Privacy Notice
Privacy Notice: Information Governance Services Limited
Last Updated – 15 January 2026
Our Contact Details
Address: Furlong House, 10A Chandos Street, London, W1G 9DQ, United Kingdom
Phone Number: 0208 8106 7936
E-mail: info@informationgovernanceservices.com
- Overview
We, Information Governance Services Ltd (“IGS”), are a data protection and data ethics consultancy firm. We help our clients navigate regulatory requirements in all areas of information governance, data protection, and data ethics. IGS is incorporated in England and Wales with company number 11779744. For more information about who we are, please visit the “ABOUT US” page on our website.
This Privacy Notice explains what information we will be collecting about you and why, how that information will be used, how we keep it safe, and what your rights are around the data we collect and use.
This Privacy Notice covers any personal data we process when you have:
- engaged our services as a client or prospective client;
- interacted with our website and have consented to the use of our cookies;
- submitted a contact form on our website;
- gone through our recruitment process as an applicant;
- attended our events whether online or in person; or
- purchased a training module from our website or set up an account in the process of purchasing a training module.
We take our responsibilities under the UK General Data Protection Regulation (GDPR) 2018, Data (Use and Access) Act 2025, Data Protection Act 2018 and Privacy and Electronic Communications Regulations 2003 very seriously. You can be assured that your information will always be used appropriately, lawfully and in line with the applicable data protection legislation. We will store your data securely with appropriate safeguards in place to protect it against unauthorised or unlawful processing and ensure that we do not store any of your data for longer than it is strictly necessary to do so.
This Privacy Notice covers our use of personal data for our own purposes, meaning the instances where we are acting as the “data controller”. A data controller under the UK General Data Protection Regulation (UK GDPR) is the entity or natural person determining the purposes and means of the processing. In other words, the responsible entity which decides why and how the personal data is used.
- What personal data do we collect, why do we collect it?
As an organisation, we process personal data only where it is strictly necessary to do so for our purposes, as outlined below. We process different sets of personal data in different circumstances, depending on your relationships and interactions with us.
Client Data
What personal data do we collect?
If you or your organisation has, or is intending to procure, a business relationship with us, we may collect information from you and/or your colleagues to provide the services for which you have engaged us. Some of this information will include personal data.
The information we collect in these circumstances may include:
- First Name;
- Last Name;
- Job title;
- Company name;
- Gender;
- Email address;
- Postal address; and
- Telephone number.
In specific circumstances, we may be required to collect additional information from individuals in order to fulfil our anti-money laundering obligations. In these circumstances, we will be required to collect the following information from you by way of a copy of your passport, which we will obtain directly from you:
- Nationality;
- Ethnicity;
- Photograph;
- Place of Birth; and
- Signature.
Why do we collect this data?
We will require this information for the functionality of communicating with you or your organisation, and to facilitate a business relationship between us. We also collect information to fulfil our anti-money laundering obligations.
What’s our lawful basis for collecting this data?
Non-special category data:
- UK GDPR Article 6(1)(b) – performance of contract;
- UK GDPR Article 6(1)(c) – legal obligation; and
- UK GDPR Article 6(1)(f) – legitimate interests.
Special category data:
- UK GDPR Article 9(2)(b) – employment, social security and social protection.
How long do we keep this data?
The duration of the contract and client engagement, along with our legal obligations to hold certain financial information.
Contact Form
What personal data do we collect?
If you fill in the contact form on our website, we require certain personal information from you to process your request. We will collect your:
- Name;
- Email address;
- Telephone number; and
- Any optional information you put in the message body of your form.
Why do we collect this data?
We process this data to reply to your query, to capture initial information in anticipation of starting a business relationship with you and for direct marketing purposes to send you marketing communications using the contact details you have provided, subject to compliance with applicable direct marketing laws.
What’s our lawful basis for collecting this data?
- UK GDPR Article 6(1)(b) – performance of contract; and
- UK GDPR Article 6(1)(f) – legitimate interests.
