This Privacy Notice explains how we use information about you and how we protect your privacy. It also describes the rights you have as to how we handle your personal data.
We comply with all aspects of the UK’s data protection legislative framework, which includes the European General Data Protection Regulation (GDPR), the Privacy and Electronic Communications (EC Directive) Regulations (PECR) and the Data Protection Act, as amended and updated from time to time (the Relevant Legislation).
We are a Data Controller as we determine the purposes and means of the processing of personal information. Our ICO (Information Commissioner’s Office) registration number is Z356493.
We have a Data Protection Officer who makes sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please contact the Data Protection Officer at firstname.lastname@example.org or by calling 03000 065 3000 and asking to speak to the Data Protection Officer.
We carry out a wide range of different services, from regulation, to flood warning to providing advice. Each service has its own specific privacy notice detailing who we may share your information with and why. Each service related privacy notice explains the legal reason that provides the basis for handling your personal data.
Do you know what personal data is?
Personal data can be anything that identifies and relates to a living person. This can include information that, when put together with other information, can then identify a person. For example, this could be your name and contact details.
Did you know that some of your personal data might be ‘special’ or ‘sensitive’?
Some personal data is ‘special’ or ‘sensitive’ which means that it needs more protection. It’s often information you would not want widely known and is very personal to you. This is likely to include anything that can reveal your:
- Sexuality and sexual health
- Religious or philosophical beliefs
- Physical or mental health
- Trade union membership
- Political opinion
- Genetic/biometric data
- Criminal history
Whose personal data do we handle?
We will process personal data relating to a wide variety of individuals including the following:
- Staff, contractors, consultants and advisers of NRW including volunteers, agents, temporary and casual workers, suppliers and students
- Individuals who purchase any of our products
- Individuals who use any of our services
- Individuals voluntarily passing information to NRW or requesting information, eg complainants
- Former and potential members of staff and beneficiaries
- Individuals identified in the course of our investigations or regulatory enquiries and activities
- External stakeholders and partners
- Individuals captured by CCTV images
What types of personal data do we handle?
We may process personal data relating to or consisting of the following:
- Personal details such as name, address, contact details and biographical details
- Lifestyle and social circumstances
- Financial details
- Skill and interests
- Employment details, education and training details
- Goods or services provided
- CCTV images
- Licenses or permits held
- Information relating to health and safety
- Details of any enquiry submitted to us
- Details of any complaint, claim, incident, civil litigation and/or accident
Why do we need your personal data?
We may need to use some information about you to:
- Carry out our regulatory and statutory duties
- Manage our land
- Respond to environmental incidents
- Investigate complaints, provide advice and information
- Send promotional communications about the services we
- Help a wide range of people use the environment as a learning resource
- Collaborate with the public, private and voluntary sectors to improve our natural environment
- Gather evidence, monitor our environment, commission and undertake research, develop our knowledge, and as a public records body
- Employ staff, as well as support other employment through contract work, staff administration, occupational health and welfare
- Manage public relations, journalism, advertising and media
- Manage finance and contracts
- Internally review, account and audit
- Manage property and estates, including the procurement, lease and sales of assets
- Manage vehicles and transport
- Manage information technology systems
- Provide legal services
- Licensing and registration
- Conduct research, including surveys and consultations
- Manage health and safety and security
- Manage events and for marketing
- Prevent and/or detect crime (including matters of national security)
- Conduct any legal duty or responsibility of NRW
Who do we share personal data with?
We may disclose personal data to a variety of recipients, including those from whom personal data is obtained.
Sometimes we have a legal duty to provide personal data to other organisations or individuals when required or permitted to do so by, or under, any act of legislation, by any rule of law, and by court order. We may also disclose personal data for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.
We use a range of organisations to either store personal data or help deliver our services to you. Where we have these arrangements, there is always an agreement in place to make sure that the organisation complies with their legal requirements.
If required, we will complete a privacy impact assessment (PIA) before we share personal data with other organisations, to make sure we protect your privacy and comply with the law.
Where do we obtain and share personal data from?
We may obtain personal data from a wide variety of sources, including but not limited to the following:
- Central government, governmental agencies and departments
- Law enforcement and security agencies and bodies
- HM Revenue and Customs
- Licensing authorities
- Legal representatives
- Prosecuting authorities
- Private sector organisations working with the police in anti-crime strategies
- Voluntary sector organisations
- Individuals themselves, relatives, guardians or other persons associated with the individual
- Current, past or prospective employers of the individual
- Healthcare, social and welfare advisers or practitioners
- Education, training establishments and examining bodies
- Business associates and other professional advisors
- Employees and agents of NRW
- Suppliers, providers of goods or services
- Financial organisations and advisors
- Credit reference agencies
- Survey and research organisations
- Trade, employer associations and professional bodies
- Local government
- Voluntary and charitable organisations
- Ombudsmen and regulatory authorities
- The media; social media
- Data Processors working on behalf of NRW
- Our Website and Apps
- Telephone calls received, texts, writing by post or email, or communicating via online channels, such as social media
- Health and Safety Executive
- The National Fraud Initiative
- The Cabinet Office
- IT providers
- Bodies or individuals working on our behalf (eg Engineering and IT contractors, legal advisors, or survey organisations, etc)
- L law enforcement and security agencies
How the law allows us to use your personal data
There are a number of legal reasons why we may need to collect and use your personal data. We are only allowed to collect and use personal data where:
- You have given consent
- You have entered into a contract with us
- It is necessary to perform our statutory duties
- It is necessary to protect someone in an emergency
- It is required by law
- It is necessary for employment purposes
- It is necessary to deliver the services we provide
- It is necessary for legal cases
- It is necessary to protect public health or the environment
- It is necessary for archiving, research, or statistical purposes
We only use what we need
We will only collect and use personal data if we need it to deliver a service or meet a legal requirement.
If we don’t need personal data, we’ll either not record it or we won’t ask you for it. For example, in a survey, we may not need your contact details, so we’ll only collect your survey responses.
If we use your data for research and analysis, we’ll always keep you anonymous or use a different name unless you’ve agreed that your personal data can be used for that research.
We don’t sell your personal data to anyone else
GDPR gives you a number of rights to be informed about the personal data that we receive and use.
How do we protect your personal data?
We take the security of all personal data under our control very seriously. We will take reasonable steps to comply with our legal obligations. We will ensure that appropriate policy, training, technical and procedural measures are in place to protect our manual and electronic information systems from data loss and misuse. These measures can include:
- Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what’s called a ‘cypher’. The hidden information is said to then be ‘encrypted’
- Pseudonymisation, meaning that we’ll use a different name so we can hide parts of your personal data from view. This means that someone outside of NRW could work on your information for us without ever knowing it was yours
- Controlling access to systems and networks to stop people who are not allowed to view your personal data from getting access to it
- Training our staff to make them aware of how to handle personal data and how and when to report when something goes wrong
- Regular testing of our technology and ways of working including keeping up to date on the latest security updates
How long do we keep your personal data?
We keep personal data as long as is necessary for the particular purpose or purposes for which it is held. Our information is held in accordance with our Retention, Review and Disposal schedule, copies of which can be seen.