Your privacy is important to us, and so is being transparent about how we collect, use, and share information about you. This policy is intended to help you understand:
- What information we collect about you
- How we use information we collect
- How we share information we collect
- How we store and secure information we collect
- How long we store data for
- How to access and control your information
- Other important privacy information
This Privacy Notice covers the information we collect about you when you use our products or services, or otherwise interact with us, unless a different policy is displayed. “One Utility Bill”, “we” and “us” refer to One Utility Bill Ltd and any of our corporate affiliates. We offer a wide range of products, including our One Utility Bill packages, Notify, Bills Inclusive and Fused Bills products. We refer to all of these products, together with our other services and websites, as “Services” in this policy.
This policy also explains your choices about how we use information about you. Your choices include how you can object to certain uses of information about you and how you can access and update certain information about you. If you do not agree with this Privacy Notice, do not access or use our Services or interact with any other aspect of our business.
Where we provide the Services under contract with an organisation (for example, your letting agent), that organisation controls the information processed by the Services.
Your information will be held by One Utility Bill Ltd.
1. Purpose, Scope, and Users
This policy sets the required retention periods for specified categories of personal data and sets out the minimum standards to be applied when destroying certain information within One Utility Bill (further: the “Company”).
This Policy applies to all business units, processes, and systems in all countries in which the Company conducts business and has dealings or other business relationships with third parties.
This Policy applies to all Company officers, directors, employees, agents, affiliates, contractors, consultants, advisors or service providers that may collect, process, or have access to data (including personal data and/or sensitive personal data). It is the responsibility of all of the above to familiarise themselves with this Policy and ensure adequate compliance with it.
This policy applies to all information used at the Company. Examples of documents include:
- Hard copy documents
- Soft copy documents
- Video and audio
- Data generated by physical access control systems
1.2. Other websites and services
Our Website contains links to other websites. This privacy notice only applies to this Website, so when you link to other websites you should review their own privacy policies.
We send information relating to your use of our web services to Google for the purposes of analytics and advertising. Please read how Google use that information here.
When you provide us with your personal contact information across any of our online services, you agree to be contacted by phone call, email, SMS, and WhatsApp. You can opt-out of marketing messages to these channels at any time on a per-channel basis by following the instructions outlined in the footer of our messages, by contacting our team, or by submitting a subject access request using this form.
Use of OpenAI Services: We use the services of OpenAI, LLC (“OpenAI”) to provide certain functionalities on our websites and web applications. OpenAI provides artificial intelligence and machine learning models that we employ to enhance our services, which may include language processing, content generation, and other AI-driven features.
Personal Information Processing: In order to deliver these functionalities, it may be necessary for us to pass on information, which could include personal data as defined by the UK General Data Protection Regulation (UK GDPR), to OpenAI. The information is used strictly for the purpose of delivering the service you have engaged with and is processed in accordance with our instructions.
Data Transfer and Security: The transfer of personal data to OpenAI is conducted in a secure manner using encryption and other industry-standard security protocols. OpenAI is based in the United States, and the data transferred to them is protected by appropriate safeguarding measures, including standard contractual clauses approved by the UK Information Commissioner's Office (ICO), to ensure a level of data protection that is adequate under UK law.
Automated Decisions: Our use of OpenAI services may involve automated decision-making capabilities. We do not use these capabilities to make decisions that have legal effects on you or similarly significantly affect you, without human intervention. Where such processes are used, we will ensure transparency and provide an option for you to request human intervention or challenge decisions made by automated means.
Data Retention: Data processed by OpenAI on our behalf is retained only as long as necessary to provide the specified service and in accordance with our data retention policy. OpenAI does not retain your personal data after the provision of the service, and it is deleted in accordance with OpenAI’s data retention policies and procedures.
Your Rights: You maintain all rights over your personal data as per the UK GDPR. This includes the right to access, correct, and request deletion of your personal data. Should you wish to exercise these rights regarding the data processed by OpenAI through our service, please submit a Subject Access Request by following the steps in this policy under the header "Submitting a subject access request".
2. Reference Documents
- EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
- Personal Data Protection Policy
3. Retention Rules
3.1. Retention General Principle
For any category of documents not specifically defined elsewhere in this Policy (and in particular within the Data Retention Schedule), and unless otherwise mandated by applicable law, the required retention period for such documents will be deemed to be 2 years from the date of creation of the document.
3.2. Retention General Schedule
The Data Officer defines the time period for which the documents and electronic records should be retained through the Data Retention Schedule.
