Purpose of this privacy notice 


Purpose of this privacy notice 

BAE Systems, Inc. (“the Company”, “we”, “our” or “us”) is committed to protecting the privacy and security of your personal information.

This privacy notice describes how we collect, use, and share personal information about you before, during, and after your working relationship with us, in accordance with applicable data protection laws (together the “
Data Protection Laws”).

It applies to visitors and to all permanent and temporary employees, workers, contractors and any other individuals who are working for the Company but who are not directly employed (“
staff member” or “you”).

Please read this privacy notice carefully. If you have questions, please contact privacy@baesystems.com. If you are visually impaired, you may request that your supervisor or any member of Human Resources read this privacy notice to you.


1. Information we collect about you 

For the purposes of this privacy notice, “personal information” means any information about an identified or identifiable natural person regardless of whether it is held in paper, electronic or any other format.

We collect, maintain, and use different types of personal information in the context of our relationship or potential relationship with you. We also collect certain “special categories” of more sensitive personal information where permitted by applicable law. 

The following provides examples of the type of information that we collect from you and how we use the information.



ContextCategories of InformationPrimary Purpose for Collection and Use of Information
BenefitsWage and benefit information, including but not limited to salary, bonus, additional pay, variable compensation, annual leave, pension and related compensation history and benefits information.To perform our contractual obligation to provide employee benefits, including compensation, health insurance, expense reimbursements, etc. Our legitimate interest in maintaining accurate business accounts.
CCTVCCTV footage and other information obtained through electronic means such as swipe card records.Our legitimate interest in protecting the Company’s assets and property and maintaining the security of information held by the Company.
Certifications and Qualifications We collect information from individuals who have access to our facilities and equipment including licensing and certification, and when applicable, nationality and citizenship.We have a legitimate interest in securing our facilities and equipment, and tracking those individuals with access to either for security and maintenance purposes.  In some jurisdictions, we are also required by law to validate and record information about the individuals that access our facilities and equipment. 
Contact DetailsPersonal contact details such as name, title, addresses, telephone numbers, and work and personal email address.We have a legitimate interest in communicating with you. In some jurisdictions, we are also required to collect this information to comply with law.
Electronic CommunicationsInformation about your use of our information and communications systems. Information about your computer, including your IP address, operating system and browser type, traffic data, location data, weblogs, and other communication data and resources you access in accordance with our Cookie Policy.Our legitimate interest in monitoring your use of our information and communication systems, providing for security of the IT system to ensure compliance with our policies and applicable law, and to optimize your website experience. For information on how we collect information regarding the use of our website, please see our Cookie Policy.
Government IdentificationSocial security numbers, taxpayer identification numbers, passportOur legitimate interest to comply with applicable law.
Health RelatedInformation about your health, including any medical condition, health and sickness records, details of any absences from work (other than holidays), including time on statutory parental leave and sick leave.Our legitimate interest in ascertaining your fitness to work, managing sickness absence, to comply with legal obligations related to health and safety, and to perform our obligation to provide health benefits such as insurance.
IdentificationName, date of birth, and driver’s license.Our legitimate interest in identifying you personally.
InvestigationsDetails of any disciplinary investigations and proceedings or of investigations following an alert.Our legitimate interest in gathering evidence for possible grievance or disciplinary matters or to make arrangements for the termination of our working relationship if warranted. Our legitimate interest in determining whether you, or another employee, has complied with our policies, procedures, and protocols. 
Other Special Categories Of Sensitive InformationInformation about your gender, race, ethnicity, sexual orientation, religious beliefs, health and disability data, veteran status, and trade organization data.To comply with government regulations and our legitimate interest in promoting and monitoring equal opportunities and diversity (if permissible under applicable law).
Payroll, Pension, and TaxesPayroll information, including but not limited to social security number or equivalent, tax status information (i.e., marital status, dependents, etc.), payroll records, bank account details, direct deposit/credit arrangements, and information about pension plans.To perform our contractual obligation to calculate and pay your salary, tax, social security, and pension contributions. In some jurisdictions, to comply with legal obligations.
PhotographsPhotographsOur legitimate interest in maintaining external and internal directories and/or a security badge (if applicable).
RecruitmentRecruitment information, including copies of right to work documentation such as citizenship, work permit or visa; references and other information included in a CV, resume, or cover letter or as part of the application process; criminal background; references and  interview notes; letters of offer and acceptance of employment, and employment agreements.Our legitimate interest in making a decision about your recruitment or employment. In some jurisdictions, to comply with legal requirements to verify you are legally entitled to work in the country in which you are applying.
Terms of Employment

