Data Protection Policy
As a business, and as an employer, it is necessary for us to collect, store and process personal data about our customers, suppliers, employees, workers, and other third parties who we engage to provide services for us or do business with.
With the introduction of the General Data Protection Regulation 2016 (GDPR) and associated legislation the way personal data is kept and used by businesses has come under much greater scrutiny. This policy is therefore very important to us and sets out how we will process personal data we collect or receive from data subjects and third parties.
This policy will help all of us to comply with our legal obligations and enable individuals about whom we hold personal data to have confidence in us. It is important that you read this policy carefully to ensure you comply with it. This policy does not form part of your contract of employment and may be amended at any time.
1. Data protection contact
We have appointed a data privacy manager who is responsible for ensuring compliance with our data protection obligations. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to that person via the [email protected] email address.
2. What do terms used in this policy mean?
There is likely to be a lot of data protection terminology with which you may be unfamiliar, and which has a specific meaning under data protection legislation. The terms that are used most frequently include:
Personal data means data relating to a “data subject” (explained below) who can be identified (directly or indirectly) from that data (or from that data and other information in our possession or available to us). Personal data can be factual (e.g. a name, address or date of birth) or it can be an opinion about the data subject, their actions and behaviour. It can also include an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic (e.g. DNA or RNA), mental, economic, cultural or social status of that individual.
Data controller is a term used to describe the people who, or organisations which, determine the purpose and manner for which any personal data is processed. We are the data controller of all personal data used in our business for our own commercial purposes.
Data subject means a living, identified or identifiable individual about whom we hold personal data.
Data users are those of our employees whose work involves processing personal data. Data users must protect the data they handle in accordance with this policy and any applicable data security procedures.
Data processors means any person or organisation that processes personal data on our behalf and on our instruction. Employees of data controllers are excluded from this definition, but it could include suppliers who handle personal data on our behalf.
Processing is a term used to describe what we do with the personal data. It applies to most activities that might be undertaken in respect of the data, such as: collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, disclosing by transmission, dissemination or otherwise making it available, aligning or combining, restricting its use, erasing or destroying it. Processing also includes transferring (or disclosing) personal data to third parties.
Special categories of personal data is a term used to describe sensitive personal data such as information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, genetic data and biometric data (where processed to uniquely identify a person or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings). Special categories of personal data can only be processed under strict conditions.
3. Responsibility for data protection
As a data controller, we are responsible for establishing practices and policies in line with the GDPR and any other laws governing data protection. It is important that we do more than just say that we are complying with data protection laws, but that we are also able to demonstrate compliance. We do this principally by:
- implementing processes and policies that enable us to comply with data protection laws, such as not collecting more personal data than we need, providing comprehensive, clear and transparent privacy notices, and creating and improving security features;
- undertaking data protection impact assessments, where appropriate, when using new technologies where the processing is likely to result in a high risk to the rights and freedoms of data subjects;
- introducing new technical measures (such as new software, hardware, or processes) where appropriate;
- undertaking periodic internal audits of personal data held by us; and
- training staff.
4. How should personal data be processed?
Any personal data that we process must:
- be processed fairly, lawfully and in a transparent manner;
- be processed ONLY for specified, explicit and legitimate purposes;
- be relevant and limited to what is necessary for the legitimate purpose(s) for which it is processed;
- be accurate and kept up to date, ensuring, where reasonably possible, that inaccurate personal data is erased or rectified without delay;
- not be kept for any longer than is necessary to fulfil the purpose(s) for which it was collected; and
- be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
5. Lawfulness, fairness and transparency
The GDPR is not intended to prevent the processing of personal data; rather, the GDPR aims to ensure that it is done lawfully and transparently, minimising any adverse effect on the rights of the data subject. For personal data to be processed lawfully, it must be processed for one of the specific reasons set out in the GDPR.
The following are some of the bases upon which we will rely as a business to process personal data. Where processing is necessary:
- for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
- for compliance with a legal obligation to which we are subject; and/or
- in the pursuit of our legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
In addition to the bases set out above, we can also process a data subject’s personal data where they have given consent to the processing for one or more specified purposes, provided that the consent is a freely given, specific, informed and unambiguous indication of the data subject’s wishes. A data subject will have the right to withdraw any consent given.
For special categories of personal data to be processed lawfully, there are additional conditions which must be met, in addition to satisfying one of the above bases for processing personal data. Legitimate bases for processing special categories of personal data include that:
- the data subject has given explicit consent to the processing of that data for one or more specified purposes;
- the processing is necessary for carrying out obligations under employment law, social security or social protection law, or a collective agreement;
- the processing is necessary for the purposes of preventive or occupational medicine, or for the assessment of the working capacity of an employee;
- the processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent;
- the processing relates to personal data which has been made public by the data subject; and/or
- the processing is necessary for establishing or defending legal claims.
