This privacy notice explains how and why the Advisory, Conciliation and Arbitration Service (Acas) processes your personal data under the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
It tells you what Acas may do with your personal information when you contact us or use one of our services.
If you have a query about this privacy notice, please contact our data protection officer by emailing dataprotection@acas.org.uk
Most of the personal information we process is provided to us directly by you when you:
- make a complaint or enquiry
- make an information request (under the Freedom of Information Act, the Environmental Information Regulations or the Data Protection Act)
- book or attend an event
- subscribe to email updates
- apply for a job with us
How we use your personal data
What we collect about you and how we do this depends on:
- what Acas services you use
- how much personal data we need to provide these services
1. Acas helpline
If you call our helpline, the number you use to call will be automatically recorded and kept by us for up to 18 months. After this it will be deleted from our helpline database.
We keep your phone number for this period to help us distinguish your call from others. This means we can monitor how many helpline calls we get and what they're about.
Your call to our helpline may be recorded and used:
- for training purposes – you'll be told this by automated voice message before you speak to a helpline adviser
- by Acas staff to check that our wider services meet our customers' needs – the recording will be anonymised so staff will not know who made the call
We keep recordings for 35 days, after which they're deleted.
You may ask for more information to be sent to you or for your call to be referred to another part of Acas, for example to our conciliators. If so, the helpline may pass on relevant personal details about you to other Acas staff who will deal with your case. These details include your name, contact details, and details about your workplace.
2. Conciliation services
If you choose to use Acas's early conciliation or conciliation services – either as a 'claimant' (someone making a claim) or as a 'respondent' (someone responding to a claim) – we'll collect and use personal data to provide this service to you. This is required under the Trade Union and Labour Relations (Consolidation) Act 1992.
This personal data will include your:
- name
- address
- workplace details
Acas may also collect and use other personal data we need for your case, including sensitive personal data. For example, your medical information, National Insurance number, trade union membership, racial or ethnic origin.
Acas uses this personal data to:
- contact claimants and respondents
- conciliate in cases as part of its legal duty to help resolve employment disputes
- validate your identity
Calls about conciliation services are not recorded – conciliation cases are confidential. Occasionally, an Acas conciliation manager may listen to a call to help them train our staff and to monitor call quality.
Your personal data may also be used by Acas staff and external organisations that it employs for checking that our service meets customer needs.
Information you give during your conciliation case is protected by 'legal privilege'. This means we will not share anything you say in conciliation with the other side in the dispute, unless you give us your clear permission to do so.
How long we keep your data
After a case is closed, we usually keep conciliation personal data for 9 months. It is then securely destroyed.
Occasionally, we store personal data on a case for longer than 9 months after closure. For example, we may need to investigate a complaint.
We only hold your personal data for as long as is necessary before it is securely destroyed.
To make sure conciliation cases are confidential, calls relating to conciliation services are not recorded.
3. Training services
When you book or arrange a training course, workshop or project offered by Acas trainers, we collect and use personal data to provide this service to you.
In order to process your request when you make a booking we collect your:
- name
- address
- telephone number
- email address
- workplace details
You may also tell us about any special needs you have, such as dietary requirements if food is needed for a training course.
Where Acas charges for its training services, we can keep personal data collected for this purpose for up to 7 years.
Creating an online training account
If you create an online Acas training (elearning) account to book training, any personal details we collect using this will be stored for as long as you keep your account. This is so you can see your training history.
Acas may use this personal data:
- for marketing
- to check our services meet our users' needs
- to tell you about changes to our services
If you do not use your account for 3 years, your account and any elearning records will be deleted. Any linked accounts will not be deleted, for example any Acas training account used to book training.
If you wish to delete any other account held by us, follow our guidance below on 'your rights under data protection law'.
4. Acas website
When you visit our website, we collect:
- questions, queries or feedback you leave, and your email address if you contact us
- your name, email address, phone number and workplace details if you sign up to our email updates or fill in our customer enquiry form
If you consent to cookies on our website, we also collect the following data using Google Analytics and Microsoft Clarity:
- data about how you use our website, for example which pages you view, how much time you spend on them, which links you click on and what you search for
- information about your computer, including your device type, browser type and screen size
- geographic location
- the language used to display our website
- the website you came from, if you clicked on a link on a different website to get to our website
We collect this data to help:
- understand how people interact with our website
- improve our website and services
- make sure we're meeting the needs of our users
Find out about cookies we use and how to change your cookie settings
If you leave the Acas website
The Acas website contains links to other websites.
These websites are not covered by this privacy notice and Acas is not responsible for how they manage privacy.
5. Use of personal data for internal Acas research
We may use personal data we collect as part of the services we offer, to carry out research and evaluation, the findings from which are used to help monitor and develop our services, as part of Acas’s general duty to promote the improvement of industrial relations. Some of our research is undertaken by a contractor acting on our behalf. Where this is the case, we may pass some of your personal information, such as your name, email address (or reason for contacting Acas) to our contractor so they can contact you to invite you to participate in the research.
When conducting research, we adhere to legal requirements (for example, those in UK GDPR).
Contractors commissioned to conduct research on our behalf are also required to comply fully with the requirements of GDPR. All Acas research contractors are required to sign a confidentiality agreement for each research project, which makes their unlawful disclosure of information a criminal offence.
We limit the information passed to research contractors to include only what is necessary and relevant to the research. This information can only be used for the purposes of the research project and is erased by the contractor once the research project has concluded.
