Personal information charter

How the Certification Officer uses information you provide, and the ways in which we protect your privacy.

Certification Officer: Privacy Policy and Data Protection Statement

Your rights relating to the use of your personal data changed in May 2018, with the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 coming into force.


This Privacy Statement explains how and why the Certification Office (“CO”) processes your personal data under these new laws. It covers personal data held manually, electronically and on the Certification Officer’s website which may be accessed via, If you have a query about this Privacy Statement please contact the Data Protection Officer at the contact details below.

How we use your personal data

The CO collects personal data about you to fulfil the legal functions the Certification Officer is charged to deliver under the Trade Union and Labour Relations (Consolidation) Act 1992. The CO holds personal information about you when you make a complaint, raise an issue with the Certification Officer or make enquiries. This is explained below.

Complaints & issues raised against a trade union.

If you make a complaint against a trade union to the Certification Officer, the details on your application form / letter /e-mail are kept on your complaint file (both electronically and manually) and retained by us for a period of three years after the conclusion of the complaint. At this point your details and any related correspondence will be destroyed. We retain your information for this period to allow for any appeals in a higher court and in accordance with our destruction policy. The CO asks you for personal information such as your name, e-mail address, postal address, postcode, job title, daytime and/or mobile phone number, and information about your union membership in order to progress any complaints / issues. You may also voluntarily provide us with personal information about any special needs you may have so that we can try to ensure our services meet your requirements.

General Enquiries

If you make an enquiry about any aspect of the Certification Officer’s power, the details that you provide, including your e-mail address if the enquiry is made via e-mail is retained for one year.

Financial Irregularities investigations

A financial irregularity investigation can be undertaken either leading from a complaint or the Certification Officer coming across information via other sources. Any information, including personal information, e.g. home address, bank statements etc, are kept on the relevant manual and electronic files. The files are retained for 3 years from the date of the final date of correspondence or date of ‘Findings Letter’.
Should an investigation lead to a prosecution, your information may be shared with other statutory bodies.

Making a Freedom of Information (FOI) or Subject Access Request

If you wish to make an FOI or Subject Access Request, your contact details and case history will be collected to process your request and stored for three years. If you wish to make a complaint to the Information Commissioner’s Office (ICO) regarding a decision on a FOI or Subject Access Request, the CO is legally obliged to share your case records, which includes personal data, with the ICO in order to progress your complaint. You may withdraw your complaint at any time.

Use of our website

When you visit our website, we collect your Internet Protocol (IP) address as a unique identifier. We also collect the following:

  • Data about how you use the Certification Officer’s Website,
  • Information about your computer (including your IP address and browser type),
  • Demographic data
  • If you visited the Website by clicking on a link from a different website, we collect the URL of that website
  • Information about your online activity, such as the pages you have viewed and the purchases you have made.

Data collected when you visit our website is covered under the Government Digital Services privacy policy which can be found from the following link

The Certification Officer’s website contains links to other websites, mainly other unions. These websites are not covered by this Privacy Statement and the CO is not responsible for the privacy practices within any of these other websites. You should be aware of this when you leave the website and we encourage you to read the privacy statements of other websites.

Sensitive Personal Information

Some of the information you provide may be sensitive personal data, such as medical information. We will only ever use such sensitive personal data where this is essential to provide advice or to provide one of our statutory services such attending a hearing. We may also use medical information you provide to make reasonable adjustments to help you access our services.

Confidentiality, storage and security of personal data

The CO views the confidentiality and privacy of those using its services as paramount. Any personal information you provide will be held securely, and your personal information will not be sold or traded to another organisation or company. In order to carry out our functions and respond to enquiries effectively, we may sometimes need to share information with Government Departments, law enforcement agencies, and public authorities (such as the Employment Tribunals Service). However, we will only do this where it is permitted by law. Where the CO might share personal data with an external company or service that we employ as part of our work, we will ensure that personal data that we may pass on to them will be held securely and used by them only to provide the services for which it was shared. The CO safeguards the information you provide using physical, electronic and management procedures on use of personal data. Personal electronic data is held in an HMG secure data centre in the UK. Back up services are also performed in a separate HMG Secure Data Centre in the UK.

Lawful basis for processing

Under data protection law, the Certification Officer must have a ‘lawful basis’ to justify the collecting, storing and use of personal data. Where sensitive personal data is used, the Certification Officer also needs to have a second lawful basis to justify the use of your sensitive data. The purpose of most activities where the CO processes personal data, relates to the Certification Officer’s legal duties under the Trade Union and Labour Relations (Consolidated) Act 1992. Our lawful basis for processing personal data is therefore that it is necessary “for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the data controller” (quoted from Article 6(1)(e) of the GDPR). Where we process sensitive personal data, our additional lawful basis to do this depends on the service that CO requires this for. For sensitive personal data that may be processed as part of the Certification Officers powers to investigate and/or prosecute and to respond to FOI and Subject Access Requests, our lawful basis is: “Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity” (Article 9(2)(f) of the GDPR).

Your rights under the data protection law

You have a right to request a copy of the information the CO holds about you and to have any inaccuracies corrected. You may also have the right to have your personal information erased; to restrict our use of your personal data; and object to our processing of your personal data. Please address requests (with a return e-mail address where possible) to

The Data Protection Officer
Certification Office
Lower Ground Floor
Fleetbank House
2-6 Salisbury Square
London EC4Y 8JX


The right to complain to the authority on the use of information, which in the UK is the Information Commissioner’s Office.

Information Commissioner's Office
Wycliffe House
Water Lane


Telephone: 0303 123 1113

Data transfers

Territories outside the European Economic Area (EEA) may not have laws which provide the same level of protection for personal information as those inside the EEA. However, if we process your personal information on servers or use third party service providers based in such territories, we will endeavour to ensure that your personal information is afforded the same level of protection as in the EEA.

Changes to this Privacy statement

If this privacy statement changes in any way, we will place an updated version on this webpage. If you do not agree with the changes we make please do not continue to use the website. Regularly reviewing this webpage ensure you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.