Privacy Notice
Privacy Notice
This privacy notice tells you how Harwich Haven Authority (The Authority) manages your personal information when you either make contact with us to use one of our services, or we make contact with you.
We have outlined:
- The various ways we collect or process personal information
- What personal information we collect about you
- Why we are processing it
- Why we are allowed to process it
- How long we keep it
- Whether we share it with anybody else
- Whether we intend to transfer it to a country outside of the European Economic Area (EEA)
- And, details of the rights you have relating to your personal information.
The Authority was created by an act of parliament in 1863 and, as such, we have a number of official duties that we must perform to keep the harbour safe for all users. To help us carry out these duties we have official powers that are detailed in our Acts and Orders.
The Authority is classed as the ‘Controller’ for the personal information we process. This means that we are responsible for keeping your personal information safe and secure once we collect it, and to ensure that you can exercise your rights to your personal information.
You can get in touch with us is lots of different ways all of which can be found here https://hha.co.uk/contact.
Our postal address is:
Harbour House
The Quay
Harwich
Essex
CO12 3HH
01255 243 030
The majority of personal information we receive is provided to us directly by you. There are, however, a few examples where this is not the case which will be detailed below.
There are also times when we collect Special Category data, but we only do this when we have a specific exception as detailed in the GDPR. The types of special category data and which exception we use are detailed below.
The Data Protection Act 2018 (DPA 2018) and General Data Protection Regulation (GDPR) states that any personal information that we process belongs to you and you have rights to it. The rights available to you depend on our reason for processing your information, however, not all of them apply all the time. There are also some exceptions that may be applied in certain circumstances as well.
If we are processing your personal information for law enforcement purposes, your rights are slightly different. We have another section below the details this.
When you ask us to exercise one of your rights, we have one month to respond to you. You will not be charged to exercise your right.
If you wish to make a request, please email [email protected]k or phone 01255 243 030
Your right of access
You have the right to ask us for copies of the personal information we hold. This right always applies, however, in some circumstances you may not receive all the information we hold about you
Your right to rectification
If you think the information we hold about you is inaccurate or incomplete, you have the right to ask us to rectify this information. This right always applies.
Your right to erasure
In certain circumstances you have right to ask us to erase all your personal information.
Your right to restrict processing
In certain circumstances you have right to ask us to restrict processing your information.
Your right to object to process
If we are processing your personal information using Article 6(1)(e) of the GDPR which relates to the duties we carry out in the public interest or Article 6(1)(f) of the GDPR if it is in our legitimate interest, you have the right to object to us processing this information.
Your right to your data portability
You have the right to ask us to transfer the information we hold about you and give it to another organisation or directly to yourself. This only applies to the information you have given us, and it only applies if we are processing that information based on your consent or as part of a contract.
In the day to day running of our business we use external data processors to provide services to us. This could be things like cloud service providers, such as Microsoft Office 365, auditors, or insurers. As these third parties are classified as data processors it means that they cannot do anything with your personal information unless we had explicitly told them to do so. It also means that they must hold your information securely and retain it for as long as we have instructed them to do so.
Most of our cloud service providers store your personal information in data centres within the European Economic Area which ensures data is treated to the same high standard that it is in the UK. However, some use data centres in the US and where this is the case, we use the EU-US Privacy Shield or Standard Contractual Clauses, which ensure data has the same level of protection.
There are some circumstances where we are legally obliged to share your personal information. For example, where there has been an incident in the harbour or at sea and we are cooperating with the Marine Accident Investigation Branch (MAIB) or the Marine Coastguard Authority (MCA) in an investigation or when we have been instructed to do so by a court of law.
We never share personal information with any other organisation for the purposes of direct marketing.
If you would like any further information about any of our data processors, there are some links to their websites below, or you can always ask us directly – please email [email protected].
External Data Processors:
This is a list of the external data processors we use and links to their privacy policies, notices, statements, or charters. The links in this table take you away from our website. Please take care when browsing.
