About Us
In this Privacy Policy, references to ‘we’ or ‘us’ are to Wessex Archaeology, a company limited by guarantee registered in England, no. 1712772 and a Registered Charity in England and Wales, (no. 287786) and in Scotland, (Scottish Charity number SC042630). Our registered office is at Portway House, Old Sarum Park, Salisbury, Wiltshire SP4 6EB.
We will be the controller of any relevant personal data regarding members of staff, customers, subcontractors, landowners, trustees, volunteers, students, interns, work experience children and their parents/guardians processed or described in this Privacy Policy as part of our operations.
We will not pass on your details to any third-party unless you give us permission to do so or we are required to do so by law.
We keep our privacy policy under regular review and we will place any updates on this web page. This privacy policy was last reviewed on 20/09/2019.
Exemptions
Certain data is exempted from the provisions of the GDPR including the following:
- National security and the prevention or detection of crime
- The assessment of any tax or duty
- Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the business, including safeguarding and prevention of terrorism and radicalisation
Data Security
Wessex Archaeology takes appropriate technical and organisational steps to ensure the security of relevant personal data. We have implemented security measures to protect the personal data that we have under our control from
- unauthorised access;
- improper use or disclosure;
- unauthorised modification
The Company ensures that all staff are aware of their responsibilities under GDPR, and provides them with the necessary advice, guidance and awareness training in handling personal data.
Processing of Personal Data
We are committed to complying with the General Data Protection Regulation (GDPR) in fulfilling our duty to the rights for individuals and in the collection, processing and transfer of personal information to ensure that personal data is:
- Processed lawfully, fairly and in a transparent manner
- Collected for specific, explicit and legitimate purposes only
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected
- Accurate and, where necessary, kept up to date. We will take every reasonable step to erase or rectify inaccurate personal data
- Not kept in a form which allows identification of the subject for longer than is necessary for the specified purpose(s)
- Processed in an appropriately secure manner including protection against unauthorised use, accidental loss, destruction or damage.
Your personal data – what is it?
“Personal data” is any information relating to a (living) person which allows them to be directly or indirectly identified from that data. The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom including the General Data Protection Regulation (the “GDPR”) and other legislation relating to personal data and rights such as the Human Rights Act.
What data do we process?
Staff
For full details of staff data that we legitimately collect and process staff can access the procedure HR-PR-029-A.
Customers
The majority of our customers are businesses and are not therefore supplying us with personal data other than their name along with their business contact details.
Some customers are private individuals requiring our services. We only collect their name, address and phone numbers to be able to supply the required service or advice.
All customer information is held on our secure customer database.
Subcontractors
Subcontracted business services usually supply us with contact names and business contact details thereafter. This information is held on our secure customer database.
Some subcontractors are freelance specialists who we take on, on a temporary contract for a specific project. As such we treat them as suppliers and the data we collect is name, address, (emergency contact details if site working) and payment details to pay their invoice. This information is kept on our secure customer database.
Volunteers & Work experience students
Volunteers are asked to fill in and sign a volunteer application and agreement (HR-F-025-001-A), and we ask for name, address, email and telephone numbers as well as emergency contact name and details. This information allows us to contact them and keep them up to date with opportunities for volunteering with us and attending training events/talks etc.
Medical and relevant prescribed medication information is requested to enable us to ensure volunteer safety and comfort whilst working with us, but it does not exclude them from working with us. Other information is requested to be used in anonymised reporting on our diversity profile but is only given and used by consent on the form.
This information is held securely and confidentially and only available to the HR team and relevant members of the Outreach department.
Work experience students are asked to fill in and sign a contact and emergency contact details form (HR-F-026-001-A). We ask for name, address, email and telephone numbers as well as emergency contact name and details. We also ask their age and school year to help us deliver the best learning experience. The information we collect allows us to contact them and keep them up to date with their planned work experience week with us.
Medical and relevant prescribed medication information is requested to enable us to ensure work experience student safety and comfort during their work experience with us, but it does not exclude them from working with us.
Other information is requested to be used in anonymised reporting on our diversity profile but is only given and used by consent on the form. This information is held securely and confidentially and only available to the HR team and relevant members of the Outreach department.
Work placements/internships
Adult students who are doing work placements or internships will supply us with the same information as the work experience students/volunteers above. This information is held securely and confidentially and only available to the HR team and relevant members of the department they are working.
Trustees
Our Trustees supply us with their name, address, email, telephone number and date of birth for our Register of Directors and Secretaries form (WA_Corp_012). This information is required as part of our corporate governance and the contact details are available on Companies House and the Charity Commission websites
The full details are held securely and confidentially and only available to the Company Secretary and the CEO.
Landowners
We need to contact landowners of sites where archaeological archives are generated to gain their permission to deposit the archive with the relevant museum to facilitate its long-term preservation.
The information we request is a name and address so that we can send them a Transfer of Title form to fill in; these details are then passed to the museum who have a legitimate interest in acquiring them as part of the legal agreement that the Transfer of Title constitutes, and will not use them for any other purpose than to acknowledge said Transfer of Title.
At Wessex Archaeology these details are kept securely within the archives folder where only relevant members of the archives team have access and are retained at Wessex Archaeology until deposited and the Archive Transmittal Record is completed.
External Processors
We use data processors for our staff payroll and pensions along with DBS services. We share personal data with them where it is necessary for them to carry out their duties as our data processors or where you have given us your prior consent.
