Statutory guidance

Sellafield Ltd Privacy Statement

Updated 21 October 2022

© Crown copyright 2022

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/sellafield-ltd-privacy-statement/sellafield-ltd-privacy-policy

1. General information

This privacy notice tells you what to expect Sellafield Ltd, to do with your personal information.

We will tell you:

  • the legal basis we rely on to process your information
  • why we process your information
  • how long we keep it for
  • whether we share the information with other organisations and where we intend to transfer it to another country
  • whether we use automated decision-making or profiling against the information you provide to us

1.1 Controller’s contact details

Sellafield Ltd is the controller for the personal information we process about you, unless we tell you otherwise.

Our registered office:

Hinton House
Birchwood
Park Avenue
Risley
Warrington
WA3 6GR

Sellafield Ltd Switchboard: +44 (0) 19467 28333

1.2 Data protection officer

Mike Gater - Data Protection Officer - Sellafield Ltd

Contact: Data.Protection.Team@Sellafieldsites.com or via the address above.

Mark correspondence for the attention of ‘Data Protection Officer’.

1.3 How we collect your information

We may collect your personal data in several different ways:

  • when you register with us for recruitment opportunities
  • when you provide it directly to us, either directly or through the processes that exist across Sellafield Ltd which require you to submit personal data, or via your line management
  • where we collect personal data through the implementation of any of Sellafield Ltd’s policies and procedures
  • where we receive personal data from third parties. Like, recruitment agencies, security screening, medical screening and several government agencies
  • personal data is captured indirectly using email, internet use and mobile devices

2. Reasons we collect your information

2.1 Vetting

Our purpose is to provide a personnel vetting service to Sellafield Ltd

The legal basis we use to process your personal Information in relation to this process is article 6 (1) (c) of the General Data Protection Regulation (GDPR), which allows us to process personal Information where it is necessary for the performance of a legal obligation; this information is processed specifically for our obligation under the Nuclear Security Industry Regulations (NISR) 2003 and the Nuclear Installations Act 1965.

What we need

We need enough information from to you to confirm your identity and to make an assessment regarding your suitability to hold a Baseline Personnel Security Standard (BPSS) clearance.

We will ask for your full name and any previous names, details of your current and past employment, home address, contact information, date of birth and nationality including any former or dual nationalities.

To support your application, we will need proof of identify which will allow us to confirm your nationality, date of birth and home address. One form of identification you provide must have your photograph on.

Additionally, you will be required to undergo a criminal convictions record check in support of your application.

For Security Check (SC) and Developed Vetting (DV) clearance we will ask you for your full name, employee identification number, Sellafield network logon ID, location, and contact information. You are also required to sign the form as a declaration.

Why we need it

We need these details to make an assessment with regards to your suitability to hold BPSS level clearance.

Details given to us for SC or DV clearance will be used to make an account for you with the United Kingdom Vetting Services (UKSV), who manage your clearance.

What we do with it

The information you provide to us will be used to create a record for the ongoing management of your clearance.

Additionally, information will be used for pass and site access management as required.

Information will be shared with the Office for Nuclear Regulation (ONR) and the UKSV who both have a national responsibility for the management of security clearances.

Information for SC and DV clearance will be used to make you an account with the UKSV who manage your clearance.

How long we keep it

Information will be kept for 7 years from the date that clearance is no longer required.

Criminal convictions record check is kept for 12 months from the date of receipt.

Information given to us for SC and DV clearance will be kept for twelve months from the date of receipt.

Do we use any data processors?

No.

2.2 Pass office

Our purpose is to provide a pass issuing service.

The legal basis we use to process your personal Information in relation to this process is article 6 (1) (c) of the GDPR, which allows us to process personal Information where it is necessary for the performance of a legal obligation; this information is processed specifically for our obligation under the Nuclear Security Industry Regulations (NISR) 2003.

What we need

We need enough information to issue you with the appropriate pass. For pass applications we will ask for your title, full name, date of birth, employee identification number, home address, nationality including any former or dual nationalities, national insurance number and details of your employment.

For short term workers and visitors, we will ask for the same information as above in addition to any security clearance that you currently hold.

Why we need it

We need enough information to confirm your identity to make sure we are issuing a pass to the appropriate person and the type of pass we are required to issue.

What we do with it

Your application will be shared with your line manager, superintending officer or pass sponsor to complete the pass application process.

The information you provide to us will be used to create a record for the ongoing management of your pass.

