Who we are

Our registered companies are: Baker Lomax and Shackley Limited, Baker Lomax Services Limited and Stay Compliant Limited.

All companies are registered to: Airedale Enterprise Services, Sunderland Street, Worth Way, Keighley BD21 5LE

This notice applies to all the above-named companies.

For the purposes of data protection and privacy legislation, the data controller is Baker Lomax and Shackley Limited, registered at the above address.

Our commitments to you

To enable us to undertake our business objectives we collect and use personal data about individuals. We recognise the trust placed in us by individuals whose data we are entrusted with. This policy (together with any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, or that we obtain about you will be processed by us. We are committed to ensuring that we do so in a manner that is both lawful and respects your privacy.

Please read the following carefully to understand our approach and practices regarding your personal data and how we will treat it. We take any complaints we receive very seriously. If you think our collection or use of your personal data is unfair, misleading or inappropriate, please bring it to our attention and we will be happy to provide any additional data or explanations needed. We also welcome suggestions for improving our procedures.

You can also contact the Data Commissioner’s Office at ICO, www.ico.org.uk or write to ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or telephone 0303 123 1113 for advice or to make a complaint.

Your Privacy Rights

You have the right to be informed about how and why we process your personal data although those rights will not apply in all circumstances that we collect your data or to all the data that we hold about you. For example, we may need to continue to hold and process personal data to establish, exercise or defend our legal rights.

Some of the rights may not be enforceable until the General Data Protection Regulation comes into force on 25 May 2018. We will tell you if this is the case when you contact us.

You have the right to be informed about how we use the data you provide, and we will try to be as transparent as possible in our interactions with you. Any time you give us personal data you have a right to be informed about why we need it and how we will use it. You can find most of the information you need in this Privacy Notice.

You can also find out more information about your privacy rights on the Information Commissioner’s Office website: www.ico.org.uk

If you have any questions, please contact us:

By post to Baker Lomax Services, Airedale Enterprise Services, Sunderland Street, Worth Way, Keighley BD21 5LE

By email at info@bls-ltd.co.uk

Through our website bls-ltd.co.uk

You have the right to access your personal data

You can request a copy of data we hold about you at any time.

You may choose to exercise your right of access through any of our contact methods, but we will ask you to provide documented evidence of your identity before we process your request. We may also contact you to clarify your request or to ensure we have all the data we need to fully meet your request.

Data Protection legislation requires us to respond to your request within 30 calendar days of verifying your identity (or within 3 months for more complex cases). You’ll receive a full response as soon as we can reasonably provide one and we aim to resolve all subject access requests within 30 calendar days from confirming your identity. In more complex cases where we cannot provide a full substantive response within that time frame, we will write to you within 30 calendar days to explain why an extension is needed.

We don’t charge for subject access requests.

You have the right to ask us to correct inaccurate personal data we hold about you

If you believe data we hold about you to be inaccurate or incomplete, you can ask us to correct it or complete it at any time, through any of our contact methods.  Wherever possible, we will correct inaccurate or incomplete data immediately.

In more complex cases we will take reasonable steps to confirm the accuracy of the data we hold. Whilst we investigate the accuracy of the data, we will restrict the processing of the data in question.

We will let you know the outcome of our investigation as soon as we can. Any data we can verify as inaccurate will be corrected within one month of receiving your request.

You have the right to ask us to delete your personal data

In some circumstances you have the right to ask us to delete data we hold about you.  For example, if we have asked for your consent to process your data, and you subsequently withdraw that consent.

We will respond to your request as soon as we can, and we will act on any requests granted within one month of your request.

Please note that we cannot delete any personal data where we have a specific legal or regulatory obligation to retain it. For example, this applies to outstanding debts and some HMRC requirements. In certain cases, we will be unable to delete your information if there are statutory grounds to retain it (i.e. legal requirements). If your request for deletion is refused, we will explain the reasons for refusal.

