CACI understands the importance of being transparent with individuals about how their data is being used, keeping individuals’ personal data secure, lawfully using such personal data and enabling individuals to exercise their privacy rights. EU and UK data protection laws protect individuals when organisations process their personal data, and this is particularly important as newly developed technologies and methods can be a threat to the rights and freedoms of individuals, and in particular, their right to privacy. Also, these laws give increasingly stronger rights to individuals that enable them to have greater control over what organisations do with their personal data. GDPR (General Data Protection Regulation) and the new UK Data Protection Act 2018 (DPA 2018) came into force in May 2018. The DPA 2018 incorporates GDPR and accordingly GDPR rules still apply since the UK left the EU.
This notice sets out an overview of the personal data that CACI controls, how it is used, and how it is protected. It also contains an overview of individuals’ rights in relation to their personal data and where to go for more information.
B2B: means business to business (e.g. where we send information relating to our business to your work/business email address).
Controller: means anyone (including any company, partnership or government body) that determines how to use the personal data and for what purpose. It is usually the organisation that (a) collected the personal data directly from the data subject or (b) received it from another organisation for its own independent use.
Data subject: means the individual person to whom the personal data relates (i.e. you).
Personal data: means any information that relates to an identified or identifiable living individual. It can include information which identifies a person (name, address) or factors about their identity (for example, their interests).
Processing: means anything that an organisation does to or with personal data (e.g. collection, storage, use, correction, deletion, access to or transfer of personal data).
Processor: means anyone that processes (e.g. uses, stores or has access to) personal data on behalf of the controller. A processor must not use the personal data it receives for its own independent purposes.
Who are CACI, and how can you contact us?
CACI Limited is a provider of marketing and information management services to many of the UK’s and world’s leading consumer brands, companies and public-sector organisations. We provide data, software and consultancy services to help our clients market their products and services or manage their information systems more effectively.
We can be contacted as follows:
London W14 8TS
Tel: 020 7605 7077
Email: [email protected]
CACI has appointed a Data Protection Officer, who can be contacted via the Compliance team using the following details:
Data Protection Officer
London W14 8TS
How do we use personal data?
CACI uses personal data in its business as follows:
(A) Data services: We supply personal data services to our clients, which they use to help them better understand the needs and attributes of their customers and prospective customers. We also supply personal data to organisations that in turn supply that data to their clients. The end purpose is to provide better targeted and relevant direct marketing communications to you. The single largest and most important source of personal data (i.e. name and address data) that CACI buys is the edited Electoral Register data. This data is lawfully collected by local authorities, pursuant to article 6(1)(e) of GDPR, as it is necessary for carrying out their tasks in the public interest or in the exercise of their official authority (as vested in each electoral registration officer under the Representation of the People Act 1983 (as amended) and the associated regulations). The Representation of the People Act 1983 (as amended) also permits local authorities to sell the name and address data of registered voters, who have not objected, to commercial organisations. Any individual can ask their local authority to remove their personal data from the list that is made commercially available to organisations. CACI buys its copy of the edited Electoral Register from Equifax Limited (to see a copy of their privacy notice go to www.equifax.co.uk/ein.html section 2(c) Marketing Services Processing). CACI also buys in other sources of personal data (see Big Table of Information below). The personal data that we buy in is then combined with non-personal data to build classification databases. Also, CACI uses your personal data to create segments, categories, or profiles that are used in our databases, or to provide other data services. Please note that we do not use profiled data to make automated decisions relating to you.
We have two main individual level classification databases, which we call Ocean and Fresco and we have postcode level classification databases, the largest of which we call Acorn. The individual level databases for both OCEAN and Fresco that we create contain personal data and profiled data. For example, our OCEAN database may contain your name, address and profiled attributes/behaviours, such as probability scores as to whether you may have pet insurance and whether you have bought books online in the last 12 months. These probability scores are modelled/predicted scores and are not actual data relating to you; they are created by inputting personal data and non-personal data (e.g. aggregated census data) into an algorithm and then running the computer model to produce probability scores for a wide range of attributes/behaviours. As for our postcode level classification database, Acorn, it contains postcodes and 62 alphanumeric codes, which are modelled/predicted codes (e.g. for a particular postcode the corresponding Acorn code may be 3.H.27; this indicates the postcode relates to “Conformable communities with steady neighbourhoods and with suburban semis, conventional attitudes”). Please note that a given Acorn code will be shared by many different postcodes and is not unique for a given postcode.
