Privacy Policy


Introduction

CSA Catapult is committed to being transparent about how it collects and uses the personal data of all individuals who interact with us in order to meet data protection obligations.

1.1  Why this Statement exists

This privacy statement sets out our commitment to data protection, and individual rights and obligations in relation to personal data. It also aims to ensure that all employees understand the type of personal information that may be held by the company and how this is used.

1.2  Statement Scope

This policy applies to the personal data of all individuals that we interact with on a corporate basis including users of the website, job applicants, employees, partners and suppliers.

For any other information please contact our data controller on datacontroller@csa.catapult.org.uk.

1.3 Data Definitions

“Personal data” is any information that relates to a living individual who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

“Contact” means information such as:

  • Name and salutation;
  • Postal address;
  • Email address;
  • Telephone number.

“Individual” means information such as:

  • Date of birth;
  • Gender;
  • Car registration;
  • Planned leave.

“Employment” means information such as:

  • Qualifications, skills and experience;
  • Employment history, including start and end dates, terms and conditions of employment;
  • Remuneration and benefits;
  • Information about marital status, next of kin, dependents and emergency contacts;
  • Information about nationality and entitlement to work in the UK;
  • Details of schedule (days of work and working hours) and attendance at work;
  • Details of periods of leave taken, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
  • Details of any disciplinary or grievance procedures in which the employee has been involved, including any warnings issued and related correspondence;
  • Assessments of performance, including appraisals, performance reviews and ratings, training, performance improvement plans and related correspondence;

“Financial” means information such as:

  • Details of employee bank account and national insurance number.

“Technical” means information such as:

  • Source, destination and routing information including IP address;
  • Calling Line Identification (CLI);
  • Time and duration;
  • Device information including operating system, manufacturer, applications;
  • Activity including applications used, websites visited and messages sent;
  • Cookies and Other Tracking Technologies.

“Content” means information such as:

  • Any information contained within a communication that has been specifically added by the parties involved in the communication.

“Special categories of personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.

  • Equal opportunities monitoring information, including information about ethnic origin, sexual orientation, health and religion or belief;
  • Information about medical or health conditions, including whether or not an individual has a disability for which CSA Catapult needs to make reasonable adjustments.

“Criminal records data” means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.

1.4  Important notice

Although in most cases interactions with CSA Catapult will be with, or addressed to, a named individual, this one to one interaction should not be assumed. We reserve the right to transfer all past, current and further interactions and communications to other individuals, teams, partners or suppliers subject to business requirements and data protection regulations. As such it is not recommended that individuals communicate non-business related information over our systems.

2 Information Collection and Reason for Processing

CSA Catapult collects and processes a range of information about individuals depending on the interactions they have with us.

This information is collected and processed for a number of reasons including:

  • Providing services to staff, customers and suppliers;
  • Securing our systems and information;
  • Complying with legal and regulatory requirements.

Below are some categories of interactions we may engage in. Please be aware that an individual’s interactions may cover multiple categories.

2.1 Websites and Portals

When interacting with CSA Catapult’s website, recruitment or other portals that may be available:

Information collected

As our website will be accessed more by individuals that do not have a prior relationship with us, more detail regarding the information collected has been included here than in other sections.

Cookies and Other Tracking Technologies

We and our authorized partners may use cookies and other information gathering technologies for a variety of purposes. These technologies may provide personal information, information about devices and networks utilized to access our Websites, and other information regarding interactions with our Websites. For detailed information about the use of cookies in the Websites, please read and review the Cookie Policy found here.

Web beacons, tags and scripts may be used on our Websites or in email or other electronic communications we send. These assist us in delivering cookies, counting visits to our Websites, understanding usage and campaign effectiveness and determining whether an email has been opened and acted upon. We may receive reports based on the use of these technologies by our third-party service providers on an individual and aggregate basis.

