Personal information charter

How we treat your personal information and how to check what details we hold.

---

Intellectual
Property
Office

Overview

The Intellectual Property Office is responsible for operating and maintain the intellectual property system in the UK and for promoting the UKs interests in the development of the international Intellectual Property Rights system.

We provide advice and support to anyone wishing to protect their IP, such as a Patent, Trade Mark or Design and support enforcement by encouraging a shift in attitudes towards infringement and the enforcement of IP.

Find out more about the services we provide.

So that you can provide these services, we need to collect, use, store and sometimes share your personal information.

What personal information and data is

Personal data is information about a living person. It lets you identify them either:

• directly, for example, their name
• indirectly, for example, their email address

Personal data can include things such as:

• names
• identification numbers
• location data
• online usernames or ID
• data about health, genetics, economics, culture or social identity

Your personal data is protected by law. It protects how it is collected, used and stored.

When we need your information and data

When we need to collect, store or use your personal information, we will:

• have a good reason to do it and only ask for what we need
• do so in a fair and transparent way
• tell you why we need your information and how we’ll use it
• only use your information how we say we’ll use it, and not in a way you would not expect without asking/telling you first
• only keep what we need, and will not keep it for longer than we need
• make sure it’s accurate and up to date, and that nobody has access to it who should not
• keep it safe and secure

Give us accurate data and tell us when things change

Make sure the information you give us is accurate and let us know if it changes. For example, if you change your:

• name
• address
• telephone number

Your sensitive (special category) information

We follow extra rules when we collect, use and store more sensitive personal data. This is called ‘special category’ data. It includes things like race, ethnic origin, trade union membership, health and sexual orientation.

Criminal law enforcement

When we process personal data to enforce criminal law, we categorise individuals so that their role is clear, for example, witness, victim, suspect or convicted criminal.

We also say whether the information is opinion or fact and keep detailed logs of how we handle the data.

Reasons we can process your personal data

We can only process personal data for one or more of the following reasons:

• you’ve freely given your consent, it’s clear what you’re consenting to, and how you can withdraw your consent
• you’ve entered (or intend to enter) into a contract with us
• for legal reasons
• to protect someone’s ‘vital interests’ (a matter of life or death)
• to perform a public task or perform a specific task that’s in the public interest
• for our own or a third party’s legitimate interests - but only where the personal data is going to be used in ways that are reasonably expected and are not intrusive, or where there are compelling reasons to process it

These reasons are sometimes called ‘conditions’ or ‘legal bases’.

The reason we process your personal data affects the rights you have over it. We process data to meet our legal obligations and to perform public tasks.

Your rights over your personal data

By law, you have the right to:

• view your data - you can access your personal data free of charge and in digital format
• be informed - you should know and understand what happens with your data and why
• be forgotten - without a ‘compelling reason’ to keep your data, we must delete it
• move your data - you can obtain and reuse your personal data with other services
• limit how your data is used - you can block and put restrictions on how your data used, if it’s inaccurate or unnecessary
• say no - you can stop direct marketing and data processing when there’s no ‘compelling reason’ to do it
• make changes to your data - you can update any data about you that’s out of date or false, without delay
• human-made decision making - you can stop automated decisions being made about you, if it has legal or significant consequences

Contact our Data Protection Manager to use any of these rights.

Personal information rights at IPO
Data Protection Manager
Intellectual Property Office
Concept House
Cardiff Road
Newport
NP10 8QQ

Email dpo@ipo.gov.uk

Telephone 01633 814419

Monday to Friday, 8am to 4pm

What we do to keep your data safe and secure

When we introduce new technology or new policies and processes, we consider your privacy from the start. We’ll carry out a data protection impact assessment (DPIA) when it will help.

We always carry out a DPIA when we:

• use new technologies
• consider there is a high risk to your rights and freedoms

If a risk is found and we cannot find a way to reduce the impact or likelihood of the risk happening, we’ll ask the Department for Business, Innovation and Energy (as the department that oversees us) and the Information Commissioner for advice.

How to keep your data secure

We protect your personal data from unauthorised access, accidental loss, destruction and damage.

We carry out regular reviews and audits to make sure the way we collect, use and store personal data meets the security policy framework.

We also arrange for IT health checks and penetration testing to be carried out on our systems. This is done by independent CHECK approved individuals. These people:

• have a contract with us
• may have access to your personal data
• must follow our policy on the acceptable use of IT and communications equipment - they agree to do this before they carry out any work

We only transfer your personal data overseas if there are appropriate safeguards in place to protect it.

Training and guidance, we give to our staff

We train all our staff about the importance of protecting personal and other sensitive information.

All staff who join the IPO are required to undertake training as part of their induction and all staff must complete mandatory training at least every two years. This is supplemented by ongoing awareness and advice on matters relating to data protection matters that arise in our day-to-day activities

All civil servants have to follow the Civil Service code. This has 4 core values of integrity, honesty, objectivity and impartiality. These values apply to how we handle personal data.

Data breach notification

We do everything we can to keep your personal data secure.

