NDA Privacy Policy - Granicus

Version: 1

Date: 12/07/24


The Nuclear Decommissioning Authority (NDA) is committed to protecting the privacy and security of your personal information.

We will ensure that we treat all personal information in accordance with data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

We take your privacy very seriously. It is important that you read this Privacy Notice, together with any other privacy notice we may provide when we are collecting or processing personal information about you, including our Personal Information Charter and Employee Privacy Notice (for NDA employees only), so that you are aware of how and why we are using such information, how it is legal, and what your rights are.

This privacy notice applies to personal data provided in connection with the Granicus e-bulletin platform.

Please be aware that all recorded information is subject to the Freedom of Information Act 2000, Environmental Information Regulations 2004 & Data Protection Act 2018 (Subject Access etc.).

Our Contact Details

Data Protection Officer (DPO)
Nuclear Decommissioning Authority (NDA)
Herdus House
Westlakes Science & Technology Park
Moor Row
CA24 3HU
Email: dpo@nda.gov.uk

Changes to the Privacy Notice

We may change this Privacy Notice from time to time and any updates will be published. We therefore encourage you to access this Privacy Notice periodically for the most up-to-date information on our privacy practices. Changes to the purposes for which we process your data will be highlighted to you.

The type of personal information we collect and how we get it

We currently process the following personal data within Granicus:

  • External Stakeholders: personal email address provided to us directly by you.
  • NDA employees: work email address from HR/Active Directory.

We will ask you to indicate specific subjects you want to receive emails about. We also collect records of the links you click in the newsletters.

Why we use your information

Our purpose for collecting your contact details is so we can provide you with a service and let you know about the NDA’s work and events.

We use your subject preferences to ensure you receive content that is of interest and relevant to you and/or your organisation. We collect analytics information so we can provide a personalised service and monitor the impact of our work.

Organisations that we may share your data with

The NDA Corporate Affairs team is responsible for the processing of your information within Granicus.

We take steps to ensure that our service providers process your data in accordance with the Data Protection Laws, only use it in accordance with our contract with them and keep it secure. For more information on how Granicus will process your personal data please refer directly to the Granicus Privacy Policy.

We do not sell or exchange our mailing list with other companies or organisations for marketing purposes. However, we will share your data if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

Lawful basis for processing

Processing of personal data is deemed acceptable within the UK GDPR for the following reasons and legal bases:

  • External stakeholders: the lawful basis we rely on for processing your contact details and interest preferences is your consent under article 6(1)(a) of the UK GDPR. This will be kept under review and refreshed if anything about the processing of your personal data changes. The lawful basis we rely on for the processing of analytics information is article 6(1)(e) – public task.
  • NDA employees: the lawful basis will depend on the specific purpose of the processing. For example, if you are receiving an internal consultation document associated with our official functions, we will rely on article 6(1)(e) – public task. If we are notifying you about other aspects of the NDA work, not set down in law, we will rely on 6(1)(f) – legitimate interests.

How we store your information

All of your personal data is stored within Granicus. To prevent unauthorised access, loss or disclosure, they have put in place technical and organisational measures that reduce the risk of a security breach of your personal data. For more information please see the Granicus Privacy Policy.

Retention and deletion of your personal data

We keep your personal information in line with business need and for the shortest time possible.

External Stakeholders – we will regularly contact you to ask if you still want to remain a subscriber. You may withdraw your consent to processing at any time. If you decide to do this, your personal information will be removed from Granicus as soon as the request is received.

NDA employees – Initially ‘Leavers’ will be manually removed from Granicus on a monthly basis by the Corporate Affairs team. In future this will be done by utilising Active Directory.

Transfers of your personal data outside the UK or EEA

Granicus is owned and operated within the United States. Therefore, the data that we collect from you will be transferred to, and stored at, a destination outside the European Economic Area/UK. Any such international transfer of your data is carried out in accordance with the Data Protection Laws to safeguard your privacy rights and give you remedies in the unlikely event of a security breach or to any other similar approved mechanisms.

In this instance, Granicus complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), and the UK Extension to the EU-U.S. DPF deems the organisation to provide adequate privacy protection, which is a requirement for the transfer of personal data outside of the European Union under the EU General Data Protection Regulation (GDPR), and outside of the United Kingdom under the UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR). For further information please refer directly to the Granicus Privacy Policy.

Your data protection rights

You have a number of rights under data protection law. For a detailed explanation and the specific circumstances in which they apply, please visit the Information Commissioner’s Office (ICO) website.

If you wish to exercise any of your rights, including where you are seeking a copy of your own personal information, please contact the DPO via dpo@nda.gov.uk.

How to complain

If you wish to make a complaint to the NDA about the way in which we have processed your personal information, please contact the DPO using the email address above.

If you remain dissatisfied with the response received, you have the right to lodge a complaint to the ICO. The ICO is the UK's independent body set up to uphold information rights, and they can investigate and adjudicate on any data protection related concerns you raise with them. They can be contacted at:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
0303 123 1113