HSE Privacy Policy Statement

Contents

General information

This privacy notice tells you what you can expect us to do with your personal information when you make contact with us, use one of our services or have an interaction with us as a regulator.

This notice is layered. So, if you wish, you can easily select the reason we process your personal information and see what we do with it.
We'll tell you:

  • Why we are able to process your information
  • What purpose we are processing it for
  • Whether you have to provide it to us
  • How long we store it for
  • Whether there are other recipients of your personal information
  • Whether we intend to transfer it to another country, and
  • Whether we do automated decision-making or profiling.

The first part of the notice is information we need to tell everybody.

HSE and Data Protection Officers contact details

The Health and Safety Executive (HSE) is the controller for the personal information we process, unless otherwise stated.

There are many ways you can contact us, including by phone, email, and post.

Our postal address

Health and Safety Executive
Redgrave Court
Merton Road
Bootle
L20 7HS

Tel: 0203 028 3547
Email:[email protected]

Our Data Protection Officer is Malwina Leszczynska. You can contact them at [email protected] or via our postal address above. Please mark the envelope 'Data Protection Officer'.

How we get your information

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • You have raised a concern/complaint/enquiry to us.
  • You have made an information request to us.
  • You wish to attend, or have attended, an event.
  • You subscribe to our e-newsletter/e-bulletin.
  • You have applied for a job or secondment with us.
  • You are representing your organisation.
  • You are registered, certificated or licenced by the HSE.
  • You have volunteered for a research programme.

We also receive personal information indirectly, in the following scenarios:

  • We have contacted an organisation about a complaint you have made, and it gives us your personal information in its response.
  • A complainant refers to you in their complaint correspondence.
  • Whistle-blowers include information about you in their reporting to us.
  • We have gathered personal information as part of a regulatory investigation or intervention.
  • From other regulators or law enforcement bodies.
  • An employee of ours gives your contact details as an emergency contact or a referee.
  • Your information has been passed to us as by a business you work with/for in relation to commercial testing of samples.
  • We have seized personal information as part of an investigation.
  • Your data has been entered into a licencing or regulatory data base by your employer/contract holder.
  • You have been involved in the purchase of a product using our website.
  • You have registered on one of our online collaboration or membership services.

Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests.

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.

If we are processing your information for criminal law enforcement purposes, your rights are slightly different. Please see the Investigations for law enforcement purposes section of the notice.

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

Please contact us at [email protected] if you wish to make a request.

Service adjustments and retention

As a public authority and a provider of services to the public, we have a legal duty to comply with the Equality Act (2010).

This means we need to make service adjustments for anyone with a disability who contacts us in any capacity, to eliminate any barriers to accessing our services. Our legal basis for processing this information is article 6(1)(c) of the GDPR as we have a legal obligation to provide this. Our processing of special category data, such as health information you give us, will be based on article 9(2)(a), which means we need your consent.

We'll create a record of your adjustment requirements. These will give your name, contact details and type of adjustment required, along with a brief description of why it is required. Relevant staff can access this to ensure they are communicating with you in the required way.

How long we keep your data

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

If you have subscribed to an email alert or subscription service, we will keep your personal data for as long as you are subscribed to that service or are required to by law and we will delete that data if you have requested it to be removed.

Sharing your information

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct, in accordance with appropriate data retention policies.

In circumstances where we are a joint controller this notice will outline how we will manage your data and the other party will also explain how they manage your data.

In some circumstances we are legally obliged to share information. For example, under a court order or where we cooperate with other European supervisory authorities in handling complaints or investigations. We might also share information with other regulatory bodies or law enforcement agencies in order to further their, or our, objectives. In any scenario, we'll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making and satisfy ourselves we have a legal basis on which to share the information.

In our capacity as UK regulator for enforcing health and safety in the workplace, there are some circumstances where we must cooperate with and help other supervisory authorities in the EEA, in handling complaints, investigations and to regulate the movement of materials (e.g. explosives and chemicals) This may lead to sharing personal information if it is relevant to these tasks.

