SMAS Worksafe Privacy Notice

Citation Group Privacy Notice

Why a Privacy Notice

The Citation Group understand that your privacy and the security of your Personal Data is extremely important. This notice gives you information about what we do with your Personal Data, how we manage it, what we do to keep it secure, and the importance data protection plays in how we operate, as well as your rights in relation to the Personal Data we hold about you.

As a UK based business our handling of your information is controlled by the UK Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (known as UK GDPR). We take great care to protect your Personal Data or anything which might identify you personally such as:

  • Name
  • Email Address
  • Telephone number
  • Organisation Information (e.g. job title)
  • Online identifiers (e.g. IP address)

Our data protection approach is supported from the top of the business and is a core competence of how we operate, which we continually strive to improve.


Who are we?

When we say ‘we’ or ‘us’ in this notice, we are referring to the companies that make up the Citation Group. A list of our Group Companies can be found at the end of this notice.

Citation as a data controller

For the purposes of this notice, we are the data controller unless it has been specifically noted otherwise.

This notice relates to the collection and processing of Personal Data for the Citation Group as a data Controller. It does not cover processing we do in relation to the service we provide to our clients as a data processor.

If you are an individual using one of our screening services please refer to our applicant Privacy Notice available here.


Processing activities that are covered

This notice applies to the processing of Personal Data collected by us:

  • When you visit our Group websites.
  • When you visit our social media pages.
  • When you visit our offices.
  • When you receive communications such as emails.
  • When you interact with us via phone calls, these calls may be recorded for training and monitoring purposes.
  • When you register for and/or attend events where we participate or host.
  • When you apply for a role at the Citation Group.
  • When you are a client and where our services are of a data controller (employment law, occupational health, health surveillance and responsible person for Health and Safety purposes).
  • For sales and marketing purposes.
  • For the understanding, development, growth, and administration of our business.

Where we use social media or where you click a social media icon on our websites, be aware that these companies are independent to us, they manage their own affairs, and they will be a data controller in their own right. If you have any questions pertaining to how they process your Personal Data, you should review their privacy notices which will be available on their websites.

Finally, our websites may contain links to other websites for your ease and convenience, we are not responsible for them, or how they operate or their security provision.


The Personal Data we collect from you

  • Name, phone number, email address, job title, company name and company address when you express an interest in our products and services.
  • Name, company name and security credentials when you contact our helpline.
  • Financial information for invoicing and collection purposes, this may include bank details, credit card information, invoice name, address and point of contact when you make a purchase either through our online platforms or with a Citation Group Colleague.
  • If you connect with us through a social media channel, we will know your social media handle and any other information including photos you make available through our interactions and your profile.
  • If you use our websites or emails, we will have details about your usage of our sites through cookies, beacons, and similar technologies. This information may include IP address and information about your visit. This is also the case when you use our online platforms, we may collect information about your usage and how you interact with the platform.
  • Name, email, phone number, company name and job title if you complete surveys or enter competitions with us or complete a registration form on our website when downloading content.
  • When you interact with live chat, we will need your name and email address in order to handle your request.
  • Information collected during an assessment, this may include qualifications, training, and other evidence necessary to complete the assessment.
  • If you apply for a job role with a Citation Group Company, we will require information relating to your career history which could include name, address, phone number and email address along with the positions you held and the date range you held those positions in different companies along with any qualifications.
  • If you visit one of our offices, we have CCTV in certain locations which may capture your image. You will be asked to provide your name, signature, company name and your car registration upon your arrival.
  • If you participate in our referral program, we strongly advise you give your details to the individual you want to refer, to use and facilitate the process that way. If you decide to provide us with their details, you represent that you have their authority to do so and are acting in accordance with data protection legislation and this privacy notice.
  • If we are delivering a service which requires an authorised person, or when dealing with an accident, we may require information such as name, health information, working patterns and contact details. This may also be information we gather from your employer if you are involved in an accident or incident.
  • We may process analytical or aggregated information relating to the products and services you have purchased or used including how you have interacted with our platforms.


Personal Data we collect from other sources

We may also receive Personal Data from other sources; this includes third parties we purchase data from and is used to help us grow our business. This could include a greater degree of personalisation. Additionally, we may combine these records with other publicly available information to ensure that our records are accurate and up to date.

We may also share information across the Citation Group in order to provide a greater level of service, improve our products and to offer additional services from across the Group.

Typically, the Personal Data we get from third parties includes name, phone number, email address, job title, social media handles and contact preferences.


Data from your device, usage of our website and applications

When you access our websites or use our online platforms, we may use tools such as cookies, beacons, and similar technologies to automatically collect information which may contain Personal Data from your device and usage of our sites and services. The nature of what these tools collect differ between websites but still fall into similar categories. This information may include IP address, application or system identification number, browser you are using, pages you have searched, files you have looked at and actions you have taken including when those actions were taken.

We use this information to help us improve our service and your experience; to improve how you and others view the sites, and to improve functionality, engagement, and performance. This helps us identify opportunities to develop our services further, our compliance with applicable usage terms and for overall security of Citation products, services, and applications. It will be used primarily to identify the uniqueness of each user for security and identification purposes, and to understand which of our generic advertising channels are the most effective.


