Privacy Statement

Chromatrap is a business unit of Porvair Sciences Ltd.



Porvair Sciences Ltd needs to collect and use information on individuals such as customers, potential customers, suppliers and staff members.   We use this information to manage our business, meet our contractual obligations with the customer and meet our legislative requirements.  However, we must ensure that we use and protect the information in accordance with current legislation.  Failure to do so could lead to distress to individuals, financial sanctions from the Information Commissioners Office (ICO), reputational damage and impair our ability to attract new customers.


This policy, together with Porvair’s Security Standards, describes how we will safeguard personal information to protect the individual and comply with the law.




Porvair Sciences Ltd is the data controller for the personal information we collect such as our employee information and business contact information.  We are registered with the ICO, and we are responsible for protecting this information in accordance with this policy.


Data Subject

The data subjects are the individuals whose personal information we deal with such as customers, potential customers, suppliers and staff members. 

Personal Information

Personal information means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, from the information.  The information includes name, address, date of birth, email, telephone number, national insurance number etc.  Personal information also includes information associated with that individual such as telephone bills, call recordings, staff development, staff reviews and pay rates. Personal information also includes opinions on an individual and any intention that we may have towards that individual.  We must therefore be cautious what we record on personnel files.

Sensitive information

Sensitive information, such as medical, race, religion, sexuality, political or trade union membership, is a special category of data that requires sensitive handling.

Data Processing

Processing means any action performed on personal information, which includes collection, recording, organising, storing, sharing and transmitting.  This includes electronic and paper documents containing personal information.  Many of the activities within Porvair Sciences Ltd involves processing information and therefore we must comply with the law.


Porvair Sciences Ltd must comply with the Data Protection Act (DPA) 2018 and the EU General Data Protection Regulation (GDPR). 



Roles and Responsibility

Everyone associated with Porvair Sciences Ltd has a responsibility to ensure we protect the personal information we hold and comply with this policy.

Board Level

The Financial Controller is accountable for data privacy and will report to the board on data privacy every quarter. 

Data Protection Officer

The Financial Controller has day-to-day responsibility for data privacy and is the main point of contact for any questions about data privacy.

Staff Responsibilities

All staff are responsible for complying with this policy.


The Financial Controller will produce an annual report on data privacy for the board of directors.


Risk Management

Data Privacy Impact Assessment (DPIA)

When we are considering processing information in a new way, using a new technology or processing sensitive information, the Financial Controllerwill decide whether a Data Privacy Impact Assessment (DPIA) is required.

Risk Register

The Financial Controller will maintain the Porvair Sciences Ltd’s Privacy Risk Register. The register will be reviewed annually by the Board of Directors.


Privacy Principles

Collecting Information

We should collect the minimum personal information we need to complete a task.  We should not collect information just in case.  If someone is making an enquiry about our services we should only collect initial contact details, there is no need to collect further information as these can be added later.

Processing Information

When we are planning to process information, we need to consider the legal reason for processing, and whether we need the individual’s consent to process.  Much of our processing is for legitimate business reasons to run our business and deliver our contracted services to customers; we need to pay staff, monitor and report on services and invoice fees and therefore we do not require consent. 

However, some activities may not be considered necessary to deliver the contracted services, such as marketing. Where we are marketing to business customers we do this as a legitimate business interest and do not need their consent, but we must offer them the right to opt-out of further communications. Where a business customer opts-out we mustrecord this and ensure we do not market to that customer again.

We must not send marketing material to an individual’s personal email address or home address without their consent.

The Financial Controller will maintain the Processing Register which will record the details of the customer, the category of data being processed, all processing activities and any enhanced security controls.

Securing Information

We must protect the personal information we use whether in electronic or paper format. 

  • Documents containing personal information should be stored securely when not required.
  • Documents containing staff personal information should only be removed from business premises where necessary. Documents must be protected while off site and should not be left unattended.
  • Electronic copies of personal information must be stored on Porvair Sciences Ltd controlled devices or systems in accordance the Porvair Sciences Standards.
  • Electronic documents containing customer or another employee’s personal informationshould not be emailed to staff home computers or personal mobile devices.
  • Staff should not download electronic documents containing customer or staff information on their own devices.

Deleting data retention

When personal information is no longer required, and there is no legal requirement to retain the information, electronic data must be deleted, and paper copies securely destroyed.  Annex A contains a list of how long we need to retain the types of information we process.


Subject Access Request and Data Transfer Request

Individuals have the right to know whether we store and process their personal information, this is known as a Subject Access Request. If the information we hold is inaccurate they have the right for that information to be corrected.  In certain circumstances, they have the right to have the information deleted or to be given a copy of that information.  We have to respond to any request within 30 days. The individual does not have to state they are making a subject access request, it can be a simple email asking what information we hold, and therefore, any request by an individual with regards to the information we hold must be forwarded to the Financial Controller.



Porvair Sciences Ltd is registered with the ICO as a data controller and data processor. The Financial Controller is responsible for maintaining our registration.

We will have a privacy notice which will clearly inform individuals how we collect their information, what we do with their information and their rights.  A copy of the privacy notice will be displayed prominently on our website and a copy will be sent to individuals when we are requesting information from them.

Where we are delivering a service as a data processor the relevant privacy notices will be included in the terms and conditions of the contract.

The privacy notice for staff will be given to staff on induction.

The Financial Controller is responsible for maintaining the privacy notice.