We may also share your information in the event of the non-payment of a Civil Monetary Penalty. If the debt remains outstanding after the specified timeframe for payment, no payment plan is in place or an agreed payment plan is not being adhered to, we may initiate formal proceedings to recover the full amount of the unpaid penalty. As a result, the HSE will share personal data with the litigation and recovery specialists it instructs in order for them to identify assets and undertake recovery action through the courts.

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit. Please also see disclaimer advice.

Your right to complain

We work to high standards when it comes to processing your personal information. If you have queries or concerns, you can make a complaint to HSE and we'll respond.

If you remain dissatisfied, you can make a complaint to the UK supervisory authority the Information Commissioners Office about the way we process your personal information.

Changes to this privacy notice

We keep our privacy notice under regular review to make sure it is up to date and accurate. It was last updated 06 March 2019.

Children's information

We do not provide services directly to children or proactively collect their personal information. However, we are sometimes given or collect information about children while handling a complaint or conducting an investigation. The information in the relevant parts of this notice applies to children as well as adults.

How you can contact us

Calling us

When you call us we collect Calling Line Identification (CLI) information. This is the phone number you are calling from (if it's not withheld). We hold a log of the phone number, date, time and duration of the call.  In addition, when you call 0300 003 1647 (reporting a health and safety issue), 0300 003 1747 (seeking advice), or 0345 300 9923 (RIDDOR) we audio record the call itself. Other HSE staff may also listen in during your call or listen to the recording for training or quality assurance purposes We hold this information for 90 days.

We use this information to understand the demand for our services and to improve how we operate. We may also use the number to call you back if you have asked us to do so, if your call drops, or if there is a problem with the line. We may also use it to check how many calls we have received from it.

We also hold statistical information about the calls we receive for a number of years, but this does not contain any personal data.

Social media

We only use social media to deliver messages and do not gather personal data from this. Please refer to the privacy policy of the social platform you are using.

Emailing us

We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government guidance on email security. Most webmail such as Gmail and Hotmail use TLS by default.

We'll also monitor any emails sent to us, including file attachments, for viruses or malicious software. You must ensure that any email you send is within the bounds of the law.

Visitors to our website

Analytics and cookies

The main HSE website and the following subdomains all use Google analytics to allow us to measure how the site is used and to improve the service:

  • www.hse.gov.uk
  • careers.hse.gov.uk
  • ourknowledge.hse.gov.uk
  • press.hse.gov.uk
  • services.hse.gov.uk

Google analytics opt out

To stop Google collecting this information, use the following link to opt out of all Google analytics.

Visitors to our offices

We meet visitors at our head office, including:

  • dignitaries
  • external training providers
  • job applicants
  • suppliers and tradespeople
  • stakeholders
  • event attendees
  • organisations we may be interviewing in a regulatory capacity

If your visit is planned, we'll send your name and visit information to reception before your visit you will be given visitor badge. You must wear a pass throughout your visit.

We ask all visitors to sign in and out at reception and show a form of ID. The ID is for verification purposes only, we don't record this information.

The purpose for processing this information is for security and safety reasons. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.

Any CCTV used in our offices is not operated by us, so we are not the controller. It will be under the control of the relevant building landlord.

Reasons for us holding your Personal Data

Raising a concern

Purpose and legal basis for processing

Our purpose is to regulate Health and Safety in line with our statutory duties under the Health and Safety at work Act 1974, including inspection and investigation activities.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

If the information you provide us in relation to your complaint contains special category data, such as health, religious or ethnic information the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights. And Schedule 1 part 2(6) of the DPA2018 which relates to statutory and government purposes.

What we need

We need information from you to investigate your concern properly, so our complaint forms are designed to prompt you to give us everything we need to understand what's happened.

When we receive a complaint from you, we'll set up a case file. This normally includes your contact details and any other information you have given us about the other parties in your complaint.

Why we need it

We need to know the details of your concern, so we can investigate it and fulfil our regulatory function.

What we do with it

We will use your personal information to investigate your complaint and check on our level of service. We compile and publish statistics showing information like the number of complaints we receive, but not in a form that identifies anyone.