Employment records including job titles/duties, job location, working arrangements, seniority data, employee identification number, performance ratings, hire/re-hire date, termination date, job history, training records, professional memberships, and business travel arrangements.

Our legitimate interest in business management and planning, including accounting and auditing; conducting performance reviews, managing performance and determining performance requirements; making decisions about salary reviews and compensation; assessing qualifications for a particular job or task, including decisions about promotions; making decisions about your continued employment or engagement. To perform our contractual obligation to provide salary and benefits to certain employees.
TrainingWe collect information from individuals concerning the training that they receive from us or from third parties.Our legitimate interest in understanding and recording the qualifications and training of the individuals that work with us.  We may also be required by law, or by contract, to share the training or qualification of certain staff with third parties such as regulators or clients.  We may also choose to share the training or qualification of certain staff with third parties as part of our effort to develop business. We have a legitimate interest in complying with any statutory, regulatory, or contractual obligation to disclose the training of our staff, and we have a legitimate interest in using the qualifications of our staff to help develop business.

In addition to the information that we collect from you directly, we may also receive information about you from other sources, including third parties, business partners, our affiliates, or publicly available sources.  For example, if you submit a job application or become an employee, we may conduct a background check or collect information from your references or previous employers.

2. How we collect your personal information

We collect personal information about staff members through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider where background checks are permitted. In addition, we may sometimes collect additional information from third parties including former employers, personal and professional references, credit reference agencies or other background check agencies, or government agencies (where permitted).
We will also collect additional personal information in the course of job-related activities throughout the period of you working for us. This may include monitoring communications and use of Company’s IT equipment and systems, or from other staff members or supervisors.


3. Monitoring use of the Company's information technology ("IT") equipment and systems

In the course of conducting our business, we may – under conditions permitted by applicable law- monitor employee activities and our premises and property. For example, some of our locations are equipped with surveillance cameras. Where in use, surveillance cameras are for the protection of employees and third parties, and to protect against theft, vandalism and damage to the Company’s property. They do not aim to control the working activity of the individual staff member. Recorded images are typically destroyed and not shared with third parties unless there is suspicion of a crime or wrongdoing, in which case they may be turned over to law enforcement, other appropriate government agency, or other appropriate third parties. If recorded, the images will be kept with a maximum of one month, except if law authorizes, expressly or explicitly, a longer period or prescribes a shorter period. 

Additionally, pursuant to BAE Systems, Inc. Management Policy 901 (Acceptable Use of Information Resources) and where permitted by law, the Company has the ability to monitor all employee’s activities using the Company’s IT Assets and communications systems including, without limitation, phone, email, instant messaging, VoIP, and internet browsing. For the purposes of your own personal privacy, you need to be aware that such monitoring might reveal personal information about you. By carrying out such activities using our facilities and assets you acknowledge that personal information about you may be revealed to the Company by such monitoring. 


