Firstly, we are under a legal obligation to let you know what personal information we collect about you, what we use it for and on what basis. We always need a good reason and we also have to explain to you your rights in relation to that information. You have the right to know what information we hold about you and to have a copy of it, and you can ask us to change or sometimes delete it.
But whatever we do with your information, we need a legal basis for doing it. We generally rely on one of three grounds (reasons) for our business processing. Firstly, if you have ordered or take a service from us, we are entitled to process your information so we can provide that service to you and bill you for it.
Secondly, if we want to collect and use your information for other purposes, we may need to ask for your consent (permission) and, if we do, that permission must always be indicated by a positive action from you (such as ticking a box) and be informed. You are also free to withdraw your permission at any time. We tend to need permission when what is proposed is more intrusive.
But we do not always need permission. In some cases, having assessed whether our use would be fair and not override your right to privacy, we may come to the view that it falls within the third ground – our ‘legitimate interests’ to use the information in a particular way without your permission (for example, to protect our network against cyber-attacks). But when we do this we must tell you, as you may have a right to object, and we must consider further.
This is all set out in detail in this policy, which focuses more on those items that we think are likely to be of most interest to you. As well as covering processing for business purposes, we give you information on circumstances in which we may have to, or can choose to, share your information.
This policy explains how we use your personal information. Please read the policy carefully. It applies when you are a direct customer of ours (consumer, sole trader and partnership customers). This means it applies when you order something directly from us and browse our websites. It doesn’t apply to the information we hold about companies or organisations, or the customers of the communication providers we work on behalf of.
It also applies even if you’re not one of our customers and you interact with us, such as by:
You should review their privacy policies before giving them your personal information.
Who are we?
Openreach is a wholly owned subsidiary of BT Group. The other companies and parts of the BT Group have their own privacy policies. They’ll apply if you buy your product or service directly from them, and are provided below.
You can access and update the information we hold about you using our online form. Once we’ve looked at your request, we’ll let you know when you can expect to hear from us.
We’ll always try to help you with your request but we can refuse if we believe doing so would have a negative effect on others or the law prevents us. And even though we have to complete your request free of charge, we are allowed to reject requests if:
If that’s the case, we’ll explain why we believe we don’t have to fulfil the request.
You can ask us for a copy of the information we hold about you using our online form.
We will respond to a request electronically unless you advise us otherwise.
We’ll always try to help you with your request. But we can decline if we believe doing so would adversely affect others or the law stops us. We’ll also decline if it’s impossible for us to comply or the request is manifestly unfounded or excessive.
You can ask us to correct, complete, delete or stop using any personal information we hold about you by using our online form.
If we send you marketing information through our Fibre Community Partnerships programme, then you can ask us to stop sending those messages using the “unsubscribe” link in the email, or by using our online form.
In some cases, we might decide to keep information, even if you ask us not to. This could be for legal or regulatory reasons, so that we can keep providing our products and services, or for another legitimate reason. For example, we keep certain billing information to show we have charged you correctly. But we’ll always tell you why we keep the information.
We aim to provide our products and services in a way that protects information and respects your request. Because of this, when you delete or change (or ask us to delete or change) your information from our systems, we might not do so straight away from our back-up systems or copies on our active servers. And we may need to keep some information to fulfil your request (for example, keeping your email address to make sure it’s not on our marketing list).
Where we can, we’ll confirm any changes. For example, we’ll check a change of address against the Postal Address File, or we might ask you to confirm it.
If we’ve asked for your permission to provide a service, you can withdraw that permission at any time. It’ll take us up to 30 days to do that. And it only applies to how we use your personal information in the future, not what we’ve done in the past (for example, if we’ve run a credit check at the start of your contract).
If we provide you with our products and services, or you’ve said we can use your information, you can ask us to move, copy or transfer the information you have given us. You can ask us to do this using our online form.
We’ll send your personal information electronically. And we’ll do our best to send it in another format if needed.