No third parties have access to your personal information unless the law allows them to do so. If you don't want information that identifies you to be shared with the organisation you have raised a concern about, we'll try to respect that. However, it is not always possible to handle a concern on an anonymous basis so may contact you to discuss this.

If you are acting on behalf of someone making a complaint, we'll ask for information to satisfy us of your identity and if relevant, ask for information to show you have authority to act on someone else's behalf.

How long we keep your data

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your data protection rights?

We are acting in our official capacity to investigate your complaint, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

More information on your data protection rights

Report bad practices as a Whistleblower

Purpose and legal basis for processing

Our purpose is to regulate Health and safety in line with our statutory duties under the Health and Safety at work Act 1974, including inspection and investigation activities.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

If the information you provide us in relation to your report contains special category data, such as health, religious or ethnic information the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights. And Schedule 1 part 2(6) of the DPA2018 which relates to statutory and government purposes.

What we need

We need enough information from you to investigate your protected disclosure to us, including any evidence you have to support it.

When we receive a disclosure from you we'll set up a case file containing the details. This normally includes your identity, contact details and any other information you have given us about individuals involved in the disclosure. We will treat the information you provide confidentially.

You can contact us anonymously if you prefer but your details will not be given out when we progress your disclosure, unless you give your permission.

Why we need it

We need to know the details of your complaint so that we can decide on the organisation's compliance with the relevant legislation and fulfil our regulatory function

What we do with it

We'll treat the information you provide as confidential and won't disclose it without lawful authority.

If possible, we'll give you feedback about any action we take because of your disclosure. However, this feedback will be restricted. We also have a duty of confidence to the organisations we regulate. We are legally prevented from sharing much of the information we hold about them.

We'll also publish information in a yearly report about any action we take as a result of disclosures by whistle blowers. This won't, however, contain any information that will identify individual whistle blowers or their employers (including ex-employers).

We will use your personal information to process your complaint and to check on the level of service we provide. We compile and publish statistics showing such information as the number of complaints we receive, but not in a form that identifies anyone.

How long we keep your data

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your data protection rights?

More information on your data protection rights

Acting as a data processor (commercial operations)

When we are processing data on behalf of another business. This could be research, intervention or a testing capacity.

Purpose and legal basis for processing

The HSE can be engaged by business to provide paid for services e.g. Research and sample testing.

The legal basis for processing will be determined by the business we are processing for.

What we need

We only need the data for the purposes we have been engaged. As the Data controller the business which has engaged us will be able to inform you why they need your data.

Why we need it

We require the data to fulfil our contract with the business that has engaged us.

What we do with it

We will use the data to complete the task we have been engaged for. We are not able to process your data for other purposes.

We may anonymise the data (remove all personal data) and use it for statistical purposes.

No third parties have access to your personal information unless the law allows them to do so

How long we keep your data

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the contract with the business who has engaged us, your personal data will be disposed of securely.

What are your data protection rights?

If you approach us as the processor of your data and we are unable to give you the information or take the appropriate actions, we will write to you and pass your information/request over to the data controller.

More information on your data protection rights

Investigations for law enforcement purposes

Purpose and legal basis for processing

As part of our statutory functions, we investigate and prosecute individuals and organisations for alleged criminal offences committed under the legislation we regulate (The health and Safety at work act 1974 and other regulations) The Health and Safety Executive is named as a competent authority for the purpose of Part 3 of the DPA 2018 which applies to the processing of personal data by such authorities for law enforcement purposes.

These purposes are set out at section31 of the DPA 2018 and are the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security. Our processing is either done because it is necessary for the performance of a task relating to one of these purposes or with the consent of the individual.

We process personal data for the purposes of law enforcement of the legislation for which we are regulator in the following three areas:

  • Criminal investigations
  • Intelligence
  • Financial recovery

Our processing can also include sensitive processing which means processing special category data for law enforcement purposes. Where this is the case we rely on either the consent of the individual or, provided the processing is strictly necessary for the law enforcement purposes, on a condition set out in Schedule 8 of the DPA 2018. Our Safeguards Policy explains about our processing (including sensitive processing) for law enforcement purposes, our procedures for complying with the data protection principles and our policies for retention and erasure of any personal data.

