Data Protection Policy

Updated Aug 2025

For the purposes of this Policy, ‘ITI Group’ or ‘we’ refers to: ITI Engineering Holding Limited, ITI Engineering Group Limited, ITI Operations Limited, and all subsidiary companies (currently ITI Digital Solutions Limited, ITI Simulation Limited and ITI Group Inc). Definitions can be found at the end of this Policy.

ITI Group is committed to protecting the privacy and security of personal information and to processing it in accordance with Data Protection Laws.

This Policy sets out:

  • How ITI Group collects, processes and ultimately deletes personal data in accordance with the data protection principles;
  • What personal data ITI Group collects and from which data subjects;
  • Your rights and obligations in relation to data protection;
  • Who to contact regarding the processing of your personal data.

This policy applies to all of ITI Group’s personal data processing activities, including those relating to the personal data of Customers, prospective Customers, Employees, Individuals, and Suppliers.

The responsibilities set out in this policy apply to all Employees, Individuals and Suppliers. Any breach of this Policy or Data Protection Laws will be dealt with:

  • in the case of Employees, under ITI Group’s disciplinary policy;
  • in the case of Individuals and Suppliers, under the relevant contractual framework.

A breach may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate supervisory authorities.

Suppliers and Individuals who have or may have access to personal data will be expected to have read and understood this policy and to comply with it. No Individual may access personal data held by ITI Group without having first entered into a confidentiality agreement which imposes obligations no less onerous than those to which ITI Group is committed, and which gives ITI Group the right to audit compliance with the agreement.

Responsibilities and Roles

Data Controller

ITI Operations Ltd is the data controller and data processor under the Data Protection Laws.

The UK GDPR includes provisions that promote accountability and governance. These complement the UK GDPR’s transparency requirements. The accountability principle in Article 5(2) requires us to demonstrate that we comply with the principles and states explicitly that this is our responsibility.

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”.

ITI will demonstrate compliance with the data protection principles by implementing data protection policies, adhering to codes of conduct, implementing technical and organisational measures, as well as adopting techniques such as data protection by design, DPIAs, breach notification procedures and incident response plans.

Board of Directors

The ITI Group Board of Directors (the Board) and all those in managerial or supervisory roles throughout ITI Group are responsible for developing and encouraging good information handling practices; responsibilities are set out in individual job descriptions.

Data Protection Officer

The Data Protection Officer (DPO) is a member of the Senior Leadership Team (SLT) and is accountable to the Board for the management of personal data within ITI Group, for ensuring compliance with Data Protection Laws and for demonstrating good practice. The Board considers the DPO to be suitably qualified and experienced, and the DPO has been appointed to take responsibility for ITI Group’s compliance with this policy on a day-to-day basis.

The DPO will:

  • ensure that, on a periodic basis all data collection methods are reviewed by internal audit to ensure that collected data continues to be adequate, relevant and not excessive.
  • ensure that all staff have received appropriate training in the importance of collecting accurate personal data and maintaining it.
  • keep and review the register of processing in the light of any changes to ITI Group’s activities and any additional requirements identified by means of data protection impact assessments. This register needs to be available on the supervisory authority’s request.
  • ensure that appropriate procedures and policies are in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.
  • review the retention dates of all the personal data processed by ITI Group, by reference to the data inventory, and will identify any data that is no longer required in the context of the registered purpose. This data will be securely deleted/destroyed in line with the IMS001 IMS Manual.
  • respond to requests from data subjects enforcing their rights under Data Protection Laws within the time periods specified, i.e. one month of the request, or up to three months in total if the request is complex.
  • make appropriate arrangements, where third-party organisations may have been passed inaccurate or out-of-date personal data, to inform them that the information is inaccurate and/or out of date and is not to be used to inform decisions about the individuals concerned, and to pass any correction to the personal data to the third party where this is required.
  • carry out a risk assessment using the preferred methods with PRO027 Risk Management taking into account all the circumstances of ITI Group’s controlling or processing operations.

Contact

You can contact the Data Protection Officer:

  • via email on [email protected], or
  • by post for the attention of the Data Protection Officer at Rotherside Road, Eckington, Sheffield, S21 4HL.

