Privacy notice

This privacy notice sets out how we handle, store, use and share your personal information.

This notice replaces all previous privacy or fair processing notices or statements issued by us. 

We control the personal data that we collect and use, unless stated otherwise.

 

What we collect and how we use personal data

What we do with your data if you contact us to: 

We will process the personal details you provide and that are necessary in order to respond to your enquiry.

This is necessary for us to perform our public tasks as a regulator.

Refer to numbers 1 and 7a below, where we specify the legal basis for this.

We will use the data you provide and other personal data to investigate and take action accordingly to resolve your concern as part of our statutory duties or in the public interest.

Where your complaint involves processing special category data, about yourself or others, it is in the public interest, and regulatory good practice, for us to process data to investigate.

Refer to numbers 1 and 7b below, where we specify the legal basis for this.

We will use your contact information and any other information necessary for us to fulfil your request.

This is necessary for us to comply with our legal obligations to respond to FOI requests.

Refer to numbers 4 and 7d below, where we specify the legal basis for this.

We will use your contact information and any other information necessary for us to fulfil your request.

This is necessary for us to comply with our legal obligations to respond to information rights requests.

Refer to numbers 4 and 7e below, where we specify the legal basis for this.

What we do with your data if you contact us about another organisation or individual to:

We will use the data you provide and other personal or special category data to investigate and take action in line with our function as a regulator and our statutory powers (what parliament permitted our organisation to do).

Refer to numbers 1 and 7b below, where we specify the legal basis for this.

We will use the data you provide and other personal or special category data to investigate and take action in line with our function as a regulator and our statutory powers (what parliament permitted our organisation to do).

Refer to numbers 1 and 7b below, where we specify the legal basis for this.

What we do with your data if you follow or engage with our work in the following ways: 

At the most we will collect your name and a photo of you so that we can make you a personalised visitor badge.

These will be shared with reception staff who, depending on the site, will ask to see a copy of your photo identification for verification purposes, but will not make a copy.

You will be asked to sign in and out of the building. We do this under our legitimate interests with regard to security and health and safety.

Refer to number 5 below, where we specify the legal basis for this.

Please note that the security controls are slightly different at each of our offices.

Whilst in our office premises your image will be caught by CCTV cameras which are operated and managed by us.

We do this for security and health and safety purposes. 

Refer to number 5 below, where we specify the legal basis for this.

There are also CCTV cameras at the sites where our offices are based, which are managed and operated by the relevant building management companies.

We will collect your contact details so that we can send the information to you. We do this with your consent.

Refer to number 2 below, where we specify the legal basis for this.

If you opt out of hearing from us we will retain a copy of your contact details and preferences in relation to these to ensure that you are not contacted in the future. This is necessary for us to comply with our legal obligation to respect your request.

Refer to number 4 below, where we specify the legal basis for this.

If you join one of our networks, groups, campaigns, or sign one of our pledges (such as Working Forward or the Equality and Human Rights Exchange) we will use your contact details to:

  • share knowledge, best practice and exclusive content with you
  • follow up with materials to support your pledge or subscription

This may include:

  • news and updates relevant to your subscription or pledge 
  • tips, advice and guides
  • invitations to training, events, conferences and webinars

We do this with your consent.

Refer to number 2 below, where we specify the legal basis for this.

If you opt out of hearing from us we will retain a copy of your contact details and preferences in relation to these to ensure that you are not contacted in the future. This is necessary for us to comply with our legal obligation to respect your request.

Refer to number 4 below, where we specify the legal basis for this.

We will collect and store your business contact details and use them to liaise with you about related work, events, training, research or our other activities if you:

  • work with us or might be interested in working with us
  • work for an organisation that undertakes relevant work
  • are an academic or researcher in a similar field
  • work in press/media/journalism
  • are a blogger
  • are any other relevant stakeholder

We do this under our statutory powers to promote. 

Refer to number 1 below, where we specify the legal basis for this. 

Alongside your contact details we may store details about your potential interests based on your work, research or publications you may have been involved in. We believe it is in your legitimate interest to receive information relevant to your work and interests.

Refer to number 5 below, where we specify the legal basis for this.

If you provide us with your personal contact details we will only contact you with your prior consent.

Refer to number 1 below, where we specify the legal basis for this.

We will use your contact details to provide you with a copy of the information or publication requested. We do this with your consent.

Refer to number 2 below, where we specify the legal basis for this.

If you attend an event we will collect your name and contact details to register your attendance and to ensure adequate health and safety.

We do this under our legitimate interest to facilitate an event, provide you with an acceptable service, and ensure appropriate security, health and safety at such events. 

Refer to number 5 below, where we specify the legal basis for this.

We will also maintain a record of your attendance at the event and may follow up with you in relation to the event and any potential further relationship.

We do this under our legitimate interest to provide a good service and maintain relationships with stakeholders. 

Refer to number 5 below, where we specify the legal basis for this.

What we do with your data if you are an organisation or individual providing advice on equality and human rights to individuals and:

We will collect any details necessary and those that you provide us with in order to advise you.

We do this under our statutory power to promote awareness and understanding of rights under the Equality Act 2006.