What we need

When we investigate an alleged criminal offence, we gather information and evidence which might include information about victims, suspects, witnesses and other individuals relevant to the circumstances and events. This information may include samples and photographic or CCTV information.

Why we need it

In our role as a competent authority, we need to establish whether offences have been committed so that we can take legal action if appropriate. So, we'll gather information relevant to our investigation which might include information about you.

What we do with it

We use your personal information for the purposes of our investigation and, and for prosecution purposes if appropriate.

In some circumstances we may share your personal information with other law enforcement bodies/agencies during an investigation. We may also share it with others such as expert witnesses or specialist investigators working on behalf of the HSE.

If we are considering taking legal action, we'll share this information with our external legal counsel, the courts and any co-defendants and their legal representatives. Court cases are held in public and so personal data, including special category data, might be made public during proceedings.

When we successfully prosecute someone, we may publish the convicted individual's identity in our Annual Report, on our website or distribute more widely to the media.

How long we keep your data

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your data protection rights?

You have a right to access your personal data held by or for us. You also have a right to get inaccurate data rectified and incomplete data completed, and for your personal data to be erased in certain circumstances.

We will provide further information directly to data subjects in specific cases to enable them to exercise their rights. This might be in cases where we are processing your personal data that was collected without your knowledge.

We will not do this where doing so would be prejudicial to our investigation or for other reasons set out in s.44 (4) Data Protection Act 2018.

Do we use any data processors?

Yes – we may use external legal counsel for court proceedings, specialist investigators or testing facilities.

Apply for a job or secondment

Purpose and legal basis for processing

Our purpose for processing this information is to assess your suitability for a role you have applied for.

The legal basis we rely on for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract. The legal basis we rely on to process any information you provide as part of your application which is special category data, such as health, religious or ethnic information is article 9(2)(b) of the GDPR, which also relates to our obligations in employment and the safeguarding of your fundamental rights and article 9(2)(h) for assessing your work capacity as an employee. And Schedule 1 part 1(1) and (2)(a) and (b) of the DPA2018 which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.

What will we do with the information you give us?

We'll use all the information you provide during the recruitment process to progress your application with a view to offering you an employment contract with us, or to fulfil legal or regulatory requirements if necessary.

We will not share any of the information you provide with any third parties for marketing purposes.

We'll use the contact details you give us to contact you to progress your application. We'll use the other information you provide to assess your suitability for the role.

What information do we ask for, and why?

We do not collect more information than we need to fulfil our stated purposes and will not keep it longer than necessary.

The information we ask for is used to assess your suitability for employment. You don't have to provide what we ask for, but it may affect your application if you don't.

Application stage

If you use our online application system, your details will be collected by a data processor on our behalf.

We ask you for your personal details including name and contact details. We'll also ask you about previous experience, education and for answers to questions relevant to the role. Our recruitment team will have access to all this information.

You will also be asked to provide equal opportunities information. This is not mandatory – if you don't provide it, it won't affect your application. We won't make the information available to any staff outside our recruitment team, including hiring managers, in a way that can identify you. Any information you provide will be used to produce and monitor equal opportunities statistics.

Shortlisting

Our hiring managers shortlist applications for interview. They will not be provided with your name or contact details or with your equal opportunities information if you have provided it.

Assessments

We may ask you to participate in to complete tests or occupational personality profile questionnaires; attend an interview; or a combination of these. Information will be generated by you and by us. For example, you might complete a written test, or we might take interview notes. This information is held by us.

Conditional offer

If we make a conditional offer of employment, we'll ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We must confirm the identity of our staff and their right to work in the United Kingdom, and seek assurance as to their trustworthiness, integrity and reliability.

You must therefore provide:

  • proof of your identity – you will be asked to attend our office with original documents; we'll take copies
  • proof of your qualifications – you will be asked to attend our office with original documents; we'll take copies
  • a criminal records declaration to declare any unspent convictions
  • your email address, which we'll pass to the Government Recruitment Service, which will contact you to complete an application for a Basic Criminal Record check via the Disclosure and Barring Service, or Access NI, which will verify your declaration of unspent convictions.
  • We'll contact your referees, using the details you provide in your application, directly to obtain references
  • We'll also ask you to complete a questionnaire about your health to establish your fitness to work.
  • We may also ask you to complete a PPE order form if it is necessary for your role.

