Personal information charter
How the Certification Officer uses information you provide, and the ways in which we protect your privacy.
Certification Officer: Privacy Policy and Data Protection Statement
Exemption
This privacy notice does not apply to personal data collected and used by the Certification Officer, and any officials supporting her, when she is acting in her judicial capacity. Article 14 of the Data Protection Act 2018 contains an exemption in respect of judicial proceedings. Article 14 (2) provides that the “listed UK GDPR provisions do not apply to personal data processed by (a) an individual acting in a judicial capacity or (b) a court or tribunal acting in its judicial capacity.” The Certification Officer acts in a judicial capacity when determining complaints made by process your personal data. It covers personal data, in any format, that the CO may collect, use and retain.
The CO collects, uses and holds personal information about you when you make a complaint, raise an issue or submit an enquiry.
If you have a query about this Privacy Statement please contact the Data Protection Officer via info@certoffice.org
About Personal Data
Personal data is information that relates to a living individual who can be identified from that information. It can include your name, address or telephone number and also more sensitive data like medical history, ethnicity or trade union membership.
We recognise how important it is to protect the privacy of all Certification Officer customers. We will safeguard your personal data and will only disclose it when it is lawful to do so.
How we use your Personal Data
The CO collects personal data about you to discharge her statutory duties set out in the Trade Union and Labour Relations (Consolidation) Act 1992.
This data will usually be collected from you, your representative or your union.
1. Complaints raised against a trade union
If you make a complaint about a trade union, the CO will ask you for personal information such as your name, contact details and information about your union membership.
We retain your personal data for a period of two years after the conclusion of the complaint or at the end of any appeal process in a higher court. At this point your details and any related correspondence is destroyed. It is kept for this period in accordance with our records retention policy. Our retention periods are driven by legislation and/or business need. We assign clearly defined retention periods to information held by us to ensure it is kept for the appropriate length of time.
2. Financial Irregularities
Your personal information may be collected in the course of an investigation into alleged financial irregularities and kept for at least two years. Where an allegation of financial irregularities is found to be substantiated your data will be retained for six years from the date of the final date of correspondence or date of ‘Findings Letter’. At this point all correspondence is destroyed. It is kept for this period in accordance with our records retention policy. Our retention periods are driven by legislation and/or business need. We assign clearly defined retention periods to information held by us to ensure it is kept for the appropriate length of time.
Should during an investigation we have grounds to suspect that a criminal offence may have been committed, or we consider that the matter may be relevant to another statutory body; your information may be shared with them.
3. General Enquiries
If you make an enquiry about any aspect of the CO power, the details that you provide, including your e-mail address if the enquiry is made via e-mail is retained for up to two year.
4. Making a Freedom of Information (FOI) or Subject Access Request
If you make a request under the Freedom of Information Act, or a Subject Access Request, your personal information will be collected in order to process your request and stored for two years.
If you wish to make a complaint to the Information Commissioner’s Office (ICO) regarding a decision on a FOI or Subject Access Request case, the CO is legally obliged to share your case records, which includes personal data, with the ICO.
5. Use of our website
Our website is hosted by the Government Digital Services (GDS). When you visit our website, GDS collect your Internet Protocol (IP) address as a unique identifier. They also collect the following:
- Data about how you use the Certification Officer’s Website;
- Information about your computer (including your IP address and browser type);
- Demographic data;
- If you visited the Website by clicking on a link from a different website, we collect the URL of that website; and
- Information about your online activity, such as the pages you have viewed and the purchases you have made.
Data collected when you visit our website is covered under the Government Digital Services privacy policy which can be found from the following link https://www.gov.uk/help/privacy-policy. You may opt out of receiving News alerts at any time.
The Certification Officer’s website contains links to other websites, mainly other unions. These websites are not covered by this Privacy Statement and the CO is not responsible for the privacy practices within any of these other websites. You should be aware of this when you leave the website and we encourage you to read the privacy statements of other websites.
Special Category Data (Sensitive Personal Information)
Some of the information you provide may be personal data that is particularly sensitive, such as trade union membership, ethnicity or medical information. We will only ever use such sensitive personal data where this is essential to provide advice or to provide one of our statutory services such as attending a hearing. We may also use medical information you provide to make reasonable adjustments to help you access our services (for example, to arrange disabled access to a CO site).
When we ask for your personal data we:
- Will ask only for the personal data we need and not collect information that is irrelevant and excessive.
- Will protect it and make sure no unauthorised person has access to it.
- May share it with other organisations but only where necessary and permitted by law.
Who the information may be shared with
The information you provide will typically be shared with the other parties involved in a case, including their legal representative and the CO’s legal advisers (Government Legal Department).
Where we are required to share personal data, we will comply with all aspects of rules, including data protection laws. The categories of organisation with whom we may be required to share your personal data may include other public bodies within the UK, providers of transcription services, etc.
Unless otherwise agreed, CO’s hearings are held in public, so if information you give is referred to at a hearing then it may become public in that way. Media representatives or other persons can attend and report on public hearings, unless the CO orders otherwise.
Confidentiality, storage and security of personal data
The CO views the confidentiality and privacy of those using its services as paramount. Any personal information you provide will be held securely, and your personal information will not be sold or traded to another organisation or company.
In order to carry out our functions and respond to enquiries effectively, we may sometimes need to share information with government departments, law enforcement agencies, and other public authorities (such as the Employment Appeals Tribunal Service). However, we will only do this where it is permitted by law.
Where the CO shares personal data with an external company or service that we employ as part of our work, we will ensure that personal data that we may pass on to them will be held securely and used by them only to provide the services for which it was shared.
Personal electronic data is held in an HMG secure data centre in the UK. Back up services are also performed in a separate HMG Secure Data Centre in the EU.
Purpose and Lawful basis for processing
Under data protection laws (DPA 2018 and UK GDPR), the Certification Officer must have a ‘lawful basis’ to justify the collecting, storing and use of personal data. Where sensitive personal data is used, the Certification Officer also needs to have a second lawful basis to justify the use of your sensitive data.
The purpose of most activities where the CO processes personal data, relates to the CO’s legal duties under the Trade Union and Labour Relations (Consolidated) Act 1992.
Our lawful basis for processing personal data is therefore that it is necessary “for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the data controller” (quoted from Article 6(1)(e) of the UK GDPR).
For sensitive personal data that may be processed as part of the CO’s powers to investigate and/or prosecute and to respond to FOI and Subject Access Requests, our lawful basis is:
“Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity” (Article 9(2)(f) of the UK GDPR).
Your rights under the data protection law
You have a right to request a copy of the information the CO holds about you and to have any inaccuracies corrected.
You may also have the right to have your personal information erased; to restrict our use of your personal data; and object to our processing of your personal data.
Please address requests (with a return e-mail address where possible) to
The Data Protection Officer - E-mail: info@certoffice.org
The right to complain to the authority on the use of information, which in the UK is the Information Commissioner’s Office.
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
E-mail: casework@ico.org.uk
Data transfers
Territories outside the European Economic Area (EEA) may not have laws which provide the same level of protection for personal information as those inside the EEA. However, if we process your personal information on servers or use third party service providers based in such territories, we will endeavour to ensure that your personal information is afforded the same level of protection as in the EEA.
Changes to this Privacy statement
If this privacy statement changes in any way, we will place an updated version on this webpage. If you do not agree with the changes we make please do not continue to use the website. Regularly reviewing this webpage ensure you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.
Last updated 31 December 2021