Effective date: October 2025

This notice explains how Burges Salmon LLP (the "Firm", "we", "us", “our”) handles personal data collected through the Culture Shift Report + Support tool (the "Tool"). It is intended for all the Firm people, partners, contractors and alumni who use the Tool ("you", "your").

We are committed to using your information responsibly, keeping it secure, and being transparent about how and why we use it.

Who manages the Tool

We act as the controller of personal data processed via the Tool.  Culture Shift Communications Ltd provides and hosts the Tool as our processor.  If you have questions about this notice or how your data is used, please contact our Risk and Best Practice Team. You may also contact the Firm’s Data Protection Officer, Paul Haggett at paul.haggett@burges-salmon.com, if applicable.

What the Tool is for

The Tool enables you to report concerns and seek support regarding unethical conduct, unacceptable behaviour including incidents related to equality, diversity and inclusion. Reports can be submitted in your name or anonymously. The Tool helps us to monitor themes and trends, support individuals, and take appropriate action in line with our policies and values.

What data we collect

The Tool collects only the information you choose to provide, which may include:

  • Identity and contact details, such as name, firm email address and phone number.
  • Employment details, such as department or role.
  • Incident details, including free-text descriptions and any files you upload (for example, screenshots or photos).
  • Demographic data that you choose to self-identify as for monitoring purposes, such as age range, disability, ethnicity, religion or belief, gender and sexual orientation.
  • System data necessary to administer the Tool for authorised People Advisory team members, such as firm email for login.

You may submit a report anonymously. If you choose not to provide personal data, we may be limited in the support we can offer or the steps we can take.

Special category (sensitive) data

Depending on what you choose to share, your report may include special category data, such as information about health, racial or ethnic origin, religious or philosophical beliefs, or sexual orientation. We ask you only to provide information that is relevant to your report and support needs.

How we use your data

We use personal data submitted via the Tool to:

  • Receive, assess and, where appropriate, follow up on reports, including contacting you if you request support or consent to follow up.
  • Provide guidance, signposting and support to individuals.
  • Monitor, analyse and report on trends to inform prevention, training and culture initiatives, generally using aggregated and anonymised information wherever possible.
  • Administer and secure the Tool, including access controls for authorised people.
  • Comply with legal and regulatory obligations and exercise or defend legal claims.

We will not use your data for unrelated purposes without notifying you and, where required, obtaining your consent.

We process your personal data under the UK GDPR on the following legal bases:

  • Our legitimate interests in ensuring a safe and respectful workplace, managing people matters, preventing and addressing misconduct, and improving our culture and practices.
  • Compliance with legal obligations in the employment context and related regulations.
  • Where applicable, your consent, for example if you choose to be contacted following an anonymous report or provide optional demographic information for monitoring purposes.

For special category data, we rely on one or more of:

  • Processing necessary for employment law obligations and rights (UK GDPR Article 9(2)(b) and UK Data Protection Act 2018, Schedule 1).
  • Processing necessary for the establishment, exercise or defence of legal claims (Article 9(2)(f)).
  • Processing necessary for equality of opportunity or treatment monitoring (where conducted with appropriate safeguards) (Schedule 1, DPA 2018).

Where we rely on these conditions, we apply appropriate safeguards as required by law.

Where your data comes from

We collect data directly from you when you submit a report. For administrative users, limited personal data (for example, email address) may be provided by us to enable secure access. In some cases, we may receive information relating to a report from witnesses or from our internal systems where relevant and lawful.

Who can see your data

Access to personal data in the Tool is strictly limited to authorised People Advisory team members and the Firm’s General Counsel who need it to perform their roles. They are bound by confidentiality and receive appropriate training.

We use aggregated and anonymised information for trend analysis and reporting wherever possible. We do not share your personal data with others unless it is necessary and lawful, for example with external advisers or authorities where required by law or to protect individuals' vital interests, or where necessary to address serious allegations.

Where sharing is necessary, we share the minimum data required and apply appropriate safeguards.

International transfers

The Tool is hosted in the UK. If we need to transfer personal data outside the UK, we will ensure appropriate safeguards are in place (for example, approved transfer mechanisms) and that your rights are protected.

How long we keep your data

We keep personal data only for as long as necessary for the purposes described in this notice and in line with our Data Archiving and Retention Policy. Typically, report records are retained for six years from closure, unless a longer period is required for legal, regulatory or safeguarding reasons. After the retention period ends, data is securely deleted or anonymised.

Security and Confidentiality

We apply technical and organisational measures to protect personal data, including role-based access controls, encryption in transit and at rest, system monitoring, and secure hosting.

Culture Shift hosts the Tool on UK-based infrastructure and implements appropriate security measures. We regularly review access and security controls. Only those with a legitimate need can access identifiable data.

Your rights

Depending on how you submit your report and the information you provide, you have rights under the UK GDPR, including to:

  • Submit a subject access request.
  • Request correction of inaccurate or incomplete data.
  • Request deletion of your data, or restriction of processing, in certain circumstances.
  • Object to processing based on our legitimate interests.
  • Withdraw consent where we rely on your consent.

These rights may be limited where exercising them would seriously prejudice our ability to investigate concerns, protect others, or meet legal obligations, or where reports were submitted anonymously and we cannot identify you.

To exercise your rights, please contact the Firm’s DPO via the contact details below.

Contact and Complaints

If you have questions about this notice or how your data is handled, please contact Paul Haggett, the Firm's DPO at paul.haggett@burges-salmon.com.

If you are not satisfied with our response, you can contact the UK Information Commissioner's Office. You also have the right to seek a remedy through the courts.

Updates to this notice

We may update this notice from time to time. The latest version will be available within the Tool and will include the effective date of the changes.

There are two ways you can tell us what happened

Share anonymously or Share with contact details