If we make a final offer, we'll also ask you for the following:

  • bank details – to process salary payments
  • emergency contact details – so we know who to contact in case you have an emergency at work
  • any membership of a Civil Service Pension scheme – so we can send you a questionnaire to see whether you are eligible to re-join your previous scheme. Or we'll provide your information to our partnership pension provider if you don't want to join the Civil Service Pension scheme.

Before or just after appointment

Some roles require a higher level of security clearance – this will be clear on the advert or job description (or both). If you are required to have a National Security Vetting prior to the commencement of your role, it will be managed between HSE and United Kingdom Security Vetting (UKSV) the UKSV will tell us whether your application is successful or not. If it is not, we will not be told the reasons, but we may need to review your suitability for the role or how you perform your duties.

Our Code of Conduct requires all staff to declare if they have any potential conflicts of interest, If you complete a declaration, the information will be held on your personnel file. You will also need to declare any secondary employment.

Secondments

We also offer opportunities for people to come and work with us on a secondment basis. We accept applications from individuals or organisations who think they could benefit from their staff working with us.

Applications are sent directly to us. Once we have considered your application, if we are interested in speaking to you further, we'll contact you using the details you give.

We may ask you to provide more information about your skills and experience or invite you to an interview.

If you are seconded to us, you will be expected to adhere to a confidentiality agreement and code of conduct, which will be agreed with your organisation.

We may also ask you to complete our pre-employment checks or to obtain security clearance via the National Security Vetting process – both of which are described in this notice. Whether you need to do this will depend on the type of work you will be doing for us. We ask for this information so that we fulfil our obligations to avoid conflicts of interest and to protect the information we hold.

How long is the information kept for?

We will retain your personal data for as long as is necessary for the purpose it was collected at the end of the retention period; your personal data will be disposed of securely.

How we make decisions about recruitment

Final recruitment decisions are made by hiring managers and members of our recruitment team. We take account of all the information gathered during the application process. You can ask about decisions on your application by speaking to your contact in our recruitment team

Your data protection rights

As an individual, you have certain rights regarding your own personal data.

For more information on your data protection rights, please see 'Your rights as an individual'.

Do we use any data processors?

Yes – we use several processors to provide elements of our recruitment service for us.

We use Civil service jobs to operate our online application system and to produce anonymised management information about campaigns.

If you accept a final offer from us, some of your personnel records will be held on SOP, which is an internally used HR records system the system is managed by SSCL (Shared Services Connected Ltd).

SSCL also administers HSE's payroll.

Likewise, your details will be provided to MyCSP who is the administrator of the Civil Service Pension Scheme, of which we are a member organisation. You will be auto-enrolled into the pension scheme and the details provided to MyCSP will be your name, date of birth, National Insurance number and salary. Your bank details will not be passed to MyCSP at this time.

We use Duradiamond to provide our Occupational Health service.

We'll send you a link to the questionnaire that will take you to Duradiamond website the information you provide will be held by Duradiamond, who will give us a fit to work certificate or a report with recommendations. You are able to request to see the report before it is sent to us. If you decline for us to see it, this could affect your job offer. If an occupational health assessment is required, this is likely to be carried out by Duradiamond.

For senior vacancies, we sometimes advertise through Hays Recruitment. Hays will collect the application information and may ask you to complete a work preference questionnaire that is used to assess your suitability for the role; the results are assessed by recruiters. Information collected by Hays will be kept for 12 months after the end of our agreement with Hays.

Joining a research programme

Purpose and legal basis for processing

Our purpose for collecting this information is so we can facilitate the research project you are participating in.

The legal basis we rely on for processing your personal data is processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. GDPR Chapter 2 Article 9 (2) (j)

What we need

Enough medical and personal data to facilitate the research project. The exact nature of the project will be explained to you before you consider to participating

Why we need it

We use this information to complete the objectives of that particular research project.