Type of processor | Name | Link to privacy document |
Business Productivity Services | Microsoft Office 365 | Privacy Statement |
Survey tool | SurveyMonkey | Privacy Policy |
Customer Relationship Management | MailChimp | Privacy Policy |
Recruitment Agency | Bristow Holland | Privacy Policy |
Occupational Health Provider | Gipping Occupational Health | Privacy Policy |
Pre-employment Assessor | SHL | Privacy Notice |
Photographic and video production | Bruizer | Privacy Policy |
Board member appointments | Department for Transport | Personal Information Charter |
Website host | Trebuchet Creative | Privacy Policy |
Intranet host | Focus Integrated | Privacy Policy |
Distribution Company | Mutual Media | Privacy Policy |
Marine Regulatory Body | Marine Management Organisation | Personal Information Charter |
We work within the DPA 2018 and GDPR and your data and privacy are very important to us. We strive to work to the highest standards when handling your personal information and we are looking to improve our practices every day. If you have any queries or concerns regarding how we are processing your personal data please let us know at [email protected] and we’ll get back to you as soon as we can.
If, after we have responded, you remain dissatisfied, you have the right to complain to the UK’s supervisory authority, The Information Commissioners Office (ICO) using this link: https://ico.org.uk/make-a-complaint/
Typically, we don’t offer services directly to children or proactively collect their personal information. However, if any children visit our sites, namely Ha’penny Pier, their images will be captured by our CCTV cameras and processed in the same way any adults’ images would be. For more information see section 10.4 – visiting one of our sites.
Also, from time to time, we hold educational events for children. We may take photos or videos at these events. A privacy notice will be displayed, and we will ask for the consent of the child’s parent or guardian before we process any of their personal information.
The length of time we keep your personal information for will depend on what that information is and why we are processing it. We will only keep hold of your personal information for as long as it is absolutely necessary to fulfil the purpose we collected it for. At this point, and according to our retention schedule, we will either anonymise your personal information or delete it.
To keep your personal information safe, we have put in place numerous technical, procedural, and organisational measures. We have sophisticated cyber security systems to protect your personal information from malicious attacks. These include two factor authentication and user accounts with specific permissions to ensure that your personal information is only seen by those that need to see it. Internally, we have procedures, policies, and regular training takes place to ensure our staff know the importance of data protection and how best to deliver it.
In the event that your personal information is involved in a breach, where there is a risk to your rights and freedoms, we will contact the appropriate supervisory authority, normally the ICO. Where there is a high risk to your rights and freedoms, we will also contact you.
This section of the privacy notice provides information that is specific to your reason for contacting us.
Please click on a section below to expand it.
Our application process requires us to collect your personal information, whether you apply directly to us or through an external recruitment agency we have engaged.
Purpose and lawful basis for processing
Our purpose of processing your personal information is to assess your suitability for the role that you have applied for.
The lawful basis we rely on for processing your personal information is Article 6(1)(b) of the GDPR, which relates to processing necessary for the performance of a contract or to take steps, at your request, before entering a contract.
What we do with your information
Whether you send us your application directly or we receive it from an agency (or some other third party), your personal information will be stored securely and viewed only by those involved in the recruitment process.
The information we collect
The information we collect will differ depending on which stage of the application process you are at. Although, at any given stage, we will not collect more information than we need to fulfil that purpose and we will not keep it for any longer than is necessary.
The application stage – we will ask for your personal details as well as details about your previous work experience, relevant qualifications, and references.
The interview and assessment stage – we will capture your responses to the interview questions and your assessment and interview scores. At this stage we may also look for your social media presence, if you have one, to gauge whether this matches up with what we have seen.
Additionally, we may ask you to carry out a psychometric assessment. This assessment includes an element of automated profiling and, as such, you have the right to request human intervention in the process. For more information on this, please contact [email protected].
Making you an offer of employment – we will ask for more detailed information about you to carry out any pre-employment checks. This will include, but not be limited to, proof of your right to work in the UK, proof of your qualifications, contact details for your referees, bank details, emergency contact details, National Insurance Number, etc.
