(Updated Tuesday 17 June 2025)
At Civica we take data privacy seriously; we are committed to being transparent about how we collect and use your personal data and to ensuring that we meet our data protection obligations under the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (the “UK GDPR”)) and Privacy and Electronic Communications (EC Directive) Regulations 2003.
This Privacy Notice relates to Civica UK Ltd., if you are a customer of Civica Election Services, please click here.
Our Data Protection Officer (DPO) can be contacted on:
Dr Paula James
Southbank Central (8th Floor)
30 Stamford Street
London
SE1 9LQ
Tel: 020 7760 2800
Civica is registered with the Information Commissioner’s Office, with registration number Z5268164.
If you have questions or comments about this Privacy Notice or how we handle personal data, please direct your correspondence either to the above postal address (marking the envelope ‘FAO – Data Protection Officer’), or to DPO@Civica.com.
This Privacy Notice covers the following:-
-
How Civica collects personal information
-
Civica’s purposes and lawful bases of personal data processing
-
How we store your information
-
Sharing information
-
International transfers
-
Your rights
-
Rights related requests
-
How to complain
-
Changes to this Privacy Notice.
How Civica collects personal information
At Civica we may obtain personal data directly from individuals in a number or ways including:
-
When you fill in a form on our website
-
When you give us your business card
-
When you become a client
-
When you submit a job application
-
When you use our support and service portals
-
When you email or call us
-
When you visit our offices or attend events, conferences and meetings
-
When you subscribe to our newsletters and user groups
-
When you participate in a white paper research project.
Civica may also obtain personal information indirectly from a variety of sources including:
-
Third parties, such as joint marketing partners and data brokers that share business contact information with us
-
Recruitment services will provide us with CVs and Contractor Workforce Management services
-
Customers who may share the contact details of their employees
-
Publicly available sources such as LinkedIn, Companies House or freely available news articles
-
Companies providing security background checks
-
CCTV located at Civica offices
-
Reports that are raised through our whistleblowing process
-
Colleagues who provide us with your contact information as their next of kin.
-
Advertising platforms provided by third-party social media companies.
We will always ensure you know we are processing your personal information except where it is disproportionately difficult to do so.
Civica’s purposes and lawful bases of personal data processing
Civica processes personal data for the following reasons:
For Website Users
When you visit our website, we use your IP address and location data to determine which regional site, and region-specific content should be displayed.
Our legal basis for this processing is our legitimate interest in providing you with the information specific to your region to promote our services and improve our business.
We also enable cookies. Further details about what cookies we use, how we use them, how long they are stored for, and how you can manage them can be found in our Cookie Policy.
Additionally, we use Google Tag Manager to help manage website tags and track activity. User-provided data, such as email addresses, may be collected and shared in a hashed format with Google Ads for conversion tracking and measuring advertising performance in line with Google’s policies.
For Mobile App Users
Some Civica products have associated mobile apps. Depending on the functionality of the specific app, it may collect some of your personal data. Civica’s customers act as data controllers for the processing of your personal data by these apps; privacy information related to our role as processor in the provision of these apps is available on either the Google Play Store or Apple App Store.
To fill job vacancies
If you submit a job application either directly or through a recruiter, we will use your information in connection with the specific job that you have applied for. We will store your information for 15 months in case any legal claim for discrimination is made.
To consider you for other vacancies for which you may be suitable, which may arise during this 15-month period, we will add your information to our talent pool. If you’d rather not be added to the talent pool, or wish to be removed at any time, please let us know.
Sometimes we use publicly available sources of data such as LinkedIn to source candidate information. However, you will always be contacted before we add your information to our recruitment system and provide you with the opportunity to opt-out.
For certain roles there may be a request to share your CV with a specific customer to confirm your suitability. You will be notified during the recruitment process by our Recruitment Team if this applies to the role you have applied for.
For certain roles, such as those involving applicants from Northern Ireland, we are legally required to collect community background information. This is information which may reveal religious beliefs, and we will retain this for a period of three years from your application.
