General Privacy Statement – How we handle your personal data
Ofcom ('the Office of Communications') is the communications regulator for the United Kingdom. It collects and processes personal data that it needs to carry out its statutory functions and to operate as a public body, including employing and contracting staff. This general statement covers all of these various purposes. In most cases we will collect that data from you directly (for example, if you are applying for a licence from us), however from time to time we might need to collect personal data about you from a third party, such as your communications provider.
In accordance with our legal obligations this General Privacy Statement sets out the information you need to know about the way in which Ofcom will collect, process and store your personal data, how long we will keep it for, your rights in connection with that data, and the people with whom we may need to share it.
Whenever we request personal data for a specific purpose that is not covered in this General Privacy Statement we will explain why we need that information and our lawful basis for collecting it. Similarly, if in the future we intend to process your data for a purpose other than that for which it was collected, we will provide you with information on that purpose and any other relevant information.
Ofcom is committed to protecting your privacy in accordance with data protection legislation.
Ofcom collects personal data that it needs to perform its statutory functions, to operate as an organisation and to comply with its legal obligations.
Ofcom’s statutory functions include (but are not limited to) its duties and powers under the Office of Communications Act 2002, the Communications Act 2003, the Broadcasting Acts 1990 and 1996, the Wireless Telegraphy Act 2006, the Competition Act 1998, the Enterprise Act 2002, and the Postal Services Act 2011.
As an organisation Ofcom needs to employ staff and to contract with third-party service providers. Ofcom’s legal obligations include its obligations under the Equalities Act 2010, for example, and its duties as an employer under applicable employment and tax legislation.
Depending on the purpose and context, the personal data Ofcom collects may include:
- Your name and job title
- Your contact information (which may include your IP address)
- Your occupation and employer’s details
- Your bank details and national insurance number
- Information relating to your age, disability status, racial or ethnic origin, political opinion and political affiliations, religious or philosophical belief, trade union membership, genetic data, health, sex, sexual orientation, gender and nationality, criminal convictions and offences
- Other information relevant to:
- Improving our services (including, but not limited to, recording or monitoring communications between you and Ofcom for the purposes of quality control and staff training)
- Carrying out our statutory functions as a communications regulator (which include protecting and furthering the interests of consumers and promoting competition)
- Other information relevant to our duties as an employer.
In carrying out our functions, Ofcom may from time to time collect personal data which users of online media platforms (for example, Twitter, Facebook, Instagram, YouTube, news websites and other public blogs/forums) have chosen to make publicly available.
Ofcom may use your personal data for the purposes of carrying out its statutory functions, including Ofcom’s law enforcement functions, and complying with its legal obligations. Ofcom may also use your personal data where there are reasons of substantial public interest to do so, or where it has otherwise obtained your consent.
In particular, Ofcom may use your personal data for one or more of the following reasons:
- To carry out our statutory functions, for example:
- Licensing, including granting and administering broadcast licences and licences for radio equipment and other wireless communications apparatus
- Logging and handling complaints, including consumer complaints and fairness and privacy complaints
- Undertaking regulatory investigations or investigations under the Competition Act 1998
- Carrying out law enforcement activities, including investigating and prosecuting criminal offences relating to illegal broadcasting and unlawful use of wireless communications apparatus
- Gathering and publishing evidence and opinions, including through consultations and carrying out research
- Ensuring transparency and accountability in the way in which Ofcom carries out its regulatory activities.
- To improve our services;
- To send information to you which we think may be of interest to you;
- To undertake our duties as an employer;
- To pass your details to accountants, consultants and other professionals for the purpose of obtaining professional advice and complying with Ofcom's contractual obligations;
- To comply with our legal and regulatory obligations;
- To establish, exercise or defend legal claims;
Ofcom may also, from time to time, need to share your personal data with other third parties, including:
- Where appropriate, broadcasters and communications providers, for the purposes of resolving complaints about broadcasting (including on-demand content) or services;
- Organisations falling within the scope of Ofcom’s powers, third party complainants, and any representatives and expert witnesses engaged by those parties or Ofcom for the purposes of exercising our regulatory functions, including undertaking investigations and subsequent appeals. This includes, for example, allowing the subjects of an investigation (and where relevant, the complainant) access to the file, which allows those parties to understand the evidence that Ofcom is relying on in its provisional and final decisions;
- The police, or other law-enforcement bodies, for the purposes of undertaking investigations or where we are legally obliged to do so;
- Government departments and other regulatory bodies for the purposes of enabling us and them to carry out our respective legal and statutory functions. These may include, for example, the Information Commissioner, the Advertising Standards Authority, the Charity Commission, the Civil Aviation Authority, the Competition and Markets Authority and the European Commission (amongst other regulatory or co-regulatory bodies or investigatory bodies of a similar nature);
- Third parties who we may employ to in order to process personal data on our behalf (in compliance with the requirements of data protection legislation). Such third parties may include those providing e-discovery services.
We may use machine learning programmes to help us as we analyse large datasets, but we will not use automated means to take decisions about individuals.
