The National Physical Laboratory (“NPL”) is committed to protecting and respecting your privacy. This policy (together with any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it. NPL contact details are below:
National Physical Laboratory, Hampton Road, Teddington, Middlesex, TW11 0LW | Tel: 020 8977 3222
The website www.npl.co.uk is owned and operated by NPL. By continuing to use the Website and by submitting information to our Website, you are accepting the practices described in this policy.
NPL collects information that you provide to us directly, including (e.g. names, email addresses, and etc), and other information, including (e.g. addresses, age group, and etc.), to enable us to deliver our products and services (e.g. fundraising, goods advertising, and etc.). We also collect information automatically when you visit our website, namely your IP address, the pages you had previously visited or when you use our services, including usage, log and cookies information or similar technologies.
Under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Data Protection Act 2018 ('the Act'), personal data is defined as 'any information relating to an identified or identifiable natural person ('data subject'), by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'.
The data controller
A data controller is the individual, legal person or entity who controls and is responsible to keep and use personal data in paper or electronic files. NPL is the data controller as defined by relevant data protection laws and regulation.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever personal data is to be processed:
(a) Consent: you have given NPL (e.g. any of the following depending on the situation freely, specific, informed or unambiguous) consent for your personal data to be processed for a specific purpose.
(b) Contract performance: the processing is necessary for the performance of a contract you have with NPL, which had asked you to take specific steps before entering into a contract.
(c) Compliance with legal obligation: the processing is necessary for NPL to comply with the law (e.g. the tax/social security obligation/employment law) (not including contractual obligations).
(d) Protection of vital interests: the processing is vital to an individual's survival.
(e) Public interest: the processing is necessary for NPL to perform a task that is in the public interest or for its official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for NPL legitimate interests, or the legitimate interests of a third-party, unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests.
Your data subject rights are listed below:
- the right of access
- the right to rectification
- the right to erasure or right to be forgotten
- the right to restriction of processing
- the right to be informed
- the right to data portability
- the right to object
- the right not to be subject to a decision based solely on automated processing
Under the GDPR and the Act, you may ask for a copy of the information we hold about you and you may request rectifications be made to this information if it is inaccurate or not up to date. Please write to Simon Buchanan, the data protection officer ('DPO'), at the aforementioned address or email email@example.com.
Personal data we collect
Information that you provide by completing forms in writing, email, through our web site or social media. This includes information provided at the time of registering with us, to use our website (where applicable), to become a member of staff, to enter into a contract for our services, to support or subscribe to our services (where applicable), to request materials or to request further services, when you respond to a survey and/or when you report a problem with any of our communication channels or services.
We collect the following classes of information:
- name(s) and address(es), email, phone number(s) and other relevant (e.g. age group, interests, subscriptions, and etc.) personal details and preferred (e.g. activities, events, news, and etc.)
- staff details relevant to their employment status with us
- use of social media relating to NPL
- records of donations
- records of volunteering
- photographs, recordings (audio and video)
- information about our relationship with you, correspondence, meeting notes, attendance at events etc.
- occupation, skills and professional activity, network(s) and interests where relevant to our needs
- Financial information (e.g. bank details) where they may be relevant to our needs
If you contact us, we may keep a record of that correspondence.
We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
Details of transactions you carry out and of the fulfilment of your orders.
Details of your access to our databases or other materials.
To help us improve our services, if you send us personal information which identifies you via email, we may keep your email, your email address and 'screen' name. We may also collect information that is available from your browser.
How we collect your personal data
There are two main ways in which we collect your personal data:
- directly from you
- that you provide to us
- that we automatically collect (e.g. IP addresses, OBA)
b) from third parties.
Personal data that you give to us may be through one of a number of ways. These may include:
- directly via our website www.npl.co.uk
- emailing your CV to an NPL employee regarding a voluntary appointment
- providing information via on-line forms, surveys or via MYNPL related to NPL activities such as consultations or pathology workforce matters
- collecting your data through a contractual or commercial relationship with you e.g. for membership subscriptions or attending a fee-paying event
- via a form which could be online as part of our website or a form provided to us as a hard copy or electronically
- contacting us with enquiries or comments by telephone, email or hard copy correspondence.
Personal data may be given to us through another organisation with which you have registered, and we may be required to process that data in order to fulfil services that you expect of us. This could include one of the following:
- via another authorised body with whom joint education or professional development takes place
- via professional bodies with whom there is a sharing of registration for events or activities
How we use your personal data
We will process any of your personal data, in accordance with our obligations under the Act and the GDPR, for the following reasons:
- to provide you with the services you have requested
- to comply with the Act and the GDPR
- for administrative purposes
- to assess enquiries
- to provide you with information about us and our services. If, at any time, you do not wish to receive further information about us and our services, contact us at firstname.lastname@example.org.
Sharing your personal data
We may disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply any agreements, or to protect the rights, property, or safety of the organisation, or other individuals. This includes exchanging information with other companies and organisations for the purposes of safeguarding or other statutory regulations we have to comply with as well as those organisations with whom you and we have reciprocal agreements for providing services for education or professional development.
Third party websites
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Protecting your personal data
The data that we collect from you will be processed at our servers in the UK. It may also be processed by organisations operating in the EEA that NPL has instructed.
The above applies in the case where we may collect photographs and recordings, including both audio and video.
If personal data is transferred outside the UK or EEA to a country without a designated adequacy rating, NPL will request the data subject's consent before processing the data, unless the processor's Binding Corporate Rules, Standard Contractual Clauses or ad-hoc contractual clauses stipulate that the data will be processed in accordance with the GDPR.
Security of your information
To help protect the privacy of data and personally identifiable information you transmit through use of this our website, we maintain physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. We restrict access to your personal data to those employees who need to know that information to provide benefits or services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees' privacy responsibilities.
How long we store your personal data for
We store your personal data in accordance with our data retention policy. This policy is reviewed and updated internally to ensure we do not store your data for longer than is necessary. We also review how and where we store any data to ensure that we meet our obligation to store data securely.
In addition, some of the data we hold may be subject to certain legal and regulatory obligations, which provide a minimum retention period for different types of data. The retention period varies depending on the data we hold.
Please see our Cookies Policy for more information.
For further information on your rights and how to complain to the ICO, please refer to the ICO website.
Information Commissioner's Office
0303 123 1113 (local rate)