For all roles we also request equality and diversity data for monitoring purposes. This information is not mandatory, although we encourage you to provide it. We make every attempt to anonymise this information and ensure it cannot be linked back to an individual.
We may use a third-party tool to record interviews, generate transcripts, and provide AI summaries to support a fair and focused recruitment process. Information processed may include contact details, education and skills, employment information, personal identification, and professional experience. While the legal basis for this processing is our legitimate interests in running a fair and effective recruitment process, this will not be used without your prior consent.
We also work with recruitment agencies, who may provide us with CVs for potential candidates. These agencies may receive personal data from us such as start dates, salary, and, where relevant for refund claims, the end date and reason for termination.
For some roles, particularly in sales, we may use psychometric testing carried out by third-party providers. In these cases, we share your name and contact details with the provider, and we receive the test results to help determine your suitability for the role.
If you would like to remove the data that you've submitted to us during the recruitment process, please contact our Recruitment Team at PeopleTeam@civica.com. There may be occasions where we are unable to immediately fulfil this request, including for reasons set out above.
The legal basis for processing your data for recruitment purposes is our legitimate interest in operating our business.
The legal basis for processing community background information for applicants from Northern Ireland is legal obligation.
Employee Onboarding
We use an electronic signature tool to facilitate the completion of onboarding documentation. This allows new employees to securely sign contracts and submit required information digitally. The personal data collected may include name, contact details, date of birth, CV, employment and education history, ID documents, bank details, emergency contacts, and health or equal opportunities data.
Our legal basis for processing onboarding data is the performance of a contract, compliance with legal obligations, and our legitimate interests in managing recruitment and onboarding processes efficiently. Where we process special category data, we rely on employment law obligations or public interest.
To provide customer support and access to self-service portals and to provide service delivery
When you become a partner / customer of ours, we collect your data from our portal login pages. We do this in order to provide online and telephone support services to help deliver contracted services to you via web portals, email or over the telephone. We use this information to process online requests, solve problems, answer questions and respond to communications from individuals and organisations.
When your details are registered with our customer support service, Civica Support Cloud, we collect data including your work contact details and company details, in order to provide technical support.
The portal includes access to a knowledge hub, customer discussion forums, and visibility of Civica’s full product offering. Where discussion forums are used, the names of participants from other customer organisations may be visible to logged-in users.
Our legal basis for processing these data is our legitimate interest in providing our services.
For conducting user research on our products
We conduct user research to improve our products, where we collect your personal data including name, contact details, and opinions should you choose to take part. Our legal basis for this processing is the explicit consent of the research participants to help improve our business.
For conducting user analytics on some of our products
We conduct privacy-first user analytics for some of our products to help Civica understand how its products are utilised and to inform product development. For this purpose, the only personal data we process is the organisation you work for. No other personal data is used, and user activity tracking is minimised to include only some information about which modules and buttons are interacted with.
All content and personal data is encrypted, salted, and hashed so as to be inaccessible to the user analytics tool. No cookies or temporary files are stored on user devices for the purpose of user analytics.
Our legal basis for this processing is our legitimate interest in improving and maintaining our products.
We currently deploy user analytics in the following Civica products:
-
Altitude
-
Cashless Catering
-
CITO
-
Civica Care Records (Paris)
-
Civica Education Suite (CES)
-
Civica Income Management (CivicaPay)
-
Clinical Pathways (Infoflex)
-
Digital 360
-
Financials LIVE
-
iCasework
-
ModernGov
-
People Hub (HRP)
-
Prescribing
-
Scheduling.
For conducting user research on our website
We conduct research into user journeys of our website visitors. In order to do this, a code snippet is used to track only the research participants’ movements around our website, during timed research events. We also collect opinions, voice recordings, and location data. Our legal basis for this processing is the explicit consent of the research participants.
