Your Legal Rights In Respect of Your Personal Information
You have legal rights in connection with personal information. Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Portability of the personal information you provided us, in certain situations.
- Request erasure of your personal information. This enables you to ask Us to delete or remove personal information where there is no good reason for Us continuing to process it. You also have the right to ask Us to delete or remove your personal information where you have exercised your right to object to processing.
- Object to processing of your personal information by Us or on our behalf for direct marketing (including profiling) and in certain other situations (such as processing carried out for legitimate interests).
- Request the restriction of processing of your personal information. This enables you to ask Us to suspend the processing of personal information about you, for example if you want Us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
- Withdraw consent to processing where the legal basis for processing is solely justified on the grounds of consent (please refer to section 9 for details about withdrawing consent to marketing).
If you would like to exercise any of these rights, please submit your requests to the Data Protection Champion:
Data Protection Champion, The Emergency Planning College, The Hawkhills, Easingwold, York, YO61 3EG.
Please note, to ensure security of personal information, we may ask you to verify your identity before proceeding with any such request. We may also charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
Subject to legal and other permissible considerations, we will make every effort to honour your request promptly or inform you if we require further information in order to fulfil your request. We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we have to others, or if we are legally entitled to deal with the request in a different way.