1. Introduction

The Emergency Planning College ('The EPC', 'we' or 'us') is committed to ensuring that your personal information is protected and that we are being transparent about the information we hold about you.

Please read this Privacy Policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal information. It also explains your rights in relation to your personal information and how to contact us or supervisory authorities in the event you have a complaint.

We have developed this Privacy Policy to ensure those who use our services and otherwise interact with The EPC, including visitors to our website (www.epcresilience.com), are informed and confident about the security and privacy of their personal information.

When we handle certain personal data about you, we do so subject to the General Data Protection Regulation ((EU) 2016/679) ('GDPR') which applies across the European Union (including in the United Kingdom) from 25 May 2018. This Privacy Policy supplements our terms and conditions and is not intended to override them.

2. Who We Are

The Emergency Planning College (The EPC) is owned by the Cabinet Office and managed on their behalf by Serco Limited, with company number 00242246 and having its registered office at Serco House, 16 Bartley Wood Business Park, Bartley Way, Hook, Hampshire, RG27 9UY.

For the purposes of this Privacy Policy, Serco Limited and the Cabinet Office are joint data controllers.

3. Principles Of Data Protection

When using the term 'personal data' or 'personal information' in this Privacy Policy, we mean information (including opinions) that relates to you and from which you could be identified, either directly or in combination with other information which we may have in our possession.

To help you understand how we handle your personal information more clearly, below is a summary of the privacy principles which guide how we use your personal information. These principles provide that personal data should be:

  • used lawfully, fairly and in a transparent way;
  • collected for lawful reasons that have been clearly explained to you;
  • relevant to the purposes you have been told about and limited only to those purposes;
  • kept accurate and up to date;
  • shared only as has been explained to you, when you ask us to or when legally required to;
  • kept only as long as necessary for the purposes you have been told about; and
  • kept securely and protected.

Our website may provide links to third party websites. The EPC is not responsible for the conduct of third party companies linked to the website and you should refer to the privacy notices of these third parties as to how they may handle your personal information.

4. How Your Personal Data Is Collected

The circumstances in which we may collect personal data about you include when:

  • the personal data is provided to us by you (e.g. when you sign up to our mailing list);
  • the personal data is collected in the normal course of our relationship with you (e.g. when booking on a course with us);
  • the personal data has been made public by you (e.g. contacting The EPC via a social media platform) or obtained from a publicly accessible source (e.g. Companies House);
  • the personal data is received by us from third parties (e.g. marketing agencies to which you subscribe, employers booking you on a course);
  • the personal data is collected via our IT systems (e.g. our website, CCTV surveillance); and
  • the personal data is created by us, such as records of your communications with The EPC.

5. Cookies

We use cookies on our website. Cookies are small text files that are downloaded onto your device when you visit a website. Please refer to our cookies policy for further information about our use of cookies.

6. Personal Data Collected

The categories of personal information about you which we may collect and use include:

  • Personal details: title, full name, business or home address, telephone numbers, email address, nationality, language/dialect spoken, job role, vehicle details, travel assistance requirements.
  • Family and Friends Information: dependents and contact details.
  • Public Identifiers: signatures, passport details, social media handles, photographs, video recordings (identifying physical characteristics).
  • Financial Details: purchase transaction history, card payment details.
  • Travel Information: travel and accommodation itinerary information.
  • Correspondence: social media postings, general correspondence.
  • Preferences: consents, permissions, or preferences that you have specified, such as whether you wish to subscribe to our mailing list or agree to our terms and conditions.
  • Incident History: health and safety accidents, security incidents, accident information, complaints communications, insurance claims history.
  • Sensitive Personal Data: health and medical information, racial or ethnic origin, religion.
  • Website Access Details: your computer's unique identifier (e.g. IP Address), the date and time you accessed the Website, passwords to access alerts preferences.

7. Purposes And Use of Personal Data

The main purposes for using your personal information are (where applicable):

  • to facilitate the delivery of the requested training, exercising and/or advisory services;
  • to provide function and event services; and
  • to improve and monitor the operation of our website.