Special category information
We will ask you to provide us with details about your gender, race, religion, and any disabilities you have. We require this information so we can accurately report the diversity of our organisation and it enables us to make reasonable adjustments within the workplace to accommodate any disability. We understand that you may see some of the answers to these questions as sensitive so we will always provide the option – “I’d prefer not to say”.
Once you have accepted our offer of employment, we will send you for a medical examination. This is carried out by an external occupational health provider (for details see External Data Processors table). The precise results are not shared with us, they remain confidential between you and the provider. We only receive a report about your suitability for work and any recommendation for workplace adjustment.
We can process this ‘Special Category’ information because Article 9(2)(b) of the GDPR applies and fits with our obligations in the field of employment.
Who we share your personal information with
For some Board vacancies, the decision as to who to appoint is made by the Secretary of State for Transport. As part of these applications your personal information will be securely shared with the Department for Transport (for details see Section 5 – External Data Processors table).
The data processors we use
In addition to the cloud service providers mentioned in Section 5 – Sharing your personal information, we also use an external provider to carry out pre-employment assessments (for details see Section 5 – External Data Processors table).
Throughout the year we run numerous community events and operational exercises. If you attend, or apply to attend, one of these events or exercises we will collect various pieces of your personal information.
Purpose and lawful basis for processing
The reason we collect this information is to enable us to facilitate the event or exercise and provide you with an acceptable service.
The lawful basis we rely on for processing your personal data is either gaining your consent under Article 6(1)(a) of the GDPR or, particularly for operational exercises, Article 6(1)(f) as we would have assessed that it is our legitimate interest.
What we do with the information
For operational exercises we will collate the information gathered during the exercise (potentially including your personal information) to assess, evaluate and learn. When this process is completed, we will anonymise as much personal data as we can.
Activity related to our external events, with your consent, may be publicised via our digital platforms, social media, traditional media outlets and in our internal, employee newsletter.
The information we collect
If you apply to participate in one of our events, we will ask you for your name and contact details.
Closer to the event, if we are providing food, we may ask you about your dietary requirements. We will also ask if you have any other special requirements (e.g. accessibility needs, photo sensitivity, etc.).
At the event, we may also capture video or photographic images to use as publicity for the event or for training purposes. It will be made clear to you at the event, and notices will be clearly displayed, that we are taking photos or videos and what they are going to be used for.
Some events we put on are aimed at children. Notices will be clearly displayed and with the explicit consent of their parent or guardians, we may take their photos, record video of them and record their names.
If at any point you wish to withdraw your consent or ask us to stop using your images, please email [email protected] While we will always try to facilitate your requests, when we use the legitimate interest as the lawful basis, we may decline your request, if we have legitimate grounds to do so. We will always be transparent with you about this.
Special category information
When we collect any information about dietary or special (particularly health related) requirements, we also need your consent, under Article 9(2)(a) of the GDPR, as this type of information could be classed as special category data.
Who we share your personal information with
For operational exercises we may share your personal information with other partner agencies taking part in the exercise (e.g. Marine Coastguard Agency, Police, Fire Brigade, RNLI, etc.).
If we are providing food then we will share your dietary requirements with the catering provider, although, where possible, we will anonymise this.
The data processors we use
At most of our events we capture video and photos ourselves but, at some of our events, we use an external filming company (for details see Section 5 – External Data Processors table). We have a data processing agreement with them which ensures that they cannot do anything with your personal information without our permission.
We also use some of the cloud service providers mentioned in Section 5 – Sharing your personal information.
If you are making use of our free Wi-Fi around Ha’penny Pier or you are a visitor and are using our physical IT network, we will need to collect some of your personal information.
Purpose and lawful basis for processing
We need to collect this information to enable us to provide you with this service; it will not work without it.
We can do this because we have assessed that we have a legitimate interest to do so and the GPDR allows this under Article 6(1)(f) of the GDPR.
What we do with the information
The personal information that we collect will be used to identify your device on the network (this is something that is required to access the internet or any IT system).
