Privacy Policy

Introduction

Acumen Safety (“the Company”, “we”, “our”, “us”) is committed to protecting the privacy, rights,
and freedoms of all individuals whose personal data we process. We comply with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Data Security Standards

This policy applies to all personal data processed when providing

Scope

This policy applies to all staff, associates, contractors, freelancers, temporary workers, and any
individual handling personal data on behalf of Acumen Safety.
It covers personal data relating to:

  • Clients and their staff
  • Training delegates
  • Supplier and contractor employees
  • Individuals whose data appears within documents we audit or receive
  • Freelancers, contractors and associates
  • Members of the public who contact us
  • Website users

It applies to data processed in electronic or paper form and data stored on third-party systems.

Definitions

  • Personal Data: Information identifying or relating to a living individual.
  • Special Category Data: Sensitive data including health, disability, and biometric data.
  • Criminal Offence Data: Data relating to criminal convictions or allegations (Article 10 DPA 2018).
  • Processing: Any operation performed on data.
  • Controller: Determines purposes and means of processing (Acumen Safety).
  • Processor: Processes data on the controller’s behalf.

Roles and Responsibilities

Data Controller
Acumen Safety

Data Protection Lead (DPL)
Olly Galvin

Responsibilities

  • Ensuring compliance with UK GDPR
  • Maintaining Records of Processing Activities (ROPA)
  • Responding to data subject rights requests
  • Managing data breaches and ICO reporting
  • Ensuring contractors and associates follow this policy

All personnel must comply with this policy.

Data Protection Principles

Acumen Safety processes personal data in accordance with the UK GDPR Article 5 principles. Data
must be:

  • Lawful, fair and transparent
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and up to date
  • Kept no longer than necessary
  • Processed securely

Categories of Personal Data We Process

We process personal data for clients, delegates, supplier staff, contractor employees, and other third
parties whose information is provided to us as part of safety, training or auditing activities.

Contact & Identity Information

  • Names
  • Addresses
  • Email addresses
  • Phone numbers
  • Job titles / occupation
  • Pronoun preferences
  • Gender
  • Date of birth
  • Identification documents (passport, driving licence)
  • Right-to-work documents
  • Account/registration information

Financial & Transactional Information

  • Payment details (bank/card information)
  • Transaction records
  • Purchase/service history

Professional & Operational Data

  • Attendance and training records
  • Competency certificates (e.g., IPAF, PASMA, first aid)
  • Supplier/contractor personnel information
  • Records of meetings and decisions
  • Compliments/complaints
  • Correspondence (email, SMS, WhatsApp)
  • Insurance details where persons are named

Technical & Website Data

  • IP addresses
  • Browsing and device information
  • Operating system, browser and device identifiers
  • Usage data and user journey analytics
  • Security and authentication logs

Special Category Data

  • Health information
  • Disability and accessibility information
  • Medical conditions relevant to course attendance
  • Accident/incident information
  • Safeguarding information

Criminal Offence Data

  • DBS check results
  • Driving or criminal conviction data where relevant to roles
  • Safeguarding-related information

Processed under Article 10 DPA 2018 and Schedule 1 conditions (employment, safeguarding,
regulatory requirements).

Third-Party Supplier and Contractor Data

We process personal data contained within:

  • Supplier RAMS, SSOW and risk assessments
  • Structural engineering documents
  • SIA rota lists and badge numbers
  • Food safety documentation
  • Insurance certificates
  • Water safety plans
  • Contractor competency files

This data relates to individuals who are not our direct clients, but we require it to assess compliance
and ensure event safety.

Sources of Personal Data

We obtain data from:

  • Individuals directly
  • Employers commissioning our services
  • Suppliers and service providers
  • Contractor documentation
  • Website forms and analytics
  • Email, phone, SMS, WhatsApp communications
  • Attendance and registration forms

Lawful Bases for Processing

We rely on the following lawful bases:

Contract
For delivering safety consultancy, training, certification, and auditing services.

