HSE Privacy Policy Statements

Privacy Notice

This privacy notice tells you how the Health and Safety Executive (HSE) will use your personal information under Data Protection Act 2018 and UK GDPR 2018. It explains what you can expect us to do with your personal information when you use this service or have an interaction with us.

For the purposes of this privacy notice, the data controller is the Health and Safety Executive (HSE), Redgrave Court, Merton Rd, Bootle L20 7HS. A data controller determines how and why personal data is processed.

Purpose

HSE staff will process your personal information when you make contact with us, use one of our services or have any interaction with us.

What data we collect

The data we collect from you includes:

personal data, including your name, email addresses, telephone numbers, date of birth, address and National Insurance number
employment details
memberships of professional bodies
details of profession
questions, queries or feedback you leave, including your email address if you contact us

We may collect cookies if you interact with our website. Please see the Cookies notice for further information.

How we get your information

Most of the personal information we process is provided to us directly by you for one of the following reasons:

you have raised a concern/complaint/enquiry to us
you have made an information request to us
you wish to attend, or have attended, an event
you subscribe to our e-newsletter/e-bulletin
you have applied for a job or secondment with us
you are representing your organisation
you are registered, certificated or licenced by the HSE
you have volunteered for a research programme

We also receive personal information indirectly, in the following scenarios:

we have contacted an organisation about a complaint you have made, and it gives us your personal information in its response
a complainant refers to you in their complaint correspondence
whistle-blowers include information about you in their reporting to us
we have gathered personal information as part of a regulatory investigation or intervention
from other regulators or law enforcement bodies
an employee of ours gives your contact details as an emergency contact or a referee
your information has been passed to us as by a business you work with/for in relation to commercial testing of samples
we have seized personal information as part of an investigation
your data has been entered into a licencing or regulatory data base by your employer/contract holder
you have been involved in the purchase of a product using our website
you have registered on one of our online collaboration or membership services

Why we need your data

We collect your personal data to:

process your application
gather feedback to improve our service
respond to any feedback you send us, if you've asked us to
send email alerts to users who request them
allow you to access government services and make transactions

Our legal basis for processing your data

The legal basis for processing all other personal data is that it's necessary because one of the following applies:

you have given consent to the processing of your personal data for one or more specific purposes
processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract
processing is necessary for compliance with a legal obligation to which the controller is subject
processing is necessary in order to protect your vital interests or that of another natural person
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

HSE will process your information under the relevant basis under Article 6 of UK GDPR.

What we do with your data

HSE may disclose personal information to a range of recipients including those from whom personal data is obtained.

Disclosures of personal information are made case-by-case. Only relevant information, specific to the purpose and circumstances, will be disclosed and with necessary controls in place.

The data we collect may be shared with other government departments, agencies and public bodies. It may also be shared with our technology suppliers, for example our hosting provider.

We will share your data if we are required to do so by law, for example, by court order, or to prevent fraud or other crime. This may include:

the Home Office
courts
another regulatory body who can demonstrate that there is a legitimate purpose for the processing of your personal data

We may also disclose personal information on a discretionary basis for the purpose of legal proceedings or for obtaining legal advice.

How long we keep your data

We will only retain your personal data for as long as it is needed for the purposes set out in this document or for as long as the law requires us to.

Records that contain your personal information processed for your registration will be managed in accordance with the Business Classification Scheme and Disposal Policy.

Children's privacy protection

Our service is not designed for, or intentionally targeted at, children 13 years of age or younger. We do not intentionally collect or maintain data about anyone under the age of 13. However, we may gather a child’s personal information as part of a regulatory investigation or intervention. In these circumstances please see our Law Enforcement Privacy Notice (add link) which specifically covers this scenario.

Where your data is processed and stored

We design, build and run our systems to make sure that your data is as safe as possible at all stages, both while it's processed and when it's stored.

All personal data is stored in the European Economic Area (EEA).

How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. Our systems meet appropriate industry and government security standards, and we comply with the relevant parts of legislation relating to data security. We have set up systems and processes to prevent unauthorised access or disclosure of your data - for example, we protect your data using varying levels of encryption.

HSE ensures that appropriate policy, training, technical and procedural measures are in place. These will include ensuring our buildings are secure and protected by adequate physical means. The areas restricted to our staff and staff of partner agencies are only accessible by those holding the appropriate identification and have legitimate reasons for entry.

We carry out regular monitoring and checks to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason.

Our standard operating procedures, and policies contain guidelines as to what use may be made of any personal information. These procedures are reviewed regularly to ensure security is kept up to date.

We also make sure that any third parties that we deal with keep secure all personal data they process on our behalf.

Your rights

You have the right to request:

information about how your personal data is processed
access to that personal data
that anything inaccurate in your personal data is corrected without undue delay
withdraw your consent, where applicable

You can also:

raise an objection about how your personal data is processed
request that your personal data is erased if there is no longer justification for us keeping it
ask that the processing of your personal data is restricted in certain circumstances

Read about your data protection rights. If you have any of these requests, contact us.

