The Oil and Gas Authority (‘OGA’) respects your privacy and is committed to protecting your personal information. This Privacy Statement (‘the Statement’) will tell you how we look after your personal information and your rights in relation to your personal information and how the law protects you.
When we talk about personal information in this Statement, we mean any data which identifies you or which could be used to identify you such as your name or contact details. Your personal information may also include information about how you use our website or the Energy Portal or the National Data Repository (NDR).
- Important information and who we are
- The personal information we collect about you
- How your personal information is collected
- How we use your personal information
- Data Retention
- Disclosures of your personal information
- Data Security
- International Transfers
- Your Rights
1. Important information and who we are
1.1 The OGA is the data controller and responsible for your personal information. Our registered address is 21 Bloomsbury Street, London, WC1B 3HF. We are registered as a company in England and Wales and our company number is 09666504. Our Headquarters is at AB1 Building, 48 Huntly Street, Aberdeen, AB10 1SH.
1.2 We have appointed a Data Protection Officer (‘DPO’) who is responsible for overseeing our compliance with data protection laws and answering any questions about this Statement. If you have any questions about this Statement or any requests to exercise your legal rights, please contact the DPO using the details set out below:
Data Protection Officer
Oil and Gas Authority
21 Bloomsbury Street
Tel: 0300 020 1010 or 0300 020 1090
1.3 Changes to the Statement and informing us of changes
The Statement was last updated on 26 March 2021.
It is important that the personal information we hold about you is accurate and up to date. Please let us know if your personal information changes while we hold information about you.
2. The personal information we collect about you
2.1 Personal information means any information about an individual from which that person can be identified. It does not include data where your identity has been removed (anonymous data).
2.2 For example, when you submit an application in the Energy Portal, register as a user of the NDR, register to receive information from us or engage with the OGA or NDR website we may collect certain personal information from you. We may collect, use, store and transfer different kinds of personal information which we have grouped together as follows:
- Identity data which includes your first, middle and/or surname, username or similar identifier and title
- Contact data which includes your postal and/or email address, telephone numbers and date of birth
- Transaction data which includes payments you have made for applications;
- Technical data which includes internet protocol (IP) address, log in details, operating system and platform and other technology on devices you use to access the OGA or NDR website
- Profile data which includes your username and password, applications submitted by you, preferences, feedback and consultation responses
- Usage data which includes information about how you use the OGA or NDR website;
- Communication data which includes information on emails and updates you have subscribed to receive from us.
2.3 We do not collect any special categories of personal information such as details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic or biometric data. We may process limited information in relation to criminal convictions and offences being investigated.
3. How your personal information is collected
3.1 We use different methods to collect personal information from and about you through:
- Direct Interactions such as corresponding with us by post, phone, emails or otherwise. Providing identity and contact details by creating an account in the Energy Portal or the NDR, subscribing to receiving information from us, responding to consultations.
- Technical data from Google Analytics.
- Contact and transaction data from providers of payment services.
4. How we use your personal information
4.1 We will only use your personal information when the law allows us to. Most commonly we will use your personal information in the following circumstances:
- For the purposes of discharging our statutory functions including:-
- Licensing activities including granting a licence and other applications in respect of a licence;
- Undertaking stewardship and other surveys;
- Undertaking regulatory investigations;
- Gathering and publishing evidence and opinions including through consultations and carrying out research;
- When you provide information to the OGA in the NDR as a Relevant Person or former licensee.
- Where we need to comply with a legal or other regulatory obligation;
- To establish, exercise or defend legal rights;
- To improve our services;
- To send communications about the OGA which you have subscribed to (some communications may be sent using the Government Digital Service's GOV.UK Notify service).
We may rely on consent as the legal basis for processing your personal information. You have the right to withdraw your consent as the basis on which we process your personal information. If you wish to withdraw your consent for processing for a particular purpose, please contact the DPO. The withdrawal of consent will not affect the lawfulness of the data processing before your consent was withdrawn.
4.3. Purposes for which we will use your personal information
We have set out below, in a table format, a non-exhaustive description of the most common ways we may process your personal information. We may process your personal information for one or more lawful ground depending on the specific purpose for which we are using your data. Please contact the DPO if you need details about the specific legal ground we are relying on to process your personal information where more than one ground is set out in the table below.
4.5 Change of purpose
We will only use your personal information for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact the DPO.
If we need to use your personal information for an unrelated purpose, we will tell you and explain the legal basis which we consider allows us to do so.
We may process your personal information without your knowledge or consent in compliance where required to do so by law.
5. Data Retention
We will only keep your information as long as we need it. How long we need it for will depend on the purposes for which is was collected, our statutory duties and other legal, accounting or reporting requirements.
In determining how long we will keep your personal data we will consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those processes through other means.
6. Disclosure of your personal information
We may need to share your personal information with third parties including:
- Government departments and other regulatory bodies for the purposes of enabling them and us to carry out our respective legal and statutory functions;
- Third parties who we may engage to process personal information on our behalf. We require all third parties to respect the privacy or your personal information and to treat it in accordance with the law. We do not allow third parties to use your personal information for their own purposes and only permit them to process your personal information for a specified purpose and in accordance with our instructions.
7. Data Security
We protect your personal information against unauthorised access, unlawful use, accidental loss, corruption or destruction.
We use technical measures such as firewalls and password protection to protect your data and the systems they are held in.
We limit access to your personal information to employees, agents, contractors and other third parties with a business need to know. They will only process your personal information in accordance with our instructions and are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data breach and will notify you and the Information Commissioner’s Office as required.
8. International Transfers
From time to time we may need to transfer your personal information to other countries, for example where personal information is being stored securely in the cloud and the servers are located in another country.
If we send your personal information outside the European Economic Area (EEA), we will ensure the country your personal information is transferred to affords a similar degree of protection by ensuring one of the following safeguards is implemented:
- Transferring your personal information to countries that have been deemed to provide an adequate level of protection for personal information by the European Commission
- Where we use providers based in the United States, we may transfer personal information to them if they are part of the Privacy Shield which requires them to provide similar protection to personal information shared between Europe and the United States.
9. Your rights
9.1 You have the right to access your personal information. In certain circumstances, you have the right to:
- Request correction of your personal information
- Request erasure of your personal information
- Object to the processing of your personal information
- Request restriction of processing your personal information
- Request a transfer of your personal information
- Withdraw consent you have provided for the processing of your personal information.
To request your personal information or exercise any of your other rights, contact the DPO.
You will not normally have to pay a fee to access your personal information (or to exercise any of the rights at 9.1 above).
9.3 Information we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that your personal information is not disclosed to a third party who has no right to receive it.
We may also request further information in relation to your request to help us deal with it as quickly as possible.
9.4 Time Limit to Respond
We will try to respond to all requests for personal information within 30 days. Occasionally it may take us longer than 30 days if your request is particularly complex or if you have made a number of requests. In these cases, we will notify you and keep you updated on the time scale for responding to your request.
If you have any complaints about the way we process your personal information, please contact the DPO.
You also have the right to make a complaint to the Information Commissioner’s Office, which can be contacted at:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, by visiting the official ICO website or calling 0303 123 1113 or 01625 545 745.
 For further information see The EU's statement on the adequacy of the protection of personal data in non-EU countries
The data protection laws in the United Kingdom changed on 25 May 2018. This Privacy Statement sets out most of your rights under the new laws, we may not be able to respond to some of your requests (for example, a request for the transfer of your personal data) as we are working towards getting our systems ready for some of the changes