Refer to numbers 1 and 7a below, where we specify the legal basis for this.

What we do with your data if we're supporting you on equality or human rights issues, or you're supporting our work, and:

We will collect and use the necessary information about you for the case under our statutory powers.

Due to the nature of our work this is likely to include special category data about you.

We process this data as part of our statutory function in the public interest.

Refer to numbers 1 and 7a below, where we specify the legal basis for this.

In the event that it is necessary to use data relating to criminal convictions we will do this in relation to a legal claim and under our statutory powers.

Refer to numbers 1 and 6 below, where we specify the legal basis for this.

This includes where we impose injunctions or interdicts or undertake judicial reviews.

Refer to numbers 1 and 7a below, where we specify the legal basis for this.

We conduct inquiries in the public interest and under our statutory powers into any matter relating to Section 8 or 9 of the Equality Act (equality and diversity or human rights).

We will collect information from a variety of sources about, or directly from, individuals themselves, including:

  • government departments
  • private companies
  • voluntary sector organisations
  • MPs and Ministers
  • public sector organisations
  • regulators
  • solicitors
  • unions
  • advice organisations
  • publicly available information
  • other sources

If necessary, we may require organisations or individuals to provide information to us. Failure to provide such information may result in us applying for a court order.

We will collect personal data including special category data that is relevant and necessary for the inquiry.

Any data collected about you will only be used for the purposes of the inquiry in line with its published terms of reference and in any investigations launched as a result of the inquiry.

Such data will not be disclosed unless explicitly permitted by the Equality Act 2006 (Section 6).

Refer to numbers 1 and 7a below, where we specify the legal basis for this.

We may also get in touch with you about the information you have provided.

We will only do this with your consent unless it’s necessary for our statutory functions to get in touch otherwise.

Any findings, reports or recommendations shared publicly or otherwise as part of the inquiry will only contain statistics which don't identify individuals, unless you have otherwise consented.

Refer to number 2 below, where we specify the legal basis for this.

We will gather the data you provide to us to analyse and use it as evidence for the purpose stated in the activity, for example to understand experiences of discrimination.

This may include special category data (i.e. about protected characteristics relevant to the evidence requested).

We do this under our statutory powers to undertake research and in some cases we will instruct other organisations to undertake these activities on our behalf.

We will often use the information provided to publish anonymised data such as statistics, but these will not identify you in any way.

Refer to numbers 1 and 7a below, where we specify the legal basis for this.

With your explicit consent we will collect details that you provide us about yourself and your story or experience(s) in written, audio, or video format to publish publicly as a case study.

This may include personal and special category data about you.

We will also collect your contact details, which are not published, so that we can liaise with you about the case study itself.

Refer to numbers 2 and 8 below, where we specify the legal basis for this.

We will use these in our publications, website or in other public facing media.

We only do this with your consent.

Refer to number 2 below, where we specify the legal basis for this.

What we do with your data if you are an organisation we are engaged with in relation to your compliance with equality or human rights, and:

We will collect the necessary information to review practices and compliance standards and undertake our enforcement work.

This is necessary for us to fulfil our statutory functions.

Refer to numbers 1 and 7a below, where we specify the legal basis for this.

Where necessary we may request that you provide evidence containing personal or special category data to us (particularly in relation to protected characteristics).

If this is not provided we may issue a compliance notice.

Failure to adhere to a compliance notice may result in a court order to obtain the data.

We will also need to collect contact details of relevant senior employees at your organisation.

We may also use data available in the public domain to support our review.

Refer to numbers 1 and 7a below, where we specify the legal basis for this.

This includes where you or your organisation may be subject to formal enforcement action including investigations, Public Sector Equality Duty assessments and Judicial Reviews.

Refer to numbers 1 and 7a below, where we specify the legal basis for this.

What we do with your data if you are working with us or apply for a grant, and:

We will collect your contact details or the details of a representative, and any other necessary details, in order to liaise with you about the contract of service and its work and fulfil the contract.

This is necessary for us to fulfil our contract with you.

Refer to number 3 below, where we specify the legal basis for this.

In line with our legal obligations we will provide relevant details to external organisations such as HM Revenue and Customs (HMRC) and the National Audit Office (NAO).

Refer to number 4 below, where we specify the legal basis for this.

If the services you provide to us are legal services, we will publish the names of the legal professionals and expenditure relating to the service you provided in line with our statutory obligations.

Refer to number 4 below, where we specify the legal basis for this.

We will collect your contact details or the details of a representative, and any other necessary details, in order to liaise with you about the grant and related service.

We may collect references relating to your organisation in order to ensure the appropriate use of public funds.

This is necessary as part of our statutory powers to issue grants.

Refer to number 1 below, where we specify the legal basis for this.

What we do with your data if you require reasonable adjustments when you: 

We will collect the necessary details that you provide to us so that we can put in place such requirements and comply with our legal obligations under Section 20 of the Equality Act 2010.

Where relevant to the requirements, this will include sharing the necessary information with the relevant service providers such as building facilities staff, health and safety staff or caterers.

Refer to numbers 1 and 7f below, where we specify the legal basis for this.

