How and why we manage your data

Explaining the legal bases we rely on:

The law on data protection sets out a number of different reasons for which a company may collect and process your personal data, including:


In specific situations, we can collect and process your data with your consent, for example, when you tick a box to receive email newsletters or complete a survey.

When collecting your personal data, we will always make clear to you which data is necessary in connection with the particular activity.

Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.

Contractual obligations

In certain circumstances, we need your personal data to comply with our contractual obligations.

Legal compliance

If the law requires us to, we may need to collect and process your data. We also have regulatory requirements, which means we may pass details of complaints to Ofgem and Ofcom.

Legitimate interest

In order to consider your complaint we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.

Retention of Information

We will only retain your Information for as long as is necessary for the purpose or purposes for which we have collected it.

If you send OS paper documents, disks or USB’s containing information about your complaint, we will uploaded these securely to a digital format. The originals will then be destroyed within one month of receipt unless you explicitly request that they be returned.

We will exercise discretion when necessary in destroying original documents, and may keep them longer if they are not readable in a digital format.

In all cases we will retain your complaint file for a period of up to 6 years after the case has been closed. The retention period is set at 6 years for the following reasons:

•           to ensure we have dealt with all aspects of your enquiry or complaint; and

•           to assist us should you or the participating company contact us again about the matter in the future.

You have a right to contact OS at any time during this period to correct or amend any information you have provided to us.

We may record and/or retain anonymised information about your complaint in order to document and/or measure our own performance or the performance of our participating companies. We may also pass anonymised information about your complaint to regulatory bodies who oversee us or our participating companies. Any such reports will contain no personal data about you or any information from which you or your third parties could be identified.

All personal information that we hold will be deleted at the end of a six year period, or earlier if requested, in a structured and organised manner.

If someone opens an account to tell us about us about a complaint but we do not investigate it, we will keep the information for three years after the case has been closed.

If someone contacts us as part of an initial enquiry and does not open a case, we will keep the information for a period of 6 months.


Retention period

Website information

  • –internal domain
  • IP address
  • Brower software
  • Date and time accessed site
  • Further website info

6 months

Telephone recordings

12 months

Social media contacts

6 months (unless forms part of the complaint details )

Paper documents, disks or USB’s


Originals kept for a period of one month unless explicitly request that they are returned during this time.

Please note that we may keep them longer if they are not readable in a digital format.

Complaint file

6 years


OS has anonymised results returned to it.

Unsuccessful candidates for OS roles

12 months


Security Measures in Place

OS has a number of protections in place to ensure that your personal data is kept secure.

All of our employees understand the content of this privacy policy and are appropriately trained in data protection legal requirements.

We have been independently tested to verify its systems meets the requirements of Cyber Essentials and Cyber Essentials plus. This is a standard set by the Government having worked together with the industry to improve standards for cyber security. Cyber Essentials Plus offers a higher level of assurance through the external testing of OS’s cyber security approach.

We would recommend that if you are sending us USB’s or disks containing information, you consider encryption or passwords that you can provide to us separately to enable us to access the information.