Data Protection Principles

Processing data

ITI Group will comply with the following data protection principles set out in the Data Protection Laws when processing personal data:

  • we will process personal data lawfully, fairly and in a transparent manner;
  • we will collect personal data for specified, explicit and legitimate purposes only, and will not process it in a way that is incompatible with those legitimate purposes;
  • we will only process the personal data that is adequate, relevant and necessary for the relevant purposes;
  • we will keep accurate and up to date personal data, and take reasonable steps to ensure that inaccurate personal data are deleted or corrected without delay;
  • we will keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; and
  • we will take appropriate technical and organisational measures to ensure that personal data are kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

Basis for processing personal data

In relation to any processing activity we will, before the processing starts for the first time, and then regularly while it continues:

  • review the purposes of the particular processing activity, and select the most appropriate lawful basis (or bases) for that processing;
  • except where the processing is based on consent, satisfy ourselves that the processing is necessary for the purpose of the relevant lawful basis;
  • document our decision as to which lawful basis applies, to help demonstrate our compliance with the data protection principles;
  • include information about both the purposes of the processing and the lawful basis for it in our relevant privacy notice(s);
  • where special category data is processed, also identify a lawful special condition for processing that data (see below), and document it; and
  • where criminal records data is processed, also identify a lawful condition for processing that data, and document it.

When determining whether ITI Group’s legitimate interests are the most appropriate basis for lawful processing, we will:

  • conduct a legitimate interests assessment (LIA) and keep a record of it, to ensure that we can justify our decision;
  • if the LIA identifies a significant privacy impact, consider whether we also need to conduct a data protection impact assessment (DPIA);
  • keep the LIA under review, and repeat it if circumstances change; and
  • include information about our legitimate interests in our relevant privacy notice(s).

Data subjects’ rights

Data subjects have the following rights regarding data processing, and the data that is recorded about them:

  • To make subject access requests regarding the nature of information held and to whom it has been disclosed.
  • To prevent processing likely to cause damage or distress.
  • To prevent processing for purposes of direct marketing.
  • To be informed about the mechanics of automated decision-taking process that will significantly affect them.
  • To not have significant decisions that will affect them taken solely by automated process.
  • To sue for compensation if they suffer damage by any contravention of the UK GDPR.
  • To take action to rectify, block, erase (including the right to be forgotten) or destroy inaccurate data.
  • To request the supervisory authority to assess whether any provision of the UK GDPR has been contravened.
  • To have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.
  • To object to any automated profiling that is occurring without consent.

If you would like to exercise any of those rights, please:

  • email or write to us using the DPO contact details above;
  • provide enough information to identify yourself (e.g. your full name and relationship to ITI Group) and any additional identity information we may reasonably request from you;
  • let us know what right you want to exercise and the information to which your request relates.

Security of data

ITI Group has implemented appropriate technical and organisational measures to keep your personal data confidential and secure from unauthorised access, use and disclosure. We limit access to personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality. We regularly test our systems and are ISO27001 certified, which means we follow top industry standards for information security.

We require our Suppliers to implement appropriate security measures to protect personal data from unauthorised access, use and disclosure.

Data Sharing

Access to your personal data will be restricted to those who have a need to access it in order to carry out their duties.

We routinely share personal data with:

  • One or more companies who form part of ITI Group and internally within ITI Group.
  • Suppliers we use to help deliver our services, e.g. providers of our finance system, IT service providers including cloud service providers such as data storage platforms, shared service centres and financial institutions in connection with invoicing and payments;
  • Suppliers providing services for money laundering checks and other crime prevention purposes and companies providing similar services, including financial institutions and credit reference agencies;

We only allow those organisations to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We ensure all outsourcing providers operate under service agreements that are consistent with our legal obligations.

