As the operator of this website and the provider of the registration service, Vulnerability Registration Service Ltd (VRS, we, us, our) is what is known as the “data controller” of personal data that it collects. This is because we decide why certain types of information are collected and how they are handled. As a data controller we are registered with the Information Commissioner’s Office, the authority in charge of data protection in the UK, under registration number ZA500525.

As a non-for-profit organisation, we care passionately about the service that we offer. But, looking after personal data is also important to us. So whether you’re registered with us as a service user, work with one of our trusted partner firms, or are just passing through our site (you, your), we want to give you as much information as possible about how we use your data and why. We also want you to know that you can always reach out to us if you are worried or want to know more about how we look after your personal data, so please feel free to contact us at info@vregservice.co.uk.

What is “personal data”?

“Personal data” means any information about you or that could be used to identify you. This includes your name and contact details, but also information about the device you’re using to access our site. There is more detail about the kinds of information that we use below.

What is “special category data”?

“Special category data” means information about you that is more sensitive, for example because it’s about your health, religion or ethnicity. In order to run our service, we have to process some health data. We may categorize vulnerabilities in this respect and offer a flag system for our users, but don’t collect any other specific details regarding the nature of our service user’s vulnerabilities. To the extent that we do process any health data, we will take extra measures to make sure that this is done safely and legally. We don’t process any other types of special category data.

What is “processing”?

When we talk about “processing”, this is just a legal term for using data and pretty much includes anything that we could do with your personal data. For example, “processing” includes collection, retrieval, organisation, storage, transfers and erasure.

How do we collect it?

For our service users, we either collect information from you when you register with us or from one of our trusted partner firms where they are registering you on your behalf. You can see a current list of our current partner firms by following this link.

If you are visiting our website or are acting on behalf of one of our partner firms, then we will only collect data from you when you visit our site, or that you provide to us in connection with providing the service to others.

What types of personal data do we use and why?

We will collect different types of personal data for different reasons depending on who you are. But, we will only use your data where we have a real purpose and a legal basis for doing so. To help make it clear why we use different kinds of data and what the legal bases apply, we have put all of this information into the table below.

 

  Types of Personal Data Purpose Legal Basis
Service users • Names
• Address (and length of residence)
• Contact details (email address and telephone number) and preferred contact method
• Gender
• Date of birth
• VRS registration number
• Legal status
• Information related to your financial, familial, legal or other personal circumstances
To register you for the service and to manage your registration, including setting appropriate flags for your period of registration Your consent
  • Health data To register you for the service Your explicit consent
Website users • IP address
• Website usage data (for more information about how this works please see our Cookie Notice below)
To protect and improve our website Our legitimate interest in operating our website
Partner firms • Name
• Employer
• Work location
• Work contact details (email and telephone number)
• Contact history with us
• Account login details and password
To allow you to access the service or provide it to others and to manage our relationship with you   

To keep in touch with you regarding use of the service

Our legitimate interest in providing and maintaining the service

How does consent work?
For service users registering for our service, we will only process your data where we have your explicit consent to do so. Equally, we will only allow others to see your registration where you have explicitly consented to that. In any case where you have provided your consent, you can always withdraw it at any time by contacting us and letting us know.

However, it’s important for you to understand that withdrawing your consent does not affect the lawfulness of processing already done on that basis. Equally, if you do withdraw your consent, then we would have to remove you from the register meaning that unfortunately you would no longer be able to use our service.

Do we share your personal data with other people?

For our service users, we will only share your registration details with third parties directly if the third party uses VRS and indirectly through intermediatory companies such as TransUnion who pass your registration details to other third parties.  More information can be found here.

Will you send my personal data to other countries?

All of the personal data we handle is stored in the UK, we’ll never send your data to recipients located in other countries.

How do we keep your data secure?

We have implemented appropriate technical and organisational measures to ensure that we are doing everything that we can be in order to protect the security of your data. We regularly review our internal policies, procedures and technical security to ensure that they remain appropriate to the risks of your data being compromised in any way.

How long will we keep your data?

Generally we only keep your information for as long as necessary to achieve the purposes for which it was initially collected. However, if data has been collected in connection with contractual commitments, then we will store associated data for 6 years after the ending of the contractual relationship, at which time it will be reviewed and if no longer necessary then it will be permanently deleted.

In some cases we may anonymise data for statistical purposes. Where we do this we make sure that you can’t be identified by the information we keep, meaning that it’s no longer personal data and can be kept for a longer period.

What is “automated decision making” and do we do it?

Automated decision making is where a decision is made about you or you are profiled without human involvement in that process, and where that has a legal or other significant effect on you. We don’t do any automated processing so you never need to worry about decisions being made in this way.

Do you have rights and, if so, what are they?

We want you to know that you have rights under data protection laws in connection with our use of your data. These don’t apply in every case and can be complicated, but to help we have included some general information on what these rights mean in the table below.

What is my right? What does that mean?
Access You can ask that we provide copies of your personal data that we are processing
Rectification If any of the data that we hold about you is inaccurate or incomplete, then you can ask us to fix that
To be forgotten You can ask us to delete the data that we hold about you
Restriction of processing Sometimes you can ask us to stop using your data in a certain way, for example if the data we hold is inaccurate and needs to be corrected before being used again
Object to processing In some circumstances you can object to the way that we use your data
Data portability Where we hold your data other than in paper files and processing is based on your consent, you can ask us to transfer your data to another data controller

What if we update this notice?

We want to be able to provide you with the most accurate information about how we process your personal data and also accept that laws and regulations change over time. To make sure that we continue to provide the best information and so that we can be sure that we are complying with the law, we might need to change this notice from time to time and reserve the right to make those changes. However, if we do change any part of this notice and that affects you, then we will get in touch to let you know.

Questions or complaints?

If you have any questions at all about this notice or how we handle your personal data then you can always contact us at info@vregservice.co.uk. We hope that you never have cause to complain about the way we handle your data, but you can always do so by contacting the Information Commissioner’s Office (ICO) online here or by telephone at 0303 123 1113.