How long we keep it

Application forms will be kept for twelve months following the date of receipt.

The record associated with your pass application will be kept for the length that you hold your pass.

Do we use any data processors?

No.

2.3 Human Resources

2.3.1 Performance management

Our purpose is to provide a performance management framework to Sellafield Ltd employees.

The legal basis we use to process your personal Information in relation to this process is article 6 (1) (b) of the GDPR, where processing your Information is necessary for the performance of a contract. This is required for the contract of employment between Sellafield Ltd and yourself.

If the information we record regarding performance contains Special Category Information, the legal basis we rely on to process it is schedule 1 part 1 (1) of the DPA 2018.

What we need

When processing performance management of an individual we will record your full name and the name of your manager, email address, department within the organisation, role within the organisation and location Information related to your place of work. Due to the nature of performance management we will also record details about your work activities and performance.

Why we need it

We need these details to enable managers to effectively manage individual’s performance in the work place.

What we do with it

The information that we record will be used to track and report on performance of employees, teams and organisational units against agreed company and personal objectives.

Aggregated Information may be used and shared with individuals within the organisation; however, this will be done in a way that does not allow for the identification of individuals.

Additionally, Human Resources may use this Information for reporting and analysis.

How long we keep it

Information will be kept for six years after the current financial year in which it was created.

Do we use any data processors?

No.

2.3.2 Reporting of concerns (whistleblowing)

Our purpose is to provide a means for Sellafield Ltd employees, and others, to report serious concerns to the organisation.

The legal basis we use to process your personal data in relation to this process is article 6 (1) (c) of the GDPR, which allows us to process personal data where it is necessary for the performance of a legal obligation; this information is processed specifically for our obligation under the Employments Right Act 1996.

If the information you provide us contains in relation to a concern contains special category data, the legal basis we rely on to process it is article 9 (2) (b) of the GDPR, where we process information in support of your rights in the field of employment.

What we need

We need enough information from to you investigate a concern you are raising to us, inclusive of any information you are providing in support of the concern.

When a concern is received we set up a case file containing the details of your concern. This will contain your full name, role within the organisation, department within the organisation and some contact details. However, you can raise concerns anonymously to the organisation through a third party, Safecall.

Why we need it

We need to know details of your concern to enable the organisation to investigate it further.

What we do with it

The information you provide to us will be treated as confidential and we will not disclose it without authority to do so. To enable us to investigate a concern properly we will usually need to disclose some of the information; we will discuss this with you.

Information related to a case file may be reviewed by our internal audit function for the purposes of providing independent audit against the whistleblowing function. This is reported annually to the Sellafield Ltd Audit Committee.

Additionally, information related to a case file will be shared with the Sellafield Ltd Board at every board meeting. This is anonymised and won’t contain any information that will identify you.

How long we keep it

Information will be kept for 6 years following the last event regarding a case file.

Do we use any data processors?

We use a third-party organisation called Safecall as an additional (external) route for reporting concerns to the organisation. Safecall act as the data processor for reports made to Sellafield Ltd, same where Safecall withholds the details of an individual from the organisation at the individuals request.

Where Safecall withholds information regarding an individual they will act as the data controller. In this instance they will hold data for 12 months, after which only information required for statistical reporting will be retained.

2.3.3 Human organisation factors

Safety culture survey

The purpose of the safety culture surveys are to provide an analysis of the safety culture across the organisation.

The legal basis we rely on to process information relating to safety culture surveys is article 6 (1) (e) of the GDPR, where processing is carried out in the interest of an official authority.

What we need

The information collected as part of a safety culture survey includes your full name, work email address, organisation unit, grade employment status and your opinions regarding the safety of the workplace.

Why we need it

Safety culture surveys are processed to determine the current safety culture across the organisation and to enable identification of areas for improvement.

What we do with it

The data which is collected as part of the safety culture survey is summarised, and from these reports are produced which are then issued across the organisation up to the executive and externally through the Office for Nuclear Regulation (ONR) and the Nuclear Decommissioning Authority (NDA).

How long we keep it

The data which is used for the safety culture surveys are retained for 5 years.

Do we use any data processors?

No.

Workload/stress assessment

The purpose of the workload assessment is intended to enable the organisation to make business decisions in areas that may currently be experiencing high volumes of work, identifying those areas which may require additional support.

The purpose of the stress assessment is for the benefit and welfare of employees who may be experiencing issues in the workplace, identified through a workload assessment. This enables the organisation to provide mitigating action to support individuals in the workplace.

