Guidance

Privacy notice for users and visitors to buildings managed by Engie on behalf of the Government Property Agency.

Published 12 February 2019

1. Your data

1.1 Purpose

The purposes for which we are processing your personal data are to provide a Total Facilities management Service for users and visitors. This means using personal data to:

• operate a helpdesk, Computer Assisted Facilities Management IT system and telephone line to take facilities management calls from users
• operate a Management Information System and to monitor performance and service failures (including complaints), and to provide reports to the contracting authority
• provide a reception service, including managing visitors and assisting with any disability / access issues, and first aid issues
• provide a security service, including CCTV, access control logs, security passes, out of hours records
• operate a switchboard service, mailroom and reprographics service
• maintain logs of health, safety and environment breaches and recordable accidents, incidents and near misses relating to the utilisation of all premises
• support disabled users and visitors, including maintenance of sufficient safe refuge areas for disabled persons, and advice on special needs and works that may be necessary to improve services and the premises for those with special needs
• operate a room bookings system, car parking booking system, and conference booking service
• provide catering and vending services, including processing staff payment information
• collect and use data from third party invoices, workers or contractors
• assist with accident or incident management, eye testing and disability workplace assessments
• provide a telecommunications service

1.2 The data

In providing services to users, the following data will be processed:

• name
• job title
• employer
• building location
• email address
• phone number
• nature of request or complaint

In addition:

In relation to security services:

• access log information
• information about access permissions
• staff data on passes including images
• information about alleged or actual criminal activity or misconduct
• CCTV images and video

In relation to support for disabled users and visitors:

• health data

In relation to management of accidents or incidents, and accident or near miss logs:

• health data

In relation to workplace assessments and eye tests:

• health data

In relation to visitors:

• name
• company
• who they visited
• time and date

In relation to catering and vending services:

• staff payment details

In relation to invoices and subcontractors:

• payments made
• employer
• nature of employment

1.3 Legal basis of processing

The legal basis for processing your personal data is:

For all data except CCTV and visitor logs:

• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case that is GPA’s role in delivering property and workplace solutions across government by managing central government property as a strategic asset
• it is necessary for the performance of a contract to which the data subject is a party (i.e. provision of contractual necessities to users as part of their employment contracts)

In relation to CCTV and visitor logs:

• it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, which in this case are the need to protect the security and integrity of users, their belongings and managed buildings

The legal basis for processing your sensitive health personal data is:

• it is necessary for the purposes of performing or exercising our obligations or rights as the controller, or your obligations or rights, under employment law

1.4 Recipients

Your personal data will be collected and held by Engie who provide the Total Facilities Management service, and with the Department for Business, Energy and Industrial Strategy whose systems are used to store and collect data.

1.5 Retention

Your personal data will be kept for the duration of the contract, which is 12 years.

Where personal data have not been obtained from you:

Your personal data were obtained by us from your employer.

2. Your rights

You have the right:

• to request information about how your personal data are processed, and to request a copy of that personal data
• to request that any inaccuracies in your personal data are rectified without delay
• to request that any incomplete personal data are completed, including by means of a supplementary statement
• to request that your personal data are erased if there is no longer a justification for them to be processed
• in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted
• to object to the processing of your personal data where it is processed for direct marketing purposes
• to object to the processing of your personal data

3. International transfers

All data will be stored in the European Economic Area.

4. Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

5. Contact details

The data controller for your personal data is the Cabinet Office. The contact details for the data controller are:

Cabinet Office
70 Whitehall
London
SW1A 2AS

Public Enquiries: Online Contact Form

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

The contact details for the data controller’s Data Protection Officer are: dpo@cabinetoffice.gov.uk