How long do we keep this data?
6 years.
Recruitment Data
What personal data do we collect?
If you apply for an employment position with us, we may collect the following information in order to process your application and assess you as a candidate. We will collect your:
- First name;
- Last name;
- Email address;
- Postal address;
- Telephone number; and
- Any other personal data included in the body of your CV, cover letter or shared with us in the course of the application process (including special category data; ethnicity, health issues or disabilities which we may need to accommodate for).
Why do we collect this data?
We process this personal data in order to assess your suitability for the role and whether we would like to progress your application to an offer of employment. Please note that any personal data we collect that is recognised as one of the protected characteristics under the Equality Act 2010 will in no manner have an impact on the outcome of your application. We ensure fairness throughout the recruitment process and do not treat any application less favourably because of these characteristics.
What’s our lawful basis for collecting this data?
Non-special category data:
- UK GDPR Article 6(1)(b) – performance of contract.
Special category data:
- UK GDPR Article 9(2)(b) – employment, social security and social protection.
How long do we keep this data?
For the duration of and immediately after the recruitment window. We will destroy all personal data held on unsuccessful applicants within 1 year of the recruitment period ending, save for any information we are required to hold by law.
Training Module and User Account Data
What personal data do we collect?
If you set up an account with us or purchase a training module through our website, we will collect the following information from you:
- First name;
- Last name;
- Company Name (optional);
- Email address;
- Postal address;
- Telephone number; and
- Credit/debit card details.
Why do we collect this data?
- Set up a user account for you as part of the training module access procedure;
- Take a payment transaction for you to access the training modules you have purchased;
- Provide user support regarding any issues with the training modules you have purchased; and
- Send you marketing communications using the contact details which you have provided, subject to compliance with applicable direct marketing laws.
What’s our lawful basis for collecting this data?
- UK GDPR Article 6(1)(b) – performance of contract; and
- UK GDPR Article 6(1)(f) – legitimate interests.
How long do we keep this data?
6 years.
LinkedIn Webinars
What personal data do we collect?
When you register for our online webinars, we collect personal information that may include:
- First name;
- Last name;
- Company Name (optional);
- Email address.
Why do we collect this data?
We use this information to:
- confirm and manage your registration; send joining instructions, reminders, and follow-up materials; and
- send you direct marketing communications via email, subject to compliance with applicable direct marketing laws.
What’s our lawful basis for collecting this data?
For the purposes of organising and informing you about the webinars, we rely on:
- UK GDPR Article 6(1)(a) – consent; and
- UK GDPR Article 6(1)(f) – legitimate interests.
Please note that we will rely on your consent if you choose to receive additional communications beyond essential event information such as direct marketing.
Where we rely on your consent, you have the right to withdraw your consent at any time by writing to our email address: info@informationgovernanceservices.com.
How long do we keep this data?
We will be able to download and access registrant data via LinkedIn up to one year from the day attendees register. After one year, the data can no longer be accessed. We will retain this data for as long as necessary to fulfil the purposes for which we have collected it, unless you exercise your right to opt-out. Please see the section on ‘How do we use your data for marketing including direct marketing’ for more information.
- Do we collect or use personal information about children?
We do not provide services targeted at children and therefore, do not collect or use personal information about children.
- How do we use your data for marketing including direct marketing?
Subject to your consent or marketing preferences, including your cookie preferences, we may process your data for marketing purposes. Please see our Cookie Policy for more details on the cookies we use. Marketing communications you receive from us may include, but are not limited to, offers about our products, services, newsletters.
For these marketing communications, we use your personal data as described in section 2 of this Privacy Policy and it may include your name, contact details, browsing habits, company name (if relevant).
We rely on your consent to process your personal data when the law requires it.
You will always have the option to withdraw/opt-out from receiving marketing communications from us. To do so, you can reach out to us at: info@informationgovernanceservices.com. You can also unsubscribe from email marketing by clicking on the unsubscribe link in the email.
- With whom do we share your personal data?
