Privacy Statement

CCW is committed to protecting the security and privacy of your personal data. CCW is a data controller under the terms of the General Data Protection Regulation (GDPR) which came into effect on 25 May 2018. We are registered with the Information Commissioner’s Office (ICO) with the registration number Z9387556.

This privacy notice explains what personal information we collect, how we use it and your rights in respect of your personal data.

Who we are?

We are the independent watchdog that represents the interests of water consumers in England and Wales. We have a committee in England, Wales and a team of Consumer Advocates that represent your area. Our contact details are:

23 Stephenson Street
B2 4BH

0300 034 2222 (for Birmingham)
0300 034 3333 (for Cardiff)

Information that we process

We process personal information in a number of ways to enable us to carry out our following duties:

  • consideration and investigation of customer complaints;
  • provision of advice and information;
  • responding to information requests;
  • maintenance of our own accounts and records;
  • supporting and managing our Board Members, Consumer Advocates and employees;
  • sending communications to stakeholders about the work we do;
  • recruitment;
  • commissioning of research;
  • internal support functions (suppliers etc.).

Types of data we collect

We process information relevant to the above reasons/purposes which include:

  • Name;
  • Address;
  • Telephone number (including mobile number);
  • Email address;
  • IP address;
  • Details of enquiries, complaints, incidents and grievances;
  • Responses to customer satisfaction surveys (via our research provider ORS);
  • Freedom of Information and subject access requests;
  • Subscriptions to our e-newsletters, social media sites, or requests for our publications;
  • Personnel files of employees, Board members and Consumer Advocates including pay details data relating to current and former employees;
  • Images of individuals for our publications;
  • Information from our suppliers.

The legal basis for processing your information

CCW processes personal information under the following legal bases:

  • Article 6(1)(a), Consent – the data subject has given consent to the processing (consent has to be specific, informed, freely given and unambiguous). Where you have given your consent to the processing you should be informed that you have the right to withdraw consent at any time.
  • Article 6(1)(b), Contract – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Article 6(1)(c), Legal obligation – CCW processes personal data for compliance with a legal obligation to which we are subject.
  • Article 6(1)(e), Public task – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • The processing of special category data is only permitted when certain further conditions in Article 9 of the GDPR are met. In most circumstances CCW’s legal basis for processing special category personal data is covered by:-
    • Article 9(2)(a) – the data subject has given explicit consent to the processing of those personal data.
    • Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
    • Article 9(2)(g) – processing is necessary for reasons of substantial public interest … which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
    • Article 9(2)(h) – processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional.

Customer complaints and enquiries

Why we need your information and how we use it

We need to collect and hold personal information about you in order to manage and investigate your complaint or enquiry and to obtain customer feedback to improve the services we provide. If you complain to CCW about your water company, we will hold the information you provide to us securely and use it to help us to process your complaint.

CCW will process your personal data in order to carry out our legal duties. In relation to complaints, this is specifically to enable CCW to investigate complaints about water and sewerage companies and retailers.

We may also use your information for training, monitoring and service improvement purposes. Failure to provide your personal data may make it difficult for us to investigate your complaint or enquiry effectively.

How we collect and process information from you

When you contact us with a complaint, whether this is by telephone or through our web form, we will ask for your name, address, contact number and email address. We will also ask you what your complaint is about, including which water company it relates to. So that CCW can deal with all complaints fairly, complaints sent to other CCW departments, including the Chief Executive, will be forwarded to the Consumer Relations team for review.

During times of high demand, your call may be answered by our third-party call handling service and the data it secures is sent securely to us. We have contractual clauses in place to ensure that the information you provide to this organisation is protected to the same standard as if it was provided directly to us.

CCW records all calls made to and from its Customer Relations Team from 20 December 2021 onwards. This is the team that handles complaints. These call recordings will be used to assist in quality monitoring of staff and to investigate and resolve a complaint. You may request that we delete your call records. Callers that do not want their call to be recorded will normally be advised to contact us either in writing or by email.

How and why we share your information

Your information may be shared internally with CCW staff in relevant departments in order that we can handle, investigate and respond to your complaint. We may also share details of your complaint with third parties such as your water company in order to investigate your complaint. For example, as part of our investigation into your complaint, we may contact the water company that is the subject of your complaint to request further information and to clarify aspects of the complaint.

We may also share information about you with the following:-

  • Where you have agreed so, a member of your family, associates, or someone who represents you in relation to your complaint or enquiry.
  • Where we receive a complaint that falls under the jurisdiction of another organisation such as the Water Services Regulation Authority (Ofwat), the Drinking Water Inspectorate (DWI) or the Environment Agency (EA). In this situation, we will not share your personal information without your consent.
  • If you are dissatisfied with the outcome of your complaint or the way we have dealt with it, you may approach WATRS or the Parliamentary and Health Service Ombudsman to look at your case. In this situation, we will not share your personal information without your consent.
  • Research companies appointed by CCW to obtain customer feedback to improve the services we provide.
  • We may also share your information with other organisations, such as government departments, and the police if we think it is necessary to do so.