4. How we use your personal information

In addition to the purposes and uses described above, we use your personal information for the following purposes:
  • To administer your relationship with us, including fulfilling any obligation that we have to provide you with compensation or benefits;
  • To carry out our business effectively;
  • To comply with applicable laws or regulations;
  • To comply with our contractual obligations;
  • To detect and prevent fraud or crime;
  • To enforce, exercise, or defend legal claims;
  • To investigate potential misconduct;
  • To keep your personal information and that of other staff members secure and to prevent unauthorised access, loss, damage, destruction or corruption of data. This may include monitoring communications and use of the Company’s IT equipment and systems;
  • To plan, organize, and carry out administration tasks within and across the Company; and
  • To protect the legitimate interest of the Company, including protecting the Company property.

Note that this privacy notice may be updated to notify you of additional purposes for which we process your personal information.

5. Sharing your personal information 

In addition to the specific situations discussed elsewhere in this policy, we share your personal information in the following situations:

  • Affiliates and Business Transfers. We may share information with our corporate affiliates (e.g., parent company, subsidiaries, joint ventures, or other companies under common control) in the course of our normal business operations. If another company acquires, or plans to acquire, our company, business, or our assets, we will also share information with that company, including at the negotiation stage. 
  • Legal or Regulatory Requests and Investigations. We may disclose information in response to subpoenas, warrants, or court orders, or in connection with any legal process, or to comply with relevant laws or regulations.  We may also need to share your personal information with tax authorities, courts, regulators, the police and other governmental authorities where we are required or permitted to do so by law.
  • Other Entities. We may disclose certain information such as name, work contact details (including your workplace ID photo), training and qualification records, certifications, and other information about your work arrangements to other third parties, such as customers, subcontractors, business partners, professional advisers (including lawyers, auditors and accountants), professional bodies, and regulatory authorities in the normal course of business.
  • Other Disclosures with Your Consent. We may ask to share your information with other third parties who are not described elsewhere in this privacy notice.
  • Protection of the Company or Others. We may share your information in order to establish or exercise our rights, to defend against a legal claim, to investigate, prevent, or take action regarding possible illegal activities, suspected fraud, safety of person or property, or a violation of our policies.
  • Third-Party Service Providers. We may share your information with service providers. For example, we may share your personal information with payroll administrators, pension administrators, IT service providers, training providers, benefits providers, marketing/events agencies, and recruitment agencies.

6. Data Security

We maintain reasonable physical, technical and procedural safeguards that are appropriate to the sensitivity of the personal information in question. These safeguards are designed to help protect your personal information against loss, unauthorized access or disclosure, modification, or destruction. While we use reasonable efforts to protect your personal information, we cannot guarantee the security of your personal information. In the event that we are required by law to inform you of any privacy or security event relating to your personal information we may notify you electronically, in writing, or by telephone, if permitted to do so by law.

7. Registration, Passwords and Security

If you choose, or you are provided with, a user identification code, password or any other piece of information as part of our security procedures for one of the registration-only sections of the Company’s website, you are responsible for maintaining the confidentiality of your password and user name for the website and you are responsible for all activities that are carried out under them. We do not have the means to check the identities of people using the website and we will not be liable where your password or user name is used by someone else. We have the right to disable any user identification code or password at any time.

8. Your rights in relation to your personal information

Under applicable Data Protection Laws, you may have the right to request access to your personal information. If required by law, upon request, we will grant you reasonable access to your personal information. There may be instances where applicable law or regulatory requirements allow or require us to refuse to provide some or all of the personal information we hold about you. 

You may also request that we delete your personal information.  If required by law we will grant a request to delete information, but you should note that in many situations we must keep your personal information to comply with our legal obligations, resolve disputes, enforce our agreements, or for another one of our business purposes. 

To submit a request, please email us at bae.privacy@baesystems.com.
Note that, as required by law, we will require you to prove your identity.  We may verify your identity in person, by phone call, or via email. Depending on your request, we will ask for information such as your name, your employee ID, or the name of your direct supervisor. We may also ask you to provide a signed and notarized declaration confirming your identity.
In some circumstances, you may designate an authorized agent to submit requests to exercise certain privacy rights on your behalf.  We will require verification that you provided the authorized agent permission to make a request on your behalf.  You must provide us with a copy of the signed permission you have given to the authorized agent to submit the request on your behalf and verify your own identity directly with us. If you are an authorized agent submitting a request on behalf of an individual you must attach a copy of the following information to the request:

1. A completed Authorized Agent Designation Form indicating that you have authorization to act on the consumer’s behalf. For a copy of the form, please email bae.privacy@baesystems.com.