We’ll always try to help you with your request. But we can refuse if sharing the information would have a negative effect on others, for example because it includes personal information about someone else, or the law prevents us from doing so.
It will normally take us up to one month to get back to you but could take longer (up to a further two months) if it’s a complicated request or we get a lot of requests at once.
The personal information we collect depends on the products and services you have and how you use them. We’ve explained the different ways we use your personal information below.
We’ll use your personal information to provide you with products and services. This applies when you register for or buy a product or service from us. Or if you register for an online account with us or download and register on one of our apps.
This means we’ll:
We use the following to provide products and services and manage your account.
We use this information to carry out our contract (or to prepare a contract) and provide products or services to you. If you don’t give us the correct information or ask us to delete it, we might not be able to provide you with the product or service you ordered from us.
If you tell us you have a disability or otherwise need support, we’ll note that you are a vulnerable customer, but only if you give your permission or if we have to for legal or regulatory reasons. For example, if you told us about a disability we need to be aware of when we deliver our services to you, we have to record that information so we don’t repeatedly ask you about it. We will also record the details of a Power of Attorney we have been asked to log against your account.
We’ll use your personal information if we consider it is in our legitimate business interests so that we can operate as an efficient and effective business. We use your information to:
We’ll use your personal information to create aggregated and anonymised information. Nobody can identify you from that information and we’ll use it to:
We use the following to generate aggregated and anonymised information.
We have a legitimate interest in generating insights that will help us operate our network and business or would be useful to other organisations.
This means we’ll:
We use the following information to do this.
Before we provide you with a product or service (including upgrades or renewals), or sometimes when you use our products and services, we’ll use personal information you have given us together with information we have collected from credit reference agencies (such as Experian or Equifax), the Interactive Media in Retail Group (IMRG) security alert, or fraud prevention agencies (such as Cifas). We use this information to manage our credit risk, and prevent and detect fraud and money laundering. We’ll also use these organisations to confirm your identity. When they get a search from us, a “footprint” goes on your file which other organisations might see. We might also share the information with other organisations. We do this because it’s in our, and the organisations’, legitimate interests to prevent fraud and money laundering, and to check identities, to protect our business and to keep to laws that apply to us.
Details of the personal information that will be used include your name, address, date of birth, contact details, financial information, employment details and device identifiers, including IP address and vehicle details.
If you don’t become one of our customers, we’ll still keep the result of our credits checks about you if we have a legal obligation and it’s in our legitimate interests to help prevent or detect fraud. Fraud prevention agencies can hold your personal information for different periods of time, and if you are considered to pose a fraud or money laundering risk, your information can be held by us and the organisations we share it with for up to six years.
If you give us false or inaccurate information which we identify as fraudulent, we’ll pass that on to fraud prevention agencies. We might also share it with law enforcement agencies, as may the agencies we have shared the information with.
If you tell us you’re associated with someone else financially (for example, by marriage or civil partnership), we’ll link your records together. So you must make sure you have their agreement to share information about them. The agencies we share the information with also link your records together and these links will stay on your and their files – unless you or your partner successfully asks the agency to break that link.
If we, a credit reference or fraud prevention agency, decide that you are a credit, fraud or money laundering risk, we may refuse to provide the services or financing you have asked for, or we may stop providing existing services to you.
The credit reference and fraud prevention agencies will keep a record of any fraud or money laundering risk and this may result in other organisations refusing to provide services, financing or employment to you. If you have any questions about this, please contact us using the details below.
We send credit reference and fraud prevention agencies information about applications, and they keep that information. We might also give them details of your accounts and bills, including how you manage them. This includes telling them about your account balances, what you pay us and if you miss a payment (going back in the past, too). So if you don’t pay your bills on time, credit reference agencies will record that. They, or a fraud prevention agency, might tell others doing similar checks – including organisations trying to trace you or recover money you owe them.