For purposes of financial management
We use an electronic signature tool to facilitate the secure signing of customer commercial contracts. This involves processing personal data such as name, company information, and signature. Our legal basis for this processing is our legitimate interest in managing and finalising contracts efficiently.
We gather and retain business contact details for financial management purposes. Personal information such as names and contact information will be needed to ensure purchase orders, requisitions, invoices and debts are handled appropriately. Additionally, for some of our on-premise solutions we may be required to process user volumes of our products to ensure accurate licence management and billing. Our legal basis for processing financial information is our legitimate interest in operating our business. The retention period for this type of information is up to 7 years in line with legal and tax regulations.
Additionally, we use a third-party invoice portal to upload customer sales invoices for processing, approval, and payment. This may involve personal data such as name, email address, and company details. Our lawful basis is legitimate interests, to support efficient service delivery and payment.
To provide customer support and access to self-service portals and to provide service delivery
When you become a partner
To send you marketing materials by email
We use your contact details to send you marketing and product information. You can opt out of marketing messages at any time. We will remove your details from our marketing list if there is no activity (such as opening an email) for a 2-year period.
We only send marketing communications to corporate subscribers (business emails). Occasionally, we may share certain marketing lists with our trusted third-party brokers before purchasing a list). This allows them to cross-reference the data, helping to ensure the information we receive is accurate and up to date.
We may also contact you to conduct customer satisfaction and market research surveys.
Our legal basis for this processing is our legitimate interest in promoting and improving our business.
To tell you about our products and services
If you complete an enquiry form on our website or give us your details in person, for example at a conference, we will contact you by email or phone so that we can discuss the products or services in which you have indicated an interest.
If we collect your details from publicly available sources, such as LinkedIn, we may contact you by email or phone to tell you about our products or services that we believe may be of interest to you.
We may use targeted advertising tools to promote our products and services. This may involve limited professional information such as your name, job title, email address, and telephone number. Such processing is carried out in accordance with our legitimate interests in marketing our services and products.
As a Civica customer you may wish to join our special interest and user group forums . These are groups of people that share a common interest in Civica products and services. In such cases Civica will store personal contact information such as name and email address to facilitate the organisation of group events and meetings. Civica may share this personal information amongst other group members to aid discussions, facilitate knowledge sharing and distribute information relating to new products in which the group may be interested. Our lawful basis for processing is our legitimate interest in selling our products and services. Our retention period for this purpose is 2 years.
To invite you to conferences or exhibitions
We may use your data to invite you to conferences and events. Sometimes Civica uses this information to provide assistance with travel and/or hotel arrangements at the request of the individual.
Our lawful basis for processing data for these purposes our legitimate interest in promoting our business. Our retention period for this purpose is 2 years.
To host meetings with you at Civica Offices, conferences or exhibitions
We need to process your data in order to manage access and physical security at our offices. At some Civica sites visitors may be required to provide photo proof of ID, but this information will not be stored. Our lawful basis is our legitimate interest in ensuring the security of our business premises and authorised attendance at our events.
We may also ask for dietary restrictions or access requirements that reveal religious beliefs or physical health conditions. Our legal basis for processing these data is your consent which you can withdraw at any time.
Once your access has been arranged, we do not retain this information.
To provide access to Civica resources
Where we engage external consultants to provide a service to Civica we collect contact details to ensure that they can access the required Civica resources at an appropriate level for the support provided.
Our legal basis for this processing is our legitimate interests in ensuring appropriate, relevant access to Civica resources for those who require it.
To manage the security of our facilities
Some of our offices have CCTV systems that monitor the perimeter of the buildings. These collect location and time-stamped images of you and, sometimes, of your vehicle in order to protect our buildings and assets from damage, vandalism or any other crime. If necessary, the images may be shared with law enforcement and, where applicable, the landlords of our facilities in order for them to investigate security incidents.
Our lawful basis for the processing this data is legitimate interest to ensure the security of our business premises and help to prevent and detect crime.