If we have collected your data for law enforcement purposes the above rights may not apply. Please see our Law Enforcement Privacy Notice for details of your rights in these circumstances.

Contact us

The Health and Safety Executive (HSE) is the controller for the personal information we process, unless otherwise stated.

There are many ways you can contact us, including by phone, email, and post.

Further information on how to contact HSE

Our postal address
Health and Safety Executive
Redgrave Court
Merton Road
Bootle
L20 7HS
Telephone: 0203 028 3547
Email: [email protected]

Our Data Protection Officer is Malwina Leszczynska. You can contact them at [email protected] or via our postal address above. Please mark the envelope 'Data Protection Officer'.

Your right to complain

We work to high standards when it comes to processing your personal information. If you have queries or concerns, you can make a complaint to HSE and we'll respond.

If you remain dissatisfied, you can make a complaint to the Information Commissioners Office (the UK supervisory authority) about the way we process your personal information.

Changes to this privacy notice

We keep our privacy notice under regular review to make sure it is up to date and accurate. It was last updated on 3rd June 2024.

Privacy Notice for Investigations for Law Enforcement

For investigations for law enforcement purpose, is provided by the Health and Safety Executive (HSE).

This privacy notice tells you how the Health and Safety Executive will use your personal information under Part 3 Data Protection Act 2018 (DPA) and EU Law Enforcement Directive. It explains what you can expect us to do with your personal information when you use this service or have an interaction with us.

For the purposes of this privacy notice, the data controller is the Health and Safety Executive (HSE), Redgrave Court, Merton Rd, Bootle L20 7HS.

Purpose

HSE staff will process your personal information primarily for the purpose of inspections and investigations in support of law enforcement. As part of our statutory functions, we investigate and prosecute individuals and organisations for alleged criminal offences committed under the legislation we regulate (The Health and Safety at Work Act 1974 and other regulations).

Under Schedule 7(28) of the DPA 2018, the Health and Safety Executive are named as a Competent Authority. A Competent Authority is any other person if, and to the extent that, they have statutory functions to exercise public authority or public powers for the law enforcement purposes under Part 3 of the DPA 2018.

These purposes are set out at Part 3 Chapter 1 section 31 of the DPA 2018 and are the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security. Our processing is either done because it is necessary for the performance of a task relating to one of these purposes or with the consent of the individual.

We process personal data for the purposes of law enforcement of the legislation for which we are regulator in the following areas:

inspections
criminal investigations
intelligence
financial recovery

Our processing can also include sensitive processing which means processing special category data for law enforcement purposes. Where this is the case, we rely on either the consent of the individual or, provided the processing is strictly necessary for the law enforcement purposes, on a condition set out in Schedule 8 of the DPA 2018. Our Appropriate Policy Document explains about our processing (including sensitive processing) for law enforcement purposes, our procedures for complying with the data protection principles and our policies for retention and erasure of any personal data.

What data we collect

When we investigate an alleged criminal offence, we gather information and evidence which might include information about victims, suspects, witnesses, and other individuals relevant to the circumstances and events.

The data we may collect from you includes:

personal data, including your name, email addresses, telephone numbers, date of birth, address and National Insurance Number
sound, video and visual images including photographs and CCTV Footage
your vehicle details such as make, model, colour and vehicle registration mark
financial details including bank details
intelligence material
complaint, incident and accident details including past conviction details
location data
employment details including job title, membership of professional bodies and details of your profession

Special category personal data may include personal data revealing:

racial or ethnic origin
Trade Union membership
physical or mental health

How we get your information

Most of the personal information we process is provided to us directly by you through the investigation and inspection process.

We also receive personal information indirectly by someone who has provided your data as part of their interactions with us during our investigation. These could be::

victims
suspects
witnesses
intelligence sources
complainants, including information such as correspondence and enquiries
consultants and other professional experts
other members of public

Why we need your data

We may collect your personal data to:

conduct criminal investigations
collect intelligence to inform our enforcement actions

In our role as a competent authority, we need to establish whether offences have been committed so that we can take legal action if appropriate. When we gather information relevant to our investigation this might include information about you.

Our legal basis for processing your data

We will only use personal data when the law allows us to and where it is necessary and proportionate to do so. The legal basis for processing personal data is that:

it is necessary for the purpose of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security

We may reuse information originally collected for law enforcement processing, for general purposes, for instance to support other HSE business purposes. We may also use law enforcement data for other compatible purposes, such as research. Where this is the case, we will comply with UK GDPR Article 89(1) provisions to ensure lawfulness.

We process special category personal data including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, for the following purposes:

it is necessary for the purpose of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security
you have given consent for your personal data to be processed

For example, where we process data revealing racial or ethnic origin, the processing is necessary for the purpose of providing the same level of service where there may be language As required by law, any processing of special category data for law enforcement purposes will meet at least one Condition listed in Schedule 8 of the Data Protection Act 2018.