We work with third parties with whom we have a contractual relationship to help us process your data so that we can provide you with our services and fulfil the purposes specified above. Where information is shared, it will be done on a strictly need-to-know basis and limited to what is necessary. As such, all personal data will only be shared in order to facilitate or assist with our contractual and legal obligations, or to allow us to undertake our professional services to our clients.
A list of our current processors with whom your data may be shared, and the functions they undertake, can be found below:
| Third Party Organisation Name | Location of Third Party Data Storage Processing | Third Party Functions |
| --- | --- | --- |
| LearnDash | United States (Adequacy decision as per UK Extension to EU-U.S Data Privacy Framework via Liquid Webb LLC) and Netherlands (EU) | Learning Management System Provider for training modules |
| Microsoft Limited | United Kingdom | Cloud storage, Email Service Provider |
| SumFactors Limited | United Kingdom | Website Hosting and Management Provider |
| Google | Republic of Ireland (EU) | Google Analytics service for analytical cookies for website analytics |
| Stripe, Inc. | United States (Adequacy decision as per UK Extension to EU-U.S Data Privacy Framework) | Online payment processing platform |
| Mailerlite | Germany (EU) and Netherlands (EU) | Email direct marketing service provider |
| Trustpilot | Ireland (EU), Germany (EU), United Kingdom, France (EU) | Online platform for businesses to collect reviews, resolve issues and improve services |
We are very careful when we choose these third parties and only transfer your data outside of the UK where we have a lawful way to do so. We take all reasonable steps to confirm that an equivalent level of data protection is ensured.
Additionally, we may disclose your personal data in connection with court orders, legal proceedings, government inquiries or law enforcement authorities. If we do share, for these purposes, we will rely on UK GDPR Article 6(1)(c) – legal obligation.
- How do we keep your information confidential and safe?
We take the security of your personal data very seriously. We ensure that it is protected with multiple levels of security, including 256-bit AES encryption at rest which is widely considered to be one of the most secure methods of protecting data, and access controls. Access controls ensure that only a limited number of people have access to your data.
We ensure that all personal data is backed up, and we have a business continuity plan in place. In the event of an unexpected disruption to our service and business operation, we will be able to restore availability.
We store your data in data centres that are accredited to international and industry specific compliance standards such as ISO 27001:2022, SOC 2 Type II and SOC 3 Type II certifications.
- Your personal data rights
As a data subject, you have various rights about how your personal data is used.
Individual Right
Information about your rights
The right to object
In certain circumstances, as a data subject, you have the right to object to the processing of your data.
Where we use your data to carry out any direct marketing you have the absolute right to object to the processing of your personal data. The method of objection to such processing will appear in the subject of the direct marketing in question.
Please note that where the processing in question is not for direct marketing purposes, your right to object is not absolute. This means that we need to perform a balancing exercise comparing your interests with ours. We can refuse to comply with your request if we have overriding compelling legitimate grounds for the processing. If that is the case, we will inform you as soon as we can and let you know about our compelling legitimate grounds.
You also have the right to object to the processing of your data where a data controller processes personal data for the purpose of a public task or under legitimate interests. Please note that we do not carry out any data processing under either of these lawful mechanisms; as such, the right to object in these specific circumstances does not apply.
The right to be informed
As a data subject, you have the right to be informed about how your data is collected and used. This Privacy Notice serves as our transparency material for data subjects as to how your personal data is used, informing you of our uses.
This Privacy Notice aims to provide you with information in a concise, transparent and intelligible way which is easily accessible and uses clear and plain language.
The right of access
As a data subject, you have the right to access and receive a copy of the personal data we hold on you. You can make a subject access request to us for this information.
We will provide the information in an accessible, concise and intelligible format, and it will be disclosed in a secure way.
We have processes to ensure that you will receive it without undue delay and within one month of receipt, with the exception of circumstances in which we can lawfully extend the time limit to respond to your request.
We have the right to refuse such a request where there is a relevant restriction, or where the request is manifestly unfounded or excessive.