What we do with it

The data is processed for that project only but may be anonymised for further processing.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your data protection rights?

You have the right to have your data deleted under certain circumstances. However, if your data has already been used in the research project it may be impossible to separate it.

More information on your data protection rights

Do we use any data processors?

Yes – we use data processors to help process the research. We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

Being on a Professional Register/Database, receiving certification or Licence

Purpose and legal basis for processing

Our purpose for collecting this information is so we provide information on capabilities to the public. (e.g. Gas safe register, Qualified Diver, Asbestos Register)

Our purpose is to regulate Health and Safety in line with our statutory duties under the Health and Safety at work Act 1974, including facilitating registration or licencing of certain activities.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

What we need

We require enough information to process and prove a competency or skill. In some circumstances the database will be to manage or monitor an activity and the personal data may only cover what is necessary to facilitate the monitoring of this activity (e.g. monitoring/chemicals management REACH).

Why we need it

The data is necessary to fulfil our obligation to monitor specific activities ensuring compliance either by a database monitoring activity or a registration/certification process.

What we do with it

The personal data will be used to provide evidence that you are capable and fit to provide the activity you are certificated/registered to do. The HSE may use the data to check competencies based on the data held via inspection and audits.

Some of these registers are public facing registers which allow the public to verify your qualifications before engaging you.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your data protection rights?

You have the right to have your data deleted under certain circumstances. If you do that you will not be able to continue any activity which relies on this data

More information on your data protection rights

Do we use any data processors?

Yes

Reporting a RIDDOR

Purpose and legal basis for processing

Our purpose for processing this information is to report an occurrence under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

What we need

The HSE requires enough personal data to establish who the injured party is and what happened. The HSE and the Local authority regulate RIDDOR jointly and they will need enough personal data to establish if the occurrence falls under HSE or LA jurisdiction

Why we need it

The HSE and the Local authority regulate RIDDOR jointly and they will need enough personal data to establish if the occurrence falls under HSE or LA jurisdiction

What we do with it

The data will be used to establish if a breach of the regulations has occurred. If the occurrence fits within our investigation criteria it will be processed under law enforcement purposes

Law enforcement purposes

If appropriate the data will be shared with local Authorities if they have jurisdiction over that occurrence.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your data protection rights?

More information on your data protection rights

Do we use any data processors?

No – We are a joint controller with the local authorities.

Contact the Communications Team - enquiries from journalists

Purpose and legal basis for processing

Our purpose for collecting this information is so we can respond to you and give you information about the legislation we oversee.

The legal basis we rely on for processing your personal data is public task, under article 6(1)(e) of the GDPR.

What we need

We need enough information from you, so we can respond to you. We'll take your name and number/contact email address and, where relevant, the name of the organisation you represent.

Why we need it

We need to keep a record of who we have spoken with and what has been asked for/provided. If we can't answer your query/request over the phone, we'll need your contact information for our response.

What we do with it

We'll only use your personal information to respond to you and will make a record of our communications with you, both verbal and written.

We'll also use your contact information to send you our press releases. Or information in relation to your enquiry.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected. At the end of the retention period, your personal data will be disposed of securely.

What are your data protection rights?

We are acting in our official capacity as a regulator in providing you with press releases and responding to media enquiries. This means you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

You can however, ask us to stop sending you press releases at any time and we'll update our records immediately to reflect your wishes.

More information on your data protection rights

Do we use any data processors?

Yes - Vuelio privacy notice

Attend an event, training course, seminar or workshop

Purpose and legal basis for processing

Our purpose for collecting this information is so we can facilitate the event and provide you with an acceptable service.

The legal basis we rely on for processing your personal data is public task, under article 6(1)(e) of the GDPR. When we collect any information about dietary or access requirements we also need your consent (under article 9(2)(a)) as this type of information is classed as special category data.

We may record our events and promote them on YouTube or other media this data is processed under public task, under article 6(1)(e) of the GDPR on these occasions our public task is (provision of training and information) HSAWA 1974 11 (2) (b).

