Better Health at Work Award Privacy Notice
At the BHAWA we respect everyone’s right to privacy, and value the trust you place in us by sharing your data with us.
We are committed to:
- collecting and using your data in a way that you would reasonably expect, in line with relevant data protection / privacy legislation
- providing you with clear and transparent information about how we use your personal data, what we use it for and what your rights are in relation to this
- only using your data for the purposes described in this document.
This notice explains:
- what personal data we collect about you and the lawful basis for this
- how we use this data
- how long we keep the data
- who we share your data with
- how we protect your data
- your rights, and how to enact them in relation to the personal data we hold about you.
This privacy notice applies to everyone who shares personal data with the Better Health at Work Award team. It is important you read and understand this notice so you are aware of how and why we use your data.
About the Better Health at Work Award
The Better Health at Work Award is a funded project established to deliver a public health workplace programme on behalf of NEPO and Newcastle City Council.
The Council is the ‘controller’ of the data collected about you - ie they are responsible for deciding how we collect and manage your personal data. They are registered as a data controller with the Information Commissioner's Office.
If you have any queries about how we gather, and use your personal data then you can get in touch with our data protection officer via email on firstname.lastname@example.org (please put ‘for the attention of the data protection officer’ in the subject line of your email) or by post at:
Data Protection Officer
Trades Union Congress
Great Russell Street
Your privacy rights
You have a number of rights (although not all are absolute rights and some may be subject to a few legal exemptions) relating to your personal data. You have the right to:
- be informed about the collection and use of your personal data (e.g. in this privacy notice)
- object to the processing of your data where we are relying on our legitimate interests as the legal basis for processing
- withdraw your consent at any time
- ask us to change incorrect or incomplete data
- ask us to delete your personal data where it is no longer necessary for us to use it, when you have withdrawn consent, or where we have no lawful basis for keeping it
- ask us to restrict the personal data we use about you where you have asked for it to be deleted or where you have objected to our use of it
- ask us to provide you or a third party with some of the personal data we hold about you in a structured, commonly used, electronic form, so it can be easily transferred
- request access to a copy of your personal data, along with information on what personal data we use, why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making. You can make a request free of charge by contacting our Data Protection Officer in writing at the address above. Please provide us with evidence of your identity
- not be subject to a decision based solely on automated processing, including profiling
- make a complaint to us about how we have used your personal data.
To learn more about these rights please see the Information Commissioner’s Office website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
If you would like to exercise any of these rights, please contact the data protection officer by post or email as detailed above. We will need to ask you to confirm your identity before we can deliver on a number of these rights.
The personal data that you supply with your enquiry/complaint may be retained by us for the purposes of processing your enquiry/complaint, and for statistical and audit purposes and will be stored in accordance with our standard procedures.
If you believe that we have not complied with your data protection rights, you can complain to the Information Commissioner’s Office (the regulator for privacy and data protection legislation). The Information Commissioner’s Office (ICO) can be contacted at:
Information Commissioner’s Office
Tel: 0303 123 111
What do we do with the information you give us?
We need to collect and process personal data relating to lead organisational contacts, anyone who registers for and/or undertakes health advocate or other associated BHAWA training, and anyone that is featured in a case study to promote the scheme. This information is used to:
- register your organisation with the award scheme
- register you on a course
- communicate with you about the scheme and/or attending courses
- organise any tailored requirements you have for attending courses such as access requirements
- make a record of your attendance to fulfil our contract with the funder
- manage a contracting relationship with you (e.g. external trainers/ service providers)
- retain a central approved attendees record for emergency situations
- create a case study for our website
- promote learning/CPD opportunities
- distribute e-newsletters and relevant communication materials for those that have opted in to receive such marketing
We may be required to transfer your data outside the European Economic Area. The information you provide is held securely by us and/or our data processors (whether the information is held in an electronic or physical format).
What information do we need to collect from you?
We only collect information that we need to contact you appropriately with regards to BHAWA processes and protocols, ie. Workplace registration/ assessment submission receipt and notification and to manage your registration and attendance at award events/courses and fulfil contract requirements with our funder.
