Data Protection Policy / Privacy Notice.
In order to operate efficiently the Company uses and stores sensitive information about staff, clients and other organisations. The Company collects, processes, safeguards and retains this information in line with the General Data Protection Regulation (GDPR).
This policy sets out our commitment to protecting personal data lawfully and applies to all employees and agents of the Company.
We are committed to:
• complying with the eight principles of data protection (see below);
• meeting our legal obligations as laid down in the GDPR;
• providing adequate security measures to protect personal data;
• ensuring that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues;
• providing adequate training for all staff responsible for personal data;
• ensuring that all queries about data protection, internal and external, are dealt with effectively and promptly; and
• regularly reviewing data protection procedures and guidelines.
We regularly audit these principles internally to ensure that the Company and all staff comply with internal procedures, which are determined by the requirements of current legislation.
Definitions
• Data refers to all personal data stored both manually and on computer records.
• Data subject refers to all living and identifiable individuals about whom information is stored.
• Data controller is the person who decides how and why such data is processed.
• Data processor is any person who processes data on behalf of the data controller.
• Staff refers to all employees or agents of the Company.
Data Protection Principles
In accordance with the Act, all personal data will:
• be processed fairly and lawfully;
• be obtained only for specified and lawful purposes, and not be processed in a manner incompatible with those purposes;
• be adequate, relevant and not excessive in relation to the purpose for which it is being processed;
• be accurate and where necessary kept up to date;
• not be kept for longer than is necessary for the purposes for which it is being processed;
• be processed in accordance with the legal rights of the data subjects;
• be subject to appropriate technical and organisational measures to protect against unauthorised or unlawful processing, accidental loss, destruction or damage; and
• not be transferred to a country or territory outside of the EEA unless that country or territory ensures an adequate level of data protection.
Processing Data Procedures
The following procedures have been developed in order to ensure that the Company meets its responsibilities in terms of data protection. For the purposes of these procedures, data collected, stored and used/processed by the Company falls into two broad categories:
Category 1 – the Company’s internal data records regarding staff (including personal data) stored and processed for legitimate business interests and legal obligations such as: recruitment; equal opportunities monitoring; payroll; contact details; training records; appraisal information and recording entry/leave times (this list is not exhaustive).
Category 2 – the Company’s external data records regarding suppliers and customers stored and processed solely to assist staff in the efficient running and provision of services. Data is stored and processed only for the purposes agreed with our customers and suppliers.
Internal Data Records
At the start of employment staff will be asked to provide personal information which is essential to their employment, such as personal details, emergency contact information and bank account details.
As employment progresses, the Company will gather personal, including sensitive, data such as: changes to personal details, recruitment information, employment references, payroll and tax information and other data including accidents/incidents, annual leave, sickness absence, other leave, training and appraisal, promotion/transfer, disciplinary, grievance and capability records (this list is not exhaustive).
It is important that all information held by the Company is kept up to date. It is our staff’s responsibility to inform the Company in writing as soon as possible, should any of their personal data change. From time to time staff may be required to verify the personal data held by the Company. Staff should comply with any such request and ensure that the information provided is accurate.
The lawful basis for processing personal data is that it is necessary for the performance of our employees’ contracts of employment and for the Company to comply with legal obligations.
If, at commencement or at any stage during employment, staff provide misleading or inaccurate information to the Company, the Company reserves the right to instigate the disciplinary procedure. If deliberate and sufficiently serious, this may be viewed as gross misconduct for which an employee may be summarily dismissed.
Storage
All data will be stored securely: electronic records via individual password-restricted access to computer systems, and manual or non-electronic records in locked filing systems with access only by authorised persons. No data will be stored for longer than is necessary, and data which is no longer required will be securely destroyed.
Access
Staff must only access, vary, erase, copy or make use of any information in the Company’s records for the proper discharge of their duties and to the extent that they are authorised to do so, and not in any way that would place the Company in breach of its legal obligations.
Subject Access Requests
In the event that an employee wishes to access personal data which is stored by the Company, they are required to put a request in writing. The Company reserves the right to ask that staff pay any administration fee deemed reasonable and to request identification documents, both of which must be received by the Company before it responds to any such request within a designated period of 1 month. The Company reserves the right to refuse a request that is deemed to be manifestly unfounded or excessive.
Disclosure
Personal data will not be passed on to anyone outside of the organisation without either the explicit consent of the data subject, a legitimate business interest (such as seeking support from an external service provider such as Occupational Health or HR) or a legal obligation to fulfil (such as cooperating with the authorities).
Data Breaches
The Company will comply with its duty under the GDPR to report certain types of data breach to the ICO, and in some cases to individuals, if the breach is likely to result in a risk to the rights and freedoms of individuals, for example where it could result in discrimination, reputational damage, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Queries
Please raise any queries or concerns regarding internal or external data with a Director. If we are not able to resolve your concern, you have the right to complain to the ICO if you believe there is a problem with the way we are handling your data.