6. Central data record
We maintain a central record of what personal data we collect and why we collect it. We will only process personal data for the specific purposes set out in the central record or for any other purposes specifically permitted by the GDPR. We will notify those purposes to the data subject when we first collect the data from them or as soon as possible thereafter.
We will only process personal data to the extent required for the purposes notified to the data subject. This means that we should not ask for, or record on our systems, more personal data than we need. We will use appropriate technical and organisational measures to ensure that personal data that we no longer need is erased/destroyed.
We will do our best to ensure that any personal data we hold is accurate and kept up to date. We aim to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. It is therefore important that you keep us up to date with any changes to your own personal details that we hold on you as an employee.
We will take all reasonable steps to erase/destroy or amend inaccurate or out-of-date data without undue delay, and in any event within one month of the data subject’s request (or two months where there are specific reasons why that is not possible).
7. Keeping personal data secure
When we process personal data, we will do our best to ensure that it remains secure and is protected against unauthorised or unlawful processing and accidental loss, destruction or damage.
We will do this by:
- encrypting personal data where appropriate/possible;
- ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process personal data;
- ensuring the restoration of access to personal data in a timely manner in the event of a physical or technical incident; and
- facilitating regular testing, assessment and evaluation of the effectiveness of technical and organisational measures for ensuring data security.
In assessing the appropriate level of security, we shall take into account the risks associated with the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data that we process.
Desks and cupboards should be kept locked if they hold personal data or confidential information of any kind. Data users must ensure that individual monitors/screens do not show personal data or confidential information to passers-by and that they log off from or lock their computer/tablet when it is left unattended.
Whenever we transfer personal data or confidential information outside our own systems or offices (for example when information is taken off site by employees to visit customers or for home working) there is a risk that the personal data or confidential information may be lost, misappropriated, or accidentally released.
Steps should be taken to minimise the risk of theft, loss, destruction, damage or unauthorised use of personal data or other confidential information when data is transferred. Such steps could include:
- taking only the personal data that you need to take, ensuring that it is anonymised where possible and kept secure;
- ensuring that bags or cases containing paper records are not left visible or unattended for longer than is absolutely necessary. If it is unavoidable to leave paper records in a vehicle (e.g. whilst refuelling) the data must be locked in a secure compartment or boot of the vehicle;
- ensuring that paper records are not carried ‘loosely’ but instead kept in a file or folder so that they are not visible to onlookers.
You should have permission from your manager before taking personal data off site. It must also be brought back and securely stored at the earliest opportunity.
8. Personal data breach
It is very important that we are alive to the risks of personal data breaches, and that we react quickly to an apparent breach.
A personal data breach may not be evident straightaway. However, there may be indicators of a personal data breach, system compromise, unauthorised activity, or signs of misuse. A personal data breach can happen in many ways, including:
- loss of a mobile device or hard copy file which contains personal data (e.g. leaving it on a train);
- theft of a mobile device or hard copy file which contains personal data (e.g. stolen from a vehicle or home);
- human error (e.g. a member of staff sending an email containing personal data to an unintended recipient, or accidentally altering or deleting personal data);
- cyber-attack (e.g. opening an attachment to an email from an unknown third party which contains ransomware or other malware);
- allowing unauthorised use/access (e.g. permitting an unauthorised third party to access secure areas of the office or our systems);
- unusual log-in and/or excessive system activity, in particular from any active user accounts;
- unusual remote access activity;
- the presence of any spoof wireless (Wi-Fi) networks visible or accessible from our working environment;
- equipment failure;
- hardware or software key-loggers found connected to or installed on our systems;
- unforeseen circumstances such as a fire or flood; or
- ‘blagging’ offences where information is obtained from us by a third party through deception.
As soon as you become aware of any personal data breach, or have any reason to suspect that a personal data breach has occurred or is about to occur (for whatever reason), you should contact our data protection contact immediately or, if they are not available, your line manager.
9. Data retention
We will only retain personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with a data subject.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of that personal data, the purposes for which we process that personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
For example, due to limitation periods we will usually retain the majority of the personal data we hold about employees (including contact, identity and financial data) for six years after they have ceased being an employee.
In some circumstances data subjects can ask us to delete their data: see paragraph 14 below for further information.
10. Erasing or destroying personal data
Paper records that contain personal data must be shredded and disposed of securely when there is no longer a need to retain them. Paper records containing personal data must not be disposed of in any other way.
For electronically stored data, there is a significant difference between deleting personal data irretrievably, archiving it in a structured, retrievable manner, and moving it as unordered data to an electronic wastebasket. Personal data that is archived, for example, is subject to the same data protection rules as ‘live’ personal data.
