Skip to main content
Statutory guidance

Sellafield Ltd Privacy Statement

Updated 19 May 2026

© Crown copyright 2026

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/sellafield-ltd-privacy-statement/sellafield-ltd-privacy-policy

1. General information

Sellafield Ltd are committed to protecting the privacy and security of your personal information.

This privacy notice tells you what to expect Sellafield Ltd, to do with your personal information.

We are registered as a Data Controller with the Information Commissioner’s Office (ICO). Our registration number is Z4738652.

This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

It is important that you read this notice, together with any other privacy notice we may provide when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

2. Data Protection Principles

We will comply with data protection law.  This says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
  3. Relevant to the purposes we have told you about and limited only to those purposes
  4. Accurate and kept up to date
  5. Kept only as long as necessary for the purposes we have told you about
  6. Kept securely

We will tell you:

  • the legal basis we rely on to process your information
  • why we process your information
  • how long we keep it for
  • whether we share the information with other organisations and where we intend to transfer it to another country
  • whether we use automated decision-making or profiling against the information you provide to us

3. What type of information we have:

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymised data).

There are certain types of more sensitive personal data (special category data) which require a higher level of protection, such as information about a person’s health or criminal convictions.

We may collect, store, and use the following categories of personal information about you:

  • personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
  • date of birth
  • gender
  • marital status and dependents
  • next of kin and emergency contact information
  • national insurance number
  • bank account details, payroll records and tax status information
  • salary, annual leave, pension and benefits information
  • start date and, if different, the date of your continuous employment
  • leaving date and your reason for leaving
  • location of employment or workplace
  • copy of driving license and car insurance
  • recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
  • employment records (including job titles, work history, working hours, holidays, training records and professional memberships)

Please note, the above list is not exhaustive.

We may also collect, store and use the following more sensitive types of personal data:

  • information about your race or ethnicity, religious beliefs, sexual orientation and political opinions for equality and diversity monitoring purposes
  • trade union membership
  • information about your health, including any medical condition, health and sickness records etc.
  • details of any absences (other than holidays) from work including time on statutory parental leave and sick leave
  • information about criminal convictions and offences, including any criminal conviction information held outside of the UK

Lawful basis:

The lawful basis for processing your personal data depends on the processing activity and we rely on the following lawful basis for processing your personal data under the UK Data Protection Act 2018/UK GDPR:

  • Article 6(1)(a) where we have your consent
  • Article 6(1)(b) which relates to processing necessary for the performance of a contract
  • Article 6(1)(c) so we can comply with our legal obligations as your employer
  • Article 6(1)(d) in order to protect your vital interests or those of another person
  • Article 6(1)(e) for the performance of our public task
  • Article 6(1)(f) for the purposes of our legitimate interest. (In accordance with best practice a Legitimate Interests Assessment (LIA) will always be conducted when this lawful basis is used)

As part of our statutory and corporate functions we may also process special category and criminal conviction data under:

  • Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on Sellafield Ltd or the data subject in connection with employment, social security or social protection.
  • Article 9(2)(f) – for the establishment, exercise or defence of legal claims.
  • Article 9(2)(a) – explicit consent.
  • Article 9(2)(c) – where processing is necessary to protect the vital interests of the data subject or of another natural person.
  • Article 9(2)(h) – processing is necessary for the purposes of occupational medicine. Examples include occupational health referrals.
  • we process criminal offence data under Article 10 of the GDPR.

Please see the ‘Your data protection rights’ section for more information on withdrawing your consent.

4. How we collect your information

We may collect your personal data in several different ways:

  • when you register with us for recruitment opportunities
  • when you provide it directly to us, either directly or through the processes that exist across Sellafield Ltd which require you to submit personal data, or via your line management
  • where we collect personal data through the implementation of any of Sellafield Ltd’s policies and procedures
  • where we receive personal data from third parties. Like, recruitment agencies, security screening, medical screening and several government agencies
  • personal data is captured indirectly using email, internet use and mobile devices

4.1 Controller’s contact details

Sellafield Ltd is the controller for the personal information we process about you, unless we tell you otherwise.

