Opus Compliance Cloud: Privacy Policy
This privacy notice for Opus Safety LTD ("Company," "we," "us," or "our") describes how and why we collect, store, use, and/or share ("process") your information when you use Opus Compliance Cloud ("Services"), such as when you:
- Use Opus Compliance Cloud for compliance management, health and safety monitoring, asset management, or other related services.
- Submit personal or sensitive data, including health surveillance records and accident reports, via the Opus Compliance Cloud platform.
- Engage with our customer support, integrations, or other features of Opus Compliance Cloud.
This privacy policy covers cloud.opus-safety.co.uk, the domain for Opus Compliance Cloud.
The website www.opus-safety.co.uk is not covered under this privacy policy.
The privacy policy for that website can be found at www.opus-safety.co.uk/privacy-policy.
Our role in relation to your data
Opus Compliance Cloud is used by organisations (typically employers) to manage their health, safety and compliance obligations. Depending on the data in question, Opus Safety LTD acts in one of two roles under UK data protection law:
Where we are the data controller.
For some data we decide why and how it is processed. This includes the account and contact details of the people who administer or log in to Opus Compliance Cloud, our communications and support interactions with them, and technical and usage data about how the platform is used. For this data, Opus is the controller and this notice describes how we handle it.
Where we are the data processor.
Most of the health, safety and compliance records held in Opus Compliance Cloud — including health surveillance data, accident reports and risk assessments relating to an organisation's workers — are entered into the platform by, and on the instructions of, that organisation. For this data the organisation (usually the individual's employer) is the data controller and decides the purposes for which it is processed. Opus acts as the processor, handling the data on the controller's behalf under a written contract. That organisation's own privacy information explains how the data is processed, and individuals should refer to their employer or organisation for it.
Where this notice describes purposes, lawful bases and retention, it does so in respect of data for which Opus is the controller. For data we process on behalf of a client organisation, those matters are determined by that organisation, although we apply appropriate safeguards to all data on the platform.
1. What information do we collect?
Personal Data Provided to Us
We collect personal data that users voluntarily provide when using Opus Compliance Cloud and information that your employees provide, including but not limited to:
- Identification Information: Name, email address, organisation details, job role.
- Contact Information: Email address.
- Health & Safety Information, including special category data: Health surveillance data, accident reports, risk assessments, and other compliance-related records.
Data Automatically Collected
- Device and Usage Information: IP address, browser details, device characteristics, operating system, and platform usage analytics.
2. Why do we process your information?
The lawful bases below apply to personal data for which Opus is the controller (see "Our role" above). Where Opus processes data on behalf of a client organisation, that organisation is responsible for identifying the lawful basis and, for special category data, the applicable condition.
Under the UK General Data Protection Regulation (UK GDPR), we process your information based on the following lawful bases:
- Performance of a Contract:
  - Processing necessary to provide the Opus Compliance Cloud service to our account holders and to administer their use of the platform.
- Legitimate Interest:
  - Where it is necessary to ensure workplace safety.
- Legal Obligation:
  - To meet compliance and statutory reporting requirements.
- Vital Interest:
  - To protect an individual’s safety or comply with workplace safety regulations when the data subject is physically or legally unable to give consent or when there's an urgent need to use the data for medical care.
- Special category data:
  - Some records on the platform, such as health surveillance data, are special category data concerning health. Where Opus is the controller of such data, we rely on the condition relating to employment, social security and social protection obligations under Article 9 UK GDPR and Schedule 1 to the Data Protection Act 2018, and, where relevant, the occupational health condition. Where a client organisation is the controller, that organisation is responsible for identifying the applicable condition.
3. Sharing your personal information
We will only share personal data in these specific circumstances, or circumstances of an equitable nature, such as:
- With your employer, management chain or organisation for compliance and reporting purposes.
- With regulators, authorities or Opus Consultants when legally required for occupational health and safety compliance.
- With appointed legal advisors, where necessary, for the provision of legal services.
- For business transactions, such as mergers or acquisitions, where data transfer is necessary.
All third-party access is governed by strict contracts ensuring data protection and security.
Law Enforcement Requests
We will attempt to redirect the third party to obtain the requested data from yourselves. We will promptly notify you of any third-party request, and give you a copy unless we are legally prohibited from doing so. For valid requests that we are not able to redirect to you, we will disclose information only when we are legally compelled to do so, and we always make sure that we provide only the data specified in the legal order.
4. Security measures in place
We implement industry-standard security measures to protect personal data, including:
- Encryption:
  - All data is encrypted in transit and at rest.
- Access Controls:
  - Role-based permissions and multi-factor authentication (MFA) to restrict unauthorised access.
- Audit & Monitoring:
  - Continuous logging and system monitoring to detect threats and anomalies.
- Data Minimisation:
  - Collecting only necessary data and enforcing retention policies.
All Opus Compliance Cloud data is held within the EU.
More details on our security measures are available in our Knowledge Base.
5. How long do we keep your data?
We retain personal data only for as long as necessary for:
- Compliance with legal and regulatory requirements.
- Maintaining historical records for safety and compliance auditing.
- Providing ongoing services and support.
When data is no longer needed, it is securely deleted.
6. Your privacy rights
You have certain rights regarding your data, including those set out below.
How you exercise these rights depends on who controls the data (see "Our role" above). For data Opus controls, contact us at data-protection@opus-safety.co.uk. For health, safety and compliance records that your employer or organisation has placed in the platform, that organisation is the controller - please direct your request to them. If you send such a request to us, we will forward it to the relevant organisation and assist them in responding, as required of us as processor.
- Access & Correction:
  - Request a copy of your data and correct any inaccuracies.
- Erasure:
  - Request deletion of your personal data where applicable.
- Restriction & Objection:
  - Limit how your data is processed.
- Data Portability:
  - Obtain a copy of your data in a standard format.
- Complaints:
  - Raise a complaint if you are unhappy with how your personal data has been handled. For data Opus controls, contact us at data-protection@opus-safety.co.uk; our Data Protection Complaints Policy explains how we handle complaints and the timescales you can expect. For data your employer controls, please raise it with them as the controller. You may also complain to the ICO (see "How to contact us").
To exercise these rights, contact us at hello@opus-safety.co.uk. We will comply with current law with regard to our response time.
7. Cookies and tracking technologies
Cookies are only used to provide functionality required to operate the site, such as being able to sign in and staying signed in. No cookies are used for any other purpose. No tracking technology is used.
8. Updates to this privacy notice
We may update this privacy notice periodically to reflect regulatory changes or enhancements to Opus Compliance Cloud. The latest version will always be available on Opus Compliance Cloud at cloud.opus-safety.co.uk/privacy.
9. How to contact us
For any privacy-related questions or data requests, contact us at:
Opus Safety LTD
Arca, Runway East, Temple Row, Birmingham, West Midlands B2 5AF
data-protection@opus-safety.co.uk
Opus Safety LTD is a company registered in England and Wales, company number 13288579, with its registered office at 1st Floor, 2 Chamberlain Square, Birmingham B3 3AX.
If you are unhappy with how we have handled your personal data, please contact us first at data-protection@opus-safety.co.uk so we can try to put things right. You also have the right to complain to the Information Commissioner's Office (ICO), the UK's independent data protection regulator, at https://ico.org.uk/make-a-complaint, by calling 0303 123 1113, or by post to Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Where your complaint concerns data controlled by your employer or organisation, we may direct you to them as the controller.