The right of rectification
As a data subject, you have the right to rectify inaccurate personal data which we hold on you. You can make a request to us verbally or in writing if you believe that information we hold on you is inaccurate. To update or edit your personal data held by us, including your communication preferences, please contact us using the contact details set out under “Making a complaint”.
We have the right to refuse a request, and we are aware of the information we need to provide to you.
We have processes to ensure the response to a request for rectification without undue delay and within one month of receipt. In certain circumstances, we can extend the time limit to respond to a request.
The right of erasure
In certain circumstances, as a data subject, you have the right to request verbally or in writing that we erase the personal data we hold about you. You can only request that the personal data is erased where: it is no longer necessary for the purposes we collected it; you provided the information by consent and you withdraw your consent; we have processed the information unlawfully; or the erasure is in line with a legal obligation.
The right of restricting processing
In certain circumstances, as a data subject, you have the right to request verbally or in writing that we restrict the processing of your data for a period of time. You can only request that the processing of personal data is restricted where: you are contesting the accuracy of the personal data and it is being verified; the data has been unlawfully processed; or we no longer need the personal data but you require us to keep it in order to establish, exercise or defend a claim.
The right of data portability
As a data subject, you have the right of data portability, meaning you have the right to receive a copy of your personal data in a structured, commonly used and machine-readable format.
The right of portability only applies where we have collected this information via consent or the performance of a contract (see lawful bases above) and we are processing the data by automated means (i.e. not paper files).
Rights related to automated decision-making including profiling
We do not make any automated decisions or automated profiling about any data subjects.
You can find out more about your rights by visiting the Information Commissioner’s Office’s website:
You can exercise your rights by using our contact details displayed within this privacy notice.
- What is the timeframe for receiving a response?
We will always aim to respond to your request as soon as we can, and always within one month upon receipt of the request.
In certain circumstances, we are entitled to extend this period by another two months. This will be the case where your request is complex. We will notify you about this extension as soon as we can.
- Verifying your identity
In order to comply with your request, we will need to verify your identity. This will be done so that we do not accidentally disclose your personal information to an unauthorised person. To that end, we may ask for confirmation of your identity as part of the process which may include requesting further documentation and processing of personal information where we have reasonable doubts about your identity.
- When can we refuse to comply with your requests or charge a fee?
Usually, we will be happy to comply with your requests without undue delay and free of charge. However, there are certain circumstances where we are legally allowed to refuse to comply or charge a reasonable fee. This will be the case where your request is manifestly unfounded or excessive. If we decide to refuse to comply or charge you a reasonable fee, we will inform you about our decision.
Furthermore, your right to object might be further restricted if the processing is occurring for historical or scientific research purposes.
- Do we make decisions based solely on automated processing?
We do not make decisions based on automated processing without human involvement.
- Making a complaint
Should you have any queries about how your information is used, or wish to make a complaint about how your data has been used, then please contact our team at: info@informationgovernanceservices.com
If you are unhappy with the way we use your information or about our response to your request, you have the option of contacting the Information Commissioner’s Office (ICO), who is the UK’s independent data protection supervisory authority, for further information or to make a complaint:
Address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
The ICO has multiple ways in which it can be contacted, including telephone and live chat. More information about how you can get in contact with the ICO can be found below:
Telephone number: 0303 123 1113
Online:
You can make a complaint or raise a concern via ICO’s website:
- How can you contact us?
If you would like to contact us in respect of any element of this Privacy Notice, or where you wish to raise a complaint or grievance, you can do so using the contact details provided below:
Address: Furlong House, 10A Chandos Street, London, W1G 9DQ, United Kingdom
Phone Number: 0208 8106 7936
E-mail: info@informationgovernanceservices.com
- Changes to this Notice
We may update this Notice from time to time. If we make any material changes to this Notice, we will change the “last updated” date of the Notice and notify you by your chosen form of communication, where applicable and appropriate. Changes to this Notice are effective when they are posted on this page.