Birmingham Airport Limited and Personal Data Transparency
The objective of this Transparency Notice is to provide information, under our transparency obligations, regarding the processing the Airport carries out using your personal data. We aim to go above and beyond what is required of us under the ‘Right to be Informed’, with a hyperlink to our privacy notice page included in this document.
Birmingham Airport Limited (BAL) is committed to achieving a high standard of data protection and GDPR compliance. This Transparency Notice will support the Airport’s open and honest approach to processing personal data, giving a bit more insight into the ways in which the Airport uses personal information. Please note that the specific processing activities are covered in our privacy notices, as required under the “Right to be Informed”. This Transparency Notice is designed to give an overview only and is not required by law.
The General Data Protection Regulation (GDPR) has introduced new Privacy Notice requirements. This meets the data subject’s ‘Right to be Informed’. Organisations, such as the Airport, that collect and use your personal information are required to produce a Privacy Notice, sometimes called a ‘Fair Processing Notice’, providing information to which you are legally entitled. Where applicable, the Airport publishes these Privacy Notices on https://www.birminghamairport.co.uk/data-protection/privacy-notices/. We encourage all visitors to the airport to contact the Data Protection Officer if they are providing personal data at the airport and are not provided with the required Privacy Notice. Contact details can be found at the bottom of this notice.
Privacy Notices are designed to inform you of how your personal data is being used but also give you control over it. The Airport always endeavours to ensure our Privacy Notices are appropriate, up to date and accurate.
There are times when the Airport will lawfully share your personal data with crime prevention organisations, such as the Police, UK Border Force or other international crime agencies, to keep the Airport’s visitors and staff safe, and to help in the wider remit of our enforcement partners’ obligations under crime legislation. Sharing of this nature is done lawfully and with all required evidential documentation.
We also share personal data with corporate partners, who provide services to visitors on the Airport site. Business to business information is shared where required but done so appropriately, in ways that we would expect our partners to think was fair.
The Airport keeps a record of what personal data we hold, why we legally hold it and who we share it with. We have a Records Management Policy and Retention Schedule to ensure we do not hold data for longer than is necessary.
The GDPR and Data Protection Act (DPA) 2018 set out exemptions to certain obligations and data subject rights that organisations, such as the Airport, must adhere to. Use of these exemptions depends on why the Airport processes personal data, and they are applied on a case-by-case basis.
Where appropriate, the Airport will consider the extent to which the relevant GDPR requirement would be likely to prevent, severely impair, or prejudice the achievement of our processing activities. In these cases, the Airport would consider an exemption.
When the Airport relies on an exemption, it will be documented, along with the justification for doing so. The exemptions relevant to the Airport’s data processing include (but are not restricted to): immigration; crime and taxation; and information required to be disclosed by law or in connection with legal proceedings.
Due to the nature of the Airport’s business and the scale of the Airport site, it is highly probable that all visitors and staff will be captured by the Airport’s CCTV recordings. The use of CCTV at the Airport is essential for health and safety, crime prevention and monitoring operational standards.
Access to the CCTV system is restricted to trained staff, who can only process and/or share your data within strict legal and operational boundaries. These boundaries are enforced through access controls, corporate procedures and staff monitoring practices. Staff who fail to use CCTV in an appropriate and legal manner will face internal disciplinary procedures. Additionally, all staff who have access to the CCTV system for their work are trained in GDPR and CCTV by the Data Protection Officer. This training is mandatory, and access to the system is revoked or withheld if the training is not completed.
Access to CCTV footage, where you appear, can be requested through a GDPR ‘Right of Access’ request. Steps will be taken to ensure the rights of others are not infringed upon, and, where appropriate, an exemption may be applied preventing the release of data. Where the Airport does this, the reason will be documented.
For the purposes of capacity planning and management, the Airport uses a technology known as ‘BlipTrack’, or ‘BLIP’. This technology will track signals provided by Wi-Fi and Bluetooth-enabled devices (such as mobile phones, headphones and smart watches), mapping passenger traffic across the Airport site.
The Airport temporarily holds device identification data, such as Media Access Control (MAC) or Internet Protocol (IP) addresses. This data will not be used to identify an individual. Data identifying your device will be disposed of by the Airport and the service provider (BLIP Systems) after 24 hours. Once your device address has been removed, this becomes anonymised data. The Privacy Notice is available on our website and you can access this through the link provided further up in this Notice.
Where appropriate, the Airport will continue to publish Privacy Notices on our website. These will be reviewed at least annually, or when a change to our processing activities takes place.
Additional signage will be displayed in publicly accessible areas to make staff and visitors aware that they are being captured by the CCTV system. Efforts will be made to ensure this signage is highly visible and easy to read.
Ongoing staff training helps to educate staff on their responsibilities around the data subject rights, including ensuring the Airport is transparent in its data processing activities. This includes the need to complete Data Protection Impact Assessments (or DPIAs) for high-risk processing activities, including introducing new technologies into the organisation.
It is the Airport’s intention to add to this Notice over time.
Data Protection Officer Contact Details
For guidance on how Birmingham Airport Limited uses your personal data, or to exercise your rights as a Data Subject, please contact the Data Protection Officer: [email protected]
The Data Protection Officer
Birmingham Airport Limited