We use information held about you in the following ways:

  • to process your bookings;
  • to inform you of similar training and services at The EPC in the future;
  • to administer our records and website;
  • to prevent unauthorised access and modifications to systems;
  • to improve the quality of service and ensure business policies are adhered to;
  • to investigate incidents and detect and prevent crime;
  • to provide a safe working environment;
  • to promote our services and on occasion, conduct research; and
  • to gather and provide information in the event of an audit or investigation by regulatory bodies.

8. When Is Special Category Personal Data Collected And Used?

Special category personal information is particularly sensitive personal information as defined by the GDPR. We may from time to time request that you provide special category personal information or you may choose to share such information with us, such as details about specific medical conditions or dietary requirements.

Where we do collect and handle special category personal information, we will only handle that information in accordance with applicable law, including where:

  • we have your explicit consent – including where you voluntarily provide us with that information;
  • the law permits us to do so, to comply with our legal obligations or to exercise specific legal rights;
  • you have clearly made the information public;
  • processing is necessary for the establishment, exercise or defence of legal claims; or
  • processing is necessary for reasons of substantial public interest.

9. Direct Marketing

We may use your personal information to send you updates (by email, telephone or post) about our services including exclusive offers, promotions or products that we believe will be of interest to you.

We have a legitimate interest in processing your personal information for promotional purposes. This means we do not always need your consent to send you promotional communications. However, where consent is needed, we will ask for this separately and clearly.

You can subscribe to our marketing list by visiting http://www.epcresilience.com.

We will always treat your personal information with the utmost respect and never sell your information for marketing purposes, or share it with other organisations without your prior permission. We will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you.

Where applicable, you may opt out of receiving marketing communications by:

  • using the unsubscribe option included on all The EPC marketing correspondence; or
  • sending us an email to enquiries@emergencyplanningcollege.com. Please ensure your correspondence is marked ‘Unsubscribe: Marketing Contact List’ and include your full name, email and telephone number to ensure your details are fully deleted from our direct marketing system.

10. CCTV

We currently have closed circuit television (CCTV) operating on our premises for the primary legitimate purposes of: (i) public and staff safety; and (ii) crime prevention, detection and deterrence. For these reasons, the information processed may include visual images of personal appearance and behaviours of staff, guests and general members of the public who were in the immediate vicinity of the area under surveillance.

We display signs to inform visitors and staff that they are under surveillance and may be video recorded. This information is kept in secure environments, access is restricted to designated staff, and use shall be in compliance with The EPC security and privacy policies.

We retain CCTV recordings centrally for up to 28 days, and for a longer period if they are relevant to an incident, complaint, investigation, legal proceedings or for as long as legally required by regulatory bodies and law enforcement agencies.

11. Legal Basis For Using Your Personal Information

Data protection and privacy laws require companies to have a 'legal basis' or 'lawful ground' to collect and handle your personal information. We will only collect, use and share your personal information where we are satisfied that we have an appropriate legal justification to do this.

The following is a summary of the relevant legal bases for the purposes of this Privacy Policy:

  • we have obtained your prior consent;
  • we need to use your personal information to take steps before entering into a contract with you. For example, we need your contact details when making a booking;
  • our use is necessary for complying with our legal obligations;
  • where it is necessary for our legitimate interests or those of a third party (to the extent that your interests and fundamental rights do not override those interests), such as:
    • to provide the requested products and services to you;
    • maintaining adequate booking records;
    • to detect and protect against fraud and crime;
    • to make sure we are following our own internal procedures so we can deliver the best services;
    • promotional and market research purposes;
    • for security and safety purposes;
    • for monitoring service quality and business procedure compliance;
    • establishing, exercising or defending our legal rights in the event of a claim;
    • monitoring operational efficiency of the website; and/or
    • managing and operating our IT systems and ensuring security of those systems.