You have the right to ask us to restrict the use of your personal data

In some instances, you have the right to ask us to restrict the use of your personal data (for example if you’ve challenged the accuracy of the data we hold or have objected to our processing). We will restrict our use of your data whilst we investigate your objection or request to correct your data.

We will respond to your request as soon as we can. If your objection is unsuccessful, we will only continue processing once we’ve let you know the outcome of the investigation.

Data related to these requests will not be automatically deleted unless you expressly ask us to.

You have the right to data portability

If you have given us your consent to process your data, and we use automated procedures, you have the right to move, transfer or copy that data to another system for your own purposes.  We do not make use of any automated processes. If we decide to use such procedures in the future, we will update this Privacy notice and you may make a request for the appropriate data to be moved under your direction.

You have the right to ask us not to process your personal data.

We process most of the personal data we collect under the lawful basis of ‘legitimate interest’. You have the right to object to our processing your personal data under this basis.

We will respond to your objection as soon as we can. In some cases, such as fraud prevention or network and information systems security, your objection may not be sufficient to override our Legitimate Interests. Where we believe there is a compelling reason to continue the processing, we will explain why we think this is.

We will action any requests to stop any direct marketing to you as soon as we receive your objection.

You can object to us using your data at any time through any of our contact methods:

By post to Baker Lomax Services, Airedale Enterprise Services, Sunderland Street, Worth Way, Keighley BD21 5LE

By email at info@bls-ltd.co.uk

Through our website bls-ltd.co.uk

Lawful basis for processing

We must have a lawful basis for processing your information; this will vary depending on the circumstances of why we process and how we use your information, but typical examples include:

  • the activities are within our legitimate interests as a registered business that provides consultancy and training services,
  • the processing is necessary for compliance with a legal obligation to which we are subject e.g. we must provide certain contact information and other details about our services to HMRC or other such government organisations,
  • the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract,
  • you have given consent for us to process the information e.g. in relation to specific marketing or communication activities.

If we process any special categories of information i.e. information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, processing of genetic or biometric data for uniquely identifying individuals, health data, or data concerning your sex life or sexual orientation, we must have a further lawful basis for the processing.

This may include:

  • you give us your explicit consent to do so
  • the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
  • the processing is necessary for: reasons of substantial public interest, for the purposes of preventive or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services based on legislation or pursuant to contract with a health professional and subject to the conditions and safeguards.

What information do we collect?

It is important to us that we inform you about the information we collect and why we collect it.  The information we collect and the reason for collecting it are different for different groups of individuals.

Information can be classed as ‘regular’ such as your name and address or ‘sensitive’ such as details about your health.  The list below provides an overview of the types of information we collect and why.

We process information as follows:

  • your name, address and contact details, including telephone number and email address, and designations, roles or positions in your organisation;
  • the terms and conditions of our agreement with you or where you have expressed interest in our services;
  • details of your organisation's bank account;
  • information about your preferred business contact (for example via another colleague)
  • details of your attendance at our training events
  • your feedback and comments about our training events
  • to provide a duty of care and arrange accessibility during training events, we request information about any medical, health or dietary conditions, including if you have a disability for which we need to make reasonable adjustments.
  • This may be by you completing forms on our websites (see above) or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you complete the membership application form on our websites, when you change/update your personal details, contact preferences etc. and when you report a problem with our sites.

    To provide our services to you, we need to collect, process and store data about you that may be personal or sensitive in nature.  We use your data to administer, support, improve and develop our business generally, to provide statistical data to meet our regulatory requirements and to enforce our legal rights.  If we intend to use your data for a different purpose, we will do so in compliance with Data Protection legislation, wherever possible, by notifying you in advance.

    We only use your data for the specific purpose(s) for which it has been provided or collected.

    We collect and process various personal data from you and about you.  In most cases, the data we collect about you is provided by you directly. This is one of the ways we can ensure the data we collect is as accurate and up to date as possible. We will usually do this when you first contact us, and we may ask you to confirm your details on subsequent contacts from time to time.