There are different credit reference agencies in the UK (for example, TransUnion, Equifax and Experian). Each one might hold different information about you. If you want to find out what information they have on you, they may charge you a small fee.
Whenever credit reference and fraud prevention agencies transfer your personal information outside of the European Economic Area, they place contractual responsibilities on the organisation receiving it to protect your information to the standard required in the European Economic Area. They may also make the organisation receiving the information subscribe to “international frameworks” aimed at sharing information securely.
Here are links to the information notice for each of the three main credit reference agencies.
If you don’t pay your bills, we might ask a debt-recovery agency to collect what you owe. We’ll give them information about you (such as your contact details) and your account (the amount of the debt) and may choose to sell the debt to another organisation to allow us to receive the amount due.
We’ll use your personal information to help prevent and detect crime and fraud. We’ll also use it to prevent and detect criminal attacks on our network or against your equipment. We monitor traffic over our network, trace nuisance or malicious calls, and track malware and cyber-attacks.
To do that we use the following information, but only where strictly necessary.
We use this personal information because we have a legitimate interest in protecting our network and business from attacks and to prevent and detect crime and fraud. We also share it with other organisations (such as other communications providers and banks) who have the same legitimate interests. Doing this helps make sure our network works properly and helps protect you from attacks.
If you call the emergency services, we’ll give them information about you and where you are so they can help. We do this because it is necessary to protect you, or another person, and because it is in our interests to help the emergency services in providing help to you.
We might have to release personal information about you to meet our legal and regulatory obligations.
Under investigatory powers legislation, we might have to share personal information about you to government and law enforcement agencies, such as the police, to help detect and stop crime, prosecute offenders and protect national security. They might ask for the following details.
The balance between privacy and investigatory powers is challenging. We share your personal information when the law says we have to, but we have strong oversight of what we do and get expert advice to make sure we’re doing the right thing to protect your right to privacy. You can read more about our approach to investigatory powers in our report on Privacy and free expression in UK communications. And you can see the terms of reference for our oversight body here.
We’ll also share personal information about you where we have to legally share it with another person. That might be when a law says we have to share that information or because of a court order.
In limited circumstances, we may also share your information with other public authorities, even if we do not have to. However, we would need to be satisfied that a request for information is lawful and proportionate (in other words, appropriate to the request). And we would need appropriate assurances about security and how the information is used and how long it is kept.
We have to report certain information to our regulators, such as Ofcom, which might include personal information. We will only do so in confidence and where it is necessary to fulfil our obligations.
We share your personal information with other companies within the BT Group. We have a group-wide arrangement, known as binding corporate rules, to make sure your personal information is protected, no matter which company in the BT Group holds that information. You can ask for a copy of our binding corporate rules by contacting us (details can be found here ).
We also use other service providers to process personal information on our behalf. Details of how they handle your personal information are set out below.
Using other service providers
We use other providers to carry out services on our behalf or to help us provide services to you. We also use them to:
Where we use another organisation, we still control your personal information. And we have strict controls in place to make sure it’s properly protected.
The section above describes the situations in which your personal information is shared to other organisations, government bodies and law enforcement agencies. When we share your information with other organisations we’ll make sure it’s protected, as far as is reasonably possible.
If we need to transfer your personal information to another organisation for processing in countries that aren’t listed as “adequate” by the European Commission, we’ll only do so if we have model contracts or other appropriate safeguards (protection) in place.
If there’s a change (or expected change) in who owns us or any of our assets, we might share personal information to the new (or prospective) owner. If we do, they’ll have to keep it confidential.
For more information about a specific transfer of your personal information, get in touch with us here. The fraud prevention section above provides details on transfers fraud prevention agencies may carry out.
The countries we share personal information to
BT Group is a large multinational organisation. Our binding corporate rules reflect how we operate. We have a UK and EU version of the binding corporate rules because of Brexit. They include a list of countries (below) which are structured to allow us to transfer personal information to the countries where we have a presence. For us, after the UK and wider EU, India and the Philippines are where most of our processing of personal information takes place. Your personal information is used for customer or IT support or operations purposes in these countries. While our binding corporate rules allow us to transfer personal information to these countries, the information won’t always include your personal information in every case.