12. Sharing Your Personal Information With Others

We will only disclose personal information to a third party in very limited circumstances, or where we are permitted to do so by law. The third parties to whom we provide your personal data include:

  • other organisations within the Serco group of companies, where such disclosure is necessary to provide you with our services or to manage our business;
  • third parties we use to help deliver our products and services to you (e.g. banks and payment providers);
  • third parties with which we have a contractual relationship related to delivery of The EPC training and other services;
  • other third parties we use to help us run our business (e.g. marketing agencies, IT support service providers, analysis experts, communication platform providers);
  • third parties approved by you (e.g. when you request your details to be transferred);
  • our professional advisers (e.g. law firms, insurers and brokers); and/or
  • Government, regulatory and law enforcement bodies where we are required in order:
    • to comply with our legal obligations;
    • to exercise our legal rights (e.g. pursue or defend a claim); and
    • for the prevention, detection and investigation of crime.

We may transfer your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets, or in the event there is an operational or management change of The EPC, provided that the receiving party agrees to treat your personal information in a manner consistent with this Privacy Policy.

We also impose data protection obligations on contracted third parties to ensure they can only use your data to provide services to The EPC for the purposes listed above. These third parties cannot pass your details onto any other parties unless instructed by The EPC.

13. Transferring Your Personal Information Globally

We currently do not transfer, store or otherwise process personal data, as applicable under this Privacy Policy, outside the European Economic Area ('EEA'). However, if our business needs change, we will update this Privacy Policy accordingly and ensure the transfer complies with data protection law and all personal information will be secure. Our standard practice is to use standard data protection contract clauses that have been approved by the European Commission.

If you would like further information about the handling of your personal information, please contact us at enquiries@emergencyplanningcollege.com.

14. Security of Your Personal Information

The EPC takes precautions including administrative, technical and physical measures to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, modification, disclosure, alteration and destruction. We protect electronic data using a variety of security measures including, where applicable:

  • password access;
  • data back-up;
  • encryption;
  • firewalls;
  • placing confidentiality requirements on employees and service providers and providing training to ensure that your personal data is handled correctly;
  • destroying or permanently anonymising personal information if it is no longer needed for the purposes it was collected; and
  • secure physical storage units for hard copy files with appropriate security restrictions, preventing damage, and unauthorised access to your personal information.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted by you to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

15. How Long Do We Keep Your Personal Information?

We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this Privacy Policy. Where your information is no longer needed, we will ensure that it is disposed of in a secure manner.

In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with contractual, legal, regulatory, tax or accounting requirements.

16. Your Legal Rights In Respect of Your Personal Information

You have legal rights in connection with personal information. Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a 'data subject access request'). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Portability of the personal information you provided us, in certain situations.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
  • Object to processing of your personal information by us or on our behalf for direct marketing (including profiling) and in certain other situations (such as processing carried out for legitimate interests).
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.
  • Withdraw consent to processing where the legal basis for processing is solely justified on the grounds of consent (please refer to section 9 for details about withdrawing consent to marketing).

If you would like to exercise any of these rights, please submit your requests to the Data Protection Champion:

Data Protection Champion,

The Emergency Planning College

The Hawkhills,

Easingwold, York,

YO61 3EG.

Email: enquiries@emergencyplanningcollege.com

Telephone: 01347 821406

Please note, to ensure security of personal information, we may ask you to verify your identity before proceeding with any such request.

17. Data Protection Officer

Serco Limited has appointed a Data Protection Officer (DPO) to oversee its compliance with this Privacy Policy. If you have any questions about this Privacy Policy or how we handle your personal information, please address them to:

Data Protection Officer

Serco Ltd

Enterprise House

18 Bartley Wood Business Park

Bartley Way

RG27 9XB

Alternatively, please email dpo@serco.com or call +44 (0)1256 745900.

18. Complaints

You also have the right to contact the Information Commissioner’s Office and file a complaint (https://ico.org.uk/concerns/ or telephone: 0303 123 1113). The Information Commissioner’s Office will then investigate your complaint accordingly.

19. Changes to This Privacy Policy

We may amend this Privacy Policy from time to time to keep it up to date with legal requirements and the way we operate our business. This Privacy Policy was last reviewed and updated in May 2018.

Please regularly check this page for the latest version of this Privacy Policy. If we change this Privacy Policy, we will post the details of the changes below:

Changes made to Privacy Policy – September 2019