.png)
ILS Privacy Policy
Reviewed and Updated: December 2024
International Location Safety Ltd takes privacy and data protection very seriously. This Privacy Policy explains how ILS collects, stores and uses personal data when customers engage with our services or with the organisation. This policy will be kept under review and will be revised when required; notification of updates will be made accessible on our website.
This Privacy Policy has been drafted so that it is compliant with the UK General Data Protection Regulation (UK GDPR). The policy about personal data collection is written within the framework of the 7 data protection principles set out in the UK GDPR: 1. Lawfulness, fairness and transparency, 2. Purpose limitation, 3. Data minimisation, 4. Accuracy, 5. Storage limitation, 6. Integrity and confidentiality (security), and 7. Accountability.
Definitions
When reading this statement, please note that the terms ‘ILS’, ‘We’, ‘Us’ and ‘Our’ refer to International Location Safety Ltd (ILS) (company number 09481529) or its subsidiary company Manda Risk Management Solutions Ltd.
The terms ‘You’, ‘Your’, ‘Participant’,‘Customer’ and ‘Client’ refer to anyone who pays for and engages in the use of our services.
‘Personal data’ refers to any information that directly or indirectly identifies a person (a ‘natural person’ as defined by the UK GDPR) including name, address, email, phone number, job title and employer information.
‘Special category data’ refers to the UK GDPR definition, which is any information concerning race, ethnic origin, religion, politics, trade union membership, genetics, biometrics, health and sexual orientation.
The use of the term ‘Data Controller’ in this policy refers to International Location Safety Ltd.
The term ‘Data Processor’ refers only to the services we use for payment processing, consultancy, email marketing software, IT service partners, online survey software services, Hpass digital badge scheme, online learning platforms and accommodation providers.
‘HEAT’ refers to our Hostile Environment Awareness Training programme, these courses have previously been referred to as 'SAFA' and 'SAFA Refresher'; these are a 3-day residential, 4-day Residential (a bespoke course known as HEST), and 1-day non-residential courses respectively. All these courses involve outdoor learning and involve some mild physical activity.
‘Online training’ refers to our Travel Safety & Security courses (TSS), Security Risk Management Training courses (SRMT), and Personal Safety Awareness Training (PSAT), and any other online courses, these may have instructor-led content.
‘Face to face training’ refers to any course that is delivered face to face and in person which is not otherwise referred to.
'CMT' refers to our Crisis Management Training; this is available either as an in-person or online training.
‘Risk Advisory Services’ refers to all bespoke project work, consultancy and support services to our clients; these are delivered independent of our training courses.
‘TRM’ refers to the Travel Risk Management services from our Risk Advisory Team available through the ILS website.
Your Personal Data
When engaging in any of our services you will be asked to voluntarily provide only the personal data that is necessary to ensure accurate project outputs, successful learning outcomes, and safe training experiences.
In addition, when you engage with ILS for any recruitment process, ILS will collect and process personal data relating to the job application. This information may be held by ILS on paper or in electronic form.
Summary of Personal Data Collection and Retention
Services
What Personal Data do we collect?
What Special Category may we collect?
How long is your personal data retained for? ILS endeavours to minimise the retention of personal data as much as reasonably possible. In line with this principle, the different circumstances under which we retain some personal data are as follows:
HEAT and other Face-to-Face Trainings
The personal data collected on our booking and registration forms include name, email address, job title, employer, invoicing contact details, next of kin or emergency contact details, and medical Insurance details. There is also an opportunity to voluntarily complete special category data on our registration forms which may be necessary for a safe training experience.
Participants are invited to opt-in to our email mailing list and to provide course feedback.
The special category data that we ask you to provide is normally within the health category. Some examples of the information that we might expect participants to share are pre-existing physical or mental health conditions, dietary requirements, allergies, pregnancy, and any emergency medication. This is to enable us to provide a safe learning experience given the nature of the course.
Personal data is retained for 3 years and 6 months, as this is when the training certificate expires and to allow time for deletion. The above will apply in most cases unless an extended retention period has been negotiated as part of a contract.
Email addresses are retained for a longer period where participants have explicitly opted into the mailing list on their registration form.
All feedback forms are anonymous and are shredded or deleted after the statistics have been collated.