We may use Local Storage Objects (“LSOs”) such as HTML5 to store content information and preferences. Various browsers may offer their own management tools for removing HTML5 LSOs. Third parties with whom we partner to provide certain features on our Websites or to display advertising based upon individuals’ Web browsing activity use LSOs such as HTML5 and Flash to collect and store information. For further information on how to manage Flash LSOs please click here.

Logs

As is true with most websites and services delivered over the Internet, we gather certain information and store it in log files when individuals interact with our Websites and Services. This information includes internet protocol (IP) addresses as well as browser type, internet service provider, URLs of referring/exit pages, operating system, date/time stamp, search information, locale and language preferences, identification numbers associated with devices, mobile carrier, and system configuration information. Occasionally, we connect personal information to information gathered in our log files as necessary to improve our Websites and Services. In such a case, we would treat the combined information in accordance with this Policy.

Analytics

We may collect analytic information on Website usage to help us improve them. We may also share anonymous data about individuals’ actions on our Websites with third-party service providers of analytics services.

Reason for processing

The reasons for processing are listed below:

  • Delivery, monitoring and management of the service;
  • Security monitoring;
  • Delivery of services to customers, suppliers and partners.

Basis for Processing

The basis for processing any information collected will be dependent on the method of collection and the reason for processing. The basis for processing information from this communication method will include:

  • Consent;
  • Legitimate interest.

2.2 Social media

Where an individual communicates with CSA Catapult using private or direct messages via social media, their contact details and the contents of the message will be stored by the service provider and may be copied to our internal systems either in part or in full.

Information collected

  • Contact and technical information contained within and related to the message;
  • Message content including attachments.

Reason for processing

The reasons for processing are listed below:

  • Delivery, monitoring and management of the transmission service;
  • Security monitoring;
  • Delivery of services to customers, suppliers and partners.

Basis for Processing

The basis for processing any information collected will be dependent on the method of collection and the reason for processing. The basis for processing information from this communication method will include:

  • Consent;
  • Legitimate interest.

2.3 Telephone and Conferencing

When an individual calls CSA Catapult or joins any of our conference or video calls it should be assumed that the content of the call is being recorded (either electronically or by the means of manual notes).

We will collect technical information and details about the call. We use this information to route the call to the correct person and to deliver better services. Where we have an existing business relationship we may additionally match and store this information with contact information contained within our other systems such as Customer Relationship Management.

Voicemails will be recorded and distributed using our e-mail systems.

Information collected

  • Contact and technical information contained within and related to the message;
  • Message content including attachments.

Reason for processing

The reasons for processing are listed below:

  • Delivery, monitoring and management of the transmission service;
  • Security monitoring;
  • Delivery of services to customers, suppliers and partners.

Basis for Processing

The basis for processing any information collected will be dependent on the method of collection and the reason for processing. The basis for processing information from this communication method will include:

  • Consent;
  • Contract;
  • Legal Obligation.

2.4 Email and Messaging

When CSA Catapult receives a message, where possible it will be forwarded to the individual or group named in the message. However, be aware that under certain circumstances messages may be delivered or forwarded to other groups or individuals within the organisation as appropriate. Due to this, please consider carefully what information is included in communications.

Information collected

  • Contact and technical information contained within and related to the message;
  • Message content including attachments.

Reason for processing

The reasons for processing are listed below:

  • Delivery, monitoring and management of the transmission service;
  • Security monitoring;
  • Delivery of services to customers, suppliers and partners.

Basis for Processing

The basis for processing any information collected will be dependent on the method of collection and the reason for processing. The basis for processing information from this communication method will include:

  • Consent;
  • Contract;
  • Legal Obligation.

2.5 Visitors to our office

CSA Catapult does not currently operate a CCTV system, but our building provider does.

Some information may be shared with our building provider to allow all parties to manage visits and to secure the building. This information will normally be restricted to contact information but may include some personal information.

Where visitors access our guest Wi-Fi, additional technical information will be collected.