When deleting electronic data, all possible steps should be taken to put the data in question beyond use. Where it is impossible to delete data from the electronic ether altogether, all reasonable steps should be taken to ensure that it is deleted to the fullest extent possible.
The IT Team will be responsible for destroying electronic equipment that contains personal data (e.g. laptops and desktops) securely.
11. Transferring personal data outside the EEA
We may transfer any personal data we hold to a country outside the European Economic Area (“EEA”), provided that one of the following conditions applies:
- the data subject has given their explicit consent to the proposed transfer, after we have informed them of any possible risk associated with such transfers (e.g. the absence in that country of equivalent safeguards);
- the transfer is necessary for the performance of a contract to which the data subject is a party, or which is in the interest of the data subject, or to take steps at the request of the data subject prior to entering into a contract;
- the transfer is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or
- the transfer is necessary for the establishment or defence of a legal claim.
For each transfer of data outside the EEA, we will record which of the conditions we are relying on.
12. Transferring data to third parties
If we need to use third parties to process personal data on our behalf, we will require those third parties to provide us with sufficient guarantees that they have appropriate technical and organisational measures in place to comply with the GDPR and to ensure the protection of the rights of the data subjects.
13. Notifying data subjects
We are required to provide information to data subjects about our processing of their personal data. This information is contained in our Privacy Notices. The Privacy Notice applicable to employees is available on the intranet. Such notices will provide information about:
- the types of personal data we process;
- the purpose and the legal basis for processing their personal data;
- whether the personal data will be disclosed to any third parties in the course of processing;
- whether the personal data will be transferred outside of the EEA and, if so, what safeguards will be put in place in this regard;
- how long the personal data will be processed for or, if that is not possible, the criteria we will use to determine the period;
- how the data subject can obtain a copy of the personal data held about them;
- details of their rights, including how to make a complaint;
- if the personal data has to be processed in order to comply with a law or a contract, the possible consequences of the data subject failing to provide the data and/or (where applicable) objecting to the processing of it;
- the existence and details of any automated decision-making processes.
If we receive personal data about a data subject from a third party, we will in addition provide the data subject with information on:
- the type of personal data we have received from a third party; and
- the source of the data and whether it came from a publicly accessible source (e.g. a website accessible to the public).
14. Rights of data subjects
If we process personal data, the data subjects will have the right to:
- request information about the personal data we hold in respect of them;
- have any inaccurate personal data about them corrected and incomplete personal data completed, subject to us satisfying ourselves that the data is in fact inaccurate or incomplete;
- object to us processing their personal data where we are doing so in pursuit of our own legitimate interests. We can continue processing the personal data notwithstanding an objection if our legitimate interests outweigh those of the data subject, or if we need to do so for the establishment or defence of a legal claim;
- ask us to destroy personal data about them. We can refuse this request if the personal data is still necessary in relation to the purposes for which it is being processed, and there is a legitimate basis for us to continue processing;
- ask us to restrict the processing of their personal data to merely storing it. This can only be requested if: the accuracy of personal data has been contested and remains unverified, if we no longer require the personal data but the data subject needs it to establish or defend a legal claim, if the data subject has objected to the processing of personal data and we are deciding whether our legitimate interests override theirs, or if our processing is unlawful.
If a data subject exercises these rights and we have disclosed the personal data in question to a third party, we will do our best to ensure that the third party complies with the wishes of the data subject.
15. Subject access requests
Data subjects who wish to request information about the personal data we hold about them must do so in writing. If you receive such a request (whether in paper form or in an email or other electronic format) you should forward it to our data protection contact immediately.
16. Personal data breach response plan
In the event of a personal data breach, we must take quick action to minimise the impact of the breach and, in certain circumstances, must report the breach within 72 hours of it occurring. Therefore, if you become aware of any personal data breach or are unsure if a personal data breach has occurred, whether by you or someone else, you should contact our data protection contact immediately or, if they are not available, notify your line manager (see paragraph 8 above).
Once a personal data breach or a potential personal data breach has been reported, our data protection contact will be responsible for responding to the data breach. In most cases this will involve:
- investigating the breach to determine the nature and cause of it, and the extent of the damage or harm that may result;
- implementing the necessary steps to stop the breach from continuing or recurring, and limiting the harm to data subjects associated with the breach;
- assessing whether there is an obligation to notify other parties, in particular, the Information Commissioner’s Office (“ICO”) and the affected data subjects and, if so, making those notifications. If there is an obligation to make a notification to the ICO, this will normally need to be done within 72 hours of us becoming aware of the breach and therefore it is essential that any suspected or actual breaches are reported immediately;
- recording information about the personal data breach and the steps taken in response to it.