The Data Controller will comply with data protection law. This says that the personal data we hold about you must be:

used lawfully, fairly and in the case of data being processed for general, non-law enforcement purposes, in a transparent way
collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
relevant to the purposes we have told you about and limited only to those purposes
accurate and kept up to date
kept only as long as is necessary for the purposes we have told you about
kept and destroyed securely, including ensuring that appropriate technical and security measures are in place to protect your personal data and to protect personal data from loss, misuse, unauthorised access and disclosure

What we do with your data

For the purpose of law enforcement, HSE may disclose personal information to a range of recipients including those from whom personal data is obtained. This includes:

other law enforcement bodies and agencies during an investigation
expert witnesses or specialist investigators working on behalf of HSE
our external legal counsel if we’re considering taking legal action
the courts and any co-defendants and their legal representatives when legal action is taken

Court cases are held in public and so personal data, including special category data, might be made public during proceedings.

When we successfully prosecute someone, we may publish the convicted individual's identity in our Annual Report, on our website or distribute more widely to the media. This will align with any publications already made by the court.

Disclosures of personal information are made case-by-case. Only relevant information, specific to the purpose and circumstances, will be disclosed and with necessary controls in place.

The data we collect may be shared with other government departments, agencies and public bodies. It may also be shared with our technology suppliers, for example our hosting provider.

We will share your data if we are required to do so by law, for example, by court order, or to prevent fraud or other crime. This may include:

the Home Office
courts
another regulatory body who can demonstrate that there is a legitimate purpose for the processing of your personal data

We may also disclose personal information on a discretionary basis for the purpose of legal proceedings or for obtaining legal advice.

We will not:

sell or rent your data to third parties
share your data with third parties for marketing purposes

We will not share your information with any third parties for the purposes of direct marketing.

How long we keep your data

We will only retain your personal data for as long as it is needed for the purposes set out in this document or for as long as the law requires us to.

Records that contain your personal information processed for your registration will be managed in accordance with the Business Classification Scheme and Disposal Policy.

Children's privacy protection

Our service is not designed for, or intentionally targeted at, children 13 years of age or younger. We do not intentionally collect or maintain data about anyone under the age of 13.

Where your data is processed and stored

We design, build, and run our systems to make sure that your data is as safe as possible at all stages, both while it is processed and when it is stored.

All personal data is stored in the European Economic Area (EEA).

How we protect your data and keep it secure

We carry out regular monitoring and checks to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason.

We also make sure that any third parties that we deal with keep secure all personal data they process on our behalf.

Data Subjects Rights

Under UK Data Protection legislation data subjects have a number of rights that can be exercised in relation to personal data we process about you.

We sometimes need to request specific information from you to help us confirm your identity and ensure your authority to exercise the rights.

Right of Access

You can request access to the personal data we hold about you free of charge (other than a reasonable fee if a request for access is clearly unfounded or excessive but we agree to fulfil it anyway). Normally we will provide it within one month of receipt of your request unless an exemption applies.

Right to be Informed

You are entitled to be told how we obtain your personal information and how we use, retain, and store it, and who we share it with. This privacy notice gives you that information, as well as telling you what your rights are under the relevant laws.

Right to Rectification

If we hold personal data about you that is inaccurate or incomplete you have the right to ask us to correct it. You can ask us to correct your personal data by contacting [email protected]. We will reply to you within one month unless the request is complex.

Right to Request Erasure

Under certain circumstances you have the right to ask us to delete your personal data to prevent its continued processing where there is no justification for us to retain it. The circumstances most likely to apply are:

where holding your personal data is no longer necessary in relation to the purpose for which we originally collected and processed it
where you withdraw your consent to us holding your personal data if we are relying on your consent to hold it

Right to Restrict Processing

Under certain circumstances you have the right to ask us to restrict the processing of your personal data. This may be in cases where:

you are contesting the accuracy your personal data while we are verifying the accuracy
your information has been unlawfully processed and you oppose its erasure and have requested a restriction instead
where we no longer require your personal data, but you need it to establish, exercise or defend a legal claim and do not want us to delete it

It is important to note that subject access rights and the rights to rectification, erasure and restriction do not apply to the processing of ‘relevant personal data’ in the course of a criminal investigation or criminal proceedings.

Relevant personal data’ means personal data contained in a judicial decision or in other documents relating to the investigation or proceedings which are created by or on behalf of a court or other judicial authority.

Exemptions and restrictions that can, in some circumstances, be legitimately applied to prevent individuals from their rights under subject access they are.

to comply with a legal obligation
for the performance of a task carried out in the public interest or in the exercise of official authority
for the establishment, exercise or defence of legal claims
to exercise the right of freedom of expression and information
for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to make it impossible to carry out or seriously impair that processing

Right to Object and the Right to Data Portability do not apply to law enforcement processing.