NRoSO Privacy Notice
- Why have you been given this privacy notice?
BASIS Registration Ltd. on behalf of The National Register of Sprayer Operators (NRoSO) (hereafter referred to as ‘we’, or ‘the Company’) is a “data controller”. This means that we are required under UK data protection legislation to notify you of how we will process your personal data whilst you are a member of NRoSO (hereafter referred to as ‘relationship’) and post the relationship. This notice will explain how we collect your personal data, its use, storage, transfer, and security. We will also explain what rights you have in relation to how we process your personal data. It is important that you read this notice, together with any other privacy notice we may provide during our relationship with you, so that you are aware of how and why we are processing your personal data. This notice does not form part of any other contract to provide services to you. We may update this notice at any time.
- What are our obligations to you in relation to how we process your personal data?
We are required by law to ensure that, when we process any of your personal data, it is:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept in a form which permits you to be identified for only as long as necessary for the purposes we have told you about.
- Kept securely.
- What personal data will we collect, use and store about you?
We may collect, store, and process the following personal data for you for the purposes of fulfilling the requirements of our accreditation partners:
- Your name, salutation, addresses, contact numbers, and personal and company email addresses.
- Employer Details
- Gender or gender identity.
- Start date.
- Your Continuous Professional Development (CPD) Points
- Information about your use of our information and communications systems.
We may also collect, store, and use the following “special categories” of more sensitive personal information:
- Health details (where relevant for the purpose of mitigating circumstances during the period of the relationship).
- How do we collect your personal data?
We collect your personal data by a variety of means. As a minimum this will be via an Application Form or an employer.
Whilst you are a member of NRoSO, periodically we may need to collect additional personal information from you not identified on the above list but before doing so we will provide you with a written notice setting out details of the purpose and the lawful basis of why we are collecting that data, its use, storage and your rights.
- How will we use your personal data?
For the most part we will use your personal data for one of the following lawful bases:
- Where we need to perform the Contract we have entered into with you via your Application Form.
- Where we need to comply with a legal obligation.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. For example, this could be for Safeguarding purposes or to work with law enforcement agencies.
- For the purposes of a Farm Assurance Scheme audit, where carried out under either Red Tractor or SQC specifications by their authorised third-party assessors
- With your employer, where they pay your invoice, and require up to date statements for the above Farm Assurance Scheme audits.
There are other rare occasions where we may use your personal data, which are:
- Where we need to protect your interests (or someone else’s interests).
- Where it is needed in the public interest or for official purposes.
- When will we use your personal data?
During the relationship and for a period after the relationship has ended, we will use your personal information for specific purposes. The list below describes the purpose of our processing, the personal data involved (from Clause 3 above) and the lawful basis for our processing (from Clause 5 above):
- Determining the terms of the relationship.
- When taking payments from you or processing a refund to you.
- Administration related to your application and ongoing relationship with us.
- Accounting and auditing purposes.
- Conducting and managing reviews of achievement and determining training requirements.
- Making decisions about our continued relationship.
- Making arrangements for the termination of our relationship.
- Dealing with any disputes involving you or other candidates.
- Collecting information around mitigating or extenuating circumstances.
- Complying with health and safety obligations, completion of accident book and RIDDOR reporting.
- Monitoring use of our information and communication systems to ensure compliance with our internal procedures and prevention of security lapses and breach of data protection laws.
- Preventing malicious software distribution.
- Equal opportunities monitoring.
- Social media posts, including case studies and photographs (you will be informed of these in advance).
- Under the requirements of Farm Assurance Scheme policies, where required.
It is possible that some of the grounds for processing will overlap.
- Your failure to provide information
We will only ask you to provide information which we believe is necessary for the performance of the relationship with you or our associated legal obligations (for example giving information to HMRC). If you fail to provide certain information when requested, we may not be able to meet our contractual obligations to you or we may not be able to fulfil our legal obligations.
- What happens if we need to use your personal data for a new purpose?
We will only use your personal data for the stated purposes, unless we consider that there is a need to use it for another reason and that reason is compatible with the original purpose. However, if we consider that it is necessary and reasonable to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.
There may be circumstances where we have to process your personal data without your knowledge or consent, where this is required by law and in compliance with the above rules.
- How do we use your sensitive personal data?
Any personal data which reveals your ethnic origin, religious and philosophical beliefs, health data or sexual orientation will be regarded as sensitive personal information. If we do collect this type of data, we will only use this data in the following ways:
- Where it is needed in the public interest, for example for equal opportunity monitoring and reporting.
There may be circumstances where we need to process this type of information for legal claims or to protect your interests (or someone else’s) and you are not capable of giving your consent or where the relevant information has already been made public.
- Do we need your consent to use sensitive personal data?
If we are using your sensitive personal data in accordance with our written policy to perform our legal obligations or exercise specific rights connected to our relationship, we do not need your written consent to use it.
However, in limited circumstances, we may request your written consent to allow us to further process your sensitive personal data. If it becomes necessary to request your consent to further process your sensitive personal data, we will provide you with details of the information that we require and why we need it, so that you can decide whether you wish to provide your consent. It is not a condition of your contract with us that you must agree to any request for consent. Giving consent will always be a decision made of your own free will/choice. However, declining consent may impact you completing any Farm Assurance Scheme audits.
We envisage that we will hold information about any safeguarding concerns relating to you, only where it is necessary and relevant to do so.
We are allowed to use your personal information in this way to carry out our obligations as set out in our Safeguarding Policy. A copy of this policy can be made available on request.
We have in place policy and safeguards which we are required by law to maintain when processing this data.
- Automated decision making
We do not envisage that any decisions will be taken about you using automated means; however, we will notify you in writing if this position changes.
- Will we share your personal data with third parties?