Our policy is to automatically overwrite CCTV footage within 60 days.
At certain office locations – specifically Altrincham, Southbank, and Belfast – CCTV systems are operated by the landlords or other third parties, not by Civica. In such cases, the landlords are responsible for the operation and management of the CCTV systems, including any associated data processing.
To identify Civica colleagues
If you successfully apply for a role at Civica, we ask that you send us a picture of yourself for us to provide you with an ID badge to access our sites.
Our legal basis for this processing is our legitimate interests for ensuring the safety and security of our facilities, systems and colleagues.
To contact you, as next of kin, in the event of an emergency involving our colleagues
We collect next of kin name and contact information from our colleagues for us to use in an emergency situation where we need to contact our colleagues’ next of kin on their behalf. We retain these details for no longer than necessary for the specified purpose.
Our legal basis for this processing is our legitimate interests in ensuring the health and wellbeing of our colleagues.
To comply with auditing requirements
In order to maintain our certifications and to comply with our legal obligations, Civica is required to assist and cooperate with external third-party auditors. We may need to share your information as part of these audits.
Our legal basis for this processing is our legitimate interest in maintaining our business certifications.
To develop our staff and improve call quality standards
We record calls that are made to our Civica Support Cloud to assist in our review of call quality standards. We use this information to help train and develop our staff. We also record calls that are made to customers and prospects to assist in our review of call quality standards.
In addition, Microsoft Teams calls may be recorded with the consent of participants. On occasion, these recordings may be shared with trusted third parties such as current or prospective customers, suppliers, or partners for the purposes such as showcasing solutions, collaboration, or improving service delivery. Personal data captured during these recordings may include full name, company entity, and opinions expressed during the call.
Call recordings are retained for a period of 90 days before they are automatically deleted.
Our lawful basis for processing data for these purposes is our legitimate interest in improving our call quality standards and, where applicable, explicit consent.
For the purposes of sales enablement
Our sales processes include the use of tools that collect personal data including contact details; email metadata including subject, recipients, and time; meetings attended; and technical identifiers such as IP address.
Our legal basis for this processing is our legitimate interest in selling our products and services.
Business reorganisation
Like many organisations, Civica may reorganise its business operations around the world from time to time, whether by buying new businesses or selling or merging existing businesses. This may involve us disclosing personal data to prospective or actual purchasers of parts of our business, or receiving personal data from potential sellers. Our legal basis for this processing is our legitimate interests in restructuring our business.
How we store your information
Civica is dedicated to keeping your data safe. We are certified under ISO27001 and ISO27701 as having put technical and organisational policies and procedures in place to protect personal data from loss, misuse, alteration or destruction. We ensure that access to your personal data is limited only to those who need to access it, and those individuals are required to maintain the confidentiality of such information. Where necessary, we apply encryption and anonymisation techniques in efforts to further protect personal data.
How long we keep personal data
We retain personal data for no longer than necessary for the purposes for which it is processed, unless we are required to do so by law or if the data is required for the exercise or defence of legal claims.
Sharing information
We will never sell your data to third parties. We may, however, share your data with companies with whom we have a direct business arrangement to jointly market Civica related products.
We use third party data processors for purposes including:
-
Marketing and marketing automation
-
Lead generation
-
Sales enablement
-
Recruitment
-
Security vetting.
We have contracts in place with our data processors. This means that they cannot do anything with your personal data unless we have instructed them to do it. They will not share your personal information with any unauthorised organisation, and they will hold it securely and retain it for the period we instruct.
International transfers
Civica operates and provides services from its locations across the globe. As such we may transfer personal information to Civica group locations outside of the UK when we have a business reason to do so. We have Intra-Group Transfer Protocols in place based on Standard Contract Clauses which provide legal safeguards for such transfers, where applicable.
Additionally, we may transfer personal data to our third-party service providers outside of the UK. We only transfer this data where it is necessary to do so and where a legal safeguard is in place. Before making such transfers, we assess the potential risks involved and implement appropriate measures to protect your data.