    The type of data collected from you and obtained about you will vary depending on your relationship with us, the service you are requesting and your chosen method of contacting us.  However, in almost all cases we are likely to ask you to provide:

    1. Details to verify your identity and help us prevent fraud;
    2. Business contact details (including phone number, e-mail address or social media labels) – to contact you about your account, update you about the services you’ve requested or received from us, or contact you with other data related to our business;
    3. Financial data (including method of payment and bank account details) – to allow us to bill you for the services you receive from us and to manage your payment arrangements.

    We may ask you for documented evidence of the above and will retain digital copies for validation and audit purposes.

    We will only collect sensitive personal data about you with your explicit consent, and for a specified purpose which will be explained to you at the time.

    If you contact us by phone we may retain a written record of the conversation.

    If you contact us by post or e-mail we will retain a record of the contact.

    If you use our website, we will retain a record of the contact and we may collect additional data about you to provide a better digital service and website functionality.

    More detailed data on what we collect in different circumstances and how it will be used is set out below.

    Data we collect or obtain from others about you

    We prefer to collect data directly from you, so we can ensure it’s as up to date and as accurate as possible. However, we also collect data about you from other sources.

    We may receive data collected by our business associates or partners or sub-contractors relating to services they are delivering to you on our behalf, or to respond to a query or complaint that you have made.

    Profiling and automated decision making

    We do not carry out any profiling or automated decision making concerning your personal data that we hold.

    What to expect when you contact us

    If you contact us by phone or in writing (including e-mail, social media or via our websites) we may record, monitor or retain copies of your correspondence. This is to allow us to:

    • assist our response to any queries you may have;
    • ensure we continue to offer you the best possible service;
    • maintain standards and help to develop our staff;
    • validate our compliance with regulatory obligations; and
    • keep our records up to date so that we can offer you the most suitable consultancy and training services, including marketing and promoting our business where appropriate consent has been given.

    We also retain this data for several reasons, including our statutory responsibilities under legislation and to prevent fraud.

    Contacting us by telephone

    When you contact us by telephone, your telephone number may be added to our client management database so that we can contact you in future to maintain and update our records. Where appropriate we will use telephone number(s) recorded on our client management database to contact you to discuss our services or your contract etc.

    We may also use a telephone number listed on our client management database to call or text you regarding the services you require.

    Contacting us by post

    Some post/mail received by us is scanned on to our systems and we will store letters or documents and attachments on our client management database.

    Emailing us

    If you email us, we will respond to you using the email address you gave us. We may add your email address to our client management database and it may be used for future communications.

    Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with our business policies. Emails are stored, archived and deleted in line with our data security and data retention policies.

    Contacting us via social media

    We strongly advise you not to post your personal contact or other sensitive data on our public social media site. If you contact us using social media to report an issue, we will ask you to contact us by other means to gather any appropriate information. We will suggest an alternative contact method if we think this is more appropriate.

    Making a complaint

    If you make a complaint to us, we will follow our own internal complaints process. We may need to share details about your complaint internally to fully investigate.

    If the complaint relates to a service provided by a third party, we will share data with them to resolve your complaint.  If a complainant doesn’t want data identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

    We will only use the personal data we collect to process the complaint and to check on the level of service we provide.

    We will retain complaints in line with our data retention policy. This means that data relating to a complaint will be retained for seven years from closure.

    Visiting our website

    Each time you visit our website we will automatically collect the following data:

    • Technical data – This includes the Internet Protocol address (IP address) used to connect your device to the Internet, your login data, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
    • Location data – When using one of our location-enabled services on our website, we may collect and process data about your actual location. If you wish to use the feature, you’ll be asked to consent to your data being used for this purpose. You can withdraw your consent at any time either by modifying the location settings of your web browser or the location awareness permissions of your mobile device.
    • Session data – data about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction data (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our client service number.