The legal basis we rely on to process information relating to workload and stress assessments is article 6 (1) (c) of the GDPR, which allows us to process information where it is necessary for compliance with a legal obligation; namely Health and Safety at Work etc. Act 1974.

As this information may contain special category data, the legal basis we rely on is Article 9 (2)(b) of the GDPR, which allows us to process information where it’s necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment. This condition is met through Schedule 1, Part 1 (1) of the Data Protection Act 2018.

What we need

The information collected as part of a workload assessment includes your full name, work email address, organisation unit, grade, employment status, working pattern and any relevant medical data.

Why we need it

Workload assessments are undertaken to allow the organisation to make decisions in areas that may currently be experiencing high workloads or where they are expecting significant changes to the working environment.

A stress assessment is undertaken subsequent to a workload assessment and are undertaken to enable the organisation to make changes to the work environment to support individuals.

What we do with it

The data which is collected as part of a workload assessment is used to inform line management through summarised reports. This information is also used to decide whether a stress assessment is required.

The data which is collected as part of a stress assessment also used to inform line management through use of summarised reports, and to make appropriate changes to an individual’s working environment.

How long we keep it

The data which is used for the workload and stress assessments is retained for 3 years following the date of the assessment.

Do we use any data processors?

No.

Welfare checks

The purpose of the welfare check is to understand how individuals are managing in the work environment due to the significant changes in working practices because of the coronavirus (COVID-19) pandemic.

The legal basis we rely on to process information relating to workload and stress assessments is article 6 (1) (c) of the GDPR, which allows us to process information where it is necessary for compliance with a legal obligation; namely Health and Safety at Work etc. Act 1974.

As this information may contain special category data, the legal basis we rely on is Article 9 (2)(b) of the GDPR, which allows us to process information where it is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment. This condition is met through Schedule 1, Part 1 (1) of the Data Protection Act 2018.

What we need

The information collected as part of a welfare check includes your full name, work email address, organisation unit, grade, employment status, working pattern and any relevant medical data.

Why we need it

Welfare checks are undertaken to provide the organisation with an understanding of its employee’s welfare whilst it adapts its working practices in response the pandemic.

What we do with it

The data which is collected as part of a welfare check is used to inform line management through use of summarised reports, and to make appropriate changes to an individual’s working environment.

How long we keep it

The data which is used for the workload and stress assessments is retained for 3 years following the date of the assessment.

Do we use any data processors?

No.

2.4 Information Service Organisation

2.4.1 IT service management

Our purpose is to provide an IT service for individuals who require access to the Sellafield Ltd IT infrastructure.

The legal basis we use to process your personal Information in relation to this process is article 6 (1) (f) of the GDPR, which allows us to process personal Information where it’s necessary for the purposes of our legitimate interests.

What we need

If you wish to raise a request/incident through our IT service we will require your full name, your network log-on ID, contact information and location information. For us to be able to process in some cases, we will require written justification, and details of your line manager or security controller.

If you are raising an incident through the IT service we will also ask for a description of any issues that you have experienced, in addition to the information required above, along with your standard working hours.

Why we need it

We need to know details of your requests to fulfil IT services and resolve any incidents that occur whilst using IT.

What we do with it

The information you provide to us will be used for the purpose of processing requests for IT services. These requests include:

  • IT Account services associated with network accounts
  • computer services, which include the supply of computer hardware, peripherals and access to hardware devices
  • information services associated with access to secure repositories and Information backup
  • email services
  • internet services which allow for general internet access
  • network services associated with network requires, such as the addition or activation of network ports and application of static IP addresses
  • printing services
  • software and application services which allow you to request software packages
  • surplus IT collection services
  • telephony and collaboration services associated with mobile and fixed communication devices and audit and video conferencing
  • additional request types that may be added to the service catalogue.

Details of requests are then stored within the portal as part of our record keeping arrangements.

How long we keep it

This information will be kept for the duration of the contract with our IT service provider.

Do we use any data processors?

We use an organisation called ATOS to process and manage IT service requests.

2.4.2 Sellafield Ltd employee (use of) personal devices

Our purpose is to provide a method of communications and technological capability for Sellafield Ltd employees, where the usual corporate connectivity is unavailable.

The legal basis we use to process your personal information in relation to this process is article 6 (1) (a) of the GDPR, which allows us to process personal information where the individual has consented for us to do so.

