Data protection and GDPR
The UK General Data Protection Regulation (GDPR), alongside the Data Protection Act 2018, aims to keep people's personal information safer.
It helps to protect your interests by requiring organisations to manage the information they hold in a particular way, and gives people more say on how their information is used.
Personal information is any data that could identify you as a living person. This could include your email address, a photograph, location data on your phone, a medical record and so on.
What does the GDPR cover?
The GDPR sets out the following categories for special category personal data:
- personal data revealing racial or ethnic origin
- personal data revealing political opinions
- personal data revealing religious or philosophical beliefs
- personal data revealing trade union membership
- genetic data
- biometric data (where used for identification purposes)
- data concerning health
- data concerning a person’s sex life
- data concerning a person’s sexual orientation
- data concerning criminal convictions and offences
We are registered as a data controller with the Information Commissioners Office (ICO) because we collect and process personal information about you.
The ICO publishes certain details in the register of data controllers, which is available to the public for inspection.
To see our entry in the Data Protection Public Register, visit the ICO website.
Our Data Protection Registration Number is ZA896620.
Data protection principles
The data protection principles are:
- process all personal information lawfully, fairly and in a transparent manner
- collect personal information for a specified, explicit and legitimate purpose
- ensure that the personal information processed is adequate, relevant and limited to the purposes for which it was collected or compatible with this purpose
- ensure the personal information is kept accurate and up to date
- keep your personal information for no longer than is necessary for the purpose(s) that we collected it for
- keep your personal information securely using appropriate technical and/or organisational measures
The lawful bases for processing
At least one of the six lawful bases for processing must apply whenever we process your personal data. A brief explanation is below - for more detail see Article 6 of the GDPR.
- Consent: you have given clear, active, consent for us to process your personal data for a specific purpose
- Contract: the processing is necessary for a contract you have with the us, or because you have asked us to take specific steps before entering into a contract
- Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations)
- Vital interests: the processing is necessary to protect someone’s life
- Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law
- Legitimate interests: the processing is necessary for our legitimate interests (or the legitimate interests of a third party) unless there is a good reason to protect your personal data which overrides those interests
Last updated 19 December 2023