Albion Water Limited has a responsibility to document how we will protect your personal data. This is a legal requirement of the UK GDPR under the ‘right to be informed’.
This privacy notice will outline our responsibilities to you.
This privacy notice was last updated in September 2022.
1.0 Key Terms
1.1 Whilst every effort has been made to outline our responsibilities to you in as clear, concise, and easy to understand manner as possible, we do need to use certain terms throughout this privacy notice.
1.2 We will now provide an easy-to-understand definition of each term:
- Data Controller: A data controller has the responsibility of deciding how personal data is processed and protecting it from harm.
- Data Processor: In a similar way to data controllers, data processors must protect people’s personal data – but they only process it in the first place on behalf of the controller. They would not have any reason to have the data if the controller had not asked them to do something with it.
- Data Protection Act (DPA 2018): The DPA 2018 sets out the data protection framework in the UK, alongside the UK GDPR. It contains three separate data protection regimes:
- Part 2: sets out a general processing regime (the UK GDPR);
- Part 3: sets out a separate regime for law enforcement authorities; and
- Part 4: sets out a separate regime for the three intelligence services.
- Data Subject: A data subject is someone who can be identified from personal data. The data could be their name, address, telephone number or something else – but if it is about a person, then they are the data subject. They are the ‘subject’ of the data.
- GDPR: This stands for General Data Protection Regulation (GDPR), the EU’s agreed standards for data protection that are also written into UK law through the Data Protection Act 2018 (DPA 2018). The transition period for leaving the EU ended on 31 December 2020. The GDPR has been retained in UK law as the UK GDPR and will continue to be read alongside the DPA (2018), with technical amendments to ensure it can function in UK law.
- Individual Rights: In data protection law, people have rights over their personal data. These generally allow them to ask you to do something, or stop doing something, with their personal data. There are eight individual rights. If you are handling people’s personal data, you will have to comply with these rights whenever they are used, unless it is an exceptional situation.
- Information Commissioner’s Office (ICO): The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights, covering laws including the Data Protection Act (2018), Freedom of Information Act (2000), Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR.
- Lawful Basis: A lawful basis is the reason or legal grounds you can rely on for processing people’s personal data. There are six bases to choose from: consent, contract, legal obligation, vital interests, public task, and legitimate interests. There is no single lawful basis that is better or more lawful than any of the others.
- Personal Data: Personal data is information about who you are, where you live, what you do and more. It is all information that identifies you as a data subject.
- Privacy and Electronic Communications Regulations (PECR): PECR sits alongside the DPA (2018) and the UK GDPR. They give people specific privacy rights in relation to electronic communications. There are specific rules on:
- marketing calls, emails, texts, and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
- Processing: Processing means taking any action with someone’s personal data. This begins when a data controller starts making a record of information about someone and continues until you no longer need the information, and it has been securely destroyed. If you hold information on someone, it counts as processing even if you do not do anything else with it.
- Registration: If you have or use information about people, also known as processing, you may have to register with the ICO and pay a fee. Data protection fees are a legal obligation. If you need to pay and do not pay the fee you could be fined.
2.0 Scope
2.1 The scope for Albion Water Limited is any data subject, whose personal data is processed, in line with the requirements of the DPA (2018), PECR and UK GDPR. From time to time, we may also need to meet the requirements of additional UK privacy legislation and overseas privacy legislation, such as the EU GDPR.
2.2 We also acknowledge any additional responsibilities requested by the UK’s independent body set up to uphold information rights, the Information Commissioner’s Office (ICO).
2.3 The DPA (2018) and UK GDPR have a material scope covering personal data that is processed either electronically or is processed as part of a physical filing system. For example, any personal data that may be uploaded to a computer/electronic device or stored in a structured paper filing system.
2.4 Albion Water Limited will adhere to the UK GDPR data processing principles when handling personal data. They are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
2.5 All associates and employees of Albion Water Limited who interact with data subjects are responsible for ensuring that this privacy notice is drawn to the data subject’s attention, at the earliest available opportunity.
3.0 Lawfulness
3.1 Albion Water Limited is a private limited company, based in England, under company registration number 03102176, complying with the laws of England and Wales.
