This notice explains how the Last Mile Infrastructure Group of companies collects, stores, manages and protects your personal data in compliance with Data Protection Legislation. The companies to which this notice applies are set out at the end of this privacy notice.
To make reading this privacy notice easier, we refer to the collection, storage, management and protection of personal data as “processing”.
References in this notice to “Data Protection Legislation” means (as applicable) the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003, all as amended from time to time.
Why do we process your personal data?
We process personal data in relation to:
- our current and former employees (including apprentices), contractors and other workers (to make reading this notice easier, we refer to all of these people as “employees”);
- job applicants and people that no longer work for us;
- the employees, contractors, consultants and workers of our external stakeholders, including clients and suppliers; and
- end-user customers who we provide services to.
We process your personal data in order to carry out our business operations and administration, and to provide information and services to our clients and customers. Examples of why we might process your personal data include:
- communicating with you as part of our ongoing relationship (for example, providing services to you, or in connection with your engagement with us);
- record-keeping (including after our relationship has ended);
- paying you, or receiving payments from you;
- HR and Finance administration – for example, payroll, pensions and benefits;
- marketing (where allowed by law);
- details of your interaction with one of our companies, including responding to any queries or complaints;
- debt recovery, fraud and crime prevention.
If you are not one of our employees, we process your personal data as part of our legitimate interest in carrying out our routine business operations and administration, and to provide information and services to our clients and customers.
If you are one of our employees, it will be a requirement of your contract that you provide us with certain personal data (which is described below). We need this information in order to administer your employment with us (for example, HR and finance information) and to fulfil our legal obligations. If you are applying for a job with us, it will be a requirement that you provide us with certain personal data before entering into a contract with us, for the same reasons.
We may need to process special categories of personal data (such as health data) for the purpose of fulfilling our legal duties in connection with the health and safety of people affected by our businesses.
We are also required to process certain personal data in order to meet other legal requirements. For example, Ofgem and Ofwat require us to participate in industry data-sharing arrangements regarding the premises connected to our utility networks.
What personal data do we process?
Most of the personal data we process is provided by you as part of your interactions with us. It usually includes the following items:
- your name(s), title and employer details;
- your address, email address and/or telephone number; and
- your billing details if you are an end-user customer of ours.
We may also process information we obtain or are provided by third parties (such as Glenigans Lead Generation Database) in order to send direct marketing material to our current or prospective clients and customers.
If you are one of our employees, we will collect some additional personal data in relation to your employment with us, which will include:
- your gender and date of birth;
- your health information;
- your driving licence details;
- your right to work information, which may include passport or birth certificate and biometric permit or work visa where applicable;
- your bank account number and sort code;
- your CV; and
- name(s), address(es), email address(es) and telephone number(s) of family contact(s) (for example, for emergency contact details).
We will usually collect some or all of this information in relation to job applicants and new employees, too. We might also retain some of this information in relation to former employees for record-keeping purposes.
Your personal information is likely to be contained in:
- updates to your contact details (such as address, email address and telephone number);
- emails and other correspondence that you sent to us, or that were sent to you by us;
- records of conversations and meetings;
- website contact forms and marketing preferences;
- project-related documents such as tenders and responses, contact lists, approvals and similar paperwork;
- internal business systems such as HR, payroll and finance systems; and
- CCTV that we control on our business premises for the purposes of safety and security.
Our regulated businesses are also legally required to access industry-wide databases that contain personal data in the form of names, addresses, and alphanumeric identifiers such as “Meter Point Reference Numbers” (MPRNs) and “Meter Point Address Numbers” (MPANs). Some of these databases might also indicate whether a person is vulnerable for health or other reasons. This information is used to identify the end users of our energy networks and, in relevant cases, any special or additional support they might need.
Who might we share personal data with?
Most personal data is kept within the Last Mile Infrastructure Group of companies but shared between the data controllers named at the bottom of this notice. Personal data might be shared with third parties where that is necessary to comply with the law, protect our rights and operate our usual business practices. For example:
- some of our systems are cloud-based, so some personal data may be transferred to servers controlled by the providers of these cloud-based systems (who have no direct access to the personal data);
- some employees are insured to drive our fleet vehicles, so their personal data will be sent to the providers of those vehicles and any related insurance provider;
- some of our employee benefits are provided by third parties (such as pensions and health insurance), so their personal data will be sent to those providers;
- personal data might be included in records sent to our professional advisers, such as lawyers, accountants and insurance brokers;
- where we might engage with an external customer billing partner, we will need to share billing and payment history data;
- our outsourced IT providers may have access to personal data on our IT systems if such access is required to enable them to resolve problems with our IT systems;
- we might need to provide personal details to subcontractors who perform services on our behalf – for example, details of contacts on site;
- clients will receive employee personal data during routine communications in the form of contact details (and vice versa);
- we will have to provide personal data to some of our regulators – for example, HMRC, the Home Office (for sponsored employees) Ofgem, the Environment Agency, the Drinking Water Inspectorate and Lloyds Register – to fulfil our legal obligations and to assist them in fulfilling their regulatory functions; and
- potential purchasers of our business, subject to those persons entering into strict confidentiality obligations with us and only to the extent permissible under data protection law.
