This Policy provides an overview of how I comply with data protection legislation and the basis on which any personal data I collect from you or that you provide to me during the course of carrying on my business will be processed. Although I may need to collect and hold certain personal data in order to deliver my services to you, I am committed to protecting and respecting your privacy.
About OGG Expert
OGG Expert is a trading name of Captain Terry Ogg, a marine investigator and consultant.
Controller / Contact details
Entity: OGG Expert
DPO: Terry Ogg
Address: 54 St James Street, Liverpool, United Kingdom L1 0AB
Contact Details: email@example.com
What information is being collected?
As part of providing my services, it is necessary to obtain and hold certain personal and sensitive personal data.
For individuals I may interview in relation to my investigative processes, the data I may collect includes title, first name, last name, job title, company name, company address, home address, phone and fax numbers, email addresses, date of birth, age, nationality, mother tongue, languages, communication app display/username(s), education and educational achievements, qualifications, training, employment contract(s) and employment history, working experience, working habits and medical fitness records and next of kin.
Special category personal data collected, held and processed includes information I collect about your health, including information about your existing and previous medical conditions, information sent from an employer and/or any third party relating to your health and other personal circumstances. I, any employer or other third party (as appropriate) may also collect any other Special Category of Personal data about you including details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation and trade union membership. I do not collect any information about criminal convictions and offences.
For individuals other than those I may interview in relation to my investigative processes, the data I may collect under these categories includes title, first name, last name, job title, company name, company address, home address, phone and fax numbers, email addresses, marketing preferences/records, professional qualifications and interests, personal interests, interaction and engagements with me, financial data (where relevant) and service data.
How I obtain personal information
I use different methods to collect data from and about you including through direct interactions, automated technologies or via third parties.
Purposes and Lawful Basis for Processing Personal and Special Category Information
I will only use your personal data when the law allows me to. Most commonly, I will use your personal data in the following circumstances:
Where expressed and informed consent has been given by the person whose data is being processed; and/or
Where it is necessary for me to perform the contract I am about to enter into or have entered into with your employer, their insurers, legal/claims advisors or agents; and/or
Where it is necessary for my legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and/or
Where I need to comply with a legal obligation.
Under the General Data Protection Regulations 2016/679, my lawful basis for processing and storing personal information is one of Legitimate Interest. I need to receive, process and store your information in order to provide the requested and agreed investigative, interview and witness services to the highest standard. Without such information, I cannot provide an effective service.
Note that I may process your personal data for more than one lawful ground depending on the specific purpose for which I am using your data. Please contact me if you need details about the specific legal ground I am relying on to process your personal data.
I require your explicit consent for processing sensitive category data, so I will provide you with a further communication asking you to confirm your consent to this processing.
How data is stored
All data received, generated and processed as part of the service I provide is stored securely.
Paper: written notes and other materials generated from discussions in session, and any written materials sent to me from a third party, are stored in a locked secure filing cabinet. Only I will have access to the key.
Computer-based/Smartphone: I use MS Office, various communication apps (Zoom, WeChat, WhatsApp, Slack, etc.), digital image management apps (Adobe Reader/Acrobat/Bridge, Affinity, iPhoto), audio processing apps (Fusion, Audio Hijack, etc.) and cloud-based transfer and storage services (WeTransfer, iCloud, Dropbox, Google Docs). These can be accessed via my iPhone, iPad, desktop and laptop, all of which will only be accessible via a password and/or Touch ID. Only I will have access to any information stored on local storage via password/Touch ID, or via their individual URL and username/password for cloud-based services. Digital copies stored temporarily on the password-protected laptop I use away from the office are transferred to the desktop computer on my return. Emails and attachments are held on an MS Exchange server, with emails replicated to password-protected desktop and laptop computers and a Touch ID-protected iPad and iPhone, and are backed up to the desktop computer. I use GDPR-compliant service providers such as WeTransfer and Dropbox for data transfer. Your data will be in an encrypted state during transfer and at rest. I back up data to local storage and to cloud-based services.
Email/Messaging/Chat: your email addresses, display/usernames, avatars, and correspondence may be stored in the relevant communication system account or app by nature of you making contact. Copies of correspondence may be taken and stored in accordance with the processes for other types of electronic records described above. Your telephone number may be stored in messaging apps or on the relevant call list should communication happen via these routes.