3.2 Albion Water Limited is registered with the ICO under registration number Z273756X.
3.3 Albion Water Limited acts as a data controller and data processor. We adhere to UK GDPR Article 30 which asks us to maintain a record of all personal data processing activities, as a core responsibility.
3.4 Albion Water Limited has appointed a Data Protection Officer (DPO). Our DPO is Chris Burn of CSRB Limited. The DPO can be contacted by telephone on 0117 325 0830 or via email dpo@csrb.co.uk.
3.5 Albion Water Limited uses lawful bases, as set out in UK GDPR Article 6, when we process your personal data:
- Consent – the processing is necessary for Albion Water Limited to provide additional help and support to customers, with regards to our water solutions services.
- Contract – the processing is necessary for Albion Water Limited to fulfil the obligations of an agreement or contract for the provision of our water solutions services.
- Legal Obligation – the processing is necessary for Albion Water Limited to be able to maintain sewerage and water infrastructure networks.
- Legitimate Interests – the processing is necessary for Albion Water Limited to inform customers of important regulatory and service-related information.
- Public Task – the processing is necessary for Albion Water Limited to provide water supply and/or sewerage services and send bills to you fulfilling a public task as a water company.
3.6 Albion Water Limited, processes certain special category data, such as personal data concerning health. For example, we process this type of personal data with regards to protecting vulnerable people.
3.7 Albion Water Limited ensures that all processing of the above special category data is lawful, fair, transparent, and complies with all the data processing principles of the UK GDPR. Albion Water Limited can only process special category data if we can meet one of the specific conditions in Article 9 of the UK GDPR. We may also have to meet additional conditions set out in the DPA 2018. The Article 9 conditions we use are:
- Health or social care (with a basis in law). This condition is met if the processing is necessary for health or social care purposes, which means the purposes of:
- preventive or occupational medicine;
- the assessment of the working capacity of an employee;
- medical diagnosis;
- the provision of healthcare or treatment;
- the provision of social care; or
- the management of healthcare systems or services, or social care systems or services.
3.8 Albion Water Limited may transfer personal data we collect about you to countries outside the UK and the EEA (European Economic Area). We treat each international data transfer individually and assess the risk associated with the transfer, and whether a suitable level of adequacy with UK data protection and privacy legislation is available, within the country to where the personal data is being transferred.
3.9 If the international data transfer would fall within the European Union/EEA, personal data would be able to flow freely under the ‘Adequacy Decision’ agreed between the UK and European Parliament on 27 June 2021. If the international data transfer is outside the EU/EEA/UK then appropriate safeguards or derogations would be put in place, such as Data Protection Impact Assessments (DPIAs). This privacy notice would also be updated.
4.0 Fairness
4.1 Albion Water Limited processes personal data in a fair way. We do this by putting the individual’s rights at the heart of all processing with regards to personal data. There are eight data subject (individual) rights:
- Right to be informed – you have the right to know why we are collecting and processing personal data, and this right is met by the provision of this privacy notice and any subsequent updates.
- Right of access – you have the right to know what personal data we have on record and request a copy.
- Right of rectification – you have the right to correct the personal data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the personal data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply to have a right to ask us to only process your personal data for certain processing activities.
- Right of portability – you have the right to have the personal data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as marketing.
- Right to object to automated processing, including profiling – you also have the right to object to the legal effects of automated processing or profiling.
4.2 Albion Water Limited will only handle personal data in ways that data subjects would reasonably expect and will not use it in ways that have unjustified adverse effects on them.
4.3 Albion Water Limited will obtain personal data in the first instance in a fair way. We will seek consent from the data subject, or only bring personal data into the business where explicit consent has been given and recorded.
4.4 Albion Water Limited always considers the rights and freedoms of data subjects when processing personal data. This could be individually or in a group.
5.0 Transparency
5.1 Transparency is fundamentally linked to fairness. Albion Water Limited will always be clear, open, and honest with people from the start about who we are, and how and why we need to use your personal data.
5.2 Albion Water Limited wants individuals to have a choice about whether they wish to enter a relationship with us. We tell data subjects from the outset the types of personal data we may need to process, usually within our contract and proposal documentation. We issue all individuals with a copy of this privacy notice.
