Statutory guidance

Sellafield Ltd Privacy Statement

Updated 21 October 2022

© Crown copyright 2022

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/sellafield-ltd-privacy-statement/sellafield-ltd-privacy-policy

1. 1. General information

Sellafield Ltd are committed to protecting the privacy and security of your personal information.

This privacy notice tells you what to expect Sellafield Ltd to do with your personal information.

We are registered as a data controller with the Information Commissioner’s Office (ICO). Our registration number is Z4738652.

This means that we are responsible for deciding how we hold and use personal information about you.

We are required under data protection legislation to notify you of the information contained in this privacy notice.

It is important that you read this notice, together with any other privacy notice we may provide when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

2. 2. Data Protection Principles

We will comply with data protection law.  This says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
  3. Relevant to the purposes we have told you about and limited only to those purposes
  4. Accurate and kept up to date
  5. Kept only as long as necessary for the purposes we have told you about
  6. Kept securely

We will tell you:

  • the legal basis we rely on to process your information
  • why we process your information
  • how long we keep it for
  • whether we share the information with other organisations and where we intend to transfer it to another country
  • whether we use automated decision-making or profiling against the information you provide to us

3. What type of information we have:

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymised data).

There are certain types of more sensitive personal data (special category data) which require a higher level of protection, such as information about a person’s health or criminal convictions. We may collect, store, and use the following categories of personal information about you:

  • personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
  • date of birth
  • gender
  • marital status and dependents
  • next of kin and emergency contact information
  • national insurance number
  • bank account details, payroll records and tax status information
  • salary, annual leave, pension and benefits information
  • start date and, if different, the date of your continuous employment
  • leaving date and your reason for leaving
  • location of employment or workplace
  • copy of driving license and car insurance
  • recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
  • employment records (including job titles, work history, working hours, holidays, training records and professional memberships)

Please note, the above list is not exhaustive.

We may also collect, store and use the following more sensitive types of personal data:

  • information about your race or ethnicity, religious beliefs, sexual orientation and political opinions for equality and diversity monitoring purposes
  • trade union membership
  • information about your health, including any medical condition, health and sickness records etc.
  • details of any absences (other than holidays) from work including time on statutory parental leave and sick leave
  • information about criminal convictions and offences, including any criminal conviction information held outside of the UK

Lawful basis:

The lawful basis for processing your personal data depends on the processing activity and we rely on the following lawful basis for processing your personal data under the UK Data Protection Act 2018/UK GDPR:

  • Article 6(1)(a) where we have your consent
  • Article 6(1)(b) which relates to processing necessary for the performance of a contract
  • Article 6(1)(c) so we can comply with our legal obligations as your employer
  • Article 6(1)(d) in order to protect your vital interests or those of another person
  • Article 6(1)(e) for the performance of our public task
  • Article 6(1)(f) for the purposes of our legitimate interest. (In accordance with best practice a Legitimate Interests Assessment (LIA) will always be conducted when this lawful basis is used)

As part of our statutory and corporate functions we may also process special category and criminal conviction data under:

  • Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on Sellafield Ltd or the data subject in connection with employment, social security or social protection.
  • Article 9(2)(f) – for the establishment, exercise or defence of legal claims.
  • Article 9(2)(a) – explicit consent.
  • Article 9(2)(c) – where processing is necessary to protect the vital interests of the data subject or of another natural person.
  • Article 9(2)(h) – processing is necessary for the purposes of occupational medicine. Examples include occupational health referrals.
  • we process criminal offence data under Article 10 of the GDPR.

Please see the ‘Your data protection rights’ section for more information on withdrawing your consent.

4. 3. How we collect your information

We may collect your personal data in several different ways:

  • when you register with us for recruitment opportunities
  • when you provide it directly to us, either directly or through the processes that exist across Sellafield Ltd which require you to submit personal data, or via your line management
  • where we collect personal data through the implementation of any of Sellafield Ltd’s policies and procedures
  • where we receive personal data from third parties. Like, recruitment agencies, security screening, medical screening and several government agencies
  • personal data is captured indirectly using email, internet use and mobile devices

4.1 Controller’s contact details

Sellafield Ltd is the controller for the personal information we process about you, unless we tell you otherwise.

Our registered office:

Hinton House
Birchwood
Park Avenue
Risley
Warrington
WA3 6GR

Sellafield Ltd Switchboard: +44 (0) 19467 28333

4.2 Data protection officer

Mike Gater - Data Protection Officer - Sellafield Ltd

Contact: Data.Protection.Team@Sellafieldsites.com or via the address above.

Mark correspondence for the attention of ‘Data Protection Officer’.