2.  If you are a business, proof that you are registered with the Secretary of State to conduct business in California.

If we do not receive both pieces of information, the request will be denied.



9. Miscellaneous

The following additional information relates to our privacy practices:
  • Changes to this Privacy Notice.  We may change our privacy policy and practices over time.  To the extent that our policy changes in a material way, the policy that was in place at the time that you submitted personal information to us generally will govern that information. Our privacy policy includes an “effective” and “last updated” date. The effective date refers to the date that the current version took effect. The last updated date refers to the date that the current version was last substantively modified.
  • Information for California Residents.  California Civil Code 1798.115(c), 1798.130(a)(5)(c), 1798.130(c), and 1798.140 indicate that organizations should disclose whether certain categories of information are “sold” or transferred for an organization’s “business purpose” as those terms are defined under California law. You can find a list of the categories of information that we share on the next page. Please note that because this list is comprehensive it may refer to types of information that we share about people other than yourself. We do not discriminate against California residents who exercise any of their rights described in this Privacy Policy.

Last Updated: July 1, 2020

Effective: July 1, 2020


California Information Sharing Disclosure

California Civil Code 1798.115(c), 1798.130(a)(5)(c), 1798.130(c), and 1798.140 indicates that companies should disclose whether the following categories of information are collected, transferred for consideration, or transferred for an organization’s “business purpose” as that term is defined under California law.  We do not “sell” your personal information. Note that while a category may be marked that does not necessarily mean that we have information in that category about you.  For example, while we transfer bank account numbers for our business purpose in paying some staff members (e.g., direct deposit) we do not collect or transfer bank account numbers of staff members that do not utilize direct deposit. 


Categories of Personal Information That We CollectCategories of Third Parties to Whom We Disclose Personal Information for Business Purpose
Identifiers – such as name, postal address, phone number, unique personal identifier, online identifier, internet protocol (IP) address, device ID, email address, account name, signature, social security number, driver’s license number, passport number, or other similar identifiers.
  • Service Providers
  • Product and service fulfilment companies
  • Internet service providers
  • Advertising Networks
  • Social Networks
  • Payment Processors and financial institutions
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
  • Data analytics providers
Financial information – such as bank account number, credit or debit card number, or other financial information.
  • Service Providers
  • Payment Processors and financial institutions
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
Medical / health insurance information – such as information from a healthcare provider regarding an individual’s medical history, mental or physical condition, or treatment;  an individual’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in the individual’s application and claims history. 
  • Service Providers
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
Protected characteristics – such as race, gender, physical or mental disability, and religion.
  • Service Providers
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
Network activity data – internet or other electronic network activity information, such as browsing history, search history, and information regarding an individual’s interaction with an internet website, application, or advertisement.
  • Service Providers
  • Product and service fulfilment companies
  • Internet service providers
  • Advertising Networks
  • Social Networks
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
  • Data analytics providers
Biometric information – such as fingerprint, face print or voice print.
  • Service Providers
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
Geolocation data – such as precise physical location.
  • Service Providers
  • Internet service providers
  • Advertising Networks
  • Social Networks
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
  • Data analytics providers
Electronic and sensory data – such as audio, electronic, visual, thermal, olfactory, or similar information (e.g., pictures, a recording of a customer service call, security video surveillance footage).
  • Service Providers
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
Professional/employment information – such as occupation and professional references.
  • Service Providers
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
Education information – such as information contained in education records.
  • Service Providers
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
Inferences – drawn from any of the information listed above to create a profile
  • Service Providers
  • Advertising Networks
  • Social Networks
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
  • Data analytics providers