Investigative interview records will be kept until all actual and potential commercial disputes have been finally resolved.
The security and confidentiality of your data are extremely important to me. Therefore, your data will never be used, sold or shared for any purpose other than for providing my professional services. As part of my services I may be required to share the data I collect with legal/claim advisors, insurers’ organizations, shipowner/shipmanager organizations and your employer.
My professional code of practice requires me to share information appropriately. Should an individual I work with disclose that they or someone else is at serious risk of harm, I may need to contact other agencies such as their usual medical practitioner, as is consistent with my professional obligation to place safety first.
Individuals have the right to have a copy of the records I hold for them, under GDPR. I will only release copies of my records where there has been a signed, addressed and dated request for such from you.
I require all third parties to respect the security of your personal and special category data and to treat it in accordance with the law. I do not allow my third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with my instructions.
Change of purpose
I will only use your personal data for the purposes for which I collected it, unless I reasonably consider that I need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact me.
If I need to use your personal data for an unrelated purpose, I will notify you and I will explain the legal basis which allows me to do so.
Please note that I may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Many of the parties I work for and with are based outside the UK, so their processing of your personal data will involve a transfer of data outside the UK. Whenever I transfer your personal data out of the UK, I ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
I will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
Where I use certain service providers, I may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.
Please contact me if you want further information on the specific mechanism used by me when transferring your personal data out of the UK.
I have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, I limit access to your personal data to those who have a business need to know. They will only process your personal data on my instructions, and they are subject to a duty of confidentiality.
I have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where I am legally required to do so.
Data retention and destruction
I do not keep information about you any longer than is necessary. The length of time I keep your data may be determined by statutory or regulatory requirements. I delete or destroy all personal data when it is no longer required.
A copy of my data retention policy is available to individuals on request. This shows how long I would expect to keep your data and why.
Your rights under data protection legislation
You have various rights under the relevant data protection legislation. If you wish to exercise any of these rights, then please contact me (as DPO) in writing.
I am confident that I will be able to answer any questions you may have, but should you feel it is necessary, you do have the right to contact the UK Information Commissioner’s Office to discuss the matter further.
You have the right to see what personal data I hold about you. You also have the right to know where I got the data from, how and why I am processing your data, who it has been shared with, and how long I intend to keep it for.
You have the right to ask me to investigate, and correct where appropriate, any personal data I hold about you that you believe is wrong.
You have the right to ask me to erase personal data that I hold about you where I no longer have a lawful purpose to process the data, or where the data is being processed based on your consent which has now been withdrawn.
This right may be restricted by my need to comply with laws, regulations or other legitimate reasons that require me to retain data. However, I will tell you if this is the case.
Restriction of Processing
You have the right to ask me to restrict the processing of your personal data. Restricted processing means that I cannot make any changes to the data unless I have your consent. You can ask for restricted processing where:
You believe the data I hold is inaccurate and I need time to properly investigate;
I have unintentionally come into possession of your personal data that I should not hold but you do not want me to delete it;
Where I no longer need your personal data, but you want me to hold on to it for legal reasons; or
Where you have objected to how I use your personal data, and this is being investigated.
Right to Object
Where you feel that I am processing your personal data in a way that is inappropriate you have the right to object and so ask me to demonstrate legitimate grounds for doing so. This includes asking me not to communicate with you other than in ways you choose.
Right to not be subject to Automated Decision-making or Profiling
I do not make decisions based on automated processing or profiling.
Changes to this Privacy Notice
Third Party Links
Data collected by third parties on my behalf
My site is hosted by Spoton.net Limited (registered company number 06139437 in England and Wales). Spoton.net logs all requests in order to determine the causes of reported faults and to detect and block suspicious traffic. The log records the time of the request, your IP address, the requested resource, the referring site (if specified by your browser), and your browser’s user agent string (which will usually include the name and version of your browser and operating system). Log files are deleted after ninety days.
Lawful basis for processing
Compliance with a legal obligation. To comply with the GDPR obligation to implement appropriate technical measures to protect data.
Other data collected by third parties