5.3 Albion Water Limited processes the following personal data types as a minimum:
- Identity Data (e.g., contact name, email addresses, telephone numbers);
- Location Data (e.g., addresses); and
- Financial Data (e.g., payment card information, bank details).
5.4 We believe if individuals know at the outset what we will use their personal information for, they will be able to make an informed decision about whether to enter into a relationship with Albion Water Limited.
5.5 Albion Water Limited informs individuals about all personal data processing in a way that is easily accessible and easy to understand, using clear and plain language. We do this via this privacy notice.
5.6 Albion Water Limited hope we can resolve any query or concern you raise about our use of your personal data. You can contact Albion Water Limited in the first instance at any time by telephone on 03300 242020 or via email customerservices@albionwater.co.uk.
5.7 In addition Albion Water Limited has appointed a Data Protection Officer (DPO) to act in the interests of all parties. Should you require further information with regards to personal data and the protection of that data please contact our nominated DPO, Chris Burn of CSRB Limited. CSRB can be contacted by telephone on 0117 325 0830 or via email dpo@csrb.co.uk.
5.8 Should we not be able to resolve the complaint, you have the right to lodge a complaint with the UK’s independent body set up to uphold information rights, the Information Commissioner’s Office (ICO), who may be contacted by telephone on 0303 123 1113 or by visiting ico.org.uk.
6.0 Purpose Limitation
6.1 Albion Water Limited will always be clear about what our purposes for processing are from the start.
6.2 Albion Water Limited will record our purposes for data processing as part of our contract and proposal documentation obligations. We will also specify them in any additional privacy documentation provided.
6.3 Albion Water Limited specifically process your personal data for the following purposes:
- to process and respond to requests, enquiries, and complaints we receive from you;
- to provide products and services when you ask us to;
- to manage and administer your account;
- to carry out credit checks where appropriate;
- to communicate with you about services provided to you;
- to process payments;
- to make sure our records are correct and up to date;
- to analyse trends and profiles;
- to carry out market analysis (on a non-personal basis);
- for audit purposes;
- to carry out customer satisfaction research;
- to improve our products and services;
- to stop someone committing fraud or to help authorities investigate fraud;
- to comply with something the law says we must do;
- where you have said that we may do so, to recommend products and services that we believe will be of interest to you, or contact you about offers, or other marketing promotions;
- to contact you (including by SMS texts) about service-related issues including interruptions to water supply, emergency events, water quality issues, planned maintenance, or major roadworks that could require road closures;
- to help us establish or defend legal claims; and
- to help third parties to carry out any of the purposes above on our behalf.
6.4 Albion Water Limited will only use personal data for a new purpose if either this is compatible with your original purpose, or we obtain consent, or we have a clear obligation or function set out in law.
6.5 Albion Water Limited will not share your personal data unless we have a legitimate interest or a legal obligation to so. If we do have to share your information, then we will keep it to a minimum to let the person or organisation do what we have asked or as the law requires. We may need to share your information with other organisations as follows.
- We sometimes use agents and service providers to process personal information on our behalf. For example, we share your information with Pelican Business Services to recover debts. We also use other companies to send out letters, to process credit card payments and maintain our IT systems. Where we use other organisations to process your personal information, we will ensure that they have adequate security measures in place to safeguard it.
- We may need to share your information with engineering contractors and consultants who carry out emergency or essential construction or repair work on our behalf that could affect you.
- We will release your personal information when we’re required to do so for legal or regulatory purposes or as part of legal proceedings. This may include sharing your information with regulators such as the Environment Agency and the Drinking Water Inspectorate. We may need to share it with Ofwat, our regulator, or the Department for Environment, Food and Rural Affairs (DEFRA), the Consumer Council for Water (CCW) and Water Redress Scheme (WATRS) (the water industry ombudsman services).
- We may share your personal information with organisations including Local Authorities, Police, Fire and Ambulance services in the event of an emergency (this may include information about your health if we think it could be in danger).
- We may give information we hold about you to a third party as part of the process of selling one or more of our businesses, in which case we may provide your information to a prospective buyer.
