About this Privacy Notice

One West is a trading arm of Bath and North East Somerset Council. We provide specialist professional services, including internal audit, data protection, risk management, investigations, cyber security, complaints handling and business continuity, to public bodies, education providers, charities and care organisations across the South West.

We are committed to protecting your privacy and being transparent about how we use personal data. This Privacy Notice explains, in broad terms, the personal information we collect, why we use it and your rights.

This is our main organisational Privacy Notice. Some of our services collect and use personal data differently. Where that applies, we publish service specific Privacy Notices to explain those uses in more detail.

 

Who we are (Data Controller)

For most of the personal data we process, One West is the Data Controller.

Address: One West, Guildhall, High Street, Bath BA1 5AW
Email: one_west@bathnes.gov.uk
Phone: 01225 395959

We form part of Bath and North East Somerset Council and are included within the Council’s ICO registration.

Data Protection Officer

Bath & North East Somerset Council

Email: data_protection@bathnes.gov.uk

 

What personal data we collect

The personal information we collect depends on how you interact with us and which service you receive. At a high level, we may collect:

  • Contact details such as your name, role, email address and telephone number
  • Business or organisational information
  • Information you provide when you contact us, including emails, queries or documents
  • Information needed to deliver the service you have purchased, for example audit evidence, data protection enquiries or investigation details
  • Information submitted through our website forms, event registrations or mailing lists
  • Technical information such as your IP address or browser type when using our website (see our Cookies Policy)
  • We may also receive personal data indirectly from client organisations when supporting them with services such as investigations, data protection enquiries, subject access requests or breach management.

We only collect what we need in order to deliver our services and manage our relationship with you.

 

Why we use personal data (our purposes)

We use personal information to:

  • Provide and manage the services you request
  • Deliver professional advice, reports, assessments and assurance work
  • Respond to enquiries and provide customer support
  • Manage contracts, invoicing and administration
  • Maintain internal records and quality assurance
  • Improve our services and website
  • Meet legal and regulatory obligations
  • Investigate and manage complaints
  • Send marketing communications, including newsletters and service updates, where the law allows us to do so. You can opt out at any time.

If a service uses personal data in a different way, this will be set out in the relevant service specific Privacy Notice.

 

Our lawful bases for processing

Under UK GDPR, we rely on one or more of the following lawful bases:

  • Contract – to deliver the service you have requested, or to take steps to enter into a contract (e.g. where an organisation is enquiring about our services)
  • Legal obligation – where the law requires us to use or share information
  • Public task – where we carry out functions on behalf of public sector clients
  • Legitimate interests – for our business operations, including sending newsletters and marketing communications where this is appropriate and where the law allows it, and where this does not override your rights and freedoms
  • Consent – for optional activities where we ask for it, such as event registrations or surveys (you can withdraw consent at any time)

Some services, such as investigations or data protection support, may involve processing special category data. Where this applies, details will be included in the relevant service specific Privacy Notice.

 

Who we share information with

We treat your information confidentially. We may share data with:

  • Client organisations where needed to provide contracted services, and where we receive requests from data subjects which relates to the client
  • Professional advisers or specialist partners who support our work
  • Bath and North East Somerset Council where required for governance, oversight, IT support or legal purposes
  • Third party suppliers who process data on our behalf under contract, for example secure systems or software providers
  • Regulators, law enforcement or other bodies where required by law

We do not sell personal data.

We do not routinely transfer personal data outside the UK. If this is ever required, we will ensure appropriate safeguards such as approved IDTAs or adequacy decisions are in place.

 

How long we keep personal data

We keep personal information only for as long as necessary to fulfil the purpose it was collected for.

Retention periods differ by service area and record type. Where a service has a defined retention period, this will be set out in the relevant service specific Privacy Notice.

 

How we keep your information secure

We use appropriate technical and organisational measures to protect personal data from loss, misuse or unauthorised access. Access is limited to staff who need it for their work and who are bound by confidentiality obligations.

Your rights

You have the following rights under data protection law:

  • Access to your personal data and to receive a copy of it
  • Correction of inaccurate information
  • Erasure in certain circumstances
  • Restriction of processing
  • Objection to certain uses, including where we rely on legitimate interests and an absolute right to object to direct marketing.
  • Withdrawal of consent where this is our lawful basis
  • Data portability where applicable
  • The right not to be subject to automated decision making where it has a legal or significant effect

To exercise your rights, please contact us at one_west@bathnes.gov.uk.

You also have the right to complain to the Information Commissioner’s Office:
www.ico.org.uk | 0303 123 1113.

 

Service specific Privacy Notices

This notice is intended to cover One West at a high level.

Some One West services process personal data differently. Their Privacy Notices explain:

  • What data that service collects
  • Why it is collected
  • How long it is kept
  • Who it is shared with
  • Any special category or sensitive data processing

 

Updates to this Privacy Notice

We may update this notice occasionally to reflect changes in our services or the law. The most recent version will be available on our website.

Last updated: March 2026

© 2018 One-West
Top
OneWest
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.