DATA PROTECTION (PRIVACY) POLICY.

This Data Protection (Privacy) Policy contains important information about how and why the Company collects, processes, stores and shares Personal Data belonging to our employees, workers and third parties, e.g., customers and suppliers (known as Third Party Data). The focus of this policy is on our duties and responsibilities in respect of the Personal Data (PD) of our employees and workers (Staff), and on the duties and responsibilities of our employees who must process the Personal Data of our Staff and Third Party Data in accordance with our policies, procedures, and the law.


Data Privacy: The Basics

In legal terms, the process of collecting and processing PD means that the Company is referred to as a Controller (Controller). Any external person or organisation that processes PD on our behalf and on our instructions (e.g., a service provider such as an insurance company) is referred to as a Data Processor. Any activity that involves the use of PD is referred to as Processing / Process / Processes. It includes obtaining, recording, or holding PD, carrying out any operation or set of operations on PD (e.g., organising, amending, retrieving, using, disclosing, erasing, or destroying it) and transmitting or transferring Personal Data to third parties. PD is any information identifying or relating to an identifiable Data Subject. A person is a Data Subject if they can be identified (directly or indirectly) from the PD. PD includes some Special Category Data and Criminal Conviction Data. The following is a non-exhaustive list of examples of what is included in and excluded from these definitions:

    Personal Data

  • Name
  • Address
  • Telephone number
  • Date of birth
  • Gender
  • Qualifications
  • Opinions about an individual’s actions or behaviour (e.g. references, employee appraisals, disciplinary records)
  • Location data

    Special Category & Criminal Conviction Data (formerly called Sensitive Personal Data)

  • Racial or ethnic origin
  • Political opinions
  • Religious or similar beliefs
  • Trade union membership
  • Physical or mental health conditions (e.g., sick notes, medical reports)
  • Sexual orientation
  • Biometric or genetic data
  • Criminal offences and convictions (e.g., DBS checks)

    Excluded/Not Personal Data

  • Anonymous data - data that has had the individual’s identity permanently removed (e.g., statistical information about the gender breakdown of our Staff from which individuals cannot be identified).


Your rights as a Data Subject

Each Data Subject has legal rights designed to protect the privacy of their PD. You are a Data Subject (regarding your own PD). Upon starting employment (and from time to time thereafter) you will have been provided with an Employee Data Privacy Notice which explains how the Company processes your PD and provides you with information about your rights as a Data Subject.


Third Party Data: your duties and responsibilities

To the extent that you are involved in the processing of PD, you will have legal duties and responsibilities to process the PD of others in accordance with this Data Protection (Privacy) Policy and the law governing data privacy, including the GDPR (see “Our commitment to complying with data protection principles” below).


Data privacy: our collective responsibility

The Company takes its legal obligations and responsibilities regarding data privacy very seriously. We expect all employees to treat any PD they may encounter (whether it is part of their role to handle such data or not) sensitively and in accordance with our Data Protection (Privacy) Policy and procedures. You are reminded that any breach of this policy, our data privacy procedures, or the law governing data privacy, may result in disciplinary action.


Our commitment to complying with data protection principles

PD, including HR-related PD, must be processed in compliance with the Data Protection Principles (DPP) relating to the Processing of PD as set out in the relevant legislation, which requires PD to be:

  • Processed lawfully, fairly and in a transparent manner.
  • Collected only for specified, explicit and legitimate Purposes.
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  • Accurate and where necessary kept up to date.
  • Not kept in a form that permits identification of a Data Subject for longer than is necessary for the purposes for which the data is processed.
  • Processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  • Made available to the Data Subject on request and that Data Subjects are allowed to exercise certain rights in relation to their PD.
  • Not transferred to people/organisations situated in countries without adequate protection.

Conditions for Processing

To be processed lawfully, PD must be processed on the basis of one or more of the conditions specified in the GDPR (the Condition(s)). The Company will comply with its obligations on processing as set out in the relevant legislation.