This means that we are responsible for deciding how we hold and use personal information about you of the information contained in this privacy notice.

Our registered office:

Hinton House
Birchwood
Park Avenue
Risley
Warrington
WA3 6GR

Sellafield Ltd Switchboard: +44 (0) 19467 28333

4.2 Data protection officer

Mike Gater - Data Protection Officer - Sellafield Ltd

Contact: Data.Protection.Team@Sellafieldsites.com or via the address above.

Mark correspondence for the attention of ‘Mike Gater - Data Protection Officer’.

5. Employee section

2.1 Security and vetting

2.1.1 Vetting

Our purpose is to provide a personnel vetting service to Sellafield Ltd.

The legal basis we use to process your personal Information in relation to this process is article 6 (1) (c) of the UK General Data Protection Regulation (UK GDPR), which allows us to process personal Information where it is necessary for the performance of a legal obligation; this information is processed specifically for our obligation under the Nuclear Industries Security Regulations (NISR) 2003 and the Nuclear Installations Act 1965.

What we need:

We need enough information from to you to confirm your identity and to make an assessment regarding your suitability to hold a Baseline Personnel Security Standard (BPSS) clearance.

We will ask for your full name and any previous names, details of your current and past employment, home address, contact information, date of birth and nationality including any former or dual nationalities.

To support your application, we will need proof of identify which will allow us to confirm your nationality, date of birth and home address. One form of identification you provide must have your photograph on.

Additionally, you will be required to undergo a criminal convictions record check in support of your application.

For Security Check (SC) and Developed Vetting (DV) clearance we will ask you for your full name, employee identification number, Sellafield network logon ID, location, and contact information. You are also required to sign the form as a declaration.

Why we need it

We need these details to make an assessment with regards to your suitability to hold BPSS level clearance.

Details given to us for SC or DV clearance will be used to make an account for you with the United Kingdom Vetting Services (UKSV), who manage your clearance.

What we do with it

The information you provide to us will be used to create a record for the ongoing management of your clearance.

Additionally, information will be used for pass and site access management as required.

Information will be shared with the Office for Nuclear Regulation (ONR) and the UKSV who both have a national responsibility for the management of security clearances.

Information for SC and DV clearance will be used to make you an account with the UKSV who manage your clearance.

How long we keep it

Information will be kept for 7 years from the date that clearance is no longer required.

Criminal convictions record check is kept for 12 months from the date of receipt.

Information given to us for SC and DV clearance will be kept for twelve months from the date of receipt.

Do we use any data processors?

No.

2.1.2 Pass office

Our purpose is to provide a pass issuing service.

The legal basis we use to process your personal Information in relation to this process is article 6 (1) (c) of the UK GDPR, which allows us to process personal Information where it is necessary for the performance of a legal obligation; this information is processed specifically for our obligation under the Nuclear Industries Security Regulations (NISR) 2003.

What we need

We need enough information to issue you with the appropriate pass. For pass applications we will ask for your title, full name, date of birth, employee identification number, home address, nationality including any former or dual nationalities, national insurance number and details of your employment.

For short term workers and visitors, we will ask for the same information as above in addition to any security clearance that you currently hold.

Why we need it

We need enough information to confirm your identity to make sure we are issuing a pass to the appropriate person and the type of pass we are required to issue.

What we do with it

Your application will be shared with your line manager, superintending officer or pass sponsor to complete the pass application process.

The information you provide to us will be used to create a record for the ongoing management of your pass.

How long we keep it

Application forms will be kept for twelve months following the date of receipt.

The record associated with your pass application will be kept for the length that you hold your pass.

Do we use any data processors?

No.

2.2 Human resources

2.2.1 Performance management

Our purpose is to provide a performance management framework to Sellafield Ltd employees.