    We use data gathered through cookies and similar technologies to measure and analyse data on visits to our websites, to tailor the websites to make them better for clients and site visitors and to improve technical performance (see below for more data). We don’t use the data to identify you personally or to make any decisions about you.

    Third-party links

    Our website may also contain links to and from other websites including our partners or other Information Governance advisors.

    If you follow a link to any of these websites, please note that we do not have control over these websites or their content. These websites have their own privacy policies and we cannot accept any responsibility or liability for these. We recommend that you review the website terms and conditions that are applicable to the third-party website.

    Data about cookies we use

    We use cookies to make our websites more efficient, as well as to collect data. We may obtain data about your general internet usage by using a cookie file which is stored on your browser, your mobile device or the hard drive of your computer. Cookies contain data that is transferred to your computer’s hard drive. They help us to improve our systems site and to deliver a better and more personalised service. Some of the cookies we use are essential for the site to operate.

    The services contained in this section enable the Owner to monitor and analyse web traffic and can be used to keep track of User behaviour.

    • Google Analytics – https://analytics.google.com/analytics/web
    • Google Analytics is used to understand how the website is being used, whereupon changes can be made to improve the User experience.

      Data is gathered about how the User progresses via their IP address.

      The Data Controller ensures that the IP Anonymization is Enabled and the specific location of the User is not identifiable.

      The Data collected by Google Analytics will only be used by the Data Controller for the benefit of the Website and not shared with any 3rd parties.

      The Data is stored with Google Analytics for 26 months which enables the Data Controller to analyse over annual trends.

    Contact form

    By filling in the contact form with their Data, the User authorises this Application to use these details to reply to requests for information, quotes or any other kind of request as indicated by the form’s header.

    Personal Data collected: email address, first name, last name and phone number.

    • Gravity Forms – https://www.gravityforms.com
    • Gravity Forms is used to compose the online forms which are found in ‘Contact Us’ and ‘Subscribe to Newsletter’ pages within the Website.

      Your data is not processed until the mandatory fields of the form are completed and the form submitted.

      Your data is emailed directly to the Data Controller and processed via their email protocols.

      Your data is then completely deleted from the Website’s Database within 24 hours.

      In circumstances where the purpose of the form is for ‘Subscription to a Newsletter’, the data gathered is forwarded to Mailchimp https://mailchimp.com

    • Mailchimp – https://mailchimp.com
    • Mailchimp is a cloud-based software used to organise and control subscription lists. This enables the Data Controller to email all the subscribers to a newsletter.

      The Data Controller abides by a Double Opt-in procedure regarding your data, i.e. once the User’s Data from the Website form is sent to Mailchimp, a secondary email is sent to the User from Mailchimp which requests further confirmation before the Data can be added to the Mailchimp Subscription List.

      It is only the Data Controller which has access to the Mailchimp account associated to the Website.

      Updating or deleting the User’s Data. This can be done either by clicking the links at the foot of the Newsletter emails or by contacting the Data Controller.

    Using your data to provide our services

    Most of the data we collect from you or about you is to help us to improve and manage our services to you and to make business management decisions according to your needs or the services we provide. We will use this data to invoice you for the services or to update you on your training event or contract.

    Falling into arrears or failure to pay your bill

    If you fail to pay your invoice as required under the terms and conditions of our agreement, or fall into arrears, the data that we hold about you may be used to recover arrears in line with our regulatory obligations. In doing so, we may use third party debt collection / management companies and credit reference agencies to assist us. This will involve sharing your data with them.

    Data we share with others

    In most circumstances we will not disclose your personal data without your consent. However, there are circumstances where we need to share some of your data to meet our regulatory obligations or where we are permitted to under Data Protection legislation.

    The obligations that we have to our Regulators

    We have legal obligations to share data with our regulators and other third parties identified in law. We may disclose your personal data to third parties if we are under a duty to disclose or share your personal data to comply with any legal obligation. We do not require your consent to process your data in this way.