(B) Location data: Apps that are downloaded to mobile devices (e.g. mobile phones or tablets) sometimes use location data – including your GPS latitude and longitude. If you have given permission for this within an app, the app developer might send that location data to CACI via one of our suppliers of location data. You would have been notified of this use of location data when you downloaded the app, and can check it via the privacy settings on your mobile phone.
The data we receive will be a disguised (“hashed”) version of the Advertising ID of your device (this is a code that only Google or Apple can link to your real-life identity), and the general location of your mobile device whenever it “pings” one of the apps (this might be for example when you open a transport app to look up a train time). We do not receive a specific location, just an indication of whether the device pinged within a 600m² area. Some apps “ping” more often than others – but there will be between zero and fifteen pings per day. We use this to track population movement between shopping centres rather than individual movement.
We also ask our suppliers to add our Acorn* code, which is how CACI divides people into different categories that are useful to our clients – such as young families, or retired people. They do this by estimating the postcode you live in, which they assess from looking at the broad postcode area where your device is overnight. We do not receive data that reveals your precise location.
CACI does not provide any individual tracking services to our clients. However, CACI does provide consulting services to its clients who are interested in larger scale movements of people in a given area at a given time of day. For example, if a client of ours is looking for a good site for a new family restaurant in Leeds, they might ask us how many people with young families would pass by a specific site over time. This helps them decide if this is a sensible location for them to choose.
If you don’t want CACI, or other companies, receiving this data, you can adjust the settings on your mobile device (that is, either through the privacy controls on the app or through your overall location data settings). This link should help you understand how to do that
* Acorn is a segmentation code that is used by many of the UK’s leading consumer brands, as well as a range of public sector bodies, to understand the differing general types of people who buy their products or use their services, as well as to understand the types of people who live in different areas of the country. Acorn codes are not personal data.
(C) Recruitment: When you apply for a job at CACI, are employed by us, or contract with us as a consultant, we will use and store your personal data to enable us to consider your application and/or hire you.
(D) Potential and actual client/supplier B2B contacts: We keep the contact details of people at organisations we do business with in order to maintain cordial relations with them and/or offer, provide or receive the contracted products or services.
(E) B2B marketing: If you are, or we think that the organisation that you work for is or may be interested in our services, we will process your B2B contact details to provide you with information relating to our services. For more details on how we collect, store and use personal data for our own marketing purposes, click here.
(F) Website browsing: As you browse our website at www.caci.co.uk we will collect data on your IP address (a unique code, which identifies the computer or device you are using), operating system and browser type, and may send cookies to your device to track your progress through our website. For more details on cookies click here.
Big Table of Information
You can view the details in the table of information PDF here.
Do we collect your email, phone number data or card/debit card information?
No, except in relation to your email and phone number where (a) you have given it to us or a recruitment agent for recruitment purposes, (b) we have collected it for our B2B marketing services to the organisation that you work for, or (c) you work for one of our clients or suppliers.
Who do we share your personal data with?
We may share your personal data with our clients and partners, which include the following types of organisations:
- Advertising agencies
- Automotive companies
- Care homes
- Energy and water suppliers
- Financial Services, including banks, building societies, insurance companies and credit card providers
- Health and beauty companies
- Housing, including private builders and developers and social housing providers
- Internet companies
- Leisure groups, including restaurant and pub chains, cinemas, gyms
- Local and central government
- Mail order companies
- Marketing services providers
- Media companies, including newspaper and magazine publishers and TV companies
- Packaged goods manufacturers
- Political parties
- Professional Advisors who advise us (e.g. lawyers, accountants)
- Public and private health care providers
- Public sector organisations
- Retailers of all types
- Telecommunications companies
- Travel and transport, including travel agents, rail and bus operators and airlines
- Our IT services provider partners (e.g. IT security service providers, hosting providers)
Further information about how we (and our clients and partners) use consumer data can be found in https://www.caci.co.uk/data-privacy/consumer-information/
We also share your information with some Marketing Services providers who give services aligned to ours for the same sectors. The names of these organisations are:-
How long do we keep your personal data for?