The legal basis we use to process your personal Information in relation to this process is article 6 (1) (b) of the UK GDPR, where processing your Information is necessary for the performance of a contract. This is required for the contract of employment between Sellafield Ltd and yourself.

If the information we record regarding performance contains Special Category Information, the legal basis we rely on to process it is schedule 1 part 1 (1) of the DPA 2018.

What we need

When processing performance management of an individual we will record your full name and the name of your manager, email address, department within the organisation, role within the organisation and location Information related to your place of work. Due to the nature of performance management we will also record details about your work activities and performance.

Why we need it

We need these details to enable managers to effectively manage individual’s performance in the work place.

What we do with it

The information that we record will be used to track and report on performance of employees, teams and organisational units against agreed company and personal objectives.

Aggregated Information may be used and shared with individuals within the organisation; however, this will be done in a way that does not allow for the identification of individuals.

Additionally, Human Resources may use this Information for reporting and analysis.

How long we keep it

Information will be kept for six years after the current financial year in which it was created.

Do we use any Data Processors?

No.

2.2.2 Reporting of concerns (whistleblowing)

Our purpose is to provide a means for Sellafield Ltd employees, and others, to report serious concerns to the organisation.

The legal basis we use to process your personal data in relation to this process is article 6 (1) (c) of the UK GDPR, which allows us to process personal data where it is necessary for the performance of a legal obligation; this information is processed specifically for our obligation under the Employments Right Act 1996.

If the information you provide us contains in relation to a concern contains special category data, the legal basis we rely on to process it is article 9 (2) (b) of the GDPR, where we process information in support of your rights in the field of employment.

What we need

We need enough information from to you investigate a concern you are raising to us, inclusive of any information you are providing in support of the concern.

When a concern is received we set up a case file containing the details of your concern. This will contain your full name, role within the organisation, department within the organisation and some contact details. However, you can raise concerns anonymously to the organisation through a third party, Safecall.

Why we need it

We need to know details of your concern to enable the organisation to investigate it further.

What we do with it

The information you provide to us will be treated as confidential and we will not disclose it without authority to do so. To enable us to investigate a concern properly we will usually need to disclose some of the information; we will discuss this with you.

Information related to a case file may be reviewed by our internal audit function for the purposes of providing independent audit against the whistleblowing function. This is reported annually to the Sellafield Ltd Audit Committee.

Additionally, information related to a case file will be shared with the Sellafield Ltd Board at every board meeting. This is anonymised and won’t contain any information that will identify you.

How long we keep it

Information will be kept for 6 years following the last event regarding a case file.

Do we use any data processors?

We use a third-party organisation called Safecall as an additional (external) route for reporting concerns to the organisation. Safecall act as the data processor for reports made to Sellafield Ltd, same where Safecall withholds the details of an individual from the organisation at the individuals request.

Where Safecall withholds information regarding an individual they will act as the data controller. In this instance they will hold data for 12 months, after which only information required for statistical reporting will be retained.

2.2.3 Human organisation factors

Safety Culture Survey

The purpose of the safety culture surveys is to provide an analysis of the safety culture across the organisation

The legal basis we rely on to process information relating to safety culture surveys is article 6 (1) (e) of the UK GDPR, where processing is carried out in the interest of an official authority.

What we need

The information collected as part of a safety culture survey includes your full name, work email address, organisation unit, grade employment status and your opinions regarding the safety of the workplace.

Why we need it       

Safety culture surveys are processed to determine the current safety culture across the organisation and to enable identification of areas for improvement.

What we do with it

The data which is collected as part of the safety culture survey is summarised, and from these reports are produced which are then issued across the organisation up to the executive and externally through the Office for Nuclear Regulation (ONR) and the Nuclear Decommissioning Authority (NDA).

How long we keep it

The data which is used for the safety culture surveys are retained for 5 years.

Do we use any data processors?

No.

Workload / Stress Assessment

The purpose of the workload assessment is intended to enable the organisation to make business decisions in areas that may currently be experiencing high volumes of work, identifying those areas which may require additional support.