What we need

For the service requirement, only the minimum data will be collected for this purpose. We will require your full name, your network log-on ID, contact information (personal telephone number, personal e-mail address – as applicable to the service) and location information.

Why we need it

We need to know these details in order to enable you to access the corporate network and therefore access to corporate communications and systems.

What we do with it

The information you provide to us will be used for the purposes of two factor authentication when logging into the Sellafield Ltd IT services.

These include:

  • IT Account services associated with network accounts
  • email services
  • internet services which allow for general internet access

Details are stored in the Azure Active Directory.

How long we keep it

This information will be kept for the duration necessary to use MS Azure multi factor authenticator, remote access capability. The removal of your contact information can be enacted at any time you wish.

Do we use any data processors?

We use an organisation called ATOS to process and manage IT services.

2.4.3 Knowledge services

Our purpose is to provide knowledge management services to Sellafield Ltd.

The legal basis we use to process your personal Information in relation to this process is article 6 (1) (b) of the GDPR, where processing your Information is necessary for the performance of a contract. This is required for the contract of employment between Sellafield Ltd and yourself.

If the information we record regarding your knowledge contains Special Category Information, the legal basis we rely on to process it is schedule 1 part 1 (1) of the DPA 2018

What we need

We will require your full name, your network log-on ID, contact information, location information and work history at Sellafield Ltd.

For the purposes of increasing knowledge across the business we will also ask for description of any work activities and issues that you have experienced in addition to the information required above.

What we do with it

The data which is collected as part of a knowledge analysis and/or knowledge risk assessment is used to inform line management through summarised reports.

This information is also used to upskill and inform colleagues through knowledge transfer of the knowledge and skills required for them to carry out their roles effectively.

How long we will keep it

This information will be kept for the duration necessary to enact effective knowledge retention and transfer. The removal of your contact information can be enacted at any time you wish.

Do we use any data processors?

We use an organisation called ATOS to process and manage IT services.

2.5 Sellafield Approved Dosimetry Service

Our purpose is to provide an approved dosimetry service to radiation workers at Sellafield.

The legal basis we use to process your personal information in relation to this process is article 6 (1) (c) of the GDPR, which allows us to process personal information where it’s necessary for the performance of a legal obligation; this information is processed specifically for our obligation under the Ionising Radiation Regulation 2017 and the Nuclear Installations Act 1965.

The information that you provide to us in relation to this process contains data relating to your health; the legal basis we rely on to process it is article 9(2)(h) of the GDPR, where processing is necessary for the assessment of the working capacity of the employee.

What we need

We need enough information from you to confirm your identity and maintain your dose record.

When an application is made to the dosimetry service we will ask for your employee identification number, full name, gender, date of birth, national insurance number and email address. The dose information associated with you will be monitored and recorded routinely for the time you hold a dose meter.

Why we need it

The information you provide in your application is used to create your dose record.

Dose information is monitored and recorded to ensure you are within the acceptable dose level for your personal safety.

What we do with it

Information that is collected through the application process is used to produce a dose record for you. This will be updated regularly with dose information.

Dose information relating to you will be shared with a dosimetry centre contact or company contact routinely for the review of dose uptake.

Additionally, the information is used to produce statutory reports that are issued to our regulator, the Health and Safety Executive.

Your information may also be shared with Public Health England and the Nuclear Decommissioning Authority as part of the National Register for Radiation Workers and the BNFL Epidemiology Study. This data is used for studies of the cancer incidence and mortality rate of workers in the nuclear industry.

How long we keep it

Dose records are kept for 100 years from the date of last entry.

Do we use any data processors?

We use an organisation called Cavendish Nuclear to process biological samples.

The Personal Dosimetry Service of Public Health England processes all information relating to the issue of a neutron dose meter.

2.6 Management of transport

2.6.1 Car school

Our purpose is to establish a process to control and monitor vehicle access to the Sellafield Ltd site for the purposes of helping to achieve the organisations security and strategic objectives.

The legal basis we use to process the personal data is Article 6 (1)(f) of the General Data Protection Regulation (GDPR), which allows us to process personal data where it is necessary for the legitimate interests of the controller.

The legitimate interests of the controller in this instance are to contribute to the organisations security and strategic objectives in maintaining appropriate vehicle access to the Sellafield Ltd site.

What we need

We need enough information from to you to create a profile within the Car School Database. We will need your name, contact details, work and home location, car registration and your start and finish times.

