Privacy Policy


British Steel Limited and its group (“British Steel”) regards the lawful and correct processing of personal and sensitive data as an integral part of its purpose. British Steel believes this is vital for maintaining the confidence of customers, suppliers, employees and other stakeholders about whom we process data.

Policy statement

This privacy policy explains how British Steel will meet its legal obligations concerning confidentiality and data security standards. The requirements within the policy are primarily based upon the General Data Protection Regulation (“GDPR”), which is the key piece of legislation covering data security and confidentiality of personal data in the European Union.
The key principles of this policy are as follows:

  • British Steel will fully implement all aspects of GDPR
  • British Steel will ensure all employees and others handling personal data are aware of their obligations and rights under GDPR, and
  • British Steel will implement adequate and appropriate measures to ensure the security of all data contained in or handled by its systems

This policy provides guidance about the protection, sharing and disclosure of personal data within British Steel.

Definitions of personal data and sensitive personal data

“Personal data”, or “personal information”, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (i.e. anonymised data).
Examples of personal data that British Steel processes include:

  • names, addresses, emails, phone numbers and other contact information
  • some financial information including national insurance numbers and payroll data, and
  • photographs, video and audio recordings

“Sensitive personal data” means any personal data that reveals racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and any personal data relating to criminal offences and convictions. Sensitive personal data attracts additional legal protection.

Data protection principles

British Steel adheres to the data protection principles set out in the GDPR, which requires that all personal data be:

  • processed lawfully, fairly and in a transparent manner
  • collected only for specified, explicit and legitimate purposes
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
  • accurate and where necessary kept up to date
  • not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed
  • processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage
  • not transferred to another country without appropriate safeguards being in place, and
  • made available to data subjects and data subjects allowed to exercise certain rights in relation to their personal data

British Steel is responsible for and must be able to demonstrate compliance with the data protection principles listed above at all times.
Personal data must not be used other than for the specific purpose required to deliver a product or service. The individual should always know that their data is being processed. When that data is especially sensitive, consent is required before the data can be processed by British Steel, unless there is another legal basis for processing this.

Personal data can be in computerised and/or in a physical format. It may include such documentation as:

  • paper documents (e.g. CVs, employee records, letters received and sent)
  • electronic records
  • printouts
  • photographs, and
  • videos and tape recordings

Backup data (e.g. archived data or disaster recovery records) also falls under GDPR; however, a search within it should only be conducted if specifically asked for by an individual as an official Subject Access Request.

Rights of access by individuals

The GDPR gives every living person (or their authorised representative) the right to apply for access to the personal data which organisations hold about them irrespective of when and how this is compiled (e.g. handwritten records, electronic and manual records held in a structured file). This is called a ‘Subject Access Request’.

British Steel’s duties

Understanding and complying with the Data Protection Principles is key to British Steel’s responsibilities as a data controller. Therefore, British Steel will, through the use of appropriate measures and controls:

  • ensure there are lawful grounds for using any personal data
  • ensure that the use of the data is fair and meets one of the specified conditions
  • only use sensitive personal data if it is absolutely necessary and we have obtained the individual’s explicit consent (unless an exemption applies)
  • explain to individuals, at the time their personal data is collected, how that information will be used
  • only obtain and use personal data for those purposes which are known to the individual
  • ensure personal data is only used for the purpose it was given. If we need to use the data for other purposes, further consent will be obtained
  • only keep personal data that is relevant to British Steel
  • keep personal data accurate, up to date and only held for as long as is necessary
  • always adhere to our Subject Access Request Procedure and be receptive to any queries, requests or complaints made by individuals in connection with their personal data
  • ensure individuals are given the opportunity to 'opt in' to receiving mass communications, and
  • take appropriate technical and organisational security measures to safeguard personal data

In addition, British Steel will ensure that:

  • everyone managing and handling personal data understands that they are legally responsible for following good data protection practice and has read this privacy policy
  • enquiries about handling personal data are dealt with promptly
  • methods of handling personal data are clearly described in policies and guidance
  • a review and audit of data protection arrangements is regularly undertaken
  • methods of handling personal data are regularly assessed and evaluated, and
  • suitable protections are in place before any personal data is transferred to a third party

Roles and responsibilities

Employees and contractors

Maintaining confidentiality and adhering to data protection legislation applies to everyone at British Steel. British Steel will take necessary steps to ensure that everyone managing and processing personal data understands that they are responsible for following good data protection practice. Employees will receive training and must read this policy as part of their induction.

