Data protection

What is data protection?

Data protection concerns the protection of personal information relating to living individuals. This includes information like names, addresses, dates of birth and so on.  Any data that are in our possession are included. 

Data protection safeguards against any loss of, or any unauthorised use of or access to, personal data.

Data Protection Act

We are registered with the Information Commissioner’s Office under the Data Protection Act 2018 (Registration Number Z6289325).

We are committed to upholding the core data protection principles as outlined in the Data Protection Act.

We comply with the requirements of the Data Protection Act in the way we collect, store, process and disclose personal information.

Further details can be found on the Information Commissioner’s website.

ICNARC and Data protection

As a responsible, forward-looking business, ICNARC recognises at senior levels the need to comply with all relevant data protection laws and ensure that effective measures are in place to protect the personal data of our customers, employees and other stakeholders, and to ensure that it is processed lawfully, fairly and transparently.

Commitment to the security of personal data extends to senior levels of the organisation and is demonstrated through the relevant policies and the provision of appropriate resources to establish and develop effective data protection and information security controls.

As part of meeting our legal obligations, we have put in place a comprehensive programme to understand and validate our use of personal data and to confirm the lawful basis of our processing.  Further to this, we can confirm that:

  • A policy is in place for the protection of personal data within ICNARC which has been approved by management and communicated to all employees and other relevant people within ICNARC
  • All employees have received awareness training regarding data protection and cyber security
  • All ICNARC staff understand their roles in the protection of personal data, and have received training where needed
  • We have identified the personal data we process, including where special categories of data are involved
  • For each occasion we process personal data, we have established a lawful basis for the processing
  • Where we have used the lawful basis of legitimate interest, we have conducted a documented balancing test to assess the benefits versus the impact on the data subject of the processing
  • In those cases where our processing is based on consent, we have taken steps to ensure clear, free consent has been given and is recorded, including consideration of parental consent for children
  • We have put in place a blended approach, using just-in-time privacy notices and a layered privacy policy, to ensure that the required privacy information is provided in clear language whenever we collect personal data
  • Tested procedures and online user facilities are in place to promptly process and fulfil data subject access requests, such as consent withdrawal, access and rectification
  • The length of time we keep personal data for, or the way we decide this, has been defined in each area of processing, and has been minimised
  • We are keeping records of processing activity
  • Where we are a controller, all of our contracts with processors have been updated to comply with the requirements of data protection laws
  • Where we act as a processor, we have contractually committed to complying with the requirements of the GDPR
  • All of our employees are subject to confidentiality obligations with respect to personal data
  • Where we transfer personal data internationally, we have ensured that the transfer is legal under the Data Protection Act
  • Where appropriate, a data protection impact assessment approach, which is in line with the requirements and recommendations of the GDPR and relevant best practice, will be conducted in advance of the processing of personal data
  • By default, we plan for data protection in new or changed services and systems, including minimising our use of personal data and protecting it via techniques such as pseudonymisation
  • We have tested procedures in place to fulfil our obligations in the event of a breach of personal data, both as a controller and as a processor
  • In order to ensure the confidentiality of Personal Data, ICNARC implements information security controls to ensure access to such information is authorised and only for legitimate purposes
  • We have policies and other controls in place to provide appropriate protection of personal data, based on a careful assessment of risk

We have appointed a Data Protection Officer whose contact details are as follows:

Name: Scott Carnegie

Address: 24 High Holborn, London WC1V 6AZ

Telephone: 020 4513 6235


If you have a complaint or query regarding the use of your data, please contact the DPO. We will continue to develop and improve our data protection policies and controls over time, guided by legal requirements and the needs and preferences of our customers and partners.