The information we collect could include:
- your name, and contact details, including postal (workplace) and email address, and telephone number(workplace)
- photograph (for case studies / promotional purposes)
- your employer and position
- any accessibility requirements
- information about your work and/or health history to form a case study
- your IP address and how you use our website, captured via Google Analytics
- data on how you respond to emails that we send you
- your image as part of filmed or photographed records of events / case studies
- your social media identity if you ‘opt in’ to the BHAWA closed facebook page
We collect this information from:
- you (if you register yourself)
- your company or sponsoring organisation (if your company or sponsoring organisation registers you)
Data is stored in the TUC’s IT systems (e.g. the TUC’s staff email system and server), in our project website, in survey software (currently SurveyMonkey), in TUC’s email marketing provider (currently Mailchimp) and in our social media platform (currently Facebook). Some data is also stored in hard copy as back-up in a secure setting.
Why do we need to process your personal data?
We process your data under the ‘contract’ lawful basis for processing, for the following purposes:
- to register you and your organisation with the award
- to register you for your course
- to send you information by email to help make your course a successful experience for you
- to respond to queries about your registration and attendance
- to ensure there are reasonable adjustments in place to facilitate your participation at the course (eg in relation to access requirements)
- to fulfil our contract obligations with the funder
In some cases, we need to process data to ensure we are complying with our legal obligations, which are binding on us. We only do this when strictly necessary. We also process your data to respond to and defend against legal claims.
We have a legitimate interest in processing certain personal data. Processing your data under legitimate interest allows us to:
- take photos of groups of people at events to use during and after the event.
- to publish your name and employer in the list of attendees at events
- to seek your feedback on courses/events
- analyse the performance of our online communications about the award, with a view to tailoring communications to be more relevant to different users
- understand opinions voiced about the award scheme online and on social media
Where we rely on our legitimate interests as a reason for processing data, we have considered whether or not those interests are overridden by the rights and freedoms of registrants/attendees and have concluded that they are not.
The following are examples of where we use consent to process your data:
- Update you by email about the award scheme (via email or social media)
Some special categories of personal data, such as information about health or medical conditions, are processed to carry out our obligations in relation to assessment requirements, eg. provision and production of case studies, which require express individual and workplace consent before being shared.
Where we process other special categories of data, such as information about ethnic origin, disability, age, gender identity, sexual orientation and gender, this is for diversity monitoring purposes and is collated workplace data that does not identify individuals. Data that we use for these purposes is separated from your contact details for analysis. You are entirely free to decide whether or not to provide this data and there are no consequences of deciding not to supply the data.
Where we obtain information concerning certain “special categories” of sensitive data such as health information, extra protections apply under the data protection legislation. We will only process this data by your consent, unless we can lawfully process it for another reason permitted by the legislation. You have the right to withdraw your consent to the processing at any time by notifying us in writing.
Who has access to your data?
If you are a delegate we may share your data with your employer, trainer, venues in order to ensure that we meet any security, health and safety and access requirements.
We also share your data with third parties that process data on our behalf as listed below.
Your data may be transferred outside the European Economic Area (EEA) where we have satisfied ourselves that the appropriate safeguards are in place. By submitting your personal data you agree that we may transfer, store and process your information outside of the European Economic Area.
We may need to disclose your information to regulatory bodies, government bodies, or law enforcement agencies. This will be upon request only, and only when required to do so in order to satisfy legal obligations which are binding on us.
How do we protect your data?
We take the security of your data seriously. We have policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by relevant staff or agencies in the proper performance of their duties.
Access to systems that contain personal data are restricted by role and the systems are password protected.
We have a number of data processors involved in processing personal data in relation to the award scheme. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do so in writing. They are obliged to implement appropriate technical and organisational measures to ensure the security of your data. They will not share your personal information with any organisation apart from us. They will only retain your data for the period we instruct.
Mneumonix IT Consultants
28 Sutton Street
If you make an enquiry via the website any contact details you enter are captured and held in order for us to respond to you/ follow-up appropriately.
If you opt in, your email address is contained within the Mailchimp system in order for us to deliver communications about relevant health and wellbeing topics and the award. Here is a link to their privacy notice: https://mailchimp.com/legal/privacy/
If you opt in, your name is contained in our Facebook site which promotes the award. Here is a link to their privacy notice:
How long do we keep your data?
We do not retain your data for longer than is necessary. Our retention periods are:
For the life of the contract award with the funder
Photographs of groups of attendees at award events
For the life of the contract award with the funder
For the life of the contract award with the funder
Mailing list or social media registration
You control when you want to unsubscribe from a mailing list or site
Do we use automated decision-making tools?
Currently no decisions about the Better Health at Work Award activity involves automated decision-making.
Changes to this policy
We keep our privacy notice under regular review. Any changes we make to our privacy notice will be advertised through appropriate channels (e.g. Better Health at Work Award website).
This policy was last updated on August 14th 2018.