DATA PROTECTION POLICY


INTRODUCTION

This Data Protection policy sets out how the Company handles the Personal Data of its employees, suppliers, clients and other third parties.

“Personal data” is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data.

“Special categories of personal data” is data which relates to an individual’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).

“Criminal offence data” is data which relates to an individual’s criminal convictions and offences.

“Data processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The Company is committed to ensuring that personal data, including special categories of personal data and criminal offence data (where appropriate), is processed in line with the United Kingdom General Data Protection Regulation (UK GDPR) and domestic laws, and that all its employees conduct themselves in line with this and other related policies. Where third parties process data on behalf of the Company, we will ensure that the third party takes such measures as are needed to maintain our commitment to protecting data. In line with current data protection legislation, we understand that the Company is accountable for the processing, management, regulation, storage and retention of all personal data it holds, whether in manual records or on computers.

SCOPE

This policy applies to all Information Users, i.e., everybody working for the Company, including employees, freelancers, contractors, sub-contractors and agency workers and anyone else who may access, use or manage the Company’s information (e.g. visitors and partners). It extends to all situations where the Company is the data controller or a data processor of Personal Data and applies to all Personal Data processed regardless of the media on which the data is stored.

ROLES AND RESPONSIBILITIES

Managers are responsible for ensuring that Personal Data in their area is processed in accordance with this policy and any associated regulations, policies and procedures.

Employees are personally responsible for the information they use and must follow the relevant regulations, policies and procedures. They can be held criminally liable if they knowingly or recklessly breach data protection legislation. Any serious breach of data protection legislation will also be regarded as misconduct and will be dealt with under the Company disciplinary procedures. Accessing another employee’s personnel records without authority constitutes gross misconduct and could lead to your summary dismissal.

All other parties working for the Company are also responsible for adhering to this policy. Failure to do so could lead to the suspension or termination of any relevant contract, sub-contract or other agreement.

TYPES OF DATA HELD

Personal data is kept in personnel files or within the Company HR and payroll systems. The following types of data may be held by the Company, as appropriate, on relevant individuals:

  • name, address, phone numbers - for individual and next of kin,
  • CVs and other information gathered during recruitment,
  • references from former employers,
  • National Insurance numbers,
  • job title, job descriptions and pay grades,
  • conduct issues such as letters of concern, disciplinary proceedings,
  • holiday records,
  • internal performance information,
  • medical or health information,
  • sickness absence records,
  • tax codes,
  • terms and conditions of employment,
  • training details.

Relevant individuals should refer to the Company privacy notice for more information on the reasons for its processing activities, the lawful bases it relies on for the processing and the data retention periods.

DATA PROTECTION PRINCIPLES

Eight data protection principles are central to the Data Protection Act (2018). The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (UK GDPR). The Company and everybody working for us must always comply with these principles in their information-handling practices. In brief, the principles say that personal data must be:

  • processed fairly and lawfully and must not be processed unless certain conditions are met concerning personal data and additional conditions are met concerning sensitive personal data. The conditions are either that you have given consent to the processing or that the processing is necessary for the various purposes set out in the Act. Sensitive personal data may only be processed with the explicit consent of the employee and consists of information relating to race or ethnic origin; political opinions and trade union membership; religious or other beliefs; physical or mental health or condition; sexual life; criminal offences, both committed and alleged,
  • obtained only for one or more specified and lawful purposes and not processed in a manner incompatible with those purposes,
  • adequate, relevant and not excessive. The Company will review personnel files annually to ensure they do not contain a backlog of out-of-date information and to check that there is a sound business reason requiring information to continue to be held,
  • accurate and kept up to date. If your personal information changes, for example, you change address, you must update us as soon as practicable so that the Company records can be updated. The Company cannot be held responsible for any errors unless you have notified us of the relevant change,
  • not kept for longer than is necessary. The Company will keep personnel files for no longer than six years after termination of employment. Different categories of data will be retained for different time periods, depending on legal, operational and financial requirements. Any data the Company decides it does not need to hold for a period of time will be destroyed after one year. Data relating to unsuccessful job applicants will only be retained for one year,
  • processed following the rights under the Act,
  • protected by appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Personnel files are confidential and are stored securely. Only authorised employees have access to these files. Files will not be removed from their normal storage place without good reason. Personal data stored on discs, memory sticks, portable hard drives or other removable storage media will be kept in locked filing cabinets or locked drawers when not in use by authorised employees. Data held on computers will be stored confidentially through password protection, encryption or coding, and again only authorised employees may access that data. The Company has network backup procedures to ensure that computer data cannot be accidentally lost or destroyed,
  • not transferred to a country or territory outside the European Economic Area unless that country ensures adequate protection for processing personal data.