Education and Awareness

All new joiners including temporary staff must read this data privacy policy as part of their induction process.

All staff will receive data privacy training as part of their ongoing staff development. The Financial Controller will periodically send emails to all staff highlighting key aspects of data privacy.


Incident Handling

We have a legal responsibility to report certain data privacy incidents to the ICO within 72 hours or face a financial penalty.  It is essential all staff follow the incident procedure.  Example of privacy breaches are:

  • Revealing a customer’s contact details to an unauthorised third party.
  • Accidentally emailing an employee’s sensitive personal information to an unauthorised member of staff or third party.
  • Losing a laptop containing the personal information of a large number of customers and staff.

Not all the examples above are reportable to the ICO however it is essential that staff report any incident or potential incident to the Financial Controller.  The Financial Controller will then discuss the incident with the board of directors and decide whether the incident requires reporting to the ICO and whether an action is required to manage the risks from the incident.


Assurance and compliance

The Financial Controllerwill carry out periodic checks to monitor staff compliance with this policy.


Annex A - Retention Schedule

The primary actors that inform decisions on retention are:

  • Business need – as agreed by the organisation and their HR policy.
  • Legislative and regulatory requirements.
  • National Archives requirements and guidelines.

It is important that the retention schedule is kept up-to-date, to reflect changing business needs, new legislation, changing perceptions of risk management and new priorities for the organisation.

It should be noted that personal data should not be kept longer than is necessary for the purpose or purposes for which it is being processed. So, this means you’ll need to apply some judgment and apply different holding times for different types of personal data.  It is essential you ensure that manual records be shredded, and electronic files permanently deleted from the system. 


Retention schedule:

Type of Record

Retention Period


Financial transaction records

6 years after end of financial year


6 years after account is closed


6 years after account is closed


6 years after account is closed


3 years after account is closed


10 years after account is closed


Job application and interview records

6 months following unsuccessful application

Personnel records

7 years after employment ceases

Training records/appraisals

7 years after employment ceases

Employment agreements

7 years after employment ceases

Payroll and wage records (including details of overtime, bonuses and expenses)

7 years after employment ceases

Salary records

7 years

Disciplinary warnings should be removed from employee's personnel files once they have expired

Oral warning – 6 months

Written warning – 12 months

Final warning – 18 months

Disciplinary action ever taken, in particular disciplinary hearings

7 years after employment ceases

Grievance issues

7 years after employment ceases

Termination: The process of termination of staff through voluntary redundancy, dismissal and retirement

7 years after employment ceases

Details of benefits in kind

7 years after employment ceases


Income tax records (P45/P60/P%*/P48 etc.)

12 years

Annual return of taxable pay and tax paid

12 years

Published accounts

12 years

Tax returns

12 years

Financial records held on general ledgers

12 years

Health & Safety


Accident/Incident Book

15 years

Legal/Accident/Incident Forms

4 years from date of accident

Risk Assessments

7 years

Health & Safety Reports

15 years

Fire Procedure

Until superseded but retain copies of earlier versions

Health & Safety Policy

Until superseded but retain earlier versions up to 15 years and review as necessary

Records of monitoring areas where employees are likely to come into contact with asbestos.

Retain for 40 years (refer to The Control of Substances Hazardous to Health Regulations 2002)

Fire log books

Retain for 7 years


Third party contracts

6 years after date of termination (unless signed as a deed, in which case 12 years after date of termination)



6 years from the date they cease to be relevant


6 years from the date they cease to be relevant

Company Secretarial Records (eg board meeting minutes)



30 days





























Privacy Notice



This document describes how Porvair Sciences Ltd, the data controller, collects, uses and protects your information.


How we collect your information

The information we hold about you comes from the way you engage with us such as online through our website, via email, the post or over the telephone. We collect information supplied by you in the course of our business transactions and from our business development activities.


The type of information we hold

The information we hold includes your name, business address, email address, telephone number and possibly our transactional history.


How we use your information

We process your information to fulfil any contracts between us and for legitimate business interests such as direct marketing and sales activities.


Who we will share your information with

We will not share personal information about you with third parties without your consent unless the law allows us to or they are our suppliers who are involved in delivering the supply chain and our contract to you. 


Storing your information

Your personal information will be stored on systems owned or operated by Porvair Sciences Ltd and will only be stored inside the European Economic Area (EEA), or a country approved by the EU.


Within Porvair Sciences Ltd your information will be stored on our secured systems in accordance with Porvair Sciences Access Control Policy. Where your information is stored in countries outside the EEA we will ensure it is protected by encryption.



We will retain your personal information in accordance with legal and regulatory requirements.  You can request your information be deleted and if we can we will, but sometimes we have to maintain records for legal reasons. 


How you can access your information

If you would like a copy of your information we hold about you, please email


Your Rights

If you are not happy with how we are using your information or how we have responded to your request, you have the right to complain to the Information Commissioner’s Office at


Use of cookies [if you use cookies] 

We may use cookies and similar technologies on our website.  Cookies are small text files that may be stored on your computer or mobile device when you visit our website.  Cookies do many different things, such as letting you navigate between web pages efficiently and remembering your preferences.  We do not use cookies to track your use of our site, to make decisions about you or to send you marketing information electronically.


How we will tell you about future changes to this Privacy Notice

Any changes we make to our Privacy Notice will be put on our website.  Please check for updates from time to time, so you are always fully aware of what information is collected and how it is used.


How to contact us

If you have any questions or concerns about our use of your personal information, please email