Our firewalls (protection between our network and the wider internet) monitor all network traffic to block certain types of website and file transfers. This information is recorded, but we only access it if there is reasonable suspicion of activity that breaches our policies.
The information we collect
We will collect your device information, any user account information (physical network only), and your network traffic (as mentioned before, this is in no way monitored and we cannot access it without just cause).
Special category information
We don’t anticipate any special category information will be captured in this process.
Who we share your personal information with
We will never share your personal information with any other parties.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data processors are used.
Whether you are visiting one of our sites for business related reasons or you are visiting Ha’penny Pier or the surrounding area, we will collect some of your personal information.
Purpose and lawful basis for processing
Depending on why you are visiting us will depend on why we are collecting your personal information. If you are entering one of our buildings as a visitor or you are a supplier or contractor, we have legal obligations under The Health and Safety at Work Act 1974 to collect you details.
Across our sites, including Ha’penny Pier, we have CCTV cameras which will be collecting your images. These are there to deter, prevent, and detect crime and for the safety and security of our sites and the people in or on them
For those processes where we do not have a legal obligation upon us (and therefore using Article 6(1)(c) of the GDPR), we have assessed that we have a legitimate interest to process your personal information; the GDPR allows for this under Article 6(1)(f) of the GDPR.
What we do with the information
When you visit one of our buildings, we will capture some of your personal information for our visitor book so that we know who is on site from a health and safety perspective. You will also be issued with a visitor card which will have an ID number that is assigned to you temporarily.
If you are a regular visitor, you may have a personalised card issued to you which will give you access to certain areas of the buildings. The use of your card is recorded.
Our CCTV system covers all of our buildings, sites, and vessels and are recording all of the time but we will only access these recordings in an appropriate situation (see the CCTV Privacy Notice for further details).
There are a few cameras that are classed as ‘operationally important’ that are monitored 24 hours a day by our VTS team. The cameras located on Ha’penny pier are monitored by the Pier Masters while they are on duty. The other cameras are recording all the time,.
The information we collect
Your name and contact details, and, if applicable, the company you work for is captured for our Visitor Book. We will also record your arrival and departure times.
If a visitor card issued to you, we will capture your name and contact details and the company you work for. You will also have a card ID number issued to you which will then become your personal information.
The CCTV system will capture video recordings of you, and, in certain circumstances, we may record audio as well (see the CCTV Privacy Notice for further details).
Special category information
We don’t anticipate any special category information will be captured.
Who we share your personal information with
In the event of an incident involving you that our CCTV cameras capture, we may share your personal information with the Police or an investigatory body, such as the Marine Accident Investigation Board or The Health & Safety Executive.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data other processors are used.
If you’ve had an accident at one of our sites that required us to administer first aid or fill in an accident report form, we will need to capture some of your personal information.
Purpose and lawful basis for processing
The reason we capture this information is because there is a legal obligation under The Health and Safety at Work Act 1974 to do so, and as such we are permitted to do so under Article 6(1)(c) of the GDPR.
What we do with the information
This information is kept as a record of the incident in case it is needed as part of a subsequent investigation.
The information we collect
Initially, we will collect your name and contact details, address, date of birth, and your involvement in the accident. If we then need more information regarding the accident, we may record other peoples’ opinions about it (if these opinions are relating to you, they then become your personal information too), we will also record your communication with us.
Special category information
In some situations, we may ask to record special category information about you (mostly information about your health). If you are able to consent to this we will seek it explicitly (using Article 9(2)(a)), if you are not able to give your explicit consent (i.e. you are unconscious), and we feel it is in your vital interest to capture this information, we will do so relying on Article 9(2)(c).
Who we share your personal information with
Your personal information will not be shared with any other organisation unless the Police or investigatory body request it and have followed the appropriate guidelines.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data processors are used.
When you get in touch with us because you have a query or a complaint, we will need to capture some of your personal information in order to respond to you appropriately and efficiently.