DATA SHARING

The Company will ensure that data sharing is undertaken in accordance with the UK GDPR. All Information Users are responsible for identifying situations where data will be shared outside of the Company. Proposed sharing arrangements must be brought to the attention of senior management so that appropriate safeguards can be put in place. Where data is to be transferred to third-party service providers, the Company will ensure appropriate contracts are put in place.

YOUR CONSENT TO PERSONAL INFORMATION BEING HELD

  • The Company holds personal data about you. By signing your employment contract, you have consented to that data being processed by us for any purpose related to your continuing employment or its termination, including, but not limited to, payroll, HR and business continuity planning purposes.
  • Agreement to the Company processing your personal data is a condition of your employment. It also includes supplying us with any personal data that we may request from you from time to time as necessary for the performance of your contract of employment or the conduct of the Company business, for example, supplying up-to-date contact telephone numbers to be held by Line Managers as part of its business continuity plan.
  • The Company also holds limited sensitive personal data about its employees. By signing your employment contract, you give your explicit consent to us holding and processing that data, for example, sickness absence records, health needs and equal opportunities monitoring data.

YOUR RIGHT TO ACCESS PERSONAL INFORMATION

Relevant individuals have a right to be informed whether the Company processes personal data relating to them and to access the data that we hold about them. Requests for access to this data will be dealt with under the following summary guidelines:

  • the request should be made to your Line Manager,
  • the Company will not charge for the supply of data unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the employee making the request,
  • we will respond to a request without delay. Access to data will be provided, subject to legally permitted exemptions, within one month as a maximum. This may be extended by a further two months where requests are complex or numerous. Relevant individuals must inform the Company immediately if they believe that the data is inaccurate, whether as a result of a subject access request or otherwise. We will take immediate steps to rectify the information.

YOUR OBLIGATIONS ABOUT PERSONAL INFORMATION

You must comply with this policy if you collect personal information about employees or other people, such as clients, as part of your job duties and responsibilities. This includes ensuring the information is processed per the Act, is only processed for the purposes for which it is held, is kept secure and is not kept for longer than necessary.

You must also comply with the following guidelines at all times:

  • do not disclose confidential personal information to anyone except the data subject. In particular, it should not be given to someone from the same family; passed to any other unauthorised third party; placed on the Company website; or posted on the internet in any form unless the data subject has given their explicit prior written consent to this,
  • be aware that those seeking information sometimes use deception to access it. Always verify the identity of the data subject and the legitimacy of the request, particularly before releasing personal information by telephone,
  • where the Company provides you with code words or passwords to be used before releasing personal information, for example, by telephone, you must strictly follow our requirements,
  • only transmit personal information between locations by e-mail if a secure network exists, for example, where the e-mail is encrypted,
  • if you receive a request for personal information about another employee, you should forward this to your Line Manager,
  • ensure any personal data you hold is kept securely in a locked filing cabinet or, if computerised, password-protected, so that it is protected from unintended destruction or change and is not seen by unauthorised persons,
  • do not access another employee’s records without authority; this will be treated as gross misconduct and a criminal offence,
  • do not write down (in electronic or hard copy form) opinions or facts concerning a data subject that it would be inappropriate to share with that data subject,
  • do not remove personal information from the workplace to process it elsewhere unless this is necessary to enable you to carry out your job duties and has been authorised by your Line Manager,
  • ensure that, when working on personal information as part of your job duties when away from your workplace and with the authorisation of management, you continue to observe the terms of this policy and the Act, particularly in matters of data security,
  • ensure that hard copy personal information is disposed of securely, for example, cross-shredded,
  • remember that compliance with the Act is your responsibility.

ENFORCEMENT

The Information Commissioner’s Office (ICO) is the independent supervisory authority for data protection in the UK.

They monitor compliance and deal with complaints about data sharing. If they consider that we have failed to comply with the UK GDPR, they have the power to take enforcement action. For serious breaches of the data protection principles, they have the power to issue fines of up to £17.5 million or 4% of our annual worldwide turnover, whichever is higher.

This policy is not contractual and may be amended or varied at any time.