CCW publishes an annual summary of activity in relation to complaints and enquiries received, including complaints accepted by the Parliamentary and Health Service Ombudsman. This summary does not include any individual’s details or personally identifiable information.

Where your personal information is stored and how long we keep it

We will only retain your Information for as long as is necessary for the purpose or purposes for which we have collected it. If you send CCW paper documents, disks or USB’s containing information about your complaint, we will upload these securely to a digital format. The originals will then be destroyed unless you asked for us to return the original documentation back to you.

Your personal data will be stored securely in CCW’s complaints handling/case management system and in our telephony system. It may also be stored in other CCW systems as we investigate your complaint, for example, in our email system.

CCW will hold written details of your complaint, including your personal data, for six years after the date of case closure. Recordings of calls made to and from the Consumer Relations team from 20 December 2021 will be held for 12 months after the date of the call; prior to that date call recordings were retained for two weeks after the date of the call.

Recordings of calls made to our third-party call handling service and the data that it sends to us will be retained by the supplier for up to 60 days.


We use market research companies for all research we commission. Our lawful basis of process is for the performance of a task carried out in the public interest. From some areas of our research we have a hub of contacts which we research on a regular basis. We do this on the lawful basis of consent.


All information provided to us during the recruitment process will only be used to progress applications, or fulfil legal / regulatory requirements. We hold the information securely whether it is held electronically or physically. We use your contact details for the recruitment process and other information to assess suitability.

We use a third party organisation for background screening of successful applicants. We share the applicant, name, address and email address. This is held by the processor for six months.

Our lawful reason for processing is it is necessary to take steps prior to entering into a contract – Article 6(b) GDPR. This information is stored for 2 years after the recruitment campaign.

For existing employees, Board members and Consumer Advocates we process the following information:

  • Contact details;
  • Pay details;
  • Annual leave;
  • Sick leave;
  • Qualifications;
  • Training;
  • Performance;
  • Ethnicity;
  • Disability details;
  • Employment history.

We process this information under the lawful basis because it is necessary for the performance of a contract. Sensitive information is processed under Section 9(2)(b) – employment. We keep personnel files for six years post-employment.

Supplier information

Personal data of suppliers whether they are an individual or an individual on behalf of an organisation is lawfully processed by CCW under the performance of a contract. The information includes name, contact details and payment details. We hold this information for six years plus the current year.

Feedback on our website and water meter calculator

We ask customers to include their postcode when inputting information relating to their assessed water consumption the water meter calculator on our website. This information is held internally in order for us to assess customer usage of the application. The lawful basis for us to process this information is for the performance of a task carried out in the public interest.

To make improvements to our website and water meter calculator we ask visitors to give their feedback. The basis of lawful processing we use is Article 6(1)(g) of the GDPR legislation 2018. The processing is necessary for the performance of a task carried out in the public interest. We delete the data after two years.

We use Survey Monkey to process this information and you can read their privacy statement here.

Individual’s images for our publications

On some occasions we may use an individual’s image or video footage of an individual at our events for our literature. We process this information under the lawful basis of Article 6(1)(a), consent of the individual.

Mailing Lists

We keep stakeholders up-to-date about our customer research reports that we conduct, our annual reviews, Forward Work Programme, stakeholder events and our newsletters.

The success of our email campaigns is measured by looking at the analytics of open rates, click-through rates and the subscriber list growth for our newsletter. For our communications through our stakeholder database, CCW’s lawful basis for processing information is necessary for the performance of a task carried out in the public interest particularly helping stakeholders to engage with CCW’s work.

Individuals can sign up to our newsletters through our website. We process this information with consent of the data subject.

For communications we use a free version of MailChimp that allows up to 2,000 subscribers. We have multiple lists according to each campaign we send which varies in size.

For more information, please see MailChimp’s privacy notice (now apart of Intuit!). You can unsubscribe at any time by clicking the unsubscribe link at the bottom of any of our emails.

Website Cookies and analytics

Our website uses cookies to collect and store information. Cookies are small text files placed on an individual’s computer and other mobile devices upon browsing our website. They are used to collect standard internet log information and visitor behaviour data. We may use the information stored in cookies to track visitor use of our website and generate reports on website activity. They cannot be used to identify you personally.Cookies are used to improve services for visitors to our website through, for example:

  • Enabling a service to recognise a device so the user does not have to give the same information several times during one task;
  • Recognising the individual may already have given a username and password so does not need to do if for every web page requested;
  • Measuring how many people are using services so they can be improved and there is sufficient system capacity;
  • Analysing anonymised data to help us understand how people interact with government services so we can make them better.

For further information about cookies, please visit

Google Analytics

When you visit or we utilise a third party service, Google Analytics, to:

  • collect details of visitor behaviour patterns;
  • collect standard internet log data; and
  • monitor the number of visitors to various parts of our website.