The purpose of the stress assessment is for the benefit and welfare of employees who may be experiencing issues in the workplace, identified through a workload assessment. This enables the organisation to provide mitigating action to support individuals in the workplace.

The legal basis we rely on to process information relating to workload and stress assessments is article 6 (1) (c) of the UK GDPR, which allows us to process information where it is necessary for compliance with a legal obligation; namely Health and Safety at Work etc. Act 1974.

As this information may contain special category data, the legal basis we rely on is Article 9 (2)(b) of the UK GDPR, which allows us to process information where it  is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment. This condition is met through Schedule 1, Part 1 (1) of the Data Protection Act 2018.

What we need

The information collected as part of a workload assessment includes your full name, work email address, organisation unit, grade, employment status, working pattern and any relevant medical data.

Why we need it

Workload assessments are undertaken to allow the organisation to make decisions in areas that may currently be experiencing high workloads or where they are expecting significant changes to the working environment.

A stress assessment is undertaken subsequent to a workload assessment and are undertaken to enable the organisation to make changes to the work environment to support individuals.

What we do with it

The data which is collected as part of a workload assessment is used to inform line management through summarised reports. This information is also used to decide whether a stress assessment is required.

The data which is collected as part of a stress assessment also used to inform line management through use of summarised reports, and to make appropriate changes to an individual’s working environment.

How long we keep it

The data which is used for the workload and stress assessments is retained for 3 years following the date of the assessment.

Do we use any data processors?

No.

2.3 Information Service Organisation

2.3.1 IT service management

Our purpose is to provide an IT service for individuals who require access to the Sellafield Ltd IT infrastructure.

The legal basis we use to process your personal Information in relation to this process is article 6 (1) (f) of the UK GDPR, which allows us to process personal Information where it’s necessary for the purposes of our legitimate interests.

What we need

If you wish to raise a request/incident through our IT service we will require your full name, your network log-on ID, contact information and location information. For us to be able to process in some cases, we will require written justification, and details of your line manager or security controller.

If you are raising an incident through the IT service we will also ask for a description of any issues that you have experienced, in addition to the information required above, along with your standard working hours.

Why we need it

We need to know details of your requests to fulfil IT services and resolve any incidents that occur whilst using IT.

What we do with it

The information you provide to us will be used for the purposes of processing requests for IT services. These requests include:

  • IT Account services associated with network accounts
  • computer services, which include the supply of computer hardware, peripherals and access to hardware devices
  • information services associated with access to secure repositories and Information backup
  • email services
  • internet services which allow for general internet access
  • network services associated with network requires, such as the addition or activation of network ports and application of static IP addresses
  • printing services
  • software and application services which allow you to request software packages
  • surplus IT collection services
  • telephony and collaboration services associated with mobile and fixed communication devices and audit and video conferencing
  • additional request types that may be added to the service catalogue

Details of requests are then stored within the portal as part of our record keeping arrangements.

How long we keep it

This information will be kept for the duration of the contract with our IT service provider.

Do we use any Data Processors?

We use an organisation called ATOS to process and manage IT service requests.

2.3.2 Sellafield Ltd employee (use of) personal devices 

Our purpose is to provide a method of communications and technological capability for Sellafield Ltd employees, where the usual corporate connectivity is unavailable.

The legal basis we use to process your personal Information in relation to this process is article 6 (1) (a) of the UK GDPR, which allows us to process personal Information where the individual has consented for us to do so.

What we need

For the service requirement, only the minimum data will be collected for this purpose. We will require your full name, your network log-on ID, contact information (Personal Telephone number, Personal e-mail address – as applicable to the service) and location information.

Why we need it

We need to know these details in order to enable you to access the Corporate network and therefore access to corporate communications and systems.

What we do with it

The information you provide to us will be used for the purposes of two factor authentication when logging into the Sellafield Ltd IT services. These include:

  • IT Account services associated with network accounts;
  • Email services;
  • Internet services which allow for general internet access;

Details are stored in the Azure Active Directory.