Ofcom will determine the period for which it needs to keep your personal data having regard to the reasons and purposes for which it was collected, our statutory duties and other legal obligations, the exercise and defence of any legal claims, including the period within which any current or potential future legal claims may be brought.
Ofcom has put in place appropriate technical and organisational measures to protect your personal data and to prevent any unauthorised or unlawful processing and any accidental loss, destruction or damage to it.
From time to time, Ofcom may need to transfer personal data to other countries, for example, where personal data is being stored securely in the cloud and the relevant servers are located overseas. We will, in these circumstances, first ensure that the relevant country has the appropriate safeguards in place to protect your personal data.
As your employer (including where you are on secondment to Ofcom, or may be working for us as a freelance contractor), or prospective employer or where you perform a role for Ofcom as a non-executive member of a Committee, Board or Panel (whether or not you are directly employed by Ofcom), Ofcom is required to keep and process information about you for normal employment purposes. The information we hold and process will be used only for our management and administrative use, to carry out our employment or related tasks, or to comply with our legal obligations. We will hold and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, in connection with the recruitment process, whilst you are an Ofcom employee (or whilst you are appointed as a non-executive member of a Committee, Board or Panel), at the time when your employment or appointment ends and, usually, for a period of 6 years after you have left or cease to be a non-executive member of a Committee, Board or Panel. This includes using information to enable us to:
- comply with the terms of the employment contract we have with you
- perform our statutory functions
- comply with our legal obligations (for example, with respect to tax legislation) and to protect our legal position in the event of legal proceedings
- monitor and improve our performance as an employer (including with respect to diversity).
Much of the information we hold will have been provided by you but some may come from other sources such as your line manager, referees, or current employer where this is not Ofcom.
The sort of information we may collect and hold includes:
- Your application form which includes your name, address, telephone number
- Your curriculum vitae with details of your work experience to date
- Your references
- Copies of your passport and qualification certificates
- Your contract of employment and any amendments to it
- Correspondence with, or about, you, for example letters to you about a pay rise
- Information needed for payroll, benefits and expenses purposes such as bank details
- Contact and emergency contact details (including next of kin)
- Records of holiday
- Details of your age and gender
- Records relating to your career history such as training records, appraisals and other performance measures
- Any disciplinary and grievance records
In some circumstances, we may also collect information that, under the GDPR, is deemed to be sensitive personal data. This includes:
- Records and any details of sickness as well as information relating to your health including Occupational Health reports which could include reasons for absence and GP reports and notes. This information will be used in order to comply with our health and safety occupational health obligations including assessing how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We will also require this information to administer and manage sick pay.
- Nationality – this will be used for monitoring equality and diversity within our organisation
- Race/Ethnic origin – this will be used for monitoring equality and diversity within our organisation
- Religious belief – this will be used for monitoring equality and diversity within our organisation
- Sex/sexual orientation – this will be used for monitoring equality and diversity within our organisation
- Details of any criminal convictions – this will be used for monitoring equality and diversity within our organisation
We may also monitor computer use, as detailed in our Acceptable Use Policy. We also maintain records of the hours that colleagues work by way of the timesheets which include sickness absence recording.
We may also need to share your data with the third-parties who provide our pension, health insurance schemes and/or other ‘Choices’ benefits to our employees.
Where we have collected your personal data for the purposes of our employment functions, we will retain it for a period of 6 years after you have left Ofcom. Online job applications will be held for up to 3 years for unsuccessful candidates for trend activity reporting purposes and to contact applicants in the future about jobs that they may be interested in. We will retain interview notes and/or any supporting recruitment information for all applicants for a period of 6 months.
As set out in our General Privacy Notice, if, in the future, we intend to process your personal data for a purpose other than that for which it was collected, we will provide you with information on that purpose and any other relevant information.
Under data protection legislation, you have rights to access your personal data and, in certain circumstances to: object to the processing of the data, or to request that it be rectified or erased; request that the processing of the data is restricted; and to data portability of that data. Where Ofcom is relying on your consent in order to use your personal data you may withdraw that consent at any time (however this will not affect the lawfulness of the data processing before your consent was withdrawn).
Should you wish to confirm whether or not Ofcom holds personal data about you, request copies of that data, or make any other request in relation to your personal data, you should send this to Ofcom’s Information Requests team at: firstname.lastname@example.org
If it would be helpful, you can use the form below to make your request:
Should you wish to make a request for personal data that we may hold about someone other than yourself, for example because you are carrying out an investigation under statutory powers, you may wish to use one of the following forms:
Ofcom’s handing of personal data is overseen by our Corporation Secretary, who is Ofcom’s Data Protection Officer. Should you wish to query the way Ofcom is handling your personal data or submit a complaint about this you should address this to our Data Protection Officer at:
2a Southwark Bridge Road
Tel: 020 7981 3000
If you are unhappy with the way that Ofcom is dealing with your personal data, and have already raised your complaint with Ofcom, you can make a complaint to the Information Commissioner’s Office at:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number