We’ll tell the Information Commissioner’s Office straight away (and always within 72 hours) if we become aware of a data breach. We’ll do this if the breach creates a risk to your rights and freedoms, including:

• financial loss
• breach of confidentiality
• discrimination
• damage to your reputation
• significant social or economic damage

We’ll tell you straight away if we think there’s a high risk to you. We will:

• give you our data protection manager’s contact details
• explain the likely consequences of the breach
• tell you what measures we’ve taken or plan to address the breach, including any steps taken to limit potential damaging effects

If we cannot contact you directly, we’ll try to make you aware through other means, such as a public announcement.

Complain about how we’ve handled your data

Write to our data protection manager to complain about the way we’ve handled your personal data.

IPO data protection manager
Data Protection Manager
Intellectual Property Office
Concept House
Cardiff Road
Newport
NP10 8QQ

Email dpo@ipo.gov.uk

We’ll send you a full response within 10 working days. If we cannot respond fully in that time, we’ll tell you why and let you know when we can respond in full.

If you want to complain about our response

Complain to the Information Commissioner’s Office. They provide independent advice about data protection, privacy and data sharing issues.

Information Commissioner’s Office

Email: casework@ico.org.uk Telephone 0303 123 1113 Textphone 01625 545860

Privacy notices for our services and activities

Each of our services and activities has a privacy notice. It tells you:

• what personal data is collected, used and stored?
• how long the data is stored for
• why the personal data is collected?
• how the personal data is used

Most of our online services have a privacy notice link at the bottom of the service’s pages. If a service does not yet have a privacy notice link at the bottom of its pages, you can view it here.

• Social media
• Freedom of Information and Subject Access Requests
• Administration of IP Rights
• Contract and consent
• Consultation
• Visitors to Concept House
• Employees of organisations who are tenant at Concept House
• Register for a webinar or live broadcast event at the Intellectual Property Office
• Administrating support funding support to business (IP)
• Procurement Service
• Children

Forms

If you fill in an online or paper application form, there will be link to the relevant privacy notice with the form.

E-mails and letters

When you write to us, we’ll use your personal data to investigate the issue you’ve raised and send you a reply.

Email records are kept for 7 years. We do keep some for longer if the service or system has a policy that says it must be kept for longer.

If your email or letter is about something another government department or agency is responsible for, we will usually pass it to them to reply to you. We will tell you when this happens.

Freedom of Information and Environmental Information Regulations

When you request information under Freedom of Information rules or the Environmental Information Regulations, we may need to consult with other departments to give you a coordinated response.

If your request should have been sent to another organisation, we’ll reply and tell you who to send it to. We will not send your request to the other organisation for you.

Sometimes we need to share your request for information with other organisations who help us run our services. We will not share any information that identifies you.

We keep a record of your request for 5 years. We only keep it for longer if it’s necessary because of an ongoing issue.

Distribution lists

We keep several distribution lists to communicate with our stakeholders as part of our functions as a government agency, where you have given your consent or for legitimate interests.

Each list is only used for the purpose that the individuals on the list were told about at the time we collected their information or that you gave your consent for.

We allow you choose what updates to get and you can manage your preferences and subscribe at any time.

Research

To design services that are easy to use and valued by the people who need them, we need to understand their circumstances, influences and expectations. Research helps us understand this and whether the changes we make improve customer experiences.

The nature of the research determines what personal data is collected about you. When the research project has finished, we remove or anonymise all personal data from the records.

We publish the results of research on GOV.UK, but we make sure you cannot be identified in it.

When we do a research project, you’ll be told about its purpose, what personal data we collect about you, if it will be shared with any other organisation and if it will be combined with other data.

We will:

• rely on the ‘public task’ condition within the General Data Protection Regulation (GDPR) to contact you as part of the research project
• rely on the ‘legitimate interests’ condition within the GDPR to contact you as part of the research project

If you don’t want to take part in research, or if you originally said you wanted to, but have changed your mind and want to stop we will remove your details from our records.

If we do not carry out the research directly ourselves, we’ll share your personal data with research companies we have a contract with to do research for us.

Any other data sharing follows data protection law and includes sharing with law enforcement agencies where necessary to prevent or detect crime.

We keep your personal data in our systems, and the data is stored on UK or European Economic Area (EEA) servers.

When we share your data

We may share personal data within our organisation or with other bodies where we are permitted to do so by law.

In addition, the IP legislation requires us to make information in relation to applications for IP rights and registered rights available to the public. Some of this information, including names and addresses, is made available online.

There are some cases where we can pass on your data without telling you - for example, to prevent or detect crime, or in order to produce anonymised statistics.

In all cases, whether data is shared internally or externally, we will be governed by data protection law.

Public records

A small proportion of our records are transferred to The National Archives, in line with legal obligations for the collection, disposal and preservation of records.

The Public Records Act sets out which records are selected, transferred and preserved. Records defined as ‘public records’ must be openly accessible, unless they’re exempt under the Freedom of Information Act.