What we need

If you wish to attend one of our events, you will be asked to provide your contact information including your organisation's name and, if offered a place, information about any dietary requirements or access provisions you may need. We may also ask for payment if there is a charge to attend.

Why we need it

We use this information to facilitate the event, cascade the training message and provide you with an acceptable service. We also need this information, so we can respond to you.

What we do with it

If you are not successful in securing a place, we'll let you know and hold your details on a reserve list in case a place becomes available. We may also process your data to Invite you to an event of a similar nature.

If you are allocated places at an event, we'll ask for information about any dietary/access requirements. We don't share this information in any identifiable way with the venue. We may also process your data to Invite you to an event of a similar nature.

We don't publish delegate lists for events.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected. At the end of the retention period, your personal data will be disposed of securely.

What are your data protection rights?

You have the right to have your data deleted under certain circumstances. If you do that, we'll update our records immediately to reflect your wishes.

More information on your data protection rights

Do we use any data processors?

Yes – we use data processors to help facilitate the events.

We collect registration information from some of our conference microsites. This is done via an online reporting tool hosted by Eventbrite, who process information in line with our instructions.

We may sometimes charge a fee to attend an event. If this happens, our communications about the event will provide details of the data processor we use to collect payments.

Subscribe to our e-newsletter/e-bulletin

Purpose and legal basis for processing

Our purpose for collecting the information is so we can provide you with a service and let you know about upcoming events.

The legal basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR.

What we need

Your name and email address.

Why we need it

We use your email address to send you our E-newsletter.

What we do with it

We only use your details to provide the service.

We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter.

You will receive a confirmation email once you have submitted your details and then the newsletters monthly.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your data protection rights?

We rely on your consent to process the personal data you provide to us for marketing purposes. This means you have the right to withdraw your consent, or to object to the processing of your personal data for this purpose at any time. If you do that, we'll update our records immediately to reflect your wishes.

More information on your data protection rights

Do we use any data processors?

Yes - we use GovDelivery provided by Granicus to manage subscription lists, preferences and send emails.

Granicus has staff based outside the European Economic Area and stores your data in the US. Granicus is certified under the EU-US Privacy Shield framework.

Making an information request

Purpose and legal basis for processing

Our purpose for processing your personal data is so we can fulfil your information request to us.

The legal basis for this is article 6(1)(C) of the GDPR, which relates to processing necessary to comply with a legal obligation to which we are subject.

If any of the information you provide us in relation to information request contains special category data, such as health, religious or ethnic information the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights. And Schedule 1 part 2(6) of the DPA2018 which relates to statutory and government purposes.

What we need and why we need it

We need information from you to respond to you and to locate the information you are looking for. This enables us to comply with our legal obligations under the legislation we are subject to:

  • General Data Protection Regulations (2016)
  • Data Protection Act (2018)
  • Freedom of Information Act (2000)
  • Environmental Information Regulations (2004)
  • Re-use of Public Sector Information Regulations

What we do with it

When we receive a request from you, we'll set up an electronic case file containing the details of your request. This normally includes your contact details and any other information you have given us. We'll also store on this case file a copy of the information that falls within the scope of your request.

If you are making a request about your personal data or are acting on behalf of someone making such a request, then we'll ask for information to satisfy us of your identity. If it's relevant, we'll also ask for information to show you have authority to act on someone else's behalf.

We'll use the information supplied to us to process your information request and check on the level of service we provide.

If the request is about information we have received from another organisation – regarding a complaint, for example – we'll routinely consult the organisation/s concerned to seek their view on disclosure of the material.

We compile and publish statistics showing information such as the number of requests we receive, but not in a form that identifies anyone.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected. At the end of the retention period, your personal data will be disposed of securely.

What are your rights?

For more information on your rights, please see More information on your rights

Do we use any data processors?

No – we do not use data processors for the above.