Purpose and lawful basis for processing
As a trust port, it is important that we are engaged with our stakeholders and that we respond to your queries and complaints. The lawful basis we rely on for processing your personal information is Article 6(1)(f) of the GDPR, necessary for the purposes of our legitimate interests.
What we do with the information
Depending on how you get in touch with us will depend on how we respond to you. You will be responded to by the appropriate member of staff and complaints may be shared internally in order to improve our services.
The information we collect
We need enough information to answer your enquiry and to enable us to respond to you. Typically, we will collect your name and contact details as well as the various messages that go between us.
Special category information
We don’t foresee any special category information being processed in this process.
Who we share your personal information with
None of your personal information will be shared with any external organisations.
The data processors we use
As well as the cloud service providers mentioned in Section 5 – Sharing your personal information, if you use the Contact Us page on our website, your details will be captured via a MailChimp form. (for details see Section 5 – External Data Processors table).
When major engineering projects are carried out within our area of jurisdiction, they generally involve a consultation with stakeholders. Whether you are an interested member of the public or a stakeholder in the project we value your input. To allow us to react to feedback requires us to capture some of your personal information.
Purpose and lawful basis for processing
We want our engineering projects to run as smoothly as possible and maximise benefit whilst minimising impact. For us to be able to do that we have assessed that we have a legitimate interest to process personal information and we use Article 6(1)(f) of the GDPR to do so.
What we do with the information
Your input into our consultation will be used to drive how we manage and deliver the project.
The information we collect
We will capture your name and contact details as well as any written communication you have with us. Also, if we hold any public meetings, minutes will be taken as well and, occasionally, we may take photos and videos of the meeting.
Special category information
We don’t anticipate any special category information being processed.
Who we share your personal information with
You feedback will be shared with partner organisations involved in the project, particularly regulatory bodies like The Marine Management Organisation (for details see Section 5 – External Data Processors table). Where possible we will anonymise your personal information.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data processors are used.
We have several mailing lists across The Authority across a range of topics, if you receive any of them then we will need some pieces of your personal information.
Purpose and lawful basis for processing
We need to collect your personal information to provide that particular service to you. The lawful basis that we rely on is Article 6(1)(a) of the GDPR which relates to you giving your explicit consent.
What we do with the information
The data is stored within Mailchimp and is collected via a form generated by the Mailchimp system that sits on our website.
The information we collect
We will collect your name and contact details as well as your marketing preferences.
Special category information
We don’t anticipate any special category information being processed.
Who we share your personal information with
Your personal information is only ever used internally.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data processors are used.
Every year we publish and send out several printed publications (e.g. the yachting guide, tide tables, etc.). If you request that we send you a copy we will need to collect your personal information in order to do so.
Purpose and lawful basis for processing
We need to collect your personal information in order to provide that particular service to you.
The lawful basis that we rely on is Article 6(1)(a) of the GDPR which relates to your consent.
What we do with the information
This data is stored in Mailchimp. When we need to distribute the publication, we will share your details with the distribution company (for details see Section 5 – External Data Processors table).
The information we collect
When you initially request a publication, we will collect your name and contact details as well as your communication preferences and you will be asked if you would like to subscribe to receive them every year or only once.
You can change these choices or unsubscribe completely at any time.
Special category information
We don’t anticipate any special category information being processed.
Who we share your personal information with
We won’t share your personal information with any other organisation other than the data processor we use to send publications via Royal Mail or courier to you.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data processors are used.
When you visit our website, www.hha.co.uk, we will need to collect some of your personal information via Cookies, some of which are necessary for security or functionality, and some of which are optional.
Purpose and lawful basis for processing
We have these measures in place to monitor, maintain, and hopefully improve the performance, usability, and overall user experience of our website.
We will either use Article 6(1)(a) of the GDPR when we ask for your consent to use optional cookies, or Article 6(1)(f) which allows us to process your personal information when we have assessed it is necessary for our legitimate interests.
What we do with the information
The information we collect will be stored within Google Analytics. It is never shared with third parties and we use what we learn through Google Analytics to provide more focused information to our stakeholders.