Cookies, beacons, and similar technologies on our website and in email communications

Our use of cookies, beacons and similar technologies is to better understand how you interact with our websites and email communications.

We use cookies on our websites for a variety of reasons including remembering your settings, load balancing, marketing, and analytics. These will be either our cookies or third-party cookies, all of which can be configured by you using the cookie preference centre to configure the settings you are most comfortable with.

For further information regarding cookies and other similar technologies please see our Cookies Policy.


Social Media

Our websites use social media icons such as Facebook and Twitter icons and other social sharing widgets. By using these features, you will be connecting to and sharing information from your browsing session with these organisations. If you are logged into your social media account, it is also possible that they will connect your activity on our site to your social media account.

This is also the case if you access our social media pages on a social media platform. The respective social media company may add your interaction to any information they may already have about you or your interests.

In all cases, in that transfer of data the social media provider is a data controller and are responsible for what they do with your Personal Data. For further information please review the social media providers privacy notices.


Purpose for processing and the legal bases for processing we rely on

We collect and process Personal Data for the following purposes and with the following legal bases engaged:

  • For most elements of our website, we are processing based on the legitimate interest to operate and administer the site. Where site security is concerned and the activities through our cookies that enable a secure site, this is administered as a legitimate interest.
  • To download content from our sites you may be asked to complete a form, this is done with your consent. We may also get in touch with you either by email and/or phone because of the download and this would be a legitimate interest.
  • The recording of phone calls is done by default as a legitimate interest in protecting both your interests and ours. Call recordings are used for security, monitoring and training purposes.
  • We may ask you for Personal Data when dealing with enquires, this data would be processed as a legitimate interest in being able to effectively follow up on your enquiry. This is also the case where it relates to a service enquiry or complaint, unless of course it is linked to a contractual obligation, this could include service updates and client communications, in which case it is processed as part of the fulfilment of our contract.
  • Setting up and managing your journey as a client is done in line with the terms of our contract with our client. This is also the case when it comes to good administration of matters relating to your contract with us.
  • When you use the chatbot in our online platforms this is also processed in line with the terms of our contract with our client. We may use pseudonymised data to train the Machine Learning and/or to improve our services, we are doing this as a legitimate interest.
  • Managing event registration and administration of the event is done as a legitimate interest in ensuring the efficient administration and follow up of the event.
  • We also rely on legitimate interests to process client contact data for service surveys. If you choose to complete the survey with our partners this is done on the basis of consent.
  • Managing your payments relating to the service we provide. This also includes the entirety of the payment process in line with the terms and conditions of our service. We may also need to escalate this process to a third-party debt collection service where payments have been missed. The disclosure of such data would be as a legitimate interest and further processed as part of the contractual terms.
  • The identification of opportunities both with prospects and opportunities within our existing client base is done in furthering the legitimate interests of the business. Any sharing of data internally within Citation Group is also a legitimate interest when it is done for similar purposes. This data may also be used to improve user experience and our understanding of both the client journey and appropriateness of products and services at different points of the client lifecycle across the group of companies.
  • Targeted advertising on our websites is done with your consent when you select cookie settings on the cookie consent management tool. Where advertising of our products and services offline, it is done in the pursuit of our legitimate interest and done so with prior consent that you have provided.
  • Registering your information as a visitor to one of our offices will be done as a legitimate interest to protect our building, business, colleagues, and you. It may also be used to administer non-disclosure and confidentiality agreements.
  • If you provided a testimonial of our service, you will be doing so of your own free will, you can request the testimonial be removed at any time.
  • If we provide employment law and tribunal services, we will do so under the performance of a contract. This is also the case for some of our health and safety services where we are investigating accidents, liaising with the HSE and acting as a competent individual.
  • Where you have applied as a candidate for a role at one of our Group Companies, we will process your information to progress your application, contact you with updates, asses your qualities and capabilities against the requirements of the role and against other candidates. You may also be asked for proof of qualifications, references, and other right to work information such as identification documents. This processing is done in part as a legitimate interest, in part with your consent and in part as a legal obligation. We may also use recruitment companies to identify suitable candidates, where data is shared with these organisations, we will both be data controllers and you will have been referred to us by them. Further data protection information regarding their activities can be gained from them.
  • We may use Personal Data relating to usage of our online platforms for reporting and analytical purposes, this is a legitimate interest in trying to improve our offering and further the growth of the business.
  • We will send sales and marketing communications such as emails, SMS or phone calls related to our services and those services of other companies in the Citation Group, only if we can do so in accordance with all data protection legislation.
  • There are legal obligations that we must comply with, these could be tax-related or dealing with local or national government, authorities, agencies or courts and professional advisors. It may be in our legitimate interest to protect our rights and if necessary, to disclose information for the protection of these rights or complying with court orders.
  • Running, managing and administering our businesses are critical to our success and the successful delivery of our services. It includes but is not limited to aspects such as account management (sales, service and financial), IT (support to clients, use of or migration to platforms, running and improving the business and its security), development of our platforms, reporting and improvement. The legal bases for these activities will differ from performance of contract to legitimate interests.