How long we keep it

This information will be kept for the duration necessary to use MS Azure Multi Factor Authenticator, remote access capability. The removal of your contact information can be enacted at any time you wish.

Do we use any Data Processors?

We use an organisation called ATOS to process and manage IT services.

2.4 Sellafield approved dosimetry service

Our purpose is to provide an approved dosimetry service to radiation workers at Sellafield.

The legal basis we use to process your personal information in relation to this process is article 6 (1) (c) of the UK GDPR, which allows us to process personal Information where it’s necessary for the performance of a legal obligation; this information is processed specifically for our obligation under the Ionising Radiation Regulation 2017 and the Nuclear Installations Act 1965.

The information that you provide to us in relation to this process contains data relating to your health; the legal basis we rely on to process it is article 9(2)(h) of the UK GDPR, where processing is necessary for the assessment of the working capacity of the employee.

What we need

We need enough information from you to confirm your identity and maintain your dose record.

When an application is made to the dosimetry service we will ask for your employee identification number, full name, gender, date of birth, national insurance number and email address. The dose information associated with you will be monitored and recorded routinely for the time you hold a dose meter.

Why we need it

The information you provide in your application is used to create your dose record.

Dose information is monitored and recorded to ensure you are within the acceptable dose level for your personal safety.

What we do with it

Information that is collected through the application process is used to produce a dose record for you. This will be updated regularly with dose information.

Dose information relating to you will be shared with a Dosimetry Centre contact or company contact routinely for the review of dose uptake.

Additionally, the information is used to produce statutory reports that are issued to our regulator, the Health and Safety Executive.

Your information may also be shared with Public Health England (PHE) and the Nuclear Decommissioning Authority (NDA) as part of the National Register for Radiation Workers (NRRW) and the BNFL Epidemiology Study.  This data is used for studies of the cancer incidence and mortality rate of workers in the nuclear industry.

How long we keep it

Dose records are kept for 100 years from the date of last entry.

Do we use any data processors?

We use an organisation called Cavendish Nuclear to process biological samples.

The Personal Dosimetry Service of Public Health England processes all information relating to the issue of a neutron dose meter.

2.5 Occupational Health

Our purpose is to provide an Occupational Health Service to Sellafield Ltd and other key customers.

The legal basis we use to process your personal information in relation to this process are article 6 (1) (c) of the General Data Protection Regulation (UK GDPR), which allows us to process personal information where it is necessary for the performance of a legal obligation; this information is processed specifically in relation to our obligation under The Health and Safety at Work etc. Act 1974 and also article 9(2) (h) where processing is necessary for the assessment of the working capacity of the employee.

What we need

We currently collect and process the following information:

  • Personal details such as name, date of birth, ethnicity
  • Details of how to contact you such as address, telephone number, mobile number, and email address
  • Contact we have with you for example appointments and details of surgery attendances
  • Details and records about your health and treatment you receive including but not limited to:
  • details and records of diagnosis, treatments and medication
  • notes and reports about your health and capacity for work
  • results from your visits, including tests and examinations
  • information about allergies and health conditions
  • information sent to us from other people involved in your care such as your GP, Optician and Hospital Specialists.

Why we need it

We need these details to make an assessment with regards to your medical capacity to work and medical suitability to hold security clearance.

What we do with it

The information you provide to us will be used to create an occupational health record to enable us to:

  • provide ongoing health surveillance where required.
  • provide advice to management regarding medical capacity to work.
  • provide advice to security vetting in relation to medical suitability to hold security clearance.

How long we keep it

Information will be kept for the duration of employment plus 60 years from the date of termination of employment, with the exception of:

  • Random substance misuse test reports which will be kept 12 months from the start of the financial year.
  • Enhanced targeted testing and “for-cause” substance misuse test reports, which will be kept for up to 3 years.
  • Pre-employment medical information will be kept twelve months if employment does not commence.
  • Fit notes, which will be kept 12 months from the start of the financial year.

Do we use any data processors?