The information we collect
We will collect information about the device you use to visit our website like its IP address, country and time zone, operating system, and browser. We also capture your activity while on our website.
Special category information
We don’t anticipate any special category information will be captured.
Who we share your personal information with
None of your personal information we capture is shared outside of our organisation or the data processors we use.
The data processors we use
Our website hosted by Trebuchet Creative (for details see Section 5 – External Data Processors table) and we use Google Analytics these are the only data processors we use.
When you moor your vessel on our pontoons at Ha’penny Pier, we will collect some basic pieces of your personal information.
Purpose and lawful basis for processing
We collect this information to record that you have paid and so that we can contact you in the event of an emergency.
We rely on Article 6(1)(f) of the GDPR to process your personal information which relates to processing personal information that is necessary for our legitimate interests.
What we do with the information
The information we collect will be is kept for the duration of your stay
The information we collect
We will collect your name and contact details as well as your vessel name and whether you have paid the berthing fee or not.
Please also see the ‘Visiting one of our sites’ section.
Special category information
We don’t anticipate any special category information will be captured.
Who we share your personal information with
None of your personal information we capture is shared outside of our organisation.
The data processors we use
No data processors are used in this process
Detailed in the sections below are the reasons you may have to contact us in our capacity as the Harbour Authority, or generally as a business.
Please click on a section below to expand it.
As part of our role as harbour authority, we regularly host meetings, either in person or virtually (using Teams) with local stakeholders, keeping them informed about our work and collaborating with them keeping the harbour as safe as possible.
Purpose and lawful basis for processing
The reason we collect personal information at these meetings is to record the discussions and decisions that have been made.
We also keep a list of key stakeholders to invite to, and correspond with about, these meetings. These stakeholders are businesses or organisations (sailing or yacht clubs, marinas, etc.), not individuals or members of the public. However, from time to time, some individuals representing these organisations will use their own personal contact details. If you choose to do this, our relationship remains with the organisation that you represent and not you as an individual.
We are doing this because we have assessed that we have a legitimate interest to do so; the GDPR allows for this under Article 6(1)(f) of the GDPR.
At the beginning of the meeting we will ask all participants for their consent (Article 6(1)(a) of the GDPR) for us to create an audio recording. This will be used to facilitate better note taking. If anyone objects, no audio will be recorded.
Once the notes have been taken, the audio recording is deleted.
In some meetings, particularly ones held virtually and to a wider audience, we may continue with recording the meeting. If you do not wish to be recorded, you will not be able to attend the meeting.
What we do with the information
The information captured will be used to keep a record of who said what at the meetings and keep a track of what decisions were made and by whom.
Contact details will be kept up to date in order of us to communicate with you the outputs of the meetings and invite you to subsequent meetings.
The information we collect
If you attend a meeting that we host, you will be asked for your name and contact details. The opinions that you share at the meeting will be captured in the written minutes or recording of the meeting.
Special category information
We don’t anticipate any special category information will be captured.
Who we share your personal information with
The minutes from the meeting may be shared with the attendees of the meeting (the recording will never be shared though) and invited attendees that couldn’t make it.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data processors are used.
If you are a pilot from another organisation and we are transporting you to board a vessel, we will collect certain pieces of your personal information.
Purpose and lawful basis for processing
In addition to the information we capture while you are visiting one of our sites (see Section 10.4 – Visiting one of our sites), we will also collect certain pieces of information that are necessary for the performance of our contract with the organisation you work for. Article 6(1)(b) of the GDPR applies to this process as it relates to the performance of a contract.
What we do with the information
This information will be used in contract performance reviews with your employer.
The information we collect
We will collect your name, the company you work for, your arrival and departure time, as well as details relating to your journey while aboard our vessel.
Please also see Section 10.4 – Visiting one of our sites.
Special category information
No Special category information is captured.
Who we share your personal information with
Your information will be shared with your employer but other than that, typically, we do not share this information with any organisation. However, if there is an incident, we will share your information with the emergency services and any investigating bodies.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data processors are used.