Your rights
-
Your right of access – You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
-
Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
-
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
-
Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
-
Your right to object to processing – You have the right to object to processing if we are using legitimate interests as our lawful basis for processing.
-
Your right to data portability – This only applies to information that we have collected directly from you. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or as part of a contract, or in talks about entering into a contract and the processing is automated.
-
Your right to withdraw consent – Where the lawful basis of processing is consent, you can withdraw your consent that you have previously given to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case.
Validating rights related requests
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it.
Fees
No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.
There are circumstances, where we have an obligation, legal or otherwise, or the right to process your personal information, and therefore your request may be challenged or denied where we believe there is good cause to do so.
How to complain
If you disagree with how we are processing your data, please contact our DPO at DPO@civica.com or address your letter to the DPO at the Civica Headquarters address listed in the ‘Contact Details’ section.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
EU representative
Civica has appointed an EU representative in accordance with Article 27 of the EU GDPR. Their contact details are as follows:
The DPO Centre Europe Ltd
Alexandra House
3 Ballsbridge Park
Dublin, D04C 7H2
Ireland
civicaeurope@dpocentre.com
+353 1 631 9460
Where applicable, we will share your contact details with our EU representative.
Changes to this Privacy Notice
Civica will occasionally update this privacy notice to reflect changes in legislation, our practices and services. When we post changes to this privacy notice, we will revise the “updated” date at the top of this privacy notice. We recommend that you check this page from time to time to inform yourself of any changes in this privacy notice.
Summary of changes:
Update | Detail |
Friday 15 May 2020 | Amended retention information for job vacancies and marketing processes. |
Tuesday 28 July 2020 | Clarification of marketing for corporate subscribers only. Expanded upon requirement to share data with external auditors. |
Thursday 30 July 2020 | Highlighted personal data used for contact tracing purposes. |
Monday 15 February 2021 | Updated references to legislation to recognise UK GDPR. |
Thursday 4 March 2021 | Expanded upon our reasons for relying on legitimate interest. |
Monday 8 March 2021 | Included details of our EU Representative. |
Monday 12 July 2021 | Clarification of when personal data is shared with third-party auditors. |
Friday 1 October 2021 | Clarification of retention periods |
Friday 5 November 2021 | Extended upon our marketing processes |
Thursday 20 January 2022 | Included data processed via our whistleblowing process |
Monday 11 April 2022 | Clarification on data being used in connection with legal proceedings |
Thursday 16 June 2022 | Clarification on data used for market research purposes |
Wednesday 13 July 2022 | Inclusion of Northern Ireland ‘community background’ information & payment card processing. |
Friday 15 July 2022 | Clarification of CV retention & pseudonymised data for machine learning |
Friday 22 July 2022 | Clarification of retention of recruitment data & legal basis for product development |
Thursday 28 July 2022 | Inclusion of the Bring Your Child to Work event |
Wednesday 28 September 2022 | Removal of the Bring Your Child to Work event |
Thursday 1 December 2022 | Removal of Covid-19 information. Addition of business reorganisation section. |
Friday 9 December 2022 | Addition of location data for website and mobile app |
Tuesday 31 January 2023 | Addition of potential to share candidate CVs with specific customers |
Friday 29 September 2023 | Retention of candidate data |
Friday 13 October 2023 | Sales call recordings |
Tuesday 30 July 2024 | Review and update. CCTV sharing. |
Tuesday 13 August 2024 | Next of kin information |
Friday 22 November 2024 | Civica Support Cloud |
Thursday 09 January 2025 | External access to Civica resources |
Tuesday 4 March 2025 | ID badges, user research, Contractor Workforce Management services |
Tuesday 17 June 2025 | ID badges, user research, product user analytics, Contractor Workforce Management services, recruitment agencies, psychometric testing, invoice portal, e-signature tool, social media ads. |