We or the third parties mentioned above may occasionally also share personal data with:

  • Regulators and government authorities such as HMRC or the police if we are required to do so by law or if the regulator or authority requests it and we regard that request as reasonable.
  • Our insurers, legal and professional advisers, auditors or other third parties who need access to it, in which case the recipient of the information will be bound by confidentiality obligations;
  • other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition or asset sale or in the event of our insolvency—usually, information will be anonymised but this may not always be possible and the recipient of any of your personal data will be bound by confidentiality obligations

Retention and disposal of data

ITI Group will not keep personal data in a form that permits identification of data subjects for a longer period than is necessary, in relation to the purpose(s) for which the data was originally collected.

We may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.

Where personal data is retained beyond the processing date for a legitimate reason, it will be minimised and / or pseudonymised in order to protect the identity of the data subject in the event of a data breach.

The retention period for each category of personal data is set out in the applicable section below.

Data transfers

In certain limited circumstances, we may export personal data outside of the UK for processing, and we may use Suppliers who do the same.

We only do that if there is a good reason to do it and where adequate safeguards (such as the appropriate contractual arrangements with suppliers, or adequacy decisions, depending on the destination country) are in place. We will only transfer data that is reasonably necessary to support, or is in relation to, the underlying purpose.

Document Owner and Approval

The Data Protection Officer is the owner of this document and is responsible for ensuring that this policy document is reviewed in line with the review requirements stated above.

This policy was approved by the Board and is issued on a version-controlled basis under the signature of the Chief Executive Officer (CEO).

Changes to the details of any data processing will be posted by updating the publicly accessible version of this policy and, where necessary, notified to you by e-mail.

Definitions

  • Binding corporate rules means personal data protection policies which are adhered to by a controller or processor established in the United Kingdom for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
  • Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.
  • consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; (but see section 6 of the 2018 Act).
  • Customer means: any company who receives goods or services from ITI Group, and as the context requires, those data subjects who are associated with it.
  • Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
  • Data Protection Laws means Data Protection Act 2018, UK General Data Protection Regulation (UK GDPR), and Privacy and Electronic Communications Regulations 2003 (PECR).
  • Employee means: individuals employed (whether full or part time) by ITI Group and includes Officers and Directors.
  • enterprise means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
  • Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
  • Individual means: Employees, individuals employed by Suppliers or any individual who provides goods and services to ITI Group.
  • ITI Data means: any information stored in electronic form which is created by Employees or is created for ITI Group by an Individual, or is provided to ITI Group by a Customer.
  • ITI Group means: ITI Operations Limited, ITI Engineering Group Limited, ITI Engineering Holdings Limited, ITI Digital Solutions Limited, ITI Simulation Limited, ITI Group Inc. and any subsidiaries of each from time to time.
  • personal data means any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  • pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with domestic law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
  • representative means a natural or legal person established in the United Kingdom who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.
  • Supplier means: an external organisation or person who performs, or will perform, services for, or on behalf of, ITI Group, or with whom ITI Group has, or will have, a partnership, including suppliers of goods or services to ITI Group for its internal purposes.
  • Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Privacy Notices

Customers and Prospective Customers

Information we may collect from you

Information you or your organisation gives us:

  • You may give us information about you by filling in forms on our sites or by corresponding with us by phone, e-mail, paper or otherwise, including information included on contract documents with your organisation. This includes information you or your organisation provide when you register to use our sites, subscribe to our service, join one of our user groups or participate in discussion boards or other social media functions on our sites, enter a competition, promotion or survey, and when you report a problem with our sites/products/services or enter into a contract with us.
  • In each case, this may include your name, role, company name, company activity, address, e-mail address and phone number, financial information, personal description and photograph.

Information we collect from public sources or third parties:

  • We may obtain information about you from your organisation’s website, LinkedIn and other business social media platforms, Companies House, companies providing services for money laundering checks and other crime prevention purposes and companies providing similar services, including financial institutions and credit reference agencies.
  • In each case, this may include your name, role, career history, company name, company activity, address, e-mail address and phone number, financial information, personal description and photograph.

Uses made of personal data

Type of personal data: Information you or your organisation give us

Uses made of the personal data: To carry out our obligations (and exercise our rights) arising from any contracts/arrangement entered into between you/your organisation and us and to provide you/your organisation with the information, products and services that you/your organisation request from us.

