BAFE is registered with the ICO as part of our commitment to data protection best practice (ICO Registration Reference: Z772040X)
General Data Protection Regulation (GDPR)
“The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies.”- www.eugdpr.org/key-changes
The General Data Protection Regulation (GDPR) came into enforcement on 25th May 2018. Whilst this focuses on the protection of individual’s personal data, BAFE has reviewed its policies to ensure that all registered organisations data continues to be protected as well.
BAFE uses a third party provider, Salesforce, to record all information regarding BAFE registered organisations (including previously registered organisations), Fire Extinguisher Technicians (including applicants and leavers) and complaints data.
BAFE does not sell or share any registered organisation information to third parties, with the exception of the third party certification body that awarded their BAFE scheme certification.
All BAFE registered organisations have the right NOT to appear on the BAFE website search feature. If you do not wish to appear on the search feature please contact the BAFE office where this will be updated immediately.
Google Analytics is used to collect standard internet log information and details of visitor behaviour patterns for the BAFE website www.bafe.org.uk. BAFE does this to find out things such as the number of visitors to the various pages of the site. This information is only processed in a way which does not identify anyone. BAFE does not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
BAFE Communications (including e-newsletter)
BAFE communicates with BAFE registered organisations’ primary contacts and/or other nominated contacts as part of its ‘provision of service’ regarding scheme information/BAFE operation. BAFE operates as a business-to-business organisation; it does not promote to individuals using personal data (unless exclusively opted-in to do so in line with GDPR). All contact information requested from a BAFE registered organisation is regarding business operation. BAFE does not directly sell any products or services within its general communications, which are considered informative in regards to being a BAFE registered organisation.
BAFE uses two third party providers, Salesforce and MailChimp, to deliver the BAFE e-newsletters. BAFE gathers statistics around email opening and clicks to help improve this service.
You may however opt out of the BAFE newsletter at any time. To do this, please scroll to the bottom of the newsletter and select ‘unsubscribe’. You will still continue to receive important scheme information updates if you are the primary contact for this. Emails containing scheme information may not have an ‘unsubscribe’ option present.
BAFE uses third party providers, Twitter, Facebook, LinkedIn, Google (YouTube), Vimeo and Hootsuite to manage our social media interactions. If you send any BAFE social media account a private or direct message via social media the message will be stored in accordance with their retention policies. If this is not a predetermined time, this will be retained indefinitely for our records.
Individuals can find out if BAFE holds any personal information by making a ‘subject access request’. If BAFE do hold information about you we will:
To make a request to the ICO for any personal information we may hold, you need to put the request in writing clearly stating it is a Subject Access Request to email@example.com. If you agree, we will deal with your request informally, for example by providing you with the specific information you need over the telephone or via email.
Fees for dealing with a subject access request
Subject access request information is provided free of charge. However, BAFE reserve the right to charge a reasonable fee when a request is manifestly unfounded or excessive, particularly if it is repetitive.
BAFE may also charge a reasonable fee to comply with requests for further copies of the same information. (The fee will be based on the administrative cost of providing the information)
If we do hold information about you, you can request for BAFE to correct any mistakes by, contacting the BAFE office (Please note this does not override any scheme requirements e.g. organisation name and address, which BAFE require an updated Certification Body certificate to update this information).
Right to be forgotten
Any personal data can be requested to be erased. Please note, however, BAFE Registrations and the contacts associated with the registered organisation are retained as business information (e.g. primary contacts for scheme registrations/complaints information). If you would like to know what is held on the BAFE database regarding yourself, please contact BAFE in writing to make a ‘subject access request’.
Data breach notification
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;- EU GDPR “Definitions” Article 4, (12) ‘personal data breach’
In the case of any personal data breach that is likely to “result in a risk for the rights and freedoms of individuals” those affected will be made aware within 72 hours of BAFE first having become aware of the breach. The ICO (https://ico.org.uk) will also be notified.
Individuals who make a complaint to BAFE
When BAFE receives a complaint from an individual, a record of this information is created. This normally contains the identity of the complainant and any other individuals involved within the complaint.
BAFE will only use the personal information it collects to process the complaint and to review the complaints procedure. If any statistics are published showing BAFE complaints information, individuals will not be identified.
If a complainant does not want information identifying them to be disclosed, BAFE will always endeavor to treat them as anonymous. However, if it is not possible to handle a complaint on an anonymous basis, the complainant will be informed of this.
Any personal information contained in complaint files will be retained indefinitely, until BAFE decides to destroy this. It will be retained in a secure environment and access to it will be restricted.
When BAFE takes enforcement action against someone, we may publish the identity of the defendant. Usually BAFE does not identify any complainants unless the details have already been made public.
Disclosure of Personal Information
In many circumstances BAFE will not disclose personal data without consent. However when BAFE investigates a complaint, for example, we may need to share information with your awarding Certification Body (if a BAFE Registered Organisation), the organisation concerned and with other relevant bodies.
BAFE is a business-to-business organisation, and any information received by your awarding Certification Body is part of their ‘provision of service’ towards gaining BAFE Registration. You should contact your chosen Certification Body for further information on how they share your information.
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy policies on the other websites you visit.
Information specific to BAFE registered organisations
To review the data BAFE holds about your organisation, you should contact the BAFE office. Any changes to organisation data can be performed after a written request (which can be done via email to firstname.lastname@example.org or letter to the BAFE office). If you wish to change your organisation name or address, BAFE will require a copy of your updated Certification Body certificate to validate this. As part of your organisation information is supplied to BAFE by your Certification Body, they will also have policies in place regarding the transmission of your information to BAFE.
Job applicants, current and former BAFE employees
BAFE is the data controller for the information you provide during the process unless otherwise stated. If you have any queries about the process or how we handle your information please contact the BAFE office via email email@example.com or call 0844 335 0897. All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
BAFE will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
BAFE will use the details you provide to progress your application. If you are unsuccessful in your application, we may retain this information. However, any information containing personal data (e.g. CV) can be destroyed on request.
Current and former employee data is retained indefinitely and these individuals can make a ‘Subject Access Request’ to have a copy of the information retained for review (see Personal Information).
BAFE, The Fire Service College, London Road, Moreton-in-Marsh, Gloucestershire, GL56 0RH
0844 335 0897