We currently use the following organisations to process biological samples:

  • Synlab
  • Health & Safety Laboratories
  • Cavendish Nuclear
  • Health Security Agency
  • West Cumberland Hospital

In addition, we share information with the Sellafield Ltd Approved Dosimetry Service regarding contamination events to enable ongoing management of radiation dose control.

2.6 Management of transport

2.6.1 Single or Yottenfews Occupancy Vehicle Access (SOVA/YOVA)

Our purpose is to establish a process to control and monitor vehicle access to the Sellafield Ltd site for the purposes of helping to achieve the organisation security and strategic objectives.

The legal basis we use to process the personal data is Article 6 (1)(f) of the General Data Protection Regulation ( UK GDPR), which allows us to process personal data where it is necessary for the legitimate interests of the controller.

The legitimate interests of the controller in this instance are to contribute to the organisations security and strategic objectives in maintaining appropriate vehicle access to the Sellafield Ltd site.

Where special category data is processed for the purposes of the medical SOVA application process, the legal basis we rely on is Article 9 (2)(h) of the UK GDPR, where processing is necessary for the purpose of occupational medicine.

What we need:

We need enough information from you to support the SOVA/YOVA process.  We will need your name, contact details, work address and primary/secondary vehicle details.

For the medical SOVA applications, we need details of medical information associated with the requester.

For the Disabled SOVA applications, we need the Disabled Blue Badge expiry date, from the Council.

Equally we may collect details about your personal circumstances for welfare/domestic and child-care arrangement SOVA/YOVA’s.

When applying for a parking permit we need your name, contact details, home address and primary/secondary vehicle details.

Why we need it:        

The SOVA application process allows for modifications to be made to the way in which you can access the site, to accommodate your specific requirements.

The parking permit process allows individuals who meet certain criteria, a pre-paid permit.

What we do with it:

Details of SOVA applications will be reviewed at the SOVA Review Panel to enable a decision to be made about your application.

Medical SOVA applications will be assessed by the Medical SOVA panel who will notify the SOVA Car Governance Request office regarding applications made for medical reasons.

Welfare/domestic SOVA applications will be determined by the Sellafield Case Management department who will notify the SOVA Car Governance Request office regarding applications made for domestic or welfare reasons.

Disabled Badge SOVA data will be used to allow a review of disabled bays required in particular car parks.

Details of SOVA/YOVA applications may also be used to identify your vehicle if a parking/traffic violation has occurred.

Details of SOVA applications may also be used to identify your vehicle if a rail crossing violation has occurred.

Details for the Parking Permits are submitted to Cumberland Council, who then issue a digital Parking Permit.

Digital Parking Permit details are sent to the recipient from the infrastructure.travel.team@sellafieldsites.com

How long we keep it:

SOVA applications will be retained for 1 year where they are processed directly by the SOVA team.

Medical SOVA applications will be held and retained by Sellafield Ltd Occupational Health who will hold them for 1 year.

Disabled SOVA applications will not be retained by the SOVA team.  As the application does not need to go to the SOVA Review Panel.

Parking permit applications will be retained for 1 year where they are processed directly by the Infrastructure Travel Team.

Do we use any data processors?:

No.

6. Your data protection rights

Your right to be informed

You have the right to be informed when and how your personal data is collected and used. As a controller, Sellafield Ltd will provide you with the purpose of processing your personal data, how long the personal data will be retained for and who it will be shared with.

Your right to rectification

You have a right to have your personal data rectified if you believe it is inaccurate or completed if it is currently incomplete.

A request for rectification can be made to Sellafield Ltd verbally or in writing. When a request for rectification is received, Sellafield Ltd will take all reasonable steps to determine the accuracy of the personal data and rectify such data where necessary.

Sellafield Ltd will notify all third parties of any changes if they are recipients of that personal data.

There are specific circumstances where your request for amendments may be refused; however, you will be informed of the justification for the refusal as part of this process.