Lawful basis for use: Where our contract/arrangement is with you (personally), we rely on Article 6(1)(b) of the UK GDPR (processing necessary for the performance of a contract with the data subject) as the lawful basis for use.

Where our contract/arrangement is with your organisation, we rely on Article 6(1)(f) of the UK GDPR (processing necessary for legitimate interests pursued by the controller or a third party) as the lawful basis: our rights and obligations under the contract/arrangement (and more generally, our business) are legitimate and the data processing activities that we and (where appropriate) our third parties perform are proportionate and secure and have due regard to your rights and freedoms.

Retention period: The personal data will be retained for no longer than is reasonably necessary and, in any event, no longer than the applicable limitation period of the most recent, applicable contract/arrangement.

Type of personal data: Information you or your organisation give us

Uses made of the personal data: To provide you with information about other goods and services we offer that are similar to those that you/your organisation have already purchased, searched for, or enquired about.

Lawful basis for use: Where you have requested information and provided consent, we rely on Article 6(1)(a) of the UK GDPR (processing pursuant to consent from the data subject) as the lawful basis for use.

Where you have not requested information and provided consent, we rely on Article 6(1)(f) of the UK GDPR (processing necessary for legitimate interests pursued by the controller or a third party) as the lawful basis: our rights to promote our products and business to organisations and individuals who we genuinely believe will be interested in or will benefit from them are legitimate, and the data processing activities that we and (where appropriate) our third parties perform are proportionate and secure and have due regard to your rights and freedoms.

Retention period: Your personal data will be retained for this purpose until:

  1. We no longer reasonably require it for these purposes; or
  2. (if earlier) you withdraw your consent*
  3. You object to the processing*

Type of personal data: Information you or your organisation give us & Information we collect from public sources or third parties

Uses made of the personal data: To provide you/your organisation, or permit other organisations within our group of companies (or their appointed representatives) to provide you with information about goods or services we feel may interest you/your organisation.

Lawful basis for use: We rely on Article 6(1)(f) of the GDPR (processing necessary for legitimate interests pursued by the controller or a third party) as the lawful basis: our rights to promote our products and business to organisations and individuals who we genuinely believe will be interested in or will benefit from them are legitimate, and the data processing activities that we and (where appropriate) our third parties perform are proportionate and secure and have due regard to your rights and freedoms.

Retention period: Your personal data will be retained for this purpose until:

  1. We no longer reasonably require it for these purposes; or
  2. You object to the processing*

You may withdraw your consent or object to the processing of your personal data by either:

  • Clicking an unsubscribe button in any email marketing communication we have sent you; or
  • Contacting us as set out in the DPO section above

Visitors to our Website

Information we collect about you

With regard to each of your visits to our sites we may automatically collect the following information:

  • technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  • information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our sites (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
  • Information we receive from other sources. We may receive information about you if you use any of the other websites we (or other companies within our group) operate or the other services we provide. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.

Information we may collect from you

We may collect and process the following data about you:

  • Information you or your organisation gives us by filling in a form on our website. Please see the section “Customers and Prospective Customers” for details about how we process this information.

Cookies and similar technologies

We use cookies and similar technologies to provide, protect, and improve our products and services, such as by personalizing content, offering and measuring advertisements, understanding user behaviour, and providing a safe experience.

You can remove or reject cookies using your browser or device settings, but in some cases doing so may affect your experience of our website. For further information about cookies and how to disable them please go to the guidance on cookies published by the UK Information Commissioner’s Office, or www.allaboutcookies.org.

Definition of cookies

Cookies are small pieces of text used to store information on web browsers. Cookies are widely used to store and receive identifiers and other information on computers, phones, and other devices. We also use other technologies, including data we store on your web browser or device, identifiers associated with your device, and other software, including web beacons and pixel tags, for similar purposes. In this Cookie Statement, we refer to all of these technologies as “cookies.”

