National Nuclear Laboratory

Privacy Notice – Visitors

United Kingdom National Nuclear Laboratory (“UKNNL”) is committed to protecting the privacy and security of your personal data. 

UKNNL (also referred to as ‘we’, ‘us’ and ‘our’) is the controller and responsible for your personal data.

This privacy notice describes how we collect and use personal data about you, during and after your visit to us.  This privacy notice applies to all visitors to us, on both short-term and extended visits, including academic researchers and students.

This privacy notice supplements any other privacy notices (including on our website) and is not intended to override them.

Your duty to inform us of changes
It is important that the personal data we hold about you is accurate and current.  Please keep us informed if any of the personal data you have provided to us changes during your relationship with us.

What personal data do we process about you?
We will collect, store, and use those categories of personal data about you listed in the Schedule to this Privacy Notice.

We will collect personal data about visitors when allowing access to our sites, either by an application submitted in advance, or when you provide information at the time of your visit.

How do we process your personal data?
We will store your personal data on our IT system including our intranet and it will be accessible by our staff. 

Our IT system is certified to ISO27001 and Cyber Essentials.  Our IT systems are monitored for any malicious activity.

We will only use your personal data when the law allows.  Most commonly, we will use your personal data to comply with a legal obligation, or when it is necessary for our legitimate interests (or those of a third party) and your interests and privacy rights do not override those interests.

The bases for our uses of personal data will sometimes overlap and there may be several grounds which justify our use of your personal data.  The circumstances in which we will process your personal data and our interests in such processing are listed in the Schedule to this privacy notice.

In limited circumstances, we may ask for your written consent to allow us to process certain particularly sensitive data such as health or biometric data.  It is not a condition of your visit with us that you agree to any request for consent from us and you have the right to withdraw your consent for that specific processing at any time.

In what circumstances will we process particularly sensitive personal data?
We may process special categories of personal data (sensitive personal data as set out in the Schedule to this Privacy Notice):

  • with your explicit written consent;
  • where we need to carry out our legal obligations; or
  • where it is needed in the public interest.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

How long will we process your personal data?
Whenever we collect or process your personal data, we will only keep it for as long as is necessary for the purposes for which it was collected.  At the end of that retention period, your personal data will either be deleted or anonymised.

For day visitors, we will retain your information for up to one month after the visit took place.

If you are on an extended visit, the details of retention periods for different aspects of your personal data are available from the Data Protection Officer (“DPO”) on request (see below).

Who do we share your personal data with?
We will not share your personal data with anyone who does not have a clear need to know.

We may need to share your personal data with government authorities and relevant regulators such as Office for Nuclear Regulation (“ONR”), or to otherwise comply with the law, or for our legitimate business purposes.  

We may need to share your personal data with certain customers in order to arrange access to their sites and premises, which require extra security measures or special equipment to be ready in advance (for example Sellafield Limited and Springfield Fuels Limited).

We will sometimes share your personal data, insofar as we are permitted by law to do so, with trusted third parties such as IT companies who support our website and other business systems and delivery partners.

Your rights in connection with your personal data
In certain circumstances and subject to limitations, by law, you have the right to:

  • Request access to your personal data (commonly known as a “data subject access request”).  This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you.  This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
  • Object to processing of your personal data where we are relying on a legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
  • Request the restriction of processing of your personal data.  This enables you to ask us to suspend the processing of personal data about you, for example, if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of certain personal data to another party.

If you want to exercise any of the above rights in relation to your personal data, please contact our DPO in writing (see below).  You will not normally need to pay a fee to exercise any of these rights.  However, we may charge a reasonable fee if your request is clearly unfounded or excessive.  We may refuse to comply with the request in certain circumstances.

Data Protection Officer
We have appointed a DPO to oversee compliance with data protection legislation. If you have any questions about this privacy notice or how we handle your personal data, please contact the DPO via our webform.

You have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”) or judicial levels.  We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Schedule
We will collect, store and use the following personal data about you:

  • Personal contact details such as name, title, addresses, telephone numbers, and email addresses.
  • Nationality.
  • Date(s) of visit.
  • Your usual place of work / place of study.
  • Vehicle registration.
  • Copies of ID documentation, such as passport, driving licence, birth certificate.
  • Security clearance level (where applicable).
  • CCTV footage and other information obtained through electronic means such as swipe card records.

We may also collect, store and use the following special categories of personal data:

  • Safeguarding records relating to dosimetry readings.
  • Biometric data in relation to visitors who require access to specific hazardous or controlled areas.

The circumstances in which we will process your personal data (and, where applicable, our legitimate interest in such processing) may include:

  • Controlling access and security of our sites.
  • Provision of any education, training or study opportunities.
  • Dealing with legal disputes involving you, or other visitors, employees, workers and contractors, including accidents at work.
  • Complying with health and safety obligations, including reports that are made to investigate health and safety incidents, near-misses, and behavioural observations on our automated reporting system.
  • Complying with our obligations to government agencies or other regulatory bodies (including ONR).

The circumstances in which we will use your particularly sensitive personal data may include:

We will use biometric data to ensure that visitors are supplied with the correct personal protective equipment, either at our sites or at controlled customer sites, such as Sellafield Limited or Springfield Fuels Limited.