Your right for removal

You have a right to request that your personal data is erased, called the ‘Right to Erasure’, but is also sometimes called the ‘Right to be Forgotten’.

A request for removal can be made to Sellafield Ltd verbally or in writing.

Where personal data has been shared with third parties, Sellafield Ltd will notify them of a request for removal. Where personal data has been made publicly available online, all reasonable steps will be taken to ensure erasure of that personal data.

There are specific circumstances where your request for removal may be refused. All data subjects will be informed of the justification for the refusal as part of this process.

A request for removal will be responded to by Sellafield Ltd within one month of the request submission date.

Your right to restrict processing

You have a right to request the restriction or suppression of processing of your personal data. Such a request can be made verbally or in writing.

This right applies when:

  • you contest the accuracy of your personal data and Sellafield Ltd is in the period of verifying its accuracy
  • the personal data has been processed unlawfully and you oppose erasure and request restriction instead
  • you have objected to processing your personal data and Sellafield Ltd is considering our legitimate interest for processing, where legitimate interests are used as the lawful basis for processing
  • personal data is no longer required but Sellafield Ltd has been requested to retain the data for the purposes of a legal claim

There are specific circumstances where your request for restriction may be refused. You will be informed of the justification for such refusal as part of this process.

A request to restrict processing will be responded to by Sellafield Ltd within one month of the request submission date.

Your right to data portability

The right to data portability allows you to request your personal data on a machine-readable format. This enables you to have your personal data transferred from one controller to another.

Once personal data is provided to you in response to a data portability request, Sellafield Ltd is no longer responsible for any subsequent processing carried out by another individual or organisation.

Appropriate measures will be used to ensure that personal data is transmitted securely.

There are specific circumstances where your data portability request may be refused. You will be informed of the justification for the refusal as part of this process.

A data portability request will be responded to by Sellafield Ltd within one month of the request submission date.

Your right to object

You have the right to object to the processing of your personal data, in certain circumstances. Such a request can be made verbally or in writing.

There are specific circumstances where your request to stop processing your personal data may be refused. You will be informed of the justification for such refusal as part of this process.

A request to stop processing personal data will be responded to by Sellafield Ltd within one month of the request submission date.

You will not be subject to automated processing, including profiling, which would produce significant adverse effects you.

Where automated individual decision-making is used, Sellafield Ltd will implement suitable measures to safeguard your rights and provide a way for you to contest the decision or request human intervention.

Systems that use automated individual decision-making will be reviewed on a regular basis to ensure the integrity of the system.

Your right of access

You have a right to access copies of your personal data, along with ancillary information, held about you within the organisation; a request for such access is called a Subject Access Request.

You are only entitled to your own information and may only have access to a third party’s information if you are acting on their behalf, with suitable legal authority to do so.

When Sellafield Ltd provides you with copies of your information, you will be informed of:

  • the purposes for processing; the categories of personal data held:
  • who the personal data is shared with
  • how long the personal data will be retained
  • your right to request rectification, restriction, erasure and to object to processing of your personal data
  • your right to submit a complaint to the independent supervisory authority
  • whether your information is subject to automated decision-making
  • any safeguarding arrangements for personal data that is transferred to a third country or international organisation

A Subject Access Request will be responded to by Sellafield Ltd within *one month of the request submission date.

There will be no charge for submitting a Subject Access Request.

*NB: a further 2-month extension may be applied to complex requests.

7. How to make a complaint

If you are not satisfied with how Sellafield Ltd has handled a request, you can make a complaint to Data.Protection.Team@sellafieldsites.com

If you remain dissatisfied, you can make a complaint to the UK’s Independent Supervisory Authority, the ICO.

For further details of our Data Protection Complaints process, please click here.

8. How to make requests at Sellafield Ltd

If you wish to make a request in respect of any of your rights provided by data protection law, a request can be made to Data.Protection.Team@Sellafieldsites.com.

Personal data will only be disclosed on receipt of a formal, written request so that your identity can be confirmed and to maintain the confidentiality of the personal data.

Back to top