Consent

Consent is one of many conditions upon which the processing of PD can be based. However, in many circumstances the Company will rely on other conditions to process PD; e.g., we do not routinely rely on consent as a condition to justify the processing of the Personal Data of our employees. This is explained further in your Employee Data Privacy Notice.


What rights do Data Subjects have?

Data Subjects have rights when it comes to how we handle their PD. Some of these rights are dependent on the nature and purposes of the processing. These are set out in your Employee Privacy Statement. If you receive a written request from a Data Subject who wishes to exercise any of their GDPR or data privacy rights (for example, requesting the rectification or deletion of their PD), you should immediately forward it to a manager.


Subject Access Requests

Data Subjects may make a formal written request for details of the PD we hold about them (Subject Access Request). The GDPR requires us to deal with Subject Access Requests within strict time limits. Therefore, if you receive a written request for access to PD (whether or not the request specifies that it is a Subject Access Request), you should immediately forward it to a manager. When receiving telephone enquiries, we will disclose PD we hold on our systems only if we have checked the caller’s identity to make sure that information is given only to a person who is entitled to it. If we are not sure about the caller’s identity, or if their identity cannot be checked, we will ask the caller to put their request in writing. If an individual makes a subject access request, the organisation will tell him/her:

  • whether or not his/her data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;
  • to whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
  • for how long his/her personal data is stored (or how that period is decided);
  • his/her rights to rectification or erasure of data, or to restrict or object to processing;
  • his/her right to complain to the Information Commissioner if he/she thinks the organisation has failed to comply with his/her data protection rights; and
  • whether or not the organisation carries out automated decision-making and the logic involved in any such decision-making.

The organisation will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless he/she agrees otherwise. If the individual wants additional copies, the organisation will charge a fee, which will be based on the administrative cost to the organisation of providing the additional copies.

To make a subject access request, the individual should send the request to the Data Privacy Manager or use the organisation's form for making a subject access request. In some cases, the organisation may need to ask for proof of identification before the request can be processed. The organisation will inform the individual if it needs to verify his/her identity and the documents it requires.

The organisation will normally respond to a request within a period of one month from the date it is received. In some cases, such as where the organisation processes large amounts of the individual's data, it may respond within three months of the date the request is received. The organisation will write to the individual within one month of receiving the original request to tell him/her if this is the case.

If a subject access request is manifestly unfounded or excessive, the organisation is not obliged to comply with it. Alternatively, the organisation can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the organisation has already responded. If an individual submits a request that is unfounded or excessive, the organisation will notify him/her that this is the case and whether or not it will respond to it.


Other rights

Individuals have several other rights in relation to their personal data. They can require the organisation to:

  • rectify inaccurate data;
  • stop processing or erase data that is no longer necessary for the purposes of processing;
  • stop processing or erase data if the individual's interests override the organisation's legitimate grounds for processing data (where the organisation relies on its legitimate interests as a reason for processing data);
  • stop processing or erase data if processing is unlawful; and
  • stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual's interests override the organisation's legitimate grounds for processing data.

To ask the organisation to take any of these steps, the individual should send the request to the Data Privacy Manager.


Your Employee Data Privacy Notice

This provides you with the information required under GDPR in relation to our processing of your Personal Data. The company tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for other reasons. Where the company relies on its legitimate interests as the basis for processing data, it will carry out an assessment to ensure that those interests are not overridden by the rights and freedoms of individuals. Where the company processes special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with a policy on special categories of data and criminal records data. The company will update HR-related personal data promptly if an individual advises that his/her information has changed or is inaccurate. Personal data gathered during the employment relationship is held in the individual's personnel file (in hard copy or electronic format, or both), and on HR systems. The periods for which the organisation holds HR-related personal data are contained in its privacy notices to individuals. The organisation keeps a record of its processing activities in respect of HR-related personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).