Crisis Management Training (CMT)
Whether a CMT is online or in-person the following data will be collected; names, email addresses, phone numbers and job titles for the key participants in the training. We need these details to effectively run the training which tests the readiness of clients' Crisis Management procedures.
Participants are invited to opt-in to our email mailing list and to provide course feedback.
Whether a CMT is online, or in-person, special category data is not required for a CMT.
CMT participants' contact details, and personal data are deleted after the trainings. This will happen within 3 months of the end of the training. All feedback forms are anonymous and are shredded or deleted after the statistics have been collated.
Online Trainings
For our online training, the personal data collected on our booking form is a name, email address, job title and employer. Participants on a closed course may have this data provided by their employer to ILS. Participants are invited to opt-in to our email mailing list and to provide course feedback.
Special category data is not required for online training.
Personal data is retained for 3 years and 6 months, as this is when the training certificate expires, and to allow time for deletion. The above will apply in most cases unless an extended retention period has been negotiated as part of a contract.
Email addresses are only retained for a longer period where participants have explicitly opted into the mailing list on their registration form.
All feedback forms are anonymous and are shredded or deleted after the statistics have been collated.
Risk Advisory Services
For our Risk Advisory Services, the personal data collected includes names, email addresses, telephone numbers, job titles and details of the key contact people within the client’s organisation. In addition, Risk Advisory projects may involve requests for key contact people to voluntarily provide contact details for interviewees who will be requested to provide
insights into the client's security culture. The feedback from the interview will be anonymised and the contact details deleted after the project is
complete.
For Risk Advisory Services, our Risk Advisory team invite clients to voluntarily provide any special category data that they feel is relevant to inform the safety and security of the traveller to a specified location, this could include any of the types of special category data (e.g.health issues/concerns, religion, sexual orientation, ethnicity etc.).
For general Risk Advisory projects personal data on key contact people will be retained for at least the legal minimum of years required under UK Law but may be retained for the duration of time ILS remains in business. Risk Advisory interviewees: personal data is deleted after survey data has been collated. This will happen within 3 months of the end of the project.
Travel Risk Management Services (TRM)
TRM services require the collection of names, contact information, travel destinations and itinerary.
For TRM services, our Risk Advisory team invite clients to voluntarily provide any special category data that they feel is relevant to inform the safety and security of the traveller to a specified location, this could include any of the types of special category data (e.g. health issues/concerns, religion, sexual orientation, ethnicity etc.).
TRM clients' personal data is deleted within 3 months after the contract has been completed.
Recruitment
The personal data
collected may include; your contact details, including your name, address, telephone number and personal e-mail address; personal information included in a CV, cover letter or interview notes; references; information about your right to work in the UK and copies of proof of right to work documentation; copies of qualification certificates; copy of driving licence; other background check documentation; details of your skills, qualifications, experience and work history with previous employers; and your professional memberships. During the recruitment process ILS may collect personal information directly from you or
sometimes from third parties such as references from current and former
employers. You are under no statutory or contractual obligation to provide
personal information to ILS during the recruitment process.
ILS may collect and use the following special category data during the recruitment process; whether or not you have a disability for which ILS needs to make reasonable adjustments during the recruitment process and information about criminal convictions and offences; any other special category data you choose to disclose as part of your application.
Recruitment applications: For the purposes of any recruitment exercises ILS will only use your personal information for the purposes for which ILS have collected it.
However, if your job application is unsuccessful, ILS may wish to keep your personal information on file in case of future suitable employment opportunities with us. We will ask for your consent before we keep your personal information on file for this purpose. Your consent can be withdrawn at any time. In addition, ILS will generally hold your personal information for six months, after the end of the relevant recruitment exercise, but this is subject to (a) any minimum statutory or other legal, tax, health and safety, reporting or accounting requirements for data or records, and (b) the retention of some types of personal information for up to six years to protect against legal risk e.g. if they could be relevant to a possible legal claim in a tribunal.
Invoicing
The personal data collected will include name of who the invoice is addressed to and names of course participants, email address, job title and processing department details.
Special category data is not required for invoicing.