Legal Obligation
To comply with:

  • Health and Safety at Work Act
  • CDM Regulations 2015
  • Licensing and regulatory requirements
  • HMRC legislation
  • Safeguarding obligations

Legitimate Interests

Including:

  • Reviewing supplier documentation for event compliance
  • Ensuring event safety
  • Preventing fraud
  • Maintaining accurate records
  • Marketing to existing clients (PECR soft opt-in)

A Legitimate Interests Assessment (LIA) is performed where required.

Consent

Used for:

  • Email marketing/newsletter sign-ups
  • Collection of accessibility/medical information
  • Certain training data

Consent can be withdrawn at any time.

Vital Interests

Used for emergency contact/health information where necessary.

Criminal Offence & Safeguarding Data

Processed under:

  • Article 10 DPA 2018
  • Schedule 1 (employment, safeguarding, regulatory requirements)

How We Use Personal Data

We use personal data for:

  • Delivering safety consultancy services
  • Producing ESMPs, RAMS, inspection reports
  • Assessing supplier competence and compliance
  • Training course administration and certification
  • Account and financial management
  • Incident or claim investigation
  • Website optimisation
  • Responding to complaints, queries or claims
  • Marketing (consent or legitimate interest)

We do not use personal data for profiling or automated decision-making.

Sharing Personal Data

We may share data with:

Approved Processors

  • Google Workspace
  • Dropbox
  • QuickBooks
  • Mailerlite
  • 360Learning
  • Outsourced accountant/payroll provider

Regulatory and Legal Bodies

  • Local authorities
  • Emergency services
  • Courts
  • Other organisations where legally required

We never sell personal data.

International Transfers

Some processors store data outside the UK/EU.
We ensure adequate protection through:

  • UK adequacy regulations
  • ICO-approved IDTAs
  • Standard Contractual Clauses (SCCs)

Data Security

Technical Measures

  • Encrypted cloud storage
  • Multi-factor authentication
  • Strong password controls
  • Secure devices and antivirus protection
  • Automatic updates and patching
  • Access control restrictions
  • Encrypted email where appropriate
  • Staff and contractor training
  • Confidentiality agreements
  • Role-based access control
  • Data minimisation
  • Clear desk and screen practices

Data Retention

Personal data is retained only as long as required:

Data Type                              Retention
ESMPs, RAMS, compliance documents      6 years
Supplier/contractor information        6 years
Training records and certificates      6 years
Incident/accident reports              3–6 years (depending on claim requirements)
Health/accessibility information       Deleted after course unless required for certification
Right-to-work documents                2 years after engagement
DBS information                        6 months
Financial data                         6 years (HMRC)
Website analytics                      26 months
Dropbox storage                        3 years
Safeguarding information               As required by law

Data Subject Rights

Individuals have rights under UK GDPR:

  • Right to be informed
  • Right of access (SAR)
  • Right to rectification
  • Right to erasure
  • Right to restriction
  • Right to object
  • Right to portability
  • Right to withdraw consent

Requests should be sent to hello@acumensafety.co.uk.
We respond within one month.

Individuals whose data appears in supplier documentation or contractor files retain full GDPR rights.

Data Breach Procedure

Examples of Breaches

  • Sending documents to the wrong recipient
  • Loss or theft of a device
  • Unauthorised access to Dropbox or Google Workspace
  • Ransomware or malware attack
  • Accidental deletion or alteration

Immediate Response

  • Report to the Data Protection Lead
  • Contain the breach
  • Assess risks and categories of data affected
  • Document all findings

ICO Notification

If a breach risks individual rights, the ICO will be notified within 72 hours.

Notification of Individuals

Where high risk is identified, affected individuals will be contacted promptly.

Record Keeping

All incidents are recorded in the Data Breach Register.

Complaints

Complaints should be directed to:
hello@acumensafety.co.uk

If unresolved, individuals may contact the ICO:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
0303 123 1113
https://www.ico.org.uk/make-a-complaint

Review

This policy is reviewed annually or earlier if:

  • Legislation changes
  • Our processing activities change
  • A breach or audit indicates a need for revision