Privacy notice

We process personal information that is provided to us directly by you, or when it is shared with us.

The circumstances by which we may collect personal data about you includes when:

• the personal data has been submitted to us by you. For example, when you visit our offices, register to use our sites, register for events, make an enquiry, subscribe to an e-newsletter or request that marketing be sent to you, participate in an online survey, or correspond with us by post, phone, email or otherwise. When we collect this type of information, we will notify you of the reason we are asking for information and how this information will be used
• the personal data is collected by us or on our behalf in the normal course of our relationship with you. For example, when you book on a webinar, make enquiries, or purchase our services
• the personal data about you is contained in a concern raised using our confidential reporting services by you or a third party about health, wellbeing and safety concerns. Where your personal data is submitted in this way by a third party this is redacted from our systems at the earliest opportunity and is not used by us for any purpose
• the personal data has been made public by you. For example, when you contact us via a social media platform. Please note when you have provided content to CIRAS for uploading to any of our websites and that content or material contains personal data about another person, you must only do so with that person's permission. You should not include information of a sensitive, non-professional nature (e.g. personal email addresses, phone numbers, health information) (see also Section 7)
• the personal data has been provided to us by your employer or the organisation you represent. For example, when they nominate you to attend an event or to be their designated contact or representative
• the personal data has been provided to us by our members
• the personal data has been provided by our suppliers and partners including service providers, contractors, regulators, and other industry bodies. This includes receipt of publicly available data gathered by Dun & Bradstreet, their Privacy Notice can be found here
• the personal data is available from publicly available sources such as Companies House
• the personal data is collected via our IT systems, including our CCTV systems or our website
• the personal data is created by us, such as records of your communications with us
• the personal data is collected when we record a meeting or event in which you take part either at our offices or remotely, e.g., using Teams. If a recording is taking place, you will be informed by the organiser. If you take part, you may have the option to share your video and / or audio during the meeting or event. If you choose to do so, this will be captured in the recording.

Personal information that may be collected or shared with us includes:

• Personal Details: such as names, titles, aliases and photographs. Where relevant, or where you (or your employer or the organisation you represent) provide them to us, we may process demographic information such as gender, age, date of birth, marital status, nationality, education, or work histories, academic or professional qualifications, hobbies, family composition, and dependants
• Contact Data / Employment and Business Details: such as job role / title, company details, telephone numbers, addresses, email addresses, details of services / products provided
• Financial Data: including information required for processing any transactions or financial payments, such as account details, or credit card or billing information
• Technical Data / System Use Details: including information about your computer's unique identifier (e.g., the IP address), information about your use of our information, IT and communications systems including the browser or device you used to access our sites, information processed by cookies when you use our sites or app in accordance with our Cookies Policy. This can include click data, timing, and frequency of site visit. For more information, see our Cookie Policy page
• Usage and Profile Data: including your username and password, purchases or orders made by you, your interests, preferences, feedback, how you use our sites, products, and services and survey responses
• Identifying or Identifiable Data: such as social media handles, photographs, video recordings i.e., CCTV (identifying physical characteristics)
• Communications Data: such as social media postings, responses, comments, feedback, and opinions when you communicate with us, for instance when making a complaint
• Preferences: such as consents, permissions, or preferences that you have specified or agree to our terms and conditions
• Research Data: including data collected as part of research, including internal analysis
• Incident History: such as health and safety accidents, security incidents, accident information, complaints communications
• Health, wellbeing and safety concerns: personal data collected in connection with any reports made using our confidential reporting services of health wellbeing and safety concerns.

Special categories or sensitive personal data

We do not systematically seek to collect, store, or otherwise use information about you classed as 'special categories of data' or 'sensitive data' (for example, information related to your ethnic origin, health or sexual orientation, criminal history).

We will consider that you have given us your consent to hold your special category of data where you have voluntarily provided such information in your communications with us or provided information we have marked as optional. We will only use the information for the purpose for which it was received unless required by applicable law.

Reports made using our confidential reporting services of health wellbeing and safety concerns may occasionally contain special category personal data.

When we process your personal information, we are required to have a legal basis for the processing. The lawful basis for collecting and using your personal data will depend on the specific context in which we collect it. Most of our data is processed because it we require it to comply with our contractual obligations or it is necessary for our legitimate interests, or the legitimate interests of a third party (such as another controller). We will always take into account your interests, rights, and freedoms.

We will comply with all legal obligations to keep personal data up to date; to store and destroy it securely; to not collect or retain excessive amounts of data; to keep personal data secure, and to protect personal data from loss, misuse, unauthorised access, and disclosure and to ensure that appropriate technical measures are in place to protect personal data.

Some of our processing is necessary for compliance with a legal obligation. For example, we are required to maintain certain records by law such as health and safety records. We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

We use your personal data for some, or all of the following purposes:

Where necessary to the performance of a contract with you, or to take steps linked to a contract, for example:

• To fulfil our contractual obligations to you.
• To exercise our legal rights with respect to our contract with you.
• To process any transactions or financial payments required for products for services (also required to comply with a legal obligation).
• To provide our members and their staff with a confidential reporting service and associated activities such as sharing insights and good practice (it may also be required for our legitimate interest).