Information you provide when you participate in Acas's research projects is used for research purposes only, and unless you agree otherwise, the information you provide will be confidential. Any personal data that is used or collected as part of the research will only be kept as long as is necessary for the research.
Participation in Acas research is entirely voluntary, and you can withdraw at any point. This will not affect your ability to use Acas services, either now or in the future.
Where information held by us is used to invite you to participate in our research, you will usually receive a communication in advance informing you that the research is taking place. This will provide details of who to contact if you do not wish to participate or wish to withdraw from the research later.
6. Social media
To understand how your personal data is processed when using Acas's social media channels, you can view privacy policies for:
7. User research
Acas carries out user research to improve our products and services. We need information about you when inviting you to take part in user research to ensure that:
- you meet the criteria for the piece of research
- we are including a wide range of people
Information we collect
If you agree to be a participant, personal data we collect will include your:
- name
- email address
- phone number
We might collect other data from you, with your permission, based on the topic being researched. For example, if we're researching content, we might want to know whether you have used the content before or have experienced a situation that it covers.
We might use Consent Kit to help us collect, manage and store your information, including your consent to take part in user research. Consent Kit is an online tool that complies with UK GDPR and gives you control over how we use your information. We will ask you for consent for special category information if it is required for research.
We sometimes work with other organisations to carry out research, such as agencies. These organisations help us recruit people to take part in research. If we do this, these organisations might also collect additional data for which they are the data controller, and their privacy policy will also apply.
During the research session
It is important that we have an accurate record of what happened and what was said during the session.
This is because we analyse this information and use it to decide what we should do next. In most cases, we collect personal data during the research session in the form of:
- audio recordings
- video recordings
- screen recordings
- written notes or transcripts
We will ask you to fill in a separate consent form before the session so that you can decide on the level of consent you are comfortable with. We might use Consent Kit to collect and store your consent.
Collecting and analysing
We might use survey tools and online collaboration tools, including Microsoft Teams, Lookback and Miro, to collect and store your information. Their privacy policies will also apply.
If we do use these tools, we will monitor and limit the access that people outside Acas have to your data.
Reporting the results
We will make sure you cannot be identified from your data when:
- using your comments or actions in reports or presentations
- sharing with third parties
Each research participant will be assigned a number, and any names or other personal and identifiable data will not be used.
Only Acas employees or relevant third-party contractors, working on the project, will have access to the full original recordings.
How long we keep your data
We will hold your personal data for a maximum of 2 years. This includes the data from research sessions and a record of your consent.
If you withdraw consent at any time, we will delete all personal data we hold about you. We might retain reports that contain your anonymised quotes.
For participants who work at Acas, we will delete all personal data after analysis and hold it for no longer than 6 months.
If you have questions about user research that you've been invited to participate in, email userresearch@acas.org.uk
Confidentiality, storage and security of personal data
We're committed to the confidentiality and privacy of our users. Any personal information you give us will be held securely. It will not be sold or traded to another organisation or company.
We may sometimes need to share information with government departments, the emergency services, law enforcement agencies, and public authorities (such as the Employment Tribunals Service).
If we share personal data with an external company or service we employ as part of our work, we make sure:
- it will be held securely
- they'll only use it to provide the services or information you've asked for
How we protect your data
We protect the information you give us using physical, electronic and management procedures on use of personal data. Industry-standard secure sockets layer (SSL) encryption is used on web pages where we collect personal information electronically.
We manage risks around use of personal data using the '10 Steps to Cyber Security' framework, managed by The National Cyber Security Centre (a part of the government). Security of our information technology (IT) systems are evaluated using the UK government's Security Policy Framework.
Customer, claimant and respondent data is held in a government secure data centre in the UK. Back-up services are also provided in a separate government secure data centre in the UK.
Legal basis for processing your personal data
Under data protection law, we must have a legal basis to collect, store and use your personal data. If we also use sensitive personal data, we need a second legal basis.
The legal basis for processing most of the personal data we use is that it's necessary:
- to perform a task in the public interest
- in the exercise of our legal duties
-
when you have given consent
-
when we make a contract with you
-
to protect your (or someone else's) interests
-
to protect our legitimate corporate interests (to develop our products or services and grow our business)
Your rights under data protection law
You may have a right to request:
- a copy of the information that Acas holds about you ('subject access request' (SAR) in the UK GDPR)
- that anything inaccurate in your personal data is corrected ('rectification' in the UK GDPR)
- that we remove your personal data ('right to erasure' in the UK GDPR)
- that we use your personal data only in specific circumstances ('restriction' in the UK GDPR)
- that we stop processing your personal data ('object' in the UK GDPR)
- to get your personal data so you can reuse it across different services ('data portability' in the UK GDPR)
You may also have rights in relation to automated decision-making and profiling.
Make a request under data protection law
You can send a personal data request to dataprotection@acas.org.uk
Alternately, you can write to us at:
The Data Protection Officer
Knowledge and Information Management team
Acas
14 Westfield Avenue
Stratford
London
E20 1HZ
If you're not happy with how Acas has dealt with your request
If you feel there's a problem with your request to Acas you have the right to complain to the Information Commissioner's Office (ICO), the UK's authority on data protection.
You can:
- make a complaint on the ICO website
- call ICO on 0303 123 1113
Data transfers
If we process your personal information on servers or use third-party service providers outside the European Economic Area (EEA), we'll try to ensure your personal information gets the same level of protection as in the EEA.
Changes to this privacy notice
We regularly review this page so you're always aware of:
- what information we collect
- how we use it
- what circumstances, if any, we will share it with other parties
If this privacy notice changes, we'll update this page.