 

 

Prospective Employees

Types of data we process

We hold many types of data about you, including:

  • your personal details including your name, address, date of birth, email address, phone numbers
  • whether or not you have a disability (in order for us to make reasonable adjustments if necessary)
  • information included on your CV including references, education history and employment history
  • documentation relating to your right to work in the UK

How we collect your data

We collect data about you in a variety of ways including the information you would normally include in a CV, a job application, cover letter or notes made by our recruiting officers during a recruitment interview.

In some cases, we will collect data about you from third parties, such as employment agencies, former employers (when gathering references) or credit reference agencies, and other information used for our pre-employment screening checks under the Baseline Personnel Security Standard (BPSS).

Further information will be collected directly from you when you complete any necessary forms at the start of your employment, for example, your bank and next of kin details. Other details may be collected directly from you in the form of official documentation such as your driving licence, passport or other right to work evidence. Personal data is kept in personnel files or within ITI Group HR and IT systems.

Why we process your data

We will process your personal data only:

  • in order to perform the employment contract that we are party to
  • in order to carry out legally required duties
  • in order for us to carry out our legitimate interests
  • to protect your interests and
  • where something is done in the public interest.

All of the processing carried out by us falls into one of the permitted reasons. Generally, we will rely on the first three reasons set out above to process your data.

We need to collect your data to ensure we are complying with legal requirements such as:

  • carrying out checks in relation to your right to work in the UK and
  • making reasonable adjustments for disabled employees.

We also collect data so that we can carry out activities which are in the legitimate interests of ITI Group. We have set these out below:

  • making decisions about who to offer employment to
  • making decisions about salary and other benefits
  • assessing training needs
  • dealing with legal claims made against us

If you are unsuccessful in obtaining employment, we will seek your consent to retaining your data in case other suitable job vacancies arise in ITI Group for which we think you may wish to apply. You are free to withhold your consent to this and there will be no consequences for withholding consent.

Special categories of data

Special categories of data are data relating to your:

  • health
  • sex life
  • sexual orientation
  • race
  • ethnic origin
  • political opinion
  • religion
  • trade union membership and
  • genetic and biometric data.

We must process special categories of data in accordance with more stringent guidelines. Most commonly, we will process special categories of data when the following applies:

  • you have given explicit consent to the processing
  • we must process the data in order to carry out our legal obligations
  • we must process data for reasons of substantial public interest
  • you have already made the data public.

We will use your special category data:

  • for the purposes of equal opportunities monitoring
  • for the purposes of making reasonable adjustments

We do not need your consent if we use special categories of personal data in order to carry out our legal obligations or exercise specific rights under employment law. However, we may ask for your consent to allow us to process certain particularly sensitive data. If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.

Criminal conviction data

We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage during our pre-employment screening (BPSS). However, it may also be collected during your employment, should you be successful in obtaining employment, for further national security vetting if required. We use criminal conviction data in the following ways:

  • To obtain various levels of security vetting required by the role

We rely on the lawful basis of consent to process this data.

If you do not provide your data to us

One of the reasons for processing your data is to allow us to carry out an effective recruitment process. Whilst you are under no obligation to provide us with your data, we may not be able to process, or continue with (as appropriate), your application.

How long we keep your data for

In line with data protection principles, we only keep your data for as long as we need it and this will depend on whether or not you are successful in obtaining employment with us.

If your application is not successful and we have not sought consent or you have not provided consent upon our request to keep your data for the purpose of future suitable job vacancies, we will keep your data for 30 days once the recruitment exercise ends.

If we have sought your consent to keep your data on file for future job vacancies, and you have provided consent, we will keep your data for six months once the recruitment exercise ends. At the end of this period, we will ask for your consent to keep your data for a further six months. Should you decline our request we shall delete or destroy your data, unless you have already withdrawn your consent to our processing of your data in which case it will be deleted or destroyed upon your withdrawal of consent.

If your application is successful, your data will be kept and transferred to the systems we administer for employees. We have a separate privacy notice for Employees, which will be provided to you.

Data Sharing

In addition to the third parties identified in the Policy we may share your personal data with the following:

  • Your data will be shared with third parties if you are successful in your job application. In these circumstances, we will share your data in order to obtain references as part of the recruitment process and obtain a criminal records check as part of our pre-employment screening.
  • HR System providers.