As one of our customers or suppliers we will need to capture pieces of your personal information, to best manage our relationship.
Purpose and lawful basis for processing
If you are a supplier we will need to process your personal information to make sure that you are kept up to date on the work you are carrying out for us and to make sure that invoices are paid in a timely manner.
If you are one of our customers, we will need to process your personal information so that we can contact you about our services and about any dues that may be owed.
In both cases we are applying Article 6(1)(b) of the GDPR which relates to the performance of a contract or prior to entering into one.
In some cases, it may be necessary to process your personal information while following anti-money laundering regulations. We will do this because we have a legal obligation to do so and we would be using Article 6(1)(c) of the GDPR to do so.
What we do with the information
Your information will be stored in our accounting software which we use to manage our customer/supplier relationship.
The information we collect
We will need to collect your name and contact details and your written communication with us, which could include your personal opinions.
In some cases, it may be necessary to perform a credit rating search for your business. This does not contain any personal information unless your business shares any details with you as an individual.
Special category information
We don’t anticipate any special category information being processed.
Who we share your personal information with
Most of the time your information is only used internally. However, if we need to share your personal information with another external stakeholder, we will always seek your consent first.
Exceptions to this are when we must share your information because of anti-money laundering regulations, in which case, we will not need to seek your consent to do so.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data processors are used.
To enable us to run a safe and efficient harbour our VTS team are communicating on the phone, VHF and by email with the vessels and users of the harbour as well as the various key stakeholders. Most of the information that they collect is not personal but from time to time some of it will be.
Purpose and lawful basis for processing
We will only ever collect personal information when it is absolutely necessary to do so. The purpose for collecting this information is to best facilitate the safe and efficient navigation through the harbour.
The lawful basis that we relay to do this is Article 6(1)(e) as it is a task we carry out in the public interest.
What we do with the information
All phone calls and VHF communication are recorded and securely stored using our integrated communication system (ICS).
These communications can be accessed if there is a business need (i.e. accessing them will improve the navigational safety of the harbour).
They can also be retrieved if there is an incident – for information on how your personal information will be used in this situation see section 11.9 – involved in a maritime incident.
The information we collect
For telephone calls, our ICS collects you phone number, time and date of call, as well as the call itself.
For VHF communication, our ICS collects all radio transmissions on the channels that we monitor and use and the channel number.
Within these communications personal information may be divulged either by you directly or by someone else.
Special category information
We don’t anticipate any special category information will be captured.
Who we share your personal information with
Typically, we do not share this information with any external organisations. However, if there is an incident, we will share your information with the emergency services and any investigating bodies.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data processors are used.
If you are applying for, or already hold, a PEC we need to collect items of your personal information in order to run the scheme effectively.
Purpose and lawful basis for processing
The purpose for collecting your personal information is so that we can register you on the scheme and go on to assess your suitability for certification.
This is a task carried out in the public interest as it is one of the tools we use to maintain safe navigational waters and, as such, Article 6(1)(e) of the GDPR applies.
What we do with the information
Your information will be collated into a folder on a secure drive and a record set up on our Management Information System. These are then accessed throughout your application journey by our PEC assessment team.
The information we collect
During the application process we will need to collect a range of items of your personal information. This will include your name and contact details, your employer, details about your pilot class, and which vessel(s) are you will pilot. We will also need to see copies of your medical certificate and certificate of competence.
During the process you will be allocated an ID number and examiners and assessors will record comments about your suitability for a PEC – as this information relates to you, it is classed as your personal information.
Special category information
We don’t anticipate any special category information will be captured.
Who we share your personal information with
Typically, we do not share this information with any external organisations. If there is an incident, however, then we will share your information with the emergency services and any investigating bodies.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data processors are used.
When one of our pilots boards your vessel there are certain pieces of personal information that need to be collected.
Purpose and lawful basis for processing
We collect this information as it serves as a record of the exchange and evidence in case of an incident.
We apply Article 6(1)(e) of the GDPR to processing this information as it is involved in maintaining navigational safety, and, therefore, in the public interest.