Algeria, Argentina, Australia, Bahrain, Bangladesh, Barbados, Bermuda, Bolivia, Bosnia and Herzegovina, Botswana, Brazil, Canada, China, Colombia, Costa Rica, Cote d'Ivoire, Dominican Republic, Ecuador, Egypt, El Salvador, Ghana, Gibraltar, Guatemala, Honduras, Hong Kong, India, Indonesia, Isle of Man, Israel, Jamaica, Japan, Jersey, Jordan, Kazakhstan, Kenya, Republic of Korea, Lebanon, Macedonia, Malawi, Malaysia, Mauritius, Mexico, Moldova, Montenegro, Morocco, Mozambique, Namibia, Nicaragua, Nigeria, Norway, Oman, Pakistan, Panama, Paraguay, Peru, Philippines, Puerto Rico, Qatar, Russian Federation, Serbia, Singapore, South Africa, Sri Lanka, Switzerland, Taiwan, Tanzania, Thailand, Trinidad and Tobago, Tunisia, Turkey, Uganda, Ukraine, United Arab Emirates, United States, Uruguay, Venezuela, Vietnam, British Virgin Islands, Zambia and Zimbabwe.
We have strict security measures to protect your personal information. We check your identity when you get in touch with us, and we follow our security procedures and apply suitable technical measures, such as encryption, to protect your information.
For wayleave agreements, we’ll keep:
For repair and alternation agreements, we’ll keep:
In other cases we’ll store personal information for the periods needed for the purposes for which the information was collected or for which it is to be further processed. And sometimes we’ll keep it for longer if we need to by law. Otherwise we delete it.
You can get in touch with our data protection officer by completing this online form and select “I want to contact the DPO” as part of your submission or by writing to them at the address below.
Openreach Data Protection Officer
C/O Fifi Day
123 Judd St
If you want to make a complaint on how we have handled your personal information, please contact our data protection officer who will investigate the matter and report back to you. If you are still not satisfied after our response or believe we are not using your personal information in line with the law, you also have the right to complain to the data-protection regulator in the country where you live or work. For the UK, that’s the Information Commissioner.
means grouped information, for example the total number of calls made in a month or total number of minutes called.
means data which has had all personally identifiable information removed.
means an application, such as one you’ve downloaded to your mobile or portable device.
means EE Ltd, Plusnet plc, Openreach Limited, BT Communications Ireland Ltd, BT Business Direct Ltd, Pelipod Ltd and BT Law Ltd, and the areas that make-up BT: Consumer, Enterprise, Global Services, Networks, Digital, Group Functions, BT Wifi and BT Shop.
are designed to allow multinational companies to transfer personal information from the European Economic Area (EEA) to their affiliates outside of the EEA and to keep to data protection legislation.
are small text files (up to 4KB) created by a website and stored in the user’s connected device – either temporarily for that session only or permanently on the hard disk (called a persistent cookie). Cookies help the website recognise you and keep track of your preferences.
means scrambling information into an unreadable form that can only be translated back using a special key.
is a unique string of numbers that identifies each device using the internet or a local network.
are standard contractual clauses set by the European Commission. They offer enough protection of people’s privacy, fundamental rights and freedoms when their personal information is moved from within the EEA to outside of it. The contracts keep to data protection legislation.
means Openreach Limited.
means information that identifies you as an individual, or is capable of doing so.
refers to the option to choose a trusted friend or relative (or more than one if you want) to act on your behalf. The person you appoint, called an “attorney”, can then use your money to pay bills, sell assets on your behalf and make gifts. In the UK an “attorney” must be registered with the Office of the Public Guardian to be valid.
means our obligations to regulators such as Ofcom and the Information Commissioner’s Office.