Communicate with us as a business

We hold the names and contact details of individuals acting in their capacity as representatives of their organisations across the business (Business cards & outlook contacts etc). If this relates to interactions regarding our regulatory functions or public task, the legal basis is article 6(1)(e) of the GDPR. If the interactions relate to suppliers, contracts, buildings management, IT services etc., the legal basis is article 6(1)(c) of the GDPR for any legal obligation or article 6(1)(f) because the processing is within our legitimate interests as a business

We are inspecting your business

Purpose and legal basis for processing

Our purpose for processing this information is to have a contact point at your organisation and to tell you the outcome of the visit.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

What we need

When we conduct an Inspection or an advisory visit, we'll take the name and contact details of your organisation's main point of contact. We may also take details of other staff members during the visit process.

Why we need it

We use the data collected to complete the inspection/advisory visit and evidence the information provided.

What we do with it

We may publish a summary of the audit we have completed with you, but this will not contain any personal data. We'll publish the fact that we have conducted an inspection/advisory visit, but this will not contain any personal data.

How long we keep it

We will retain your personal data for as long as is necessary for the purpose it was collected.

At the end of the retention period, your personal data will be disposed of securely.

What are your data protection rights?

We process personal data in the visit information in our capacity as regulator, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

More information on your data protection rights

Do we use any data processors?

No

Testing Tissue Samples on behalf of your organisation

Purpose and legal basis for processing

The HSE is able to test biological samples for evidence of chemical exposures (e.g. blood lead) or the early effects of possible health impacts (e.g. haemoglobin level). Your employer will have identified a requirement to test for such exposures (e.g. under CoSHH or the Control of Lead at Work Regulations).

What we need

We only need enough data to complete the task your employer has asked us to do. we can only process your personal data in accordance with instructions from your employer. This may include Name, Address, Medical Information, Gender, Smoking status and Date of birth.

Why we need it

Some data is required for identification processes and we need certain specific data to be able to understand the results of the tests (e.g. normal haemoglobin levels are different for men and women, smoking can lead to higher levels of some chemicals). 

What we do with it

We collect the Data on behalf of our customers and data controller for the Data is our customer who collected the sample from you.

You should review their privacy information to understand how your information will be used.

We will not use your contact information for marketing.

We apply high standards of security to all information that we hold, in line with our ISO 27001:2013 certification, which provides independent confirmation that our information security policies and procedures follow industry best practice.

How long we keep it

Your Personal data will only be kept as long as the contract stipulates. Fully anonymized data may be kept for research purposes. This will not contain any data which would identify you as an individual.

What are your data protection rights?

More information on your data protection rights

Do we use any data processors?

From time to time we may use processors, but they are only permitted to process the data under our direct instructions.

Internal privacy notice

For HSE staff (including contractors) there is a separate internal privacy statement that relates specifically to their interests. This is not applicable if you do not work for HSE.

Cookies on HSE website

Cookies are files saved on your phone, tablet or computer when you visit a website. We use necessary cookies to make our website work. We also use cookies to store information about how you use our website, such as the pages you visit, so we can improve our services.

We do not use cookies to collect personally identifiable information about you.

Find out more about cookies on HSE.gov.uk

Complaints Privacy Notice

This explains how HSE will use your personal information under Data Protection Act 2018 and UK GDPR 2018.

For the purposes of this privacy statement, the Data Controller is the Health & Safety Executive (HSE), Redgrave Court, Merton Rd, Bootle L20 7HS, Tel: 0203 028 3547.  HSE’s Data Protection Officer can be contacted via Email at [email protected].

Purpose

HSE staff will process your personal information through the 3 Tier complaints process, for the purpose of processing and responding to your complaint. This is to ensure:

  • HSE staff members have a full understanding of your complaint
  • HSE can provide you with a full response to your complaint, which includes providing you with services you have requested

Lawful basis for processing

HSE will process this information under Article 6 (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Information that will be processed

The information that will be collected is name, contact details and issue raised for the purposes of the complaint.

Storage

Information will be stored on the HSE’s internal secure systems in the UK.

Retention

All personal data of complainants will be held for up to 7 years for audit purposes unless requested otherwise by the individual. After that period any personal data will be deleted.

Your data protection rights

Under Data Protection law you have certain rights as a data subject.
More about your data protection rights.

Is this page useful?

Updated: 2023-08-16