Why we need it

The car school process allows for individuals who work across the site to find individuals who may work similar shift patterns or are co-located within the Sellafield site who they can then travel to work with which will allow site access in accordance with organisation policy.

What we do with it

The information you provide will be used to keep a record of the car schools that exist across the Sellafield site.

How long we keep it

A record of your car school and your profile within the car school database will be retained until you no longer required access to the service. Deletion of details associated with your profile can be actioned by yourself at any time.

Do we use any data processors?

No.

2.6.2 Single Occupancy Vehicle Access (SOVA)

Our purpose is to establish a process to control and monitor vehicle access to the Sellafield Ltd site for the purposes of helping to achieve the organisation security and strategic objectives.

The legal basis we use to process the personal data is Article 6 (1)(f) of the General Data Protection Regulation (GDPR), which allows us to process personal data where it is necessary for the legitimate interests of the controller.

The legitimate interests of the controller in this instance are to contribute to the organisations security and strategic objectives in maintaining appropriate vehicle access to the Sellafield Ltd site.

Where special category data is processed for the purposes of the medical SOVA application process, the legal basis we rely on is Article 9 (2)(h) of the GDPR, where processing is necessary for the purpose of occupational medicine.

What we need

We need enough information from to you to support the SOVA process. We will need your name, contact details, and work address.

For the medical SOVA applications, we need details of medical information associated with the requester.

Equally we may collect details about your personal circumstances for welfare/domestic SOVA’s.

Why we need it

The SOVA application process allows for modifications to be made to the way in which you can access the site, to accommodate your specific requirements.

What we do with it

Details of SOVA applications will be reviewed at the SOVA Review Panel to make a decision about your application.

Medical SOVA applications will be determined by the Sellafield Ltd Occupational Health department who will notify the SOVA Review Panel regarding applications made for medical reasons.

Welfare/domestic SOVA applications will be determined by the Sellafield Case Management department who will notify the SOVA Review Panel regarding applications made for domestic or welfare reasons.

How long we keep it

SOVA applications will be retained for 1 year where they are processed directly by the SOVA team.

Medical SOVA applications will be held and retained by Sellafield Ltd Occupational Health who will hold them for 3 years.

Do we use any data processors?

No.

2.7 Occupational Health

Our purpose is to provide an Occupational Health service to Sellafield Ltd and other key customers.

The legal basis we use to process your personal information in relation to this process are article 6 (1) (c) of the General Data Protection Regulation (GDPR), which allows us to process personal information where it is necessary for the performance of a legal obligation; this information is processed specifically in relation to our obligation under

The Health and Safety at Work etc. Act 1974 and also article 9(2) (h) where processing is necessary for the assessment of the working capacity of the employee.

What we need

We currently collect and process the following information:

  • personal details such as name, date of birth, ethnicity
  • details of how to contact you such as address, telephone number, mobile number, and email address
  • contact we have with you for example appointments and details of surgery attendances
  • details and records about your health and treatment you receive including but not limited to:
  • details and records of diagnosis, treatments and medication
  • notes and reports about your health and capacity for work
  • results from your visits, including tests and examinations
  • information about allergies and health conditions
  • information sent to us from other people involved in your care such as your GP, optician and hospital specialists.

Why we need it

We need these details to make an assessment with regards to your medical capacity to work and medical suitability to hold security clearance.

What we do with it

The information you provide to us will be used to create an occupational health record to enable us to:

  • provide ongoing health surveillance where required
  • provide advice to management regarding medical capacity to work
  • provide advice to security vetting in relation to medical suitability to hold security clearance

How long we keep it

Information will be kept for the duration of employment plus 60 years from the date of termination of employment, with the exception of: * random substance misuse test reports which will be kept 12 months from the start of the financial year * pre-employment medical information will be kept 12 months if employment does not start * fit notes, which will be kept 12 months from the start of the financial year

Do we use any data processors?

We currently use the following organisations to process biological samples:

  • Synlab
  • Health & Safety Laboratories
  • Cavendish Nuclear
  • Health Security Agency
  • West Cumberland Hospital

In addition, we share information with the Sellafield Ltd Approved Dosimetry service regarding contamination events to enable ongoing management of radiation dose control.

3. Your data protection rights

3.1 Your right to be informed

You have the right to be informed when and how your personal data is collected and used. As a controller, Sellafield Ltd will provide you with the purpose of processing your personal data, how long the personal data will be retained for and who it will be shared with.