Wessex Archaeology undertakes checks to ensure that external parties who process data on our behalf (such as pensions and payroll) are compliant with the GDPR.
Special Category Data
We may be required to process data that is more sensitive such as:
- data relating to medical information,
- gender,
- religion,
- race,
- sexual orientation,
- and criminal records and proceedings.
We do this to be able to report on our diversity profile and comply with some government legislation such as Gender pay gap reporting. It also enables us to formulate and implement employment procedures to break down barriers to equality.
This data is held securely and confidentially and only available to the HR team.
Right of Access to Information
Individuals have the right of access to their personal data held by Wessex Archaeology, subject to the provisions of the GDPR and the Freedom of Information Act 2000.
Any individual wishing to access their personal data should put their request in writing to the Data Protection Team, Wessex Archaeology, Portway House, Old Sarum Park, Salisbury, Wiltshire, SP4 6EB. Subject access requests can also be made via email to info@wessexarch.co.uk with the subject GDPR SAR.
A Subject Access Request Form (HR-F-029-001-A SAR) is available to download below. We will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 30 days from receipt of request. Downloading and completion of the pro forma form is not mandatory and requests can be made verbally or in writing.
We do not charge a fee but if a request is manifestly unfounded or excessive we may charge a reasonable fee for the administration costs.
Right to Rectification
Wessex Archaeology will endeavour to ensure that all personal data held is accurate and up to date and will amend or change data upon request if it is inaccurate.
It is important that the personal data we hold about you is accurate and current so please keep us informed if your personal data changes during your working relationship with us. Members of staff can pass any updates directly to the HR team or the Data Protection Team can be contacted via email info@wessexarch.co.uk.
A Right to Rectification Form (HR-F-029-005-A RTR) is available to download below. We will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 30 days from receipt of request. Downloading and completion of the pro forma form is not mandatory and requests can also be made verbally or in writing.
Right to Erasure
Individuals have the right to have personal data erased though this right is not absolute and only applies in certain circumstances (see Article 17 of the GDPR for full details).
Any individual wishing to have their personal data erased should put their request in writing to the Data Protection Team, Wessex Archaeology, Portway House, Old Sarum Park, Salisbury, Wiltshire, SP4 6EB.
Data erasure requests can also be made via email to info@wessexarch.co.uk with the subject GDPR ROE.
A Data Erasure Request Form (HR-F-029-003-A RTE) is available to download below. We will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 30 days from receipt of request. Downloading and completion of the pro forma form is not mandatory and requests can also be made verbally or in writing.
We may refuse to comply if a request is manifestly unfounded or excessive or we may charge a reasonable fee for the administration costs in these circumstances.
Right to Restrict or Object to Data Processing
Individuals have the right to request the restriction or suppression of their personal data, though this is not an absolute right and only applies in certain circumstances (see Article 18 and 21 (1) of the GDPR for full details). Individuals can also object to the processing of their personal data to stop it being used for direct marketing.
Any individual wishing to restrict the processing of their personal data should put their request in writing to the Data Protection Team, Wessex Archaeology, Portway House, Old Sarum Park, Salisbury, Wiltshire, SP4 6EB.
Data Restriction Requests can also be made via email to info@wessexarch.co.uk with the subject GDPR DRR.
A Data Restriction Request Form (HR-F-029-004-A RODP) is available to download below. We will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 30 days from receipt of request. Downloading and completion of the pro forma form is not mandatory and requests can also be made verbally or in writing.
We may refuse to comply if a request is manifestly unfounded or excessive or we may charge a reasonable fee for the administration costs in these circumstances.
Right to Data Portability
Individuals have the right to obtain and reuse their personal data for their own purposes i.e. in a structured, commonly used and machine-readable format and/or have it transmitted directly to another controller. We will comply with this where it is technically feasible.
Any individual wishing to have obtain their personal for this purpose should put their request in writing to the Data Protection Team, Wessex Archaeology, Portway House, Old Sarum Park, Salisbury, Wiltshire, SP4 6EB.
Data Portability Requests can also be made via email to info@wessexarch.co.uk with the subject GDPR DPR.
A Data Portability Request Form (HR-F-029-006-A RTDP) is available to download below. We will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 30 days from receipt of request. Downloading and completion of the pro forma form is not mandatory and requests can also be made verbally or in writing.
We may refuse to comply if a request is manifestly unfounded or excessive or we may charge a reasonable fee for the administration costs in these circumstances.
Automated Decision making including profiling
Wessex Archaeology do not make any automated individual decision-making or profiling.
Retention of Data
Wessex Archaeology may retain data for differing periods of time for different purposes as required by statute or best practices, this is recorded in our data processing documentation (HR-PR-029). Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data. It should be noted that our standard company disaster recovery process requires regular and secure data back-ups.
Transfer of data abroad
Wessex Archaeology will only transfer data to countries or territories outside of the European Economic Area (EEA) if their systems comply with measures giving equivalent protection of personal rights through international agreements or contracts approved by the European Union.
Data Breach Notification
Wessex Archaeology has a response plan for addressing any personal data breaches that occur (HR-PR-029-002-A PDB notification) either by accidental or deliberate causes.
Contact details
If you have any questions about this Privacy Notice please contact the Data Protection Team:
info@wessexarch.co.uk or Portway House, Old Sarum Park, Salisbury, Wiltshire SP4 6EB.
To learn more about your your privacy rights while using our website read our Web Privacy Policy here.