Information collected

The information collected will fall into the following categories:

  • Contact information related to the visitor;
  • Individual information related to providing services as part of the visit;
  • Special category information related to providing services as part of the visit;
  • Technical information related to use of our IT services.

Reason for processing

The main reasons for processing are listed below:

  • Delivery, monitoring and management of the transmission service;
  • Security;
  • Health and safety;
  • Delivery of services.

Basis for Processing

The basis for processing any information collected will be dependent on the method of collection and the reason for processing. The basis for processing information from this communication method will include:

  • Consent;
  • Contract;
  • Legal Obligation;
  • Vital Interest.

2.6 People who make a complaint

When CSA Catapult receives a complaint from an individual, we create a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information collected to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing information such as the number of complaints we receive, but not in a form which identifies individuals.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a record is in dispute. If a complainant doesn’t want information identifying them to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Similarly, where enquiries are submitted to us we will only use the information supplied to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

When we take enforcement action against someone, we may publish the identity of the defendant in our Annual Report or elsewhere. Usually we do not identify any complainants unless the details have already been made public.

Information collected

The information collected will fall into the following categories:

  • Contact information;
  • Individual information.

Reason for processing

The main reasons for processing are listed below:

  • Service Delivery.

Basis for Processing

The basis for processing any information collected will be dependent on the method of collection and the reason for processing. The basis for processing information from this communication method will include:

  • Legitimate interest.

2.7 Suppliers

Where CSA Catapult consumes or purchases services from a supplier we may hold information related to individuals within that organisation. This information is held so that we can contact the most appropriate person to deliver our requirements.

Information collected

The information collected will fall into the following categories:

  • Contact information.

Reason for processing

The main reasons for processing are listed below:

  • Delivery, monitoring and management of the supplier relationship.

Basis for Processing

The basis for processing any information collected will be dependent on the method of collection and the reason for processing. The basis for processing information from this communication method will include:

  • Contract;
  • Legitimate Interest.

2.8 Business Partners and Customers

Where CSA Catapult has an existing or potential business relationship with companies and individuals, we may collect and process the following information. This information will enable us to provide a better service to our partners and customers by identifying the most appropriate relationships on a per project basis.

Information collected

The information collected will fall into the following categories:

  • Contact information.

Reason for processing

The main reasons for processing are listed below:

  • Delivery, monitoring and management of the partner relationship.

Basis for Processing

The basis for processing any information collected will be dependent on the method of collection and the reason for processing. The basis for processing information from this communication method will include:

  • Contract;
  • Legitimate Interest.

2.9 Job Applicants and Employees

CSA Catapult collects information in a variety of ways. For example, data is collected through application forms, CVs or resumes; obtained from passports or other identity documents such as a driving license; from forms completed by employees at the start of or during employment (such as benefit nomination forms); from correspondence; or through interviews, meetings or other assessments.

In some cases, we collect personal data from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.

Data is stored in a range of different places, including the personnel file, HR management systems and other IT systems (including the email system).

Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes). Information about trade union membership is processed to allow us to operate check-off for union subscriptions.

Where we process other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that we use for these purposes is anonymised or is collected with the express consent of employees, which can be withdrawn at any time. Employees are free to decide whether or not to provide such data and there are no consequences of failing to do so.

Automated decision-making

Some of our employment decisions are based solely on automated decision-making. Where pre-screening questions are asked, if the predesignated responses are not selected then candidate applications will automatically be excluded by the system and any personal details including CV or application will not be progressed. We may refer to the application if a similar vacancy arises within the following six months and seek to progress a separate application at that point, but thereafter the data will be securely destroyed.

Choosing not to provide personal data

Employees have some obligations under the employment contract to provide us with data. In particular, employees are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. Employees may also have to provide data in order to exercise statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may prevent statutory rights being exercised.