When you give us consent, for example:

• To seek views or comments, including inviting you to participate in surveys or consultations (where appropriate, we may rely on our legitimate interests for this purpose).
• For marketing purposes, we may provide you with information on our activities and / or our products or services or the activities, products and services of RSSB which may be relevant or of interest to you, including training courses, consulting services relevant to your specific business role or affiliated services. (Where appropriate, we may alternatively rely on our legitimate interests for this purpose). If you no longer wish to be contacted by us for marketing purposes you can unsubscribe at any time (see section 10).
• On occasions we may ask you for consent, we will use the data for the purposes which we explain at the time.

To comply with a legal obligation, for purposes which are required by law, for example:

• To enable us to meet all legal and statutory obligations, such as in the framework of tax control and reporting obligations.
• For prevention, detection, or investigation of fraud or security incidents (also required for our legitimate interests).
• In response to requests from government law enforcement authorities, government agencies and departments, such as British Transport Police.
• Our processing also includes the use of CCTV systems for the prevention and prosecution of crime (also required for our legitimate interests).
• To process any transactions or financial payments required for products for services (also required for our performance of a contract).

Where necessary for our legitimate interests and where our interests are not overridden by your data protection rights such as:

• To manage and facilitate the provision of our services to you.
• To support business and administrative functions of our business.
• To enhance, modify, personalise, or otherwise improve our sites, products, and services.
• To seek views or comments, including inviting you to participate in surveys or consultations.
• To use data analytics for statistical and analytical purposes, to improve our sites, products, and services, to improve our relationship with members and stakeholders and their and your experience of our sites, products, and services.
• To use software and tools containing artificial intelligence (AI) for business efficiency and analytical purposes. AI may be used to analyse emails / content you have provided to CIRAS such as suggesting responses we provide to customers and to help with managing the content internally such as providing a summary of an email. Where used, all responses are viewable by CIRAS prior to being issued and personal data is only used in line with the original purposes for which it was provided and/or processed in accordance with this notice. AI will not be used to analyse personal data provided to us to raise a confidential report.
• For some research, we may use AI tools for analysing and processing data. If inputting any personal data (where necessary) in connection with such AI tools we will ensure compliance with data protection legislation. Any data generated by the AI will be anonymised.
• For marketing and business development purposes, we may provide you with information on our activities and / or our products or services or the activities and / or products or services of RSSB (which may be relevant or of interest to you, including training courses, consulting services relevant to your specific business role or affiliated services. RSSB services includes RISAS and RISQS (privacy notice available here). If you no longer wish to be contacted by us for marketing purposes, you can unsubscribe at any time (see section 10).
• To provide our members and their staff with a confidential reporting service and associated activities such as sharing insights and good practice (it may also be required for our performance of a contract).
• To administer and protect our business and our sites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
• For security purposes, including the security of our networks and property, managing access to the sites, materials, authenticating your identity and recording visits to our premises (for example through monitoring our web platform and IT systems, and use of CCTV).
• To maintain our own accounts and records, to manage our relationship with you which will include notifying you about changes to our privacy notices and our terms and conditions.
• To contact you and manage any enquiries, complaints, and feedback.
• For risk management purposes.
• For health and safety purposes.
• For quality assurance and staff training purposes.
• Where you have agreed to take part in a meeting, either at our offices or remotely, e.g. using Teams. AI may be used to help with summarising and analysing the tone of meetings.
• For prevention, detection, investigation and reporting of fraud, crime or security incidents or other related matters (also required to comply with law).
• Our processing also includes the use of CCTV systems for the prevention and prosecution of crime (for legitimate interests and / or to comply with law).
• In connection with a business transaction such as a merger, restructuring or sale of the business.
• We will use personal information in connection with legal claims, compliance, and regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation).

Where your information is used other than in accordance with one of these legal bases, we will inform you.

We sometimes use or process personal data relying on exemptions under applicable data protection law. Any use of processing of personal data under such exemptions will take priority over this priority notice to the extent of any inconsistency.

Confidential reporting

Where you provide personal data to raise a confidential report, this is never shared outside of CIRAS and its systems suppliers who are bound by confidentiality and data sharing agreements. If you provide this information through the app, a web form, voicemail, text or postal form the original source is erased or shredded as soon as the data is captured within our single secure database. The operational copy of your personal data is erased six months after a report is closed but copies may be held in a secure archive.

Sharing personal data with other organisations

Your personal data will be treated as strictly confidential. It will only be shared with other organisations where it is required for task performance (including where it is necessary in order for a third party service provider to deliver services to us), where there is a contractual obligation or where it is permitted to do so by law. On some occasions, these third parties may also be a controller of your personal data.