Who we share your data with?

We may share your Personal Data in the following circumstances:

  • Where we are using contracted service partners for services such as IT, web conferencing, hosting and system administration, email communications, analytics and research, data enrichment, survey providers, and customer support. All these purposes and legal bases for processing are done in accordance with the information provided above.
  • If you are a client, we may share your details internally within the Citation Group to improve the service offering and range of services we provide, for the good administration and control of the business, marketing, analysis, reporting and account management purposes. Our group companies are data controllers in their own right.
  • If you register for events where we are partnering with another organisation or if a third party is running the event on our behalf, we may be required to share your details for the purpose of registration, security and administration of the event. This will be done in accordance with the legal bases noted above.
  • To any competent law enforcement or regulatory body, government agency, court or other third party where we believe disclosure is necessary: –
    • as a matter of applicable law or regulation,
    • to exercise, establish or defend our legal rights, or
    • to protect your vital interests or those of any other person.
  • To a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger, or acquisition of any part of our business, provided that, we inform the buyer it must use your Personal Data only for the purposes disclosed in this Privacy Notice.
  • To enforce or apply our Terms of Service or other agreements or to protect Citation and its customers (including with other companies and organisations for the purposes of fraud protection and credit risk reduction).
  • To any other person with your consent to the disclosure.

Finally, we may share anonymised or aggregated data gathered in the normal course of the administration and good running of our business with third parties or service providers to enable greater analysis, improvements, industry or service-related trends to be identified and action taken accordingly.


How long do we keep your data for?

We retain your data for as long as necessary to fulfil the purpose for its collection and processing. In some instances, this may be a set period of time, for instance, as an unsuccessful job applicant we may retain your records for 12 months once the process has concluded. In other instances, and especially where there is a legal obligation to retain your information for a certain period of time, we will do so to comply with the legal requirement; this is typically 6 years.

Once your data is no longer required it will be deleted or, if it is technically not possible to delete, we shall ensure sufficient controls are in place to put it beyond future use.


International Transfers

Our data is typically hosted In the UK and other parts of the EEA, there are however some of our contracted technical service providers that process data in other parts of the world. Where these transfers and any other transfer that may occur in the future are concerned, we ensure that there is a legal bases for the transfer and a lawful transfer mechanism in place prior to any transfer.

Any such transfers are currently done using either a transfer to a country with an adequacy ruling, using European Commission Standard Contractual Terms addendum or International Data Transfer Agreement along with a completed Transfer Risk Assessment.


Your rights

Under data protection legislation, you have rights as an individual in respect of the Personal Data we hold about you – these are set out in more detail below. If you wish to exercise any of these rights, you can do so by contacting the Data Protection Officer at Please note that you will need to provide us with evidence of your identity for us to complete your request.

These rights include:

  • The Right to be informed – As a Data Controller, we are obligated to provide clear and transparent information about our data processing activities. This is provided by this Privacy Notice along with any related communications we may send you.
  • The Right of Access – this is the right to access data we hold about you and, where required, an explanation of that data.
  • The Right to Rectification – this is the right to have inaccurate or incomplete data rectified.
  • The Right to Erasure – this is also known as the ‘right to be forgotten’ and means that in certain circumstances you have the right to ask us to delete data we hold about you.
  • The Right to Restrict Processing – this is where you can request that we restrict/block processing of your Personal Data (but still retain it)
  • The Right to Data Portability – this allows people to reuse their Personal Data by requesting it in a useable format.
  • The Right to Object – this right allows you to object to us processing your Personal Data. This is typically related to processing based on legitimate interest, performance of a task in the public interest, direct marketing, and processing for scientific or historical research.

Security of Personal Data

We take every reasonable, proportionate and commercially viable precaution to protect personal and commercial data. These are organisational, technical, and physical measures to protect against unlawful or accidental access, disclosure, loss, or alteration.

Whilst we take a robust stance to security, no method of storage and transmission is 100% secure and, in some instances, out of our control. For that reason, you are entirely responsible for password security, controlling access to your devices and accounts, access to your environment in our platforms, signing out and closing down web sessions once completed.


Complaints and queries

We try to meet the highest standards when collecting and using Personal Data. For this reason, we take any complaints we receive very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading, or inappropriate. We would also welcome any suggestions for improving our procedures.

This privacy notice was drafted with brevity and clarity in mind. It may not provide exhaustive detail of all aspects of our collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below: –

Data Protection Team

Kings Court

Water Lane




Or you can email us at

If you would like to make a complaint about the way we have processed your Personal Data, you can contact the Information Commissioner’s Office in their capacity as the statutory body which oversees data protection law –

It is worth noting that the ICO expects an individual to address any complaints with the organisation before contacting the regulator.


Changes to this privacy notice

We keep our Privacy Notice under regular review and would encourage you to also review this notice regularly. This Privacy Notice was last updated on 15th of April 2024.


List of Group Companies