We only retain information for as long as it is required for the purpose(s) for which we legitimately use it, or for longer periods if required for legal and regulatory reasons. When we buy in or license in personal data the period for which we use it can vary depending on the contract terms with the data supplier.
In any event personal data that is out-of-date is of little use for our marketing activities or data services. Accordingly, we delete personal data when it is no longer sufficiently recent to be useful. The exact length of time could differ for different types of personal data and sources. In general terms the personal data in the databases we sell to our clients and partners are refreshed annually, since in most cases we receive annual updates for the personal data lists we use. Also, we check these refreshed lists against any suppressions lists to reduce the chance of you being contacted when you have asked not to be contacted.
We keep copies of our single largest source of personal data, the edited Electoral Register for 6 years. Since Parliamentary elections must be held, at least, every five years it is reasonable to expect that the local authorities will hold and process your data for at least this period. In addition, we receive an extra annual refresh after the five years and so have 6 years’ worth of data at any one time. We often enter into multi-year data services contracts with our clients and use previous copies of the edited Electoral Register for checking names and addresses for our clients.
In relation to your CV, cover letters and other information you provide in response to our recruitment activities, we keep it for up to 6 months from the date of receipt, unless the job advert makes it clear that we keep it for longer, or you otherwise consent to us keeping it for longer. Successful applicants will, on joining us, have access to our internal data retention policy.
Do we send personal data outside of the United Kingdom?
We will only send personal data outside of the UK in accordance with the strict provisions and protections set out in GDPR (e.g. via use of the EU Model Clauses). The UK are expected to introduce their own version of the EU Model Clauses (a draft was issued in 2021), and when they do we will comply with them.
We do not transfer your personal data outside of the UK except, (a) on the rare occasion that our clients and/or partners might ask us to send the personal data to their locations outside of the UK, or (b) where we use international organisations (e.g. Amazon Web Services) to provide IT and IT security, backup and hosting related services. From time to time we may use IT service providers in the UK that provide support and maintenance using staff who are located outside of the UK (e.g. an IT support desk based in India).
Your Privacy Rights
In relation to your personal data you have the right, e.g. by sending an email or letter to our Compliance Team (using the above contact details) to request us to do any of the following:
- Give you access to your personal data, free of charge. This is usually done via a “subject access request”, which simply requires you to contact us and ask for your personal data. We will respond as soon as possible and in any case within 30 days of you providing us with the necessary proof of ID (which we will delete or destroy shortly after sending you our response). To enable us to respond faster to your request it would help if you informed us whether you have ever applied for a job at CACI, or received any emails from us to your work email address and/or post from us to your work address. We are entitled to charge you a reasonable administration fee for additional copies or when your request is excessive.
- Correct your personal data if it is incorrect.
- Delete your data. This is also known as the “right to be forgotten”. If you request this, we will delete your personal data from our databases (but will keep your details on a suppression list so we know not to provide anyone with your personal data should your data come into our possession and control again, e.g. if we buy in a subsequent copy of the edited Electoral Register containing your details).
- Restrict/limit processing (e.g. usage) of your personal data in some circumstances, where you do not like the purpose for which we use it whilst allowing us to use it for other purposes. In practical terms, you may ask us just to delete your personal data.
- Object to processing (e.g. usage or storage) of your personal data. Again, in practical terms, you may ask us just to delete your personal data.
How to complain
If you are not happy with the way we have responded to you, or with the way we process your personal data, we would like to hear further from you. Please contact our Compliance Team using details provided above or the direct dial phone no: 020 7605 7077. Also you have the right to complain to the ICO, which you can reach on 0303 123 1113 or at www.ico.org.uk (in particular see https://ico.org.uk/make-a-complaint/).
Information security is CACI’s top priority. We maintain and practise a very high level of IT security to protect your personal data and accordingly are certified to the ISO27001 Information Security management standard. Our IT systems are regularly checked to see if they are safe from hackers. To help prevent internal personal data breaches our staff have been given data protection training and relevant staff have also been given IT data security training. We will continue to provide regular privacy and data security training and materials to staff.