All employees and contractors have a responsibility to:

  • observe all guidance and codes of conduct in relation to obtaining, using and disclosing personal data
  • obtain and process personal data only for specified purposes
  • only access personal data that is specifically required to carry out their activity or work
  • record data accurately in both manual and electronic records
  • ensure any personal data held is kept secure
  • ensure that personal data is not disclosed in any form to any unauthorised third party, and
  • ensure personal data is sent securely

Failure by an individual to adhere to any guidance in this policy may result in disciplinary action.

Senior managers

All Senior Managers within each business unit are responsible for:

  • determining what personal data is held by their area and ensuring that the data is adequately secure, access is controlled and that the data is only used for the intended purposes
  • providing clear messaging to their teams about data protection requirements and measures
  • ensuring personal data is only held for the purpose intended
  • ensuring personal data is not communicated or shared for non-authorised purposes, and
  • ensuring personal data is password protected when transmitted electronically or appropriate security measures are taken to protect the data when in transit or storage

Data Protection Officer

British Steel’s Head of Legal holds the position of Data Protection Officer. His responsibilities include:

  • monitoring compliance with GDPR, other data protection laws and our data protection policies
  • managing internal data protection activities; raising awareness of data protection issues and training staff
  • acting as a contact point for the Information Commissioner’s Office (ICO) on issues relating to processing of personal data
  • providing guidance and advice to employees on data protection issues, and
  • reporting any data protection breaches

The Data Protection Officer can be contacted at

Information Commissioner’s Office (ICO)

The ICO is the UK’s independent authority set up to uphold information rights in the public interest and data privacy for individuals. The ICO has wide-ranging powers to investigate complaints relating to use of personal data and personal data breaches. Any failure to comply with data protection obligations may lead to investigation by the ICO which could result in serious financial or other consequences for British Steel.

Dealing with a personal data breach

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data.

Personal data breaches can include:

  • access by an unauthorised third party
  • sending personal data to an incorrect recipient
  • computing devices containing personal data being lost or stolen
  • alteration of personal data without permission, and
  • loss of availability of personal data

If a data breach is suspected, the person who identified the breach should immediately notify the Data Protection Officer and provide all relevant details regarding the breach.
Following notification of a breach, the Data Protection Officer will take the following action as a matter of urgency:

  • implement a recovery plan, which will include damage limitation
  • assess the risks associated with the breach
  • inform the appropriate people and organisations that the breach has occurred, and
  • review British Steel’s response and update our information security as appropriate

Registration with the Information Commissioner

British Steel is registered with the ICO with registration number ZA225537.

Glossary of terms used in this policy

“Data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is processed. The data controller for the purposes of this document is British Steel.
“Data processor” means any person who processes personal data on behalf of the data controller but is not employed by them.
“Data subject” means an individual who is the subject of personal data. This includes employees, contractors, customers, consultants and visitors.
“Processing” means recording or holding data or carrying out any operations on that data including organising, altering or adapting it; disclosing the data or aligning, combining, blocking or erasing it.
“Subject access request” means a written, signed request (which includes email and other written formats) from an individual to see personal data which British Steel holds about them. Data controllers must provide all such information in a readable form within one month of receipt of the request.
“Third party” means, in relation to personal data, any person other than the data subject, the data controller, or any data processor or other person authorised to process data for the data controller or processor. For example, the Police or HMRC.

12 February 2019