This fact sheet is supported by:
- Global Policy
- Our Operational Framework
- Our Code of Conduct
What data privacy risks does BAE Systems face, and how do you manage them?
Cyberspace is an increasingly contested environment. Criminals, hacktivists and sub-threshold activity from nation states pose a significant threat to the security and availability of all information held and processed by BAE Systems, not just personal information. Personal data protection, or data privacy, is about more than the security of people’s personal information: it is about respecting individuals’ privacy and ensuring that personal information is handled lawfully and fairly.
Failure to combat these risks effectively could:
- cause distress or harm to individuals whose personal information we hold or process;
- disrupt business operations;
- lead to fines and claims for damages; and
- negatively impact the Group’s reputation among its customers and the public, resulting in a negative impact on the Group’s future results and financial condition.
These risks should be viewed in the context of the personal data held and processed by the Company. The collection and processing of personal information about consumers, whether as a data controller or a data processor (as those terms are defined in the General Data Protection Regulation (GDPR)), is not a core component of any of BAE Systems’ lines of business. The vast majority of the personal information held and processed by BAE Systems relates to the people who work for, have worked for, or apply for roles with the Company, and their next of kin. It also includes details of visitors to the Company’s sites, members of its pension schemes and the scheme beneficiaries. Further details are available in the Company’s Privacy Notice Portal.
Data privacy risks are managed through policies designed to ensure that appropriate measures are in place so that personal information is used and handled lawfully; that we are fair and transparent about how and why we collect, use and store personal information; and that we safeguard and secure personal information, in line with applicable laws.
What is covered by personal information or sensitive personal information?
Personal information is a catchall term for information that relates to and identifies a living individual. Examples include:
- names, addresses and contact details of Company Employees, individuals working for the Company’s customers, suppliers and partners or any other organisation the Company engages with and any personal information they entrust us to hold or collect on their behalf.
- job applications, CVs, references, performance reviews and appraisals, salary, payroll and bank details of our current and former employees, contractors and job applicants.
- CCTV footage of individuals, IP addresses, and unique identifiers of website visitors (such as profiles created based on cookie information).
Sensitive personal information is information which could have a more significant impact on an individual’s privacy if it were to be lost, mishandled or shared inappropriately. Examples include details about an individual’s health, ethnic origin, religious beliefs, trade union membership, sexual preferences (sometimes referred to as “special categories” of data) and criminal records. The law imposes additional safeguards and more stringent requirements in relation to processing sensitive personal information.
What is BAE Systems’ Personal Data Protection Policy?
Our global Personal Data Protection Policy covers the way in which the Company processes personal information and is part of our Operational Framework (OF). The policy is supplemented by other global policies which form part of our Operational Framework, including the Information and Records Management Policy; Information Management and Technology Policy; People Policy; and Security Policy.
Compliance with these policies is reviewed every six months, via the Operational Assurance Statement (OAS) process, by sectors and Group functions.
The policy requires Line Leaders to ensure that personal data protection practices are appropriately managed within their business, so that personal information is processed in accordance with the requirements of applicable law and, where applicable, relevant contractual obligations. The policy includes requirements relating to:
- the need to implement local Personal Data Protection Policies where local laws differ materially from the Group policy;
- the collection and processing of personal information;
- retention of personal information;
- sharing and disclosure of personal information;
- rights of individuals;
- international transfers of personal information; and
- management of incidents.
Where new activities involving the processing of personal information are proposed, the policy requires that the need for a Privacy Impact Assessment (PIA) is assessed and, if one is required, that a PIA is completed to assess the risks of the proposed processing and any available mitigations.
The requirements of the policy apply regardless of whether the personal information belongs to the Company, its customers or third parties.
This global policy is supported by market level policies where these are necessary to address laws in local jurisdictions. Some of these policies are further supplemented by standard operating procedures which are designed to support application of the policies.
Employees are also responsible for understanding and complying with our global Code of Conduct. The Code includes a section on Responsible Use of Information which covers use of personal information.
For more information:
- Policy summaries
- Code of Conduct
How is personal data protection managed?
Line Leaders are responsible for ensuring personal data protection practices are managed within each of their businesses. They are required to appoint a designated data protection lead who is responsible for compliance with personal data protection requirements.
Data protection leads across the Lines of Business are supported by a team of specialists in the Legal function in Head Office. The data protection leads cover day to day management of data protection, including interfacing with functions on PIAs, managing incident investigation and offering general advice and support.
Do your employees receive training on how to protect personal data?
We engage employees, via mandatory training and targeted and ongoing communications campaigns, to take responsibility for safeguarding information (including any personal information) that they collect or have access to, from loss or misuse.
There are also additional communications and training targeted at specific job roles.
For more information:
- Business Integrity Training - Scenarios for Team Discussion
Can data subjects access their accounts to erase, rectify, complete or amend personal information?
Where required by applicable law, our policy requires businesses to put procedures in place to appropriately handle requests from individuals who exercise any right to access, correct or to object to the use of personal information, or to exercise any other rights to which they are entitled under applicable law.
How can data subjects raise concerns about data privacy?
Issues regarding data privacy can be raised in a number of ways. Employees can report concerns to their line manager, to their local data protection officer/lead, to Ethics Officers or our Ethics Helpline.
External data subjects can raise a query using the contact details in our Privacy Notice on our website at www.baesystems.com/en/privacy. External stakeholders and third parties can also raise a concern via our Ethics Helpline.
How do you manage personal data protection incidents or breaches?
Despite our best efforts there may be instances when things go wrong, for example, personal information could be shared with the wrong individual or accessed by someone who is not entitled to do so.
Our policy requires that any activity or event that reasonably indicates that unauthorised, accidental or unlawful processing of personal information held by or on behalf of the Company has occurred (or is likely to occur in the future), and any suspected violation of this policy, is promptly reported to the relevant local Personal Data Protection Leads.
Through investigation, the Company will determine whether a Personal Data Protection Incident constitutes a breach, with the involvement of the IM&T, Security, Legal, HR, Ethics, and/or Internal Audit functions as appropriate.
Where an investigation identifies a breach has occurred, breaches are reported externally in accordance with the requirements of applicable laws, regulations and contractual obligations.
Do you notify data subjects when a personal data breach has occurred?
Affected data subjects would be notified of a personal data breach if required by applicable law.
Do you undertake regular privacy risk assessments or audits on personal data?
For all newly proposed processing activities involving personal information, our policy requires that a determination is made, in line with any Local Personal Data Protection Policy, as to whether a Privacy Impact Assessment (PIA) is required. Where required, a PIA is completed to assess the risk that the processing operations pose to the protection of personal information. We also have an Internal Audit capability whose priorities are guided by risk, company objectives and strategic priorities, complaints and material issues of concern.
How do you manage personal data protection when contracting third party suppliers?
It is a requirement of our policy that only those service providers and suppliers who can implement and maintain the technical and organisational measures necessary to ensure personal information is processed and protected in accordance with the policy and applicable laws are selected. Written contracts or other written agreements must be put in place with any service provider, customer or supplier with whom personal information is shared or disclosed. Those contracts must contain the provisions required by applicable law, including those that set out the obligations, responsibilities and liabilities of the parties and that require the processing of personal information to take place only on the instruction of the Business. Our Supplier Code of Conduct (formerly Supplier Principles – Guidance for Responsible Business) also outlines our expectations of suppliers regarding information security, which includes personal data protection.
The information contained in this fact sheet is for PLC managed businesses and is accurate as at the date of its publication.
Publication date: 09/05/24