We use Google Analytics to collect information about how people use this site. We do this to make sure our website is meeting its users’ needs and to understand how we could do it better.

Google Analytics stores information about what pages are visited visit, how long users are on the site, how they got here and what they clicked on. We do not collect or store personal information (e.g. name or address) so this information cannot be used to identify an individual. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

Google Analytics cookies: _utma, _utmb, _utmc, _utmz

  • Purpose: To record how many people are using the CCW website and how they move around the site once they’ve arrived: o _utma tracks how many times (if any) you have visited our website before. o _utmb and _utmc are connected, and track how long you stay on the site. o _utmz tracks identifies where you’ve come from e.g. from a search engine or from another website.
  • Benefit: So service is available when required we measure numbers and volumes of visitors.
  • Data stored by cookies: No personal information about you, just information about your computer and your browser.

Duration of cookies:

  • utma: Expires 2 years after your last visit to this site.
  • _utmb: Expires 30 minutes after your visit, or after 30 minutes of inactivity.
  • _utmc: Expires when you close your browser.
  • _utmz: Expires 6 months after it was last set.

Cookies set by our consumer support site

Customer Portal: cp_session, cp_profile, cp_login_start, oauth_token

  • Purpose: store session specific user data including session ID, answers viewed, number of searches, previously viewed answers, previous searches, previously seen e-mail
  • Data stored: information about the session; the cookie itself contains no personal information.
  • Duration of cookie: expires when you close your browser.

How your information is stored and deleted

Customer information is stored electronically onto our complaint management system. This system, and our network, comply with ISO 27001 I/L2 data security hosting standards, the EU Safe Harbour Data Protection Directive and Telecoms Data Protection Directive.

For more information, on how long we keep personal data please see our retention schedule:-

Keeping your information up to date

If your contact details or other personal information change or if you think that the information we have isn’t accurate. Please contact us as soon as possible.


As we are classified as a public authority, we have appointed a Data Protection Officer (DPO) to ensure we comply with data protection law. Our DPO operates with independence and is supported by suitability skilled individuals granted all necessary authority. The DPO’s duties include:

  • Informing and advising CCW and its employees who carry out data processing pursuant to data protection regulations, European Union or other Member states data protection provisions;
  • Monitoring compliance in relation to the protection of personal data, including providing relevant training to employees involved in controlling customer data;
  • Providing advice and guidance with regards to carrying out Data Protection Impact Assessments (DPIAs);
  • Operating as a point of contact for and cooperating with supervisory authorities, notably in the event of any data breaches;
  • Implementing and operating a register or system which records requests for information;
  • Reviewing personal data, ensuring that any data which is not necessary to be retained for longer than is necessary is effectively destroyed or obfuscated to reduce CCW’s compliance footprint;
  • Updating CCW’s data protection, privacy and cookie policies to reflect operational changes as a result of audits and corrective actions;
  • Ensuring employees are fully briefed on any changes made to CCW’s data protection, privacy and cookie policies.

How CCW protects your personal data

CCW takes the security of your personal data seriously and has internal policies and controls in place to protect your data from loss, accidental destruction, misuse or disclosure. Some of the ways in which CCW protects your personal data include:

  • Implementing appropriate technical and organisational controls to protect the confidentiality, integrity and availability of personal data and information
  • Regular review of CCW information assurance and security policies and procedures
  • On-going training and awareness for staff on data protection and security
  • Use of the government Supplier Assurance Framework and Crown Commercial Services frameworks when working with suppliers and third parties
  • Regular review of security and cyber risks

Your rights over your personal data

CCW is committed to being transparent about how it collects and uses your personal data and to meeting its data protection obligations. CCW is a Data Controller under data protection legislation and we comply with the data protection principles when processing your personal information.

Under data protection laws, you have a number of rights. You can:

  • Access and obtain a copy of your personal data
  • Require CCW to rectify/change incorrect or incomplete personal data
  • Require CCW to delete/erase your personal data
  • Request CCW to restrict the processing of your personal data (in certain circumstances)
  • Request your personal data in a portable format
  • Object to the processing of your personal data

If you would like to exercise any of these rights you should contact CCW’s Data Protection Officer via email at You can also write to the Data Protection Officer at:

23 Stephenson Street
B2 4BH

How to find out more

The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights. If you would like to know more about your rights under data protection laws, and what you can expect from us, please visit the ICO website at


If you believe that CCW has not complied with your data protection rights you should contact its Data Protection Officer in the first instance. You can also complain directly to the Information Commissioner at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Tel: 0303 123 1113

Changes to our Privacy Notice

We may amend this privacy notice and will update it to reflect feedback or make it more accessible. We recommend you regularly read this to be informed how we are protecting your privacy.

Alison Townsend is our Data Protection Officer. Should you have any concerns about your personal data held by us please contact us at