In order to meet our legal obligations connected with our relationship with you, it is necessary to share your personal information with certain third parties (see below). We also need to share your data when we have legitimate business reasons for doing so and also where it is necessary in order to perform the contract we have with you.
- Which third party service providers will we share your personal data with?
The following third-party service providers process personal information about you for the following purposes:
- Accreditation Partners such as Red Tractor or SQC, and their designated Assessment centres
- The Voluntary Initiative, the owners of NRoSO
- External IT support.
- Company auditors.
- Insurance companies for employer liability and / or incidents/ accidents on site or at external events.
- HSE where there has been an incident/accident at site.
- Data Partner Organisations.
- Companies in accordance with your membership when outsourcing items such as:
- Producing and sending Membership Cards
- Sending out Pro-Operator
- Sending out any BASIS / NRoSO marketing materials
- We will share your data with your employer where the employer pays the invoices, and where we are requested by them to do so.
- Third party service providers and data security
Third party service providers are only permitted to process your personal data in accordance with our specified instructions. They are also required to take appropriate measures to protect your privacy and personal information. We do not allow your information to be used by the third parties for their own purposes and business activities unless they have a legitimate reason for doing so.
- Will we share your personal data with other entities within our business group?
As a consequence of the need to report on business performance, project progress, marketing activity, accounting, internal business transformations and IT activity, your personal data will be shared with other entities within the business group.
- Will we transfer your personal data outside of the UK?
We may transfer personal data outside the UK, where you are based, and/or are working within countries outside of the UK, and/or your employer is based outside of the UK.
- How do we ensure your personal data is secure?
We take your privacy and protection of data very seriously. Consequently, we have put in place appropriate security measures to prevent unauthorised use of your personal data. Details of the measures which are in place can be obtained from the Company’s Data Protection Officer (DPO). We will notify you and any applicable regulator of any suspected unauthorised use of your personal data.
- How long will we keep your personal data?
We will retain your personal data for as long as is necessary to fulfil the purposes for which it was collected. Details of retention periods for specific purposes are available on request from the Company’s DPO. When your employment relationship comes to an end with our business, we will either retain or securely destroy your personal data in accordance with our Data Retention Policy or other applicable laws and regulations.
- Your duty to inform us of any changes
In order that we can ensure that the personal data we hold in relation to you is accurate, it is important that you keep us informed of any changes to that data.
- What rights do you have in respect of how we use your personal data?
Subject to legal limitations you have the right to:
- Request access to your data: You can ask us to provide a copy of the personal data we hold about you.
- Request corrections to be made to your data: If you think that your personal data is incomplete or inaccurate, you can ask us to correct it.
- Request erasure of your data: If you consider there is no lawful basis for us to continue processing your data you can ask for that data to be deleted or removed.
- Object to the processing of your data: If our lawful basis for processing your data relates to a legitimate business interest (or third-party interest) you can raise an objection to that interest. You can also object to us using your information for direct marketing purposes.
- Request that processing restrictions be put in place: If you believe that your information is being processed without a lawful reason or that the information is incorrect, you can request that a freeze/restriction is placed on the processing of the information until your concerns are addressed.
- Request a transfer of your personal data: You can ask us to transfer your personal data to a third party.
If you wish to exercise any of the above rights, please contact the Company’s DPO in writing via email address: email@example.com
- Will I have to pay a fee?
You will not be expected to pay a fee to obtain your personal data unless we consider that your request for access to data is unfounded or excessive. In these circumstances we may charge you a reasonable fee or refuse to comply with your request. Details are available from our DPO.
- Confirmation of identity
Whenever you make a request for access to personal data, we may request specific information to confirm your identity. This is usually done to ensure that we are releasing personal data to the correct person.
- Right to withdraw your consent
If we have asked for your written consent to obtain information, you have the right to withdraw your consent at any time. To withdraw your consent please contact the Company’s DPO. Once we receive your notice of withdrawal, we will cease processing your data unless we have any other lawful basis on which to continue processing that data. However, withdrawing consent may impact adversely on your rights to continue to study with BASIS at present and in the future.
Any changes we may make to our privacy notice will be notified to you by e-mail and you will be provided with a new notice at that time.
- How to make a complaint
Regretfully there may be times when someone is unhappy with something we are doing or something we have done with their data.
We genuinely want to work with you to put things right and therefore should you have any concerns, please give us the opportunity to address them by directing your concerns to:
We will always do everything we possibly can to satisfy your concerns, but should you remain dissatisfied, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. Full contact details and how to raise a complaint are found on their website at www.ico.org.uk.
- Monitoring compliance
The Company’s Data Protection Officer has lead responsibility for ensuring compliance with this Privacy Notice and will review its contents on a regular basis.
They will be responsible for monitoring its effectiveness and supplying regular reports. They have overall responsibility for ensuring this Notice complies with the Company’s legal and ethical obligations.
The Company will provide training to all employees, contractors, and associated persons to help them understand their duties and responsibilities under this Privacy Notice.
Breach of any of the provisions of this notice will be investigated and appropriate action taken where any allegations are proven.
- Management discretion
The Company reserves the right to alter, amend or remove this Privacy Notice at any time in line with changing Company or legislative requirements. Due notice will be given, and you will be notified accordingly of any changes made.
- Monitoring and review
BASIS management has a responsibility for ensuring that this Privacy Notice is reviewed annually to ensure it is up to date and compliant with current legislation and Company requirements, and that it is fit for the intended purpose.
Annual reviews of the Privacy Notice will be undertaken by the Data Protection Officer in conjunction with senior management, the internal HR Representative and external HR support.
Notice Owner: Data Protection Officer
Notice approved by: Data Protection Officer
Date Notice approved: May 2023
Next review Date: May 2024