3.2 Your right of access

You have a right to access copies of your personal data, along with ancillary information, held about you within the organisation; a request for such access is called a Subject Access Request.

You are only entitled to your own information and may only have access to a third party’s information if you are acting on their behalf, with suitable legal authority to do so.

When Sellafield Ltd provides you with copies of your information, you will be informed of:

  • the purposes for processing; the categories of personal data held:
  • who the personal data is shared with
  • how long the personal data will be retained
  • your right to request rectification, restriction, erasure and to object to processing of your personal data
  • your right to submit a complaint to the independent supervisory authority
  • whether your information is subject to automated decision-making
  • any safeguarding arrangements for personal data that is transferred to a third country or international organisation

A Subject Access Request will be responded to by Sellafield Ltd within *one month of the request submission date.

There will be no charge for submitting a Subject Access Request.

*NB: a further 2-month extension may be applied to complex requests.

4. Your right to rectification

You have a right to have your personal data rectified if you believe it is inaccurate or completed if it is currently incomplete.

A request for rectification can be made to Sellafield Ltd verbally or in writing. When a request for rectification is received, Sellafield Ltd will take all reasonable steps to determine the accuracy of the personal data and rectify such data where necessary.

Sellafield Ltd will notify all third parties of any changes if they are recipients of that personal data.

There are specific circumstances where your request for amendments may be refused; however, you will be informed of the justification for the refusal as part of this process.

5. Your right for removal

You have a right to request that your personal data is erased, called the ‘Right to Erasure’, but is also sometimes called the ‘Right to be Forgotten’.

A request for removal can be made to Sellafield Ltd verbally or in writing.

Where personal data has been shared with third parties, Sellafield Ltd will notify them of a request for removal. Where personal data has been made publicly available online, all reasonable steps will be taken to ensure erasure of that personal data.

There are specific circumstances where your request for removal may be refused. All data subjects will be informed of the justification for the refusal as part of this process.

A request for removal will be responded to by Sellafield Ltd within one month of the request submission date.

6. Your right to restrict processing

You have a right to request the restriction or suppression of processing of your personal data. Such a request can be made verbally or in writing.

This right applies when:

  • you contest the accuracy of your personal data and Sellafield Ltd is in the period of verifying its accuracy
  • the personal data has been processed unlawfully and you oppose erasure and request restriction instead
  • you have objected to processing your personal data and Sellafield Ltd is considering our legitimate interest for processing, where legitimate interests are used as the lawful basis for processing
  • personal data is no longer required but Sellafield Ltd has been requested to retain the data for the purposes of a legal claim

There are specific circumstances where your request for restriction may be refused. You will be informed of the justification for such refusal as part of this process.

A request to restrict processing will be responded to by Sellafield Ltd within one month of the request submission date.

7. Your right to data portability

The right to data portability allows you to request your personal data on a machine-readable format. This enables you to have your personal data transferred from one controller to another.

Once personal data is provided to you in response to a data portability request, Sellafield Ltd is no longer responsible for any subsequent processing carried out by another individual or organisation.

Appropriate measures will be used to ensure that personal data is transmitted securely.

There are specific circumstances where your data portability request may be refused. You will be informed of the justification for the refusal as part of this process.

A data portability request will be responded to by Sellafield Ltd within one month of the request submission date.

8. Your right to object

You have the right to object to the processing of your personal data, in certain circumstances. Such a request can be made verbally or in writing.

There are specific circumstances where your request to stop processing your personal data may be refused. You will be informed of the justification for such refusal as part of this process.

A request to stop processing personal data will be responded to by Sellafield Ltd within one month of the request submission date.

You will not be subject to automated processing, including profiling, which would produce significant adverse effects you.

Where automated individual decision-making is used, Sellafield Ltd will implement suitable measures to safeguard your rights and provide a way for you to contest the decision or request human intervention.

Systems that use automated individual decision-making will be reviewed on a regular basis to ensure the integrity of the system.

10. How to make requests at Sellafield Ltd

If you wish to make a request in respect of any of your rights provided by data protection law, a request can be made to Data.Protection.Team@Sellafieldsites.com.

Personal data will only be disclosed on receipt of a formal, written request so that your identity can be confirmed and to maintain the confidentiality of the personal data.

11. Your right to complain

If you are not satisfied with how Sellafield Ltd has handled a request, you can make a complaint to Data.Protection.Team@sellafieldsites.com

If you remain dissatisfied, you can make a complaint to the UK’s Independent Supervisory Authority, the ICO.

Back to top