What we do with the information
Your information is captured on one of our Master / Pilot exchange (MPX) forms which are then scanned and saved securely on our network and the paper version shredded.
The information we collect
On the MPX form we will capture your name, rank, signature, details of the vessel, and any remarks you choose to make.
Special category information
We don’t anticipate any special category information will be captured.
Who we share your personal information with
Typically, we do not share this information with any external organisations. If there is an incident, however, then we will share your information with the emergency services and any investigating bodies.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data processors are used.
From time to time our IT team will need to call upon external suppliers to resolve an issue with one of our IT systems or applications. We use a helpdesk application to log and manage these issues. For this process to work effectively we will collect some of your personal information.
Purpose and lawful basis for processing
The reason that we collect your personal information is to best facilitate our helpdesk service.
We can do this because we have assessed that we have a legitimate interest to do so and the GPDR allows this under Article 6(1)(f) of the GDPR.
What we do with the information
The information that we collect will be used to identify you and the contribution that you have made to resolving the issue.
The information we collect
We will collect your name and contact details, the company you work for, and the written communications (or notes taken about verbal communication) you have with us.
Special category information
We don’t anticipate any special category information will be captured in this process.
Who we share your personal information with
Typically, this information is only used internally. However, if we need to share your personal information with another external stakeholder, we will always seek your consent first.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data processors are used.
We operate a web application which has a real-time view of some of the vessel movements in and around the harbour. For you to have access to this we need to set you up with a password protected account which we will require some of your personal information.
Purpose and lawful basis for processing
The reason that we collect your personal information is to best facilitate this service. Without this information you will not be able to use the application.
We can do this because we have assessed that we have a legitimate interest to do so and the GPDR allows this under Article 6(1)(f) of the GDPR.
What we do with the information
Your personal information is used to create an account and enable us to communicate with you about this application.
The information we collect
We will collect your name and contact details and your company name. We will also issue you with a username and ask you to create a password – as these relate to you, they also become your personal information.
Special category information
We don’t anticipate any special category information will be captured in this process.
Who we share your personal information with
We will never share your personal information with any other parties.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data processors are used.
Through our remit to maintain safety of navigation within our jurisdiction, from time to time there are incidents that require an emergency response. Some of these incidents may be serious and potentially involve fatalities.
Purpose and lawful basis for processing
When an incident occurs, we will collect as much information relating to the incident as we possibly can as it may help initially save lives, speed up any resolution, and aid any subsequent investigation.
Where saving life is concerned, we will be relying on Article 6(1)(d) of the GDPR which is there to protect your vital interests.
For anything else, we will be using Article 6(1)(e) of the GDPR which relates to carrying out a task in the public interest.
What we do with the information
The information we capture relating to an incident is initially used to resolve the incident as safely and swiftly as possible. We will then use the captured information to investigate the incident.
The information we collect
The information that we collect will obviously depend very much on what sort of incident it is. We may capture your name and contact details, your recollection of the incident, your role in the incident, and other people’s views about you or your actions. In rare examples we may even collect dietary requirements from you if we need to provide food and drinks.
Special category information
In rare cases we may collect special category information. If this information needs to be shared in order to save lives, and you are not able to give explicit consent, then Article 9(2)(c) shall apply in order to protect your vital interest or those of others. For anything else Article 9(2)(f) will apply as we will be establishing evidence for a potential legal claim.
Who we share your personal information with
In the event of an incident there are numerous third parties that we will share information with. These could be emergency services, investigators such as the Police, Marine Coastguard, MAIB or HSE, other stakeholders involved in the incident, or insurance investigators.
We will only share your personal information where there is a legitimate and lawful reason to do so. We take all reasonable steps to anonymise your personal information before we share it, where it will not jeopardise or impede any investigation. If we do have to share your personal information, the third party that it is passed to become the Controller of your information.
The data processors we use
Apart from the cloud service providers mentioned in Section 5 – Sharing your personal information, no data processors are used.