What we do with your data when you visit our website:

We may collect details such as your name, email address or IP address (a unique number that gets linked to your online activity) to administer and secure our website.

This is in our legitimate interest to keep our website working. 

Refer to number 5 below, where we specify the legal basis for this.

It is also part of our legal obligation to maintain appropriate security.

Refer to number 5 below, where we specify the legal basis for this.

A cookie is a small file that we store on your device to collect information about how you use our website.

For more information on how we use these, see our cookies policy.

How we share your personal information

How we share your personal information with:

We will instruct and contract third party organisations (suppliers) to process data on our behalf where this supports our work.

We will only work with organisations that have equivalent, or sufficient, security in place to handle personal data considering the sensitivity of the data.

We will always have a contract or agreement in place with the supplier.

Supplier organisations that we use include:

  • IT system providers
  • research agencies
  • survey providers
  • film companies
  • copywriters
  • event management platforms
  • marketing platforms
  • photo management platforms
  • transcription service providers
  • external legal services
  • building management
  • auditors
  • professional advisors or consultants

We may need to share your personal information with other organisations that use the data for their own purpose.

In most cases we will not disclose information you have provided us under our statutory powers to other organisations.

Sometimes this will include joint working or data sharing arrangements, for example data sharing with government departments.

In these cases we will always have a data sharing agreement or other appropriate arrangement in place to protect your data.

These organisations include:

  • Government Equalities Office
  • National Audit Office
  • barristers, advocates or legal advisors
  • courts
  • regulators such as the Charity Commission / Office of the Scottish Charity Regulator and Care Quality Commission
  • parliamentary and health ombudsman
  • Scottish Public Services ombudsman
  • central and devolved governments
  • prosecuting authorities
  • local authorities, such as safeguarding teams
  • family or friends e.g. in relation to complaints

If we become aware of issues relating to the statutory remit of other regulators such as the Care Quality Commission, and disclosure to the regulator is in the public interest, then we may share data about you with them.

We may also share data in other one-off circumstances such as providing information to the police to assist with their work to prevent or detect crime.

There are also circumstances where we are legally obliged to share information, for example if the courts require us to disclose information to them.

How long we keep your personal information

We will only keep your personal information for as long as it’s needed.

For details of how long we keep different types of records, please see our retention schedule.

For more information on how long personal data is retained, please contact our Data Protection Officer.

How we keep your personal information safe

We take appropriate measures to secure your personal information and protect it against unauthorised or unlawful processing, as well as against its accidental loss, destruction or damage.

This includes ensuring both technical and organisational security measures are in place:

  • using secure servers to store personal information
  • using technologies to encrypt data in transit and at rest
  • access permissions to restrict access only to staff that need it
  • providing access to the minimum personal data necessary, using appropriate restrictions
  • making the data anonymous, pseudonymised or unidentifiable whenever possible
  • ensuring changes are authorised
  • regular security testing and assurance
  • having organisational policies and procedures in place to protect your information
  • ensuring staff handling personal information receive relevant training
  • ensuring formal agreements such as contracts or data sharing agreements are in place with other organisations that work with us and handle personal data
  • making sure we check suppliers have good security before working with them

Where your data is located

In most instances your data remains within the European Economic Area (EEA), or within the UK. 

We may transfer your personal information to countries outside the EEA or to an international organisation.

Where we transfer your personal information outside the EEA, we will ensure that adequate safeguards are used to secure the data. This is detailed in our Data Protection Policy.

Where data is transferred to an organisation within the United States, we ensure that it is protected by the EU-U.S. Privacy Shield.

Where organisations that we work with operate globally or use services outside the EEA we will take reasonable steps to ensure that safeguards such as model contract clauses are in place to protect personal data.

For information on data transfers to other countries through our use of cookies, see our cookies policy.

Your rights to your personal information

You have the following rights under data protection legislation to your personal information:

  • to know what information we hold about you ('right to be informed')
  • to request access to or a copy of the information we hold about you ('right of access')
  • to have your data corrected if it is inaccurate ('right to rectification')
  • to have your data erased where we do not have an overriding legal obligation or reason to retain it ('right to erasure')
  • to prevent your data being used if you have contested its lawful use, accuracy or impact on your rights and this is pending resolution, or if you require that it is retained in relation to a legal claim (‘right to restriction of processing’)
  • to object to its use, including opting out of receiving marketing such as our newsletter (‘right to object’)
  • to request that we pass data about yourself that you provided us to another organisation on your behalf (‘right to data portability’)

Where you have provided your consent for us to hold or use your personal data, you have the right to withdraw this consent at any time.

You can find out more about your rights on the Information Commissioner's Office website.

You can make these requests or withdraw your consent by sending an email or writing to the Data Protection Officer.

We may ask you to provide confirmation of your identity and in most cases requests will be responded to within one month.

How you can contact us

If you have any questions or concerns about how we collect, handle, store or secure your personal information, contact our Data Protection Officer:

Data Protection Officer
Equality and Human Rights Commission
Arndale House
The Arndale Centre
Manchester
M4 3AQ

Email the Data Protection Officer.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Last updated: 12 Apr 2019