5. 4. Your data protection rights

Your right to be informed

You have the right to be informed when and how your personal data is collected and used. As a controller, Sellafield Ltd will provide you with the purpose of processing your personal data, how long the personal data will be retained for and who it will be shared with.

Your right to rectification

You have a right to have your personal data rectified if you believe it is inaccurate or completed if it is currently incomplete.

A request for rectification can be made to Sellafield Ltd verbally or in writing. When a request for rectification is received, Sellafield Ltd will take all reasonable steps to determine the accuracy of the personal data and rectify such data where necessary.

Sellafield Ltd will notify all third parties of any changes if they are recipients of that personal data.

There are specific circumstances where your request for amendments may be refused; however, you will be informed of the justification for the refusal as part of this process.

Your right for removal

You have a right to request that your personal data is erased, called the ‘Right to Erasure’, but is also sometimes called the ‘Right to be Forgotten’.

A request for removal can be made to Sellafield Ltd verbally or in writing.

Where personal data has been shared with third parties, Sellafield Ltd will notify them of a request for removal. Where personal data has been made publicly available online, all reasonable steps will be taken to ensure erasure of that personal data.

There are specific circumstances where your request for removal may be refused. All data subjects will be informed of the justification for the refusal as part of this process.

A request for removal will be responded to by Sellafield Ltd within one month of the request submission date.

Your right to restrict processing

You have a right to request the restriction or suppression of processing of your personal data. Such a request can be made verbally or in writing.

This right applies when:

  • you contest the accuracy of your personal data and Sellafield Ltd is in the period of verifying its accuracy
  • the personal data has been processed unlawfully and you oppose erasure and request restriction instead
  • you have objected to processing your personal data and Sellafield Ltd is considering our legitimate interest for processing, where legitimate interests are used as the lawful basis for processing
  • personal data is no longer required but Sellafield Ltd has been requested to retain the data for the purposes of a legal claim

There are specific circumstances where your request for restriction may be refused. You will be informed of the justification for such refusal as part of this process.

A request to restrict processing will be responded to by Sellafield Ltd within one month of the request submission date.

Your right to data portability

The right to data portability allows you to request your personal data on a machine-readable format. This enables you to have your personal data transferred from one controller to another.

Once personal data is provided to you in response to a data portability request, Sellafield Ltd is no longer responsible for any subsequent processing carried out by another individual or organisation.

Appropriate measures will be used to ensure that personal data is transmitted securely.

There are specific circumstances where your data portability request may be refused. You will be informed of the justification for the refusal as part of this process.

A data portability request will be responded to by Sellafield Ltd within one month of the request submission date.

Your right to object

You have the right to object to the processing of your personal data, in certain circumstances. Such a request can be made verbally or in writing.

There are specific circumstances where your request to stop processing your personal data may be refused. You will be informed of the justification for such refusal as part of this process.

A request to stop processing personal data will be responded to by Sellafield Ltd within one month of the request submission date.

You will not be subject to automated processing, including profiling, which would produce significant adverse effects you.

Where automated individual decision-making is used, Sellafield Ltd will implement suitable measures to safeguard your rights and provide a way for you to contest the decision or request human intervention.

Systems that use automated individual decision-making will be reviewed on a regular basis to ensure the integrity of the system.

Your right of access

You have a right to access copies of your personal data, along with ancillary information, held about you within the organisation; a request for such access is called a Subject Access Request.

You are only entitled to your own information and may only have access to a third party’s information if you are acting on their behalf, with suitable legal authority to do so.

When Sellafield Ltd provides you with copies of your information, you will be informed of:

  • the purposes for processing; the categories of personal data held:
  • who the personal data is shared with
  • how long the personal data will be retained
  • your right to request rectification, restriction, erasure and to object to processing of your personal data
  • your right to submit a complaint to the independent supervisory authority
  • whether your information is subject to automated decision-making
  • any safeguarding arrangements for personal data that is transferred to a third country or international organisation

A Subject Access Request will be responded to by Sellafield Ltd within *one month of the request submission date.

There will be no charge for submitting a Subject Access Request.

*NB: a further 2-month extension may be applied to complex requests.

How to make requests at Sellafield Ltd

If you wish to make a request in respect of any of your rights provided by data protection law, a request can be made to Data.Protection.Team@Sellafieldsites.com.

Personal data will only be disclosed on receipt of a formal, written request so that your identity can be confirmed and to maintain the confidentiality of the personal data.

Your right to Complain

If you are not satisfied with how Sellafield Ltd has handled a request, you can make a complaint to Data.Protection.Team@sellafieldsites.com

For further details of our Data Protection Complaints process, go to - Sellafield Ltd Data Protection Complaints Policy.

Back to top