Waterways Ombudsman Scheme – compliance with the EU General Data Protection Regulation (GDPR)
The Waterways Ombudsman Scheme is covered by the GDPR. This includes a range of measures governing who may process personal data, by what means and for what purposes.
The Scheme is registered with the Information Commissioner’s Office as a data controller.
Your personal data and how we use it
Personal data (or information) is data about individuals (also known as data subjects) who contact the Scheme in connection with a complaint or enquiry. It includes information such as your name, address, contact details, correspondence and conversations with us, as well as any evidence provided by you or the organisation you are complaining about.
The main role of the Ombudsman is to consider complaints where the complainant has completed the internal complaints process of the organisation which is the target of the complaint. The Ombudsman also deals with enquiries, which may be about a potential complaint, or of a more general nature, or may be requests for advice or guidance.
Where the Ombudsman decides to conduct a formal investigation, or where she handles an enquiry, she will need to process your personal data. Under the GDPR there must be a lawful basis for processing personal data, one of which is “legitimate interest”. This means, in essence, that data is used in ways that a complainant or enquirer would reasonably expect.
For investigations and enquiries the your personal data is processed on the basis of legitimate interest. Where the Ombudsman conducts a formal investigation she may also ask you to provide feedback about the service, but this will only be with your consent.
The Ombudsman will process your personal data only to the extent that is necessary to achieve the aims of the Waterways Ombudsman Scheme. In addition to considering complaints or dealing with enquiries, this will include sharing of information with the Waterways Ombudsman Committee, which oversees the Scheme, and with the Chartered Trading Standards Institute for the purposes of accreditation of the Scheme. Information will not be provided, without your consent, to any person or organisation that is not subject to the GDPR.
The Scheme is an independent entity. It does not have direct access to any personal data held by any organisation within its scope, nor do any of those organisations have direct access to any personal data held by the Scheme.
How long we keep your personal data
Personal data will not be kept longer than is necessary. Once a case or an enquiry has been closed, it will be retained for the following periods:
- in the case of enquiries where the Ombudsman does not carry out a formal investigation, any electronic or paper records are securely deleted or destroyed 12 months after the last contact with the enquirer;
- full case files are securely deleted or destroyed 12 months after the last communication from the complainant after the case has been closed, or six months after the publication of the annual report covering the date on which the final decision was issued, if later;
- Ombudsman final decisions are kept permanently.
You have the right to request a copy of your personal information and for it to be corrected if appropriate. A charge will not normally be made. The Ombudsman has a month to comply with the request.
You also have the right to request that your data be deleted or amended. You can also request that any further processing be stopped, although this will mean that your complaint or enquiry will be discontinued.
What to do if you’re unhappy with how we’ve handled your personal information
You should first let the Ombudsman know, so that she can look into your concerns. She is the data controller.
If you’re unhappy with the response, you can contact the Information Commissioner’s Office at www.ico.org.uk, firstname.lastname@example.org or 01625 545745.
More detailed information about compliance with the GDPR is available under the Publications tab or by following this link.