The other organisations we may share your personal data with include:

• Other organisations within the RSSB group of companies, where RSSB and CIRAS are joint controllers, and/or where such disclosure is necessary to provide you with our services and/or to manage our business.
• Your employer or the organisation you represent, for example if you are the nominated contact for their organisation. As explained above, this will not include your personal data contained in any confidential report you make.
• Our agents, suppliers and contractors. For example, banks and payment providers, third party service suppliers, such as those providing software or support needed to provide a product or service, marketing agencies, IT support service providers, analysis experts, communication platform providers etc.
• Third parties we use to deliver our products, services, or training on our behalf.
• Our members and stakeholders. For example, a member may check with us who we have on record as their representative or finance contact.
• Our professional advisers including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance and accounting services.
• HM Revenue & Customs, regulators and other authorities based in the UK.
• Government, regulatory and law enforcement bodies, where we are required in order:
  a) To comply with our legal obligations
  b) To exercise our legal rights (e.g., to pursue or defend a claim)
  c) For the prevention, detection, and investigation of a crime.
• third parties where personal data is disclosed in connection with a reorganisation, restructuring or merger, outsourcing, acquisition, sale, or transfer of assets.
• Less commonly, we may process and share your personal data with third parties where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent.

We will keep your personal information for as long as necessary for the purposes in which we are processing, unless the law permits or requires longer. Some records may be kept permanently if we are legally required to do so. In general, we will endeavour to keep data only for as long as we need it. Where necessary we keep records for the establishment, exercise, or defence of legal claims.

You have the following rights with respect to your personal data:

When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights.

The right to access information we hold on you:

At any point you can contact us (see section 11) to request the information we hold on you as well as why we have that information, who has access to the information and where we obtained the information from. Once we have received your request, we will try to respond within one calendar month.

There are no fees or charges for the first request but additional requests for the same data may be subject to an administrative fee.

The right to correct and update the information we hold on you:

If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated.

The right to have your information erased:

If you believe that we should no longer be using your data or that we are illegally using your data, you can request that we erase the data we hold.

When we receive your request, we will confirm whether the data has been deleted or the reason why it cannot be deleted (for example because we need it for our legitimate interests, legal or regulatory purpose(s)).

The right to object to processing of your data:

You have the right to request that we stop processing your data. Upon receiving the request, we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with our other rights or to bring or defend legal claims.

The right to data portability:

You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies where: (i) the processing is based on your consent or where we used the information to perform a contract with you; and (ii) the processing is carried out by automated means.

You can withdraw your consent:

If your personal data is processed based solely on your consent as the legal basis, you can withdraw your consent easily by telephone, email, or by post (see section 11). This will not affect the lawfulness of any processing carried out before you withdraw your consent.

If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise if this is the case at the time you withdraw your consent.

The right to restrict the processing of personal data where applicable:

You have the right to restrict the processing of your data in certain circumstances.

The right to lodge a complaint with the Information Commissioner’s Office (ICO):

Please refer to section 12 for further information.

This section does not relate to confidential reports made to CIRAS.

If you are providing content or material to CIRAS for uploading to any of our sites which includes personal data relating to another person, you must do so only with that individual's permission. You should not include information of a sensitive, non-professional nature (e.g. personal email addresses, phone numbers, health information).

If you are providing personal data relating to another person to us in connection with any of our other sites, it is your responsibility to ensure that you have complied with all applicable data protection legislation requirements (including but not limited to notifying the individual that their personal data will be published on our sites (as the case may be) and notifying them of their rights) before sharing the personal data with us, If you require anything to be updated or removed please contact us (see section 11).

International Transfers

Whenever we transfer personal data outside the UK or the European Economic Area, we ensure a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:

• We only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data, except where we have your consent for the transfer or where there is an exemption that we are relying on for the transfer to occur
• We may use specific contracts or contract terms approved for use by the ICO or the European Commission which give personal data the same protection it has in the UK or the European Economic Area.

Our website is also accessible from overseas so on occasion some personal data may be accessed from overseas.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us (see section 11).

If we wish to use your personal data for a new purpose, not covered by this privacy notice, then we will notify you and explain the legal basis which allows us to do so.

If you are receiving any marketing emails and would like to unsubscribe, please use the unsubscribe link included within the communication. For any queries you can contact editor@ciras.org.uk.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us in connection with your membership, or as a result of a product or service purchase, or a product or service experience, or other transactions.

Please contact us if you have any questions about this privacy notice or the information we hold about you, or to exercise all relevant rights, queries, or complaints at:

• The Data Protection Officer, RSSB, The Helicon, 1 South Place, London EC2M 2RB
• Email: The Data Protection Officer via enquiries@ciras.org.uk
• +44 (0)20 3142 5300

EU Representative

We have appointed IT Governance Europe Limited to act as our EU representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or if you have any queries in relation to your rights or general privacy matters under EU GDPR, please email our Representative at eurep@itgovernance.eu.

Please ensure to include our company name in any correspondence you send to our EU Representative.

If you are concerned with the way in which your personal data has been processed, you may in the first instance contact our Data Protection Officer using the contact details in section 11 above.

If you remain dissatisfied, then you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at:

• The Information Commissioner, Wycliffe House, Water Lane, Wilmslow Cheshire SK9 5AF
• Telephone: Switchboard: 01625 545 700
• Data Protection Help Line: 01625 545 745
• Notification Line: 01625 545 740
• Email: mail@ico.gsi.gov.uk

We may update this privacy notice from time to time. This privacy notice includes the date last updated.

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.