Any personal data included on invoices and within our accounting system will be retained for at least the legal minimum of years required under UK Law but may be retained for the duration of time ILS remains in business.
Contracts (excluding individual and group booking forms).
The personal data collected will include names, email addresses, job titles, contact telephone numbers for the contract point of contacts and the contract signatory.
Special category data is not required for contracting.
Any personal data which forms part of a contract, will be retained for at least the legal minimum of years required under UK Law but maybe retained for the duration of time ILS remains in business.
Why do we collect it?
Name: We collect your name for identification purposes during trainings and recruitment, training certification, Risk Advisory workshops and interviews, TRM services, invoicing, and for booking accommodation at our training venues.
Email address: We ask all learners and trainees (online and face-to-face) for their email address for enrolment onto our digital learning platform which provides course learning materials, resources, certification, and an invitation to join the Hpass digital badge scheme. We also require the email address to be able to send any information about changes to course dates, venues or cancellations. We may also use it for invoicing for services, or to contact you about your job application. Participants are invited to opt-in to our email mailing list should they wish to, there is no automatic enrolment on the list. This mailing list is used for keeping clients updated with company news, details of new services, upcoming courses and offers.
Job title and Employer: The information provided about job title and employer is used to provide our trainers with a general impression of the professional background, experience, and knowledge of participants, thus being able to tailor the course and make the training relevant. It may also be required for invoicing and recruitment purposes.
Invoicing contact details: To process fees for our services, we require the contact details of any person responsible for the payment of invoices on behalf of our participants. The details required are a contact name, email, and billing address.
Emergency contact and medical insurance details: Due to the practical outdoor component of HEAT training, we require a next of kin contact in case of emergency as well as any medical insurance details that maybe relevant. This is part of our duty of care and health & safety obligations.
Health details (Special Category Data): HEAT courses involve mild physical exertion, exposure to outdoor elements and practical exercises that may place you in mildly stressful conditions. The information provided allows ILS to account for any personal circumstances that need to be considered to ensure participants health and wellbeing.
Special Category Data: Risk Advisory Projects and TRM projects may also invite clients to voluntarily share other categories of Special Category Data to ensure the safety and security of travellers or provide adequate context for accurate project outputs.
Recruitment information: we will be processing personal data in relation to a recruitment process to; manage the recruitment process and your suitability for employment or engagement; decide whom to offer a job; comply with statutory or regulatory requirements e.g. checking right to work; ensure compliance to your statutory rights; ensure effective HR and business administration and to monitor equal opportunities.
Who do we share it with?
ILS uses a small number of carefully selected third parties to help provide our services to you. These act as ‘Data Processors’ as defined by the UK GDPR. Examples of the services we use are payment processing, consultancy, email marketing software, IT service partner, online survey software services, Hpass digital badge scheme, online learning platforms and accommodation providers. In choosing to work with any such Data Processors, we will endeavour to ensure that the security policies, confidentiality arrangements and UK GDPR compliance of those third parties are equitable or better than ILS standards. No ownership rights to the data will be transferred to any third party.
The personal data that we collect will not generally be transferred outside the European Economic Area ("EEA"). The only circumstance where this may occur is for training courses, either where they are taking place outside the EEA and we give accommodation providers your name for booking purposes, or when one of our staff or consultants is either delivering training overseas, or from an overseas location. By submitting your data, you agree to this transfer, storing or processing. We will take all reasonable steps to ensure that your data is treated securely and in accordance with this privacy policy.
Security
All reasonable steps have been taken to ensure the security of personal data through the minimisation of collection, IT security measures, and best practice in handling data, both digitally, and on paper. Our IT system meets UK GDPR requirements, including Hard drive encryption, remote wipe functions and the most up-to-date security software delivered by our IT support company who are Microsoft 365 partners. We are certified by the UK government-backed Cyber Essentials scheme.
Access
If you would like to get in touch with us regarding any of your personal data access rights, please email us: data@locationsafety.com.
Or alternatively, use the address and phone number provided below:
FAO: Data Protection Enquiries
International Location Safety
Unit 7/8 Commercial House
52 Perrymount Road
Haywards Heath
West Sussex
RH16 3DT
Office Telephone: +44(0) 1273 833070
Office hours: 9am-5pm, Monday-Friday