- When we carry out credit checks, we pass your information to credit reference agencies. This information may also be accessed by third parties who carry out credit checks on you.
- We pass your information to Pelican Business Services for the collection of unpaid charges on our behalf and to benefit agencies where we seek a deduction from state benefits.
- We will disclose your personal data if we are under a duty to share your personal data to comply with any legal duty, or in order to enforce our rights and other agreements; or to protect the rights, property, or safety of our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
- We may share information with advertisers and advertising networks or other carefully selected partners that require the data to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we may provide them with aggregate information about our users. We may also use such aggregate information to help advertisers reach the kind of audience they want to target.
- We may share information with Wessex Searches, part of Wessex Water Enterprises Limited, which provides information about residential and commercial water and drainage searches to professional service providers such as solicitors and licensed conveyancers. We share information about the location of sewers, water pipes, etc. in relation to properties to assist with property sales, purchases, and legal enquiries.
- If we need to investigate or defend a claim you make against us or need to bring a potential claim against you, we may share your personal data with your representative(s), our legal advisors, our insurance company, or other professional advisors.
- We carry out customer satisfaction surveys through a specialist company who we ask to check what our customers think of the service we provide so we can act on the feedback, to make our service better.
- Trusted third-party partners who we work alongside and process personal data on behalf of, with regards to agreements and contracts, or for the provision of supplementary support services. Disclosure of the nominated trusted third-party partner would be provided at the agreement/contract stage and a relevant Data Processing Agreement (DPA) would be put in place to protect all personal data, from a data controller, data processor, and data subject perspective.
- Fraud prevention agencies, money laundering agencies and associations.
- Regulators and law enforcement agencies, including the police, HM Revenue and Customs, or any other relevant authority who may have jurisdiction. We would always inform you ahead of acting on any instructions to proceed.
6.6 Albion Water Limited will share personal information with law enforcement or other authorities if required by law.
7.0 Data Minimisation
7.1 Albion Water Limited always ensures the personal data we are processing is:
- Adequate – sufficient to properly fulfil our stated purpose;
- Relevant – has a rational link to that purpose; and
- Limited to what is necessary – we do not hold more than we need to for that purpose.
The UK GDPR does not define these terms. As this is the case, Albion Water Limited accepts these terms may have a differing definition from one individual to the other, as the processing will depend on the specified purpose for collecting and using the personal data.
7.2 In order to assess whether we are holding the right amount of personal data, we demonstrate clearly why we need it, before engaging with the data subject.
7.3 Albion Water Limited undertakes an annual data protection audit, to review our processing to check that the personal data we hold is still relevant and adequate for the stated purposes, and we delete anything we no longer need.
8.0 Accuracy
8.1 Albion Water Limited will take all reasonable steps to ensure the personal data we hold is accurate and up to date.
8.2 Albion Water Limited will take reasonable steps to ensure that personal data we hold is not incorrect. This may involve contacting you via our official communication channels, to ensure all personal data held is accurate.
8.3 Albion Water Limited will always record the source of where personal data came from and will ensure that source is compliant with UK privacy laws including the UK GDPR.
8.4 If we need to keep a record of a mistake, we clearly identify it as a mistake, and add this to our records of processing for audit purposes and continuous improvement.
8.5 All Albion Water Limited records clearly identify any matters of opinion, and where appropriate whose opinion it is and any relevant changes to the underlying facts.
8.6 Albion Water Limited will comply with the individual’s right to rectification and carefully consider any challenges to the accuracy of the personal data.
8.7 As a matter of good practice, we keep a note of any challenges to the accuracy of the personal data.
9.0 Storage Limitation
9.1 Albion Water Limited will not keep personal data for longer than we need it.
9.2 Albion Water Limited will only keep personal data for the period outlined to meet the requirements of the contract, legal obligation, or legitimate interest identified. We always document our purposes for holding personal data.
9.3 To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
9.4 Furthermore, any retention of personal data will be carried out in compliance with legal, professional body and regulatory obligations. These data retention periods are subject to change, due to any revisions of associated legislation, regulations, or requirements.