Certain information, such as contact details, right to work in the UK and payment details, has to be provided to enable us to enter a contract of employment. If the information is not provided, this will hinder our ability to administer the rights and obligations arising as a result of the employment relationship efficiently.

Information collected

The information collected may include information in the following:

  • Contact;
  • Individual;
  • Employment;
  • Financial;
  • Special Category;
  • Criminal Records.

Reason for processing

We need to process data in order to enter into an employment contract with an employee and to meet our obligations under the employment contract. For example, we need to process personal information to provide an employment contract, to make payment in accordance with the employment contract and to administer benefits, pension and insurance entitlements.

In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we are required to check an employee’s entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled. For certain positions, it is necessary to carry out criminal records checks to ensure that employees are permitted to undertake the role in question.

Basis for Processing

The basis for processing any information collected will be dependent on the method of collection and the reason for processing. The basis for processing information from this communication method will include:

  • Contract;
  • Legal Obligation;
  • Legitimate Interest.

3 Who has access to data?

Depending on the type of data and how individuals interact with CSA Catapult, we may share information internally with appropriate teams and individuals and with third party suppliers who provide systems, services and support.

4 Data Protection

CSA Catapult takes the security of personal data seriously. We have internal policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties. These include:

  • Data Protection and Security Policy;
  • Subject Access Request Policy;
  • Information Technology Policy;
  • Document Management Policy.

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

5 Data Retention

CSA Catapult retains data in line with a central data register and data retention policy that aligns individual data entities with the source of the information and the basis for processing, after which it will be securely destroyed in line with our data protection policy.

6 Individual rights

As a data subject, individuals have a number of rights in relation to their personal data.

6.1 Subject access requests

Individuals have the right to make a subject access request. If an individual makes a subject access request, CSA Catapult will provide the following information:

  • Whether the individual’s data is being processed and if so why, the categories of personal data concerned and the source of the data (if it is not collected from the individual);
  • To whom the data is or may be disclosed, including recipients located outside the European Economic Area (EEA), and the safeguards that apply to such transfers;
  • For how long the personal data is stored (or how that period is decided);
  • The individual’s right to rectification or erasure of data, or to restrict or object to processing;
  • The individual’s right to complain to the Information Commissioner if they think we have failed to comply with data protection rights; and
  • Whether we carry out automated decision-making and the logic involved in any such decision-making.

We will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless they agree otherwise.

If the individual requests additional copies, we may charge a fee, which will be based on the administrative cost to us of providing the additional copies.

To make a subject access request, individuals should contact CSA Catapult. To facilitate this, there is a dedicated e-mail address ‘subjectaccessrequest@csa.catapult.org.uk’; however, requests can also be submitted by other written or verbal methods. The data controller will always verify the identity of anyone making a subject access request before handing over any information.

We will normally respond to a request within a period of one month from the date it is received. In some cases, such as where we process large amounts of the individual’s data, we may respond within three months of the date the request is received. We will write to the individual within one month of receiving the original request to tell them if this is the case.

If a subject access request is manifestly unfounded or excessive, we are not obliged to comply with it. Alternatively, we can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which we have already responded. If an individual submits a request that is unfounded or excessive, we will notify them that this is the case and confirm whether or not we will respond to it.

6.2 Other rights

Individuals have a number of other rights in relation to their personal data. They can request CSA Catapult to:

  • Rectify inaccurate data;
  • Stop processing or erase data that is no longer necessary for the purposes of processing;
  • Stop processing or erase data if their interests override our legitimate grounds for processing data (where we rely on legitimate interests as a reason for processing data);
  • Stop processing or erase data if processing is unlawful; and
  • Stop processing data for a period of time if data is inaccurate or if there is a dispute about whether or not their interests override our legitimate grounds for processing data.

To ask us to take any of these steps, the individual should send the request to ‘subjectaccessrequest@csa.catapult.org.uk’.

Each request will be assessed, and we will notify the individual of any actions taken in relation to the request.

Approved V1.0: Internal