Third Party Data: Privacy Notices

The point at which we must provide the Data Subject with a privacy notice depends upon how the PD is collected. If it is collected:

  • directly from the Data Subject, a notice containing all the required information must be provided to the Data Subject at the point when the PD is collected.
  • indirectly (e.g., from a third party or publicly available source), the Data Subject must be provided with a notice containing all the required information as soon as possible (but in any event within one month) after we receive the PD. Before processing PD, which has been obtained indirectly, we must also check that the PD was collected by the third party in accordance with the GDPR and on a basis which contemplates our proposed processing of that PD.

Purpose Limitation

PD must be collected only for specified, explicit and legitimate purposes and must not be further processed in any manner incompatible with those purposes. This means that we cannot use PD for new, different, or incompatible purposes from those disclosed when it was first obtained unless we have informed the Data Subject of the new purposes and (if this is the Condition relied upon to process their Personal Data) they have given their Consent. You are reminded that processing Personal Data for purposes which are incompatible with the purposes for which the Personal Data was obtained is considered a serious breach of our Data Protection Policy, and it may result in disciplinary action.


Data Minimisation

PD must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. This means that you may only collect or process PD when performing your job duties requires it; you cannot process PD for any reason unrelated to your job duties; you must not collect excessive PD which is not relevant to the specified purposes; and you must ensure that when any PD is no longer needed for the specified purposes, it is deleted or anonymised in accordance with current data retention guidelines.


Data Accuracy

PD must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate. To the extent that your job requires you to collect or process PD, this means that you must ensure the PD we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it; check the accuracy of any PD at the point of collection and at regular intervals afterwards; and take all reasonable steps to destroy or amend inaccurate or out-of-date PD.


Storage Limitation

PD must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed. The Company (and, to the extent that your duties involve the processing of PD, you) must not keep PD in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purposes for which we originally collected it. We will follow current data retention guidelines that are designed to ensure PD is deleted after a reasonable time unless a law requires such PD to be kept for a minimum time. The Company (and, to the extent that your duties involve the processing of PD, you) will take all reasonable steps to destroy or erase from our systems all PD that we no longer require, in accordance with the current guidelines on Data Retention, and ensure Data Subjects are informed in any applicable privacy notice of the period(s) for which their PD is stored.


Data Security

The Company will take appropriate security measures against unlawful or unauthorised processing of PD, and against the accidental loss of, or damage to, PD. We have procedures and technologies in place, which are designed to maintain the security of PD from the point of collection to the point of destruction. You are reminded that any breach of our data security procedures is considered a serious breach of this Data Protection Policy and may result in disciplinary action. Where the company engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.


Impact assessments

Some of the processing that the company carries out may result in risks to privacy. Where processing would result in a high risk to individuals' rights and freedoms, the organisation will carry out a data protection impact assessment to determine the necessity and proportionality of the processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

Mandatory Data Breach Reporting

Under the GDPR, the Company has certain obligations to report PD breaches. A Personal Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, PD transmitted, stored, or otherwise processed. There are two levels of mandatory reporting obligation, which depend upon the level of risk arising from the PD Breach; the Company will act according to what the law requires. Failure to make the relevant mandatory PD Breach report may lead to a financial sanction against the Company. It is the responsibility of all employees to immediately report any PD Breach which comes to their attention; please report it to the Data Privacy Manager.


Individual (employee) responsibilities

Employees are responsible for helping the business keep their personal data up to date. Individuals should let the organisation know if data provided to the organisation changes, for example if an individual moves house or changes his/her bank details. Employees may have access to the personal data of other individuals and of our customers and clients in the course of their employment. Where this is the case, the company relies on individuals to help meet its data protection obligations to staff and to customers and clients. Individuals who have access to personal data are required:

  • to access only data that they have authority to access and only for authorised purposes;
  • not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation;
  • to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
  • not to remove personal data, or devices containing or that can be used to access personal data, from the organisation's premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;
  • not to store personal data on local drives or on personal devices that are used for work purposes; and
  • to report data breaches of which they become aware to the Data Privacy Manager immediately.

Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the organisation's disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.


Training

The organisation will provide training to all individuals about their data protection responsibilities as part of the induction process. Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.