9.5 Albion Water Limited acknowledges that UK privacy legislation does not determine how long personal data needs to be kept. This is up to us as a data controller or processor to determine and document accordingly, at the earliest possible opportunity. For example, in contracts or proposal documentation.
9.6 Albion Water Limited has a personal data retention policy and procedure in place, which documents the types of record or information we hold, what we use it for, and how long we intend to keep it. We keep copies of most personal data for a period of up to seven years, to satisfy legal obligations.
9.7 Albion Water Limited periodically reviews the personal data we hold, and erases or anonymises it, when we no longer need to process it.
9.8 Albion Water Limited also considers any challenges to the retention of personal data. We understand that individuals have a right to erasure if we no longer need the personal data.
9.9 Albion Water Limited acknowledges there are exceptions to retention periods. Here we can keep personal data for longer if we are only keeping it for public interest archiving, scientific or historical research, or statistical purposes. We would always inform you if this was the case, along with our lawful basis for retention.
9.10 Any personal data held as physical documents is securely stored pre-destruction, securely destroyed, with a Certificate of Destruction issued in line with our UK GDPR and our Data Retention Policy.
10.0 Integrity and Confidentiality (security)
10.1 Albion Water Limited undertake an analysis of the risks presented by our processing and use this to assess the appropriate level of security we need to put in place. We review our Business Continuity Plan (BCP) annually.
10.2 We have an information security policy and take steps to make sure the policy is implemented. For example, we undertake an annual information security review with an accredited external provider. We make sure that we regularly review our information security policies and measures and, where necessary, improve them.
10.3 Albion Water Limited believe in building an information governance framework by design. Where necessary, we have additional policies and ensure that controls are in place to enforce them.
10.4 Albion Water Limited has put in place basic technical controls such as those specified by established frameworks like Cyber Essentials.
10.5 We understand that we may also need to put other technical measures in place depending on our circumstances and the type of personal data we process. For example, we use encryption for personal data transfer, where it is appropriate to do so.
10.6 Albion Water Limited understands the requirements of confidentiality, integrity, and availability for the personal data we process.
10.7 Albion Water Limited makes sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.
10.8 Albion Water Limited conducts regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.
10.9 Where appropriate, Albion Water Limited implement measures that adhere to an approved code of conduct or certification mechanism.
10.10 Albion Water Limited ensure that any data processor we appoint also implements appropriate technical and organisational measures.
10.11 Albion Water Limited does not use tracking cookies on our website to track user behaviour and/or improve site experience. The UK GDPR and PECR interprets data collected by cookies as personal. It prohibits the collection of personal data without consent, which means a website is only allowed to collect information that the user voluntarily inputs. This includes name, email address, phone number or any other information that the user shares with the website. The cookie consent must be freely given, specific, informed, and unambiguous. Albion Water Limited does not use these tracking cookies, giving the user complete control over their personal data.
11.0 Accountability
11.1 Accountability is one of the data protection principles. Albion Water Limited takes our responsibility for complying with the UK GDPR very seriously, as documented by this privacy notice.
11.2 Albion Water Limited has put in place several measures that we can, and in some cases must take, including:
- Adopting and implementing data protection policies;
- Taking a ‘data protection by design and default’ approach;
- Putting written contracts in place with organisations that process personal data on our behalf;
- Maintaining documentation of our processing activities;
- Implementing appropriate security measures;
- Recording and, where necessary, reporting personal data breaches;
- Carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individual’s interests;
- Appointing a data protection officer;
- Adhering to relevant codes of conduct and signing up to certification schemes; and
- Undertaking annual employee training with regards to data protection and UK GDPR.
11.3 Albion Water Limited understands that accountability obligations are ongoing. We review and, where necessary, update the measures we put in place. For example, we continually enhance our privacy management framework, as this can help embed our accountability measures and create a culture of privacy across our organisation.
11.4 Albion Water Limited understands that being accountable can help build trust with individuals and may help mitigate any gaps in compliance, and thus any potential regulator enforcement action.
11.5 If you have any questions or concerns about how Albion Water Limited process and protect your personal data not covered in this privacy notice, please contact Albion Water Limited by telephone on 03300 242020 or via email customerservices@albionwater.co.uk.