As an exemption, retention periods within the Data Retention Schedule can be prolonged in cases such as:
- Ongoing investigations from Member States authorities, if there is a chance records of personal data are needed by the Company to prove compliance with any legal requirements; or
- When exercising legal rights in cases of lawsuits or similar court proceedings recognized under local law.
3.3. Safeguarding of Data during Retention Period
The possibility that data media used for archiving will wear out shall be considered. If electronic storage media are chosen, any procedures and systems ensuring that the information can be accessed during the retention period (both with respect to the information carrier and the readability of formats) shall also be stored in order to safeguard the information against loss as a result of future technological changes. The responsibility for the storage falls to the Data Officer.
3.4. Destruction of Data
The Company and its employees should, therefore, on a regular basis, review all data, whether held electronically on their device or on paper, to decide whether to destroy or delete any data once the purpose for which those documents were created is no longer relevant. See Appendix for the retention schedule. Overall responsibility for the destruction of data falls to the Data Officer.
Once the decision is made to dispose of data according to the Retention Schedule, the data should be deleted, shredded or otherwise destroyed to a degree equivalent to their value to others and their level of confidentiality. The method of disposal varies and is dependent upon the nature of the document. For example, any documents that contain sensitive or confidential information (and particularly sensitive personal data) must be disposed of as confidential waste and be subject to secure electronic deletion; some expired or superseded contracts may only warrant in-house shredding. The Document Disposal Schedule section below defines the mode of disposal.
In this context, the employee shall perform the tasks and assume the responsibilities relevant for the information destruction in an appropriate way. The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the Data Officer subcontracts for this purpose. Any applicable general provisions under relevant data protection laws and the Company’s Personal Data Protection Policy shall be complied with.
Appropriate controls shall be in place that prevent the permanent loss of essential information of the company as a result of malicious or unintentional destruction of information – these controls are described in the company’s IT Security Policy.
The Data Officer shall fully document and approve the destruction process. The applicable statutory requirements for the destruction of information, particularly requirements under applicable data protection laws, shall be fully observed.
3.5. Breach, Enforcement and Compliance
The person appointed with responsibility for Data Protection, the Data Officer, has the responsibility to ensure that each of the Company’s offices complies with this Policy. It is also the responsibility of the Data Officer to assist any local office with enquiries from any local data protection or governmental authority.
Any suspicion of a breach of this Policy must be reported immediately to the Data Officer. All instances of suspected breaches of the Policy shall be investigated and action taken as appropriate.
Failure to comply with this Policy may result in adverse consequences, including, but not limited to, loss of customer confidence, litigation and loss of competitive advantage, financial loss and damage to the Company’s reputation, personal injury, harm or loss. Non-compliance with this Policy by permanent, temporary or contract employees, or any third parties, who have been granted access to Company premises or information, may therefore result in disciplinary proceedings or termination of their employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.
4. Document Disposal
4.1. Routine Disposal Schedule
Records which may be routinely destroyed unless subject to an on-going legal or regulatory inquiry are as follows:
- Announcements and notices of day-to-day meetings and other events including acceptances and apologies;
- Requests for ordinary information such as travel directions;
- Reservations for internal meetings without charges / external costs;
- Transmission documents such as letters, fax cover sheets, e-mail messages, routing slips, compliments slips and similar items that accompany documents but do not add any value;
- Message slips;
- Superseded address lists, distribution lists, etc.;
- Duplicate documents, unaltered drafts, snapshot printouts or extracts from databases and day files;
- Stock in-house publications which are obsolete or superseded; and
- Trade magazines, vendor catalogues, flyers and newsletters from vendors or other external organizations.
In all cases, disposal is subject to any disclosure requirements which may exist in the context of litigation.
Level I documents are those that contain information that is of the highest security and confidentiality and those that include any personal data. These documents shall be disposed of as confidential waste (cross-cut shredded and incinerated) and shall be subject to secure electronic deletion. Disposal of the documents should include proof of destruction.
Level II documents are proprietary documents that contain confidential information such as parties’ names, signatures and addresses, or which could be used by third parties to commit fraud, but which do not contain any personal data. The documents should be cross-cut shredded and then placed into locked rubbish bins for collection by an approved disposal firm, and electronic documents will be subject to secure electronic deletion.
Level III documents are those that do not contain any confidential information or personal data and are published Company documents. These should be strip-shredded or disposed of through a recycling company and include, among other things, advertisements, catalogues, flyers, and newsletters. These may be disposed of without an audit trail.
5. Validity and document management
This document is valid as of May 2018.
The owner of this document is the Data Officer who must check and, if necessary, update the document at least once a year.