We review all contractual arrangements we have in place with third parties who receive personal data from us to ensure such third parties have robust systems and procedures to ensure compliance with Data Protection Legislation.
To the best of our knowledge, understanding and belief, any personal data we collect will be kept within the United Kingdom and will not be transferred outside of the European Economic Area (EEA) or to an international organisation (as defined in the GDPR). We keep this under review with our third party providers and if this changes, then we will let you know.
How long do we keep personal data?
We only keep your personal data for so long as it is reasonably necessary. When setting our data retention periods, we consider the amount, nature and sensitivity of the data we hold, the potential risk of harm from unauthorised use or disclosure of the data and the purposes for which we process the data. Most personal data will be kept for the duration of our relationship with you plus an additional six (6) years (or any longer period required by law). The reason for this is that if we have to respond to a legal claim, we might need to use records that contain your personal data and most legal claims have to be brought within six (6) years.
What are your rights in connection with your personal data?
You have the following rights in respect of your personal data:
- Access to your personal data – you have the right to a copy of any personal data we hold in relation to you, as well as information about how we process that personal data (which is already set out in this notice). This is known as a “Subject Access Request” and all Subject Access Requests should be made in writing and sent to the email or postal address shown below. To make this as easy as possible for you, a Subject Access Request Form is available for you to use which, while you do not have to use this form, it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible.
- Rectification of your personal data – you have the right to have any inaccurate personal data about you corrected. You also have the right to have any incomplete personal data completed.
- Right to erasure / “right to be forgotten” – in certain circumstances, you have the right for personal data about you to be erased. We are not required to erase your personal data if we need to keep it in order to comply with legal obligations or to establish, exercise or defend legal claims.
- Right to restrict processing – in certain circumstances, you have the right to restrict how we process your personal data. There are some purposes for which we can continue to process your personal data even if you ask for it to be restricted. These include storage; the establishment, exercise or defence of legal claims; or for the protection of the rights of another legal or natural person (which includes companies).
- Right to object – if we process your personal data on the basis of our legitimate interests, you can object to that processing. If you object, we may have to stop processing that personal data (and this may mean we are no longer able to interact with you in ways that rely on that personal data). However, we are not required to stop processing your personal data where our legitimate grounds for processing it override your interests, rights or freedoms, or are necessary to establish, exercise or defend legal claims.
- Right to data portability – if we process your personal data on the basis of a contract you have with us as an individual, and that data is automatically processed, you have the right to receive that personal data from us in a commonly-used and machine-readable format so that you can transmit it to another data controller (or you can ask us to transmit it for you where technically feasible).
Requests to exercise any these rights should be sent to firstname.lastname@example.org.
If requests are manifestly unfounded, excessive or repetitive we are allowed to charge a reasonable fee for fulfilling the request or refuse to fulfil the request.
We will always store your digital information on secure servers. Unfortunately, however, the transmission of information via the internet is not completely secure. Although we will do our best to protect your information, we cannot guarantee the security of your information transmitted to our site or otherwise to our servers (such as by e-mail). Any such transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Links to other websites
Our websites may contain links to other websites. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy notice. You should exercise caution and look at the privacy notice applicable to the website in question.
How you can contact us about how we handle your personal data
The appointed representative for each of the Last Mile Infrastructure Group data controllers is:
Data Protection Officer
Last Mile Infrastructure Group
Hamilton International Technology Park
Queries for the appointed representative should be sent to email@example.com
If you are not satisfied by our response, you may lodge a complaint directly to the Information Commissioner’s Office (www.ico.org.uk). The Information Commissioner is the UK regulator for data protection.
Who are the data controllers of personal data you provide to Last Mile?
The following Last Mile Infrastructure Group companies are data controllers processing personal data under this privacy notice:
- Last Mile Infrastructure (Holdings) Limited
- Last Mile Infrastructure Holdco1 Limited
- Last Mile Infrastructure Holdco2 Limited
- Last Mile Infrastructure Group Limited
- Last Mile Infrastructure Holdco Limited
- Last Mile Infrastructure Limited
- Last Mile Infrastructure UK Limited
- Last Mile Meters Limited
- Last Mile Water Limited
- Energetics Design and Build Limited
- UK Power Solutions Limited
- Icosa Water Limited
- Icosa Water Services Limited
Changes to our Privacy Notice
This notice was last updated on 1 October 2020. We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.
Any material changes we may make to our Privacy Notice in the future will be uploaded to our website and you will be deemed to have accepted the terms of the Privacy Notice either when you first use our website following the alterations, or when the revised version is exhibited to you. A copy of our Privacy Notice is also available on request from our Data Protection Officer.