Privacy Notice: Monitoring

  1. Introduction

Your privacy is important to us so we developed this privacy notice to explain how we manage and look after your information whilst visiting our premises at 2 Thomas More Square, London E1W 1YN (2TMS), or using our IT Networks and mobile devices, whether as staff, visitor, supplier or other capacity.

  1. Who we are

We are UK Payments Administration Limited (UKPA), a London-based company that provides services to organisations operating in the UK payments industry.

We can be found at:
UK Payments Administration Limited
2 Thomas More Square
London
E1W 1YN

You can contact us in the following ways:

  • By writing to the Risk & Compliance team at the above address
  • By emailing us at rrc@ukpayments.org.uk
  • By telephoning us on 020 3217 8565

  1. How we use your personal information

This privacy notice tells you what to expect when we collect personal information about you. It applies to information we collect about visitors to our premises and users of our IT networks and mobile devices.

The processing of your personal information will be carried out to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and does not materially impact your rights, freedom or interests.

  1. Scope

All staff and visitors to our premises will be monitored in four ways:

  • Closed Circuit Television (CCTV)
  • Physical access to premises (door control)
  • UKPA IT network access (if applicable)
  • Mobile device monitoring (if applicable)

  1. Attending our premises

When you visit our premises we process information provided by you including:

  • name
  • company being represented
  • date of the visit
  • who you are visiting
  • closed circuit television (CCTV)

The processing of this information is to maintain security of the organisation and transparency of visitors’ actions to all our colleagues; the processing is necessary to maintain security, comply with local fire regulations, and comply with the Health and Safety at Work Act.

The information is also shared with the Landlord to enable general building security and in accordance with UKPA’s building security obligations under UKPA’s lease agreements with the landlord of 2TMS.

  1. Closed Circuit Television (CCTV)

CCTV is operated by UKPA and the Landlord internally and externally to the building. The system operates 24 hours a day, 7 days a week, is monitored, and retained. All entrances and exits to each floor are monitored to ensure safety and security and are not used for active monitoring.

The processing of your personal information will be carried out to pursue our legitimate interests and in a way which might reasonably be expected as part of running our business and does not materially impact your rights, freedom or interests.

  1. Physical access (door control)

Access in and around the building is provided, and controlled, by UKPA. The system operates 24 hours a day, 7 days a week, is monitored, and retained. Physical access is on the basis of role in the Company: there is general access to public areas; there is specific access to Company areas.

The processing is necessary for your safety and security; and for compliance with the Health and Safety at Work Act 1974.

  1. UKPA IT Network Access

Role-based access controls manage your access to the UKPA IT network. You are provided with access to specific services, and locations, based on the role defined by your employment. When you access the network from any device, or location, data is generated including:

  • name
  • job title
  • section
  • services accessed
  • date and time
  • duration
  • IP address
  • device address
  • device
  • device operating system
  • device operating system patch level
  • anti-virus system
  • anti-virus system patch level

This data is processed on the basis of a contract between UKPA and each of its clients. The processing is necessary to provide role-based access to the network and for the maintenance of confidentiality, integrity, and availability of technology.

All activity on the UKPA IT network is captured. UKPA does not warrant that it provides security of operation for any employee using the UKPA IT network for personal use. Use of the UKPA IT network for personal use, within the Acceptable Use Policy, is at your own risk. We have implemented risk-appropriate technical and organisational measures to maintain the confidentiality, integrity, and availability of any employee data processed during business operations.

Access to this data is available only to specific IT technical staff for the purposes of IT service monitoring and problem resolution, in order that UKPA IT can maintain necessary levels of confidentiality, integrity, and availability of IT systems including the use of backups, and disaster recovery.

  1. Mobile devices

UKPA installs mobile device management software (for example, MobileIron) on UKPA provided mobile devices. You may choose to install this software on your own personal mobile device if you wish to access UKPA IT networks from your personal mobile device. Through this software, we may monitor the device’s current location or last known location if the device has since been switched off.

The processing of this information is to maintain security of UKPA’s IT network and UKPA issued mobile devices. We do not keep historical location data.

  1. Recipients we share your data with

We may share your personal information for the following purposes:

  • outsourced security operations centre for the monitoring and assessment of security threats; the following data may contain personal information: system logs showing login/out events; web browsing traffic – for security analysis purposes – retained for up to two years
  • content checking of email and web pages to identify viruses and spam emails; the following data may contain personal information: email address, login, email history, browser history – retained for 30 days
  • cross referencing of UKPA issued mobile phone numbers to owner of the phone for billing purposes, retained for the life of the contract
  • account login details for Skype, retained for the life of the contract
  • anyone else where we have your consent or as required by law

We will not share your data for marketing purposes.

  1. Transfer of personal data outside the European Union (EU)

We are committed to adequately protecting your information regardless of where the data resides. We use third parties that may be located in other countries to help us run our business. When we transfer personal information to organisations outside the European Union, we take measures to provide an appropriate level of protection of your personal data.

  1. Automated decision making including profiling

Your personal data is not subject to automated decision making, including profiling.

  1. How long do we keep your data?

The following criteria are used to determine retention periods of your personal information:

  • retention in accordance with legal and regulatory requirements (your personal data will be retained based on our legal and regulatory requirements);
  • retention in accordance with business requirements (your personal data will be retained in accordance with our retention policy)

We retain your data primarily to meet statutory and regulatory obligations; secondly your data is retained to enable us to pursue our legitimate business interests in relation to our clients, current and future requirements. The retention periods are:

  • CCTV: 30 days
  • Door control: 40 days

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you; in such circumstances we may use such information without further notice to you. Once you are no longer a member of staff of UKPA, we will retain and securely destroy your personal information in accordance with our data retention policy.

  1. Your rights concerning personal data

Data protection regulation gives you a number of rights regarding your personal information processed by us.

  • The right to be informed: our obligation to provide fair processing information
  • The right of access: allows you to be aware of and verify the lawfulness of the processing
  • The right to rectification: allows you to request that the data is rectified if it is inaccurate or incomplete
  • The right to erasure: allows you to request the deletion or removal of personal data where there is no compelling reason for its continued processing
  • The right to restrict processing: allows you to ‘block’ or suppress processing of personal data
  • The right to data portability: allows you to obtain and reuse your personal data for your own purposes across different services
  • The right to object: you must have an objection on grounds relating to your particular situation

You can contact us directly by post, email, or telephone, to exercise your rights.

  1. Complaints or queries

We try to meet the highest standards when processing personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.

This privacy notice does not provide exhaustive detail of all aspects of our processing of personal information. However, we are happy to provide any additional information or explanation needed.

If you want to make a request, or a complaint, about the way we have processed your personal information, you can contact us directly:

  • In writing: Risk & Compliance, UK Payments Administration, 2 Thomas More Square, London, E1W 1YN
  • By email: rrc@ukpayments.org.uk
  • By telephone: 020 3217 8565

Alternatively you have the right to lodge a complaint with the regulator which oversees data protection law:

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
SK9 5AF

Tel: 0303 123 1113

  1. Changes to this privacy notice

We keep our privacy notice under regular review. Notifications of changes to this privacy notice will be via our website. This privacy notice was last updated May 2018.