    Where necessary we will be required to supply personal data to HMRC, the Department for Work and Pensions (DWP), the police, fraud agencies or UK Visas and Immigration. Under Data Protection legislation we are permitted to share this data with them without your consent and we are not required to notify you that this has taken place. We will always fulfil our duty to support the prevention and detection of crime by statutory agencies.

    Agreements we have with other organisations for sharing data

    We share your payment data (bank account; sort code; direct debit mandates etc) with some banking institutions to process your payments.

    Trusted Partners we use who may have access to your data

    We use trusted partners to help us process your personal data and provide services to you. For example, we contract Worldpay, a global leader in card payments processing technology and solutions, to enable clients to book our training events.

    They operate reliable and secure proprietary technology platforms that enable us to accept payments across multiple channels.

    All our data processors have a binding contract with us that restricts their access to and handling of your personal data to only what is necessary in performance of their contract.

    From time to time we may require legal assistance and may need to share your personal data with our legal advisers or our insurance company or other professional advisors to obtain advice or make a claim.

    How we store your data and how we keep it secure

    All client personal data is stored on our systems on secure servers. We operate a suite of IT and security policies to ensure your data is kept secure, including appropriate access and auditing controls. 

    We use anti-virus software and firewalls to protect against cyber-attack. Regrettably, the transmission of data via the internet is not entirely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of data you send to us that is outside of our security arrangements; any transmission is at your own risk.

    We also operate strict physical security at all our sites and employees all receive security and data protection awareness training.

    You may store your personal data on your local device, such as your computer or mobile phone to assist you in your repeated use of our services. We have no control over inappropriate access to this data. You can delete this data at any time using the facilities of your Internet browser or mobile device.

    Where we transfer data to third parties to enable them to process it on our behalf (see the data about Trusted Partners above), we ensure that the providers meet or exceed the relevant legal or regulatory requirements for transferring data to them and keeping it secure.

    Storing or transferring your data outside the European Economic Area (“EEA”)

    We do not transfer or store your personal data outside the EEA.

    How long we will retain your data

    We only retain your data for as long as we need it. We will retain certain data (e.g. contact data and bank details) for as long as you have a relationship with us. Our data retention policy is our guide to keeping your personal data, but the length of time depends on the purpose of the processing.

    Generally, we retain:

    • client correspondence, complaints, invoices and tasking records for up to seven years;
    • general enquiries for our services for up to three years;
    • data subject requests (e.g. subject access requests and objections) for up to two years;
    • social media posts (in third party systems) for up to six months, unless related to a complaint.

    After which time your personal data will be either deleted or anonymised.

    These retention periods may be extended in certain limited cases as prescribed or permitted by law – e.g. because of an incident or accident requiring investigation or to seek or defend a legal claim.

    If we sell or buy any other business or assets, or merge with another business or organisation or carry out internal corporate restructuring, your data may be disclosed to new or prospective business partners or owners or the new corporate entities.

    Changes to Our Privacy Notice

    We review this notice regularly as part of our internal processes or as our services, activities, or regulatory requirements change. It’s subject to change at any time, but the most up to date version is published on our bls-ltd.co.uk or staycompliant.training websites.

    Contacting us

    If you’d like to request further data about our privacy policy or exercise any of your rights, you can contact us:

    By post to Baker Lomax Services, Airedale Enterprise Services, Sunderland Street, Worth Way, Keighley BD21 5LE

    By email at info@bls-ltd.co.uk

    Through our website bls-ltd.co.uk

    Data Protection legislation means the Data Protection Act 1998 (as amended by the Data Protection Act 2018 (GDPR)), the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, the General Data Protection Regulation (from 25 May 2018) and all other applicable laws and regulations relating to processing of personal data and privacy in any applicable jurisdiction as amended and replaced, including where applicable the guidance and codes of practice issued by the UK Data Commissioner or such other relevant data protection authority.

    Privacy notice April 2018