Data Protection Policy (GDPR Compliant)
This document is a statement of the Company’s Data Protection Policy. The details are below. This policy is not part of your employment contract. You must be aware of this policy and procedure and apply it accordingly; failure to do so may result in disciplinary action being taken against you. You should consult your manager if there is anything that is not clear to you or if you are unsure about any aspect of this policy.NB.The wording of this policy reflects the requirements of the General Data Protection Regulation (GDPR) which is now in effect in the UK. The Data Protection Bill (which in part enacts the GDPR into UK law) is currently progressing through Parliament but has yet to become law. When it does, it will repeal and replace the Data Protection Act 1998. It is possible that the Data Protection Bill, when it becomes law will change some aspects of the implementation of the GDPR.
This policy applies to the holding and processing of personal data in any form, whether manually or electronically kept by the Company with regard to any aspect of function of the Company. It applies to the personal data of current and past employees, apprentices, full time, temporary and casual workers, job applicants, interns, volunteers and contractors (individuals).
The Company is committed to ensuring that personal data, including special categories of personal data and data about criminal offences is processed in accordance with the GDPR and any related UK legislation, and that all individuals abide by the requirements of this and any other related policies. The Company understands that it is accountable for the data processing of personal data.
The Company has appointed Nikki Thorne, HR Manager, responsible for data protection compliance within the Company. This person has responsibility for the processing and controlling of personal data held by the Company, auditing and reviewing of the data protection processes, systems and procedures and ensuring that all data is protected.
The Company is committed to ensuring that any third party that processes personal data on behalf of the Company undertakes such measures as required to fulfil the Company’s obligations and commitments to protecting personal data.
Personal Data: is any information that relates to an individual who can be directly or indirectly identified from that information. This could be the individual’s name, any identification number, code or information that could lead to identifying them or their location.
Data Processing: is any use that is made of the personal data, whether it is collecting, storing, amending, recording, disclosing by any means or destroying the personal data. Holding data, of itself, is data processing.
Special Categories of Personal Data: means data about an individual’s health, race, ethnic origin, sex life, sexual orientation, religion, philosophical beliefs, political opinions, trade union membership, genetic and biometric data.
Criminal Offence Data: is data about an individual’s criminal convictions, offences, any allegations or proceedings.
Data Protection Principles
All personal data obtained and held by the Company will be processed by the following Data Protection Principles. The Company will:
- Process personal data fairly, lawfully and in a transparent manner.
- Obtain personal data only for specific, explicit and legitimate purposes.
- Process personal data only were it is adequate, relevant and limited to what is necessary for the purposes of processing.
- Keep accurate personal data and take reasonable steps to correct inaccurate personal data or delete it without delay.
- Only keep personal data for the duration of time that it is necessary for processing and for no longer than is necessary for the stated purpose.
- Ensure that personal data is held securely and is protected from unauthorised or unlawful processing, accidental loss, destruction or damage.
- Ensure that any personal data that is transferred to any country outside the European Economic Area (EEA) will be on the basis of the required GDPR procedures for international transferring of personal data.
Individual Data Protection Rights
The Company recognises that individuals have data protection rights and commits that personal data will be processed according to these rights. Individuals have the right:
- To be informed about their data protection rights.
- To be informed about the reasons for processing data, the legal basis for which the data is processed, how the Company uses and protects the data, the source of the information if it has not been provided by the individual and the periods of time that the information will be held
- To make a subject access request.
- To have any inaccuracies in the information corrected (rectified) promptly.
- To have information deleted or erased.
- To stop the processing of data if the individual’s interests override the Company’s legitimate grounds for processing the data (where this is/was the reason for processing the data)
- To stop the processing of data for a period of time where the data is inaccurate or where there is a dispute about whether an individual’s interests override the Company’s legitimate grounds for processing the data.
- To stop the processing or require the erasing of data where the processing is unlawful.
- To complain to the Information Commissioner if the individual thinks that the Company has not complied with the individual’s data protection rights.
- To be informed to whom the individual’s data may be disclosed, if such recipients are located inside or outside the EEA and the safeguards that apply to such transfers.
- To know whether the Company uses any automated decision-making or profiling of personal data and the logical basis of such decision-making.
Company Actions to Implement Data Protection
The Company has appointed an individual to be responsible for implementing the Company’s duties and responsibilities for data protection. That role has been identified above.
The Company will keep records of, and account for, the personal data it has collected and holds, where the data has been obtained, with whom it is, or will be, shared and the processing of personal data that it undertakes.
The Company will inform all appropriate individuals of their data protection rights under the GDPR and this policy as required and by providing a Privacy Notice if appropriate.
The Company will train individuals on the importance of protection of personal data and how to implement the Company’s duties and responsibilities in their job and to maintain confidentiality of personal data.
The Company will review its personal data handling, carry out risk assessment and introduce processes and procedures to minimise the risk of data breaches or incorrect handling of personal data. To this end, the Company will put in place relevant internal policies, procedures, process and controls to protect personal data from loss, accidental destruction, misuse or disclosure. This will include policies and procedures to make sure that personal data is not accessed by anyone except those individuals who have the required permission and authority to do so in the proper performance of their duties for the Company.
In the event that the Company decides to use a third party or organisation to process personal data on its behalf, it will implement appropriate standards, policies and procedures to do so, which will include written agreements with the third party which will include commitments of confidentiality and security and the requirement to implement appropriate technical and other measures to ensure the security of the data.
The Company understands and will implement its responsibilities to obtain the consent of individuals for obtaining, holding, using and sharing their personal data. Further, the Company understands that such consent must be freely given, informed, specific and unambiguous. It also recognises that individuals have the right to withdraw such consent at any time.
The Company has put in place and will maintain the required processes and procedures for detecting, investigating and reporting suspected or actual personal data breaches and that it must report serious breaches that could or will cause significant harm to affected individuals to the Information Commissioner. The Company understands the consequences of such data breaches.
Subject Access Requests
Individuals have the right to make a subject access request which is a request to access the data the Company holds on that individual. If an individual makes a subject access request, the Company will provide the following information:
- A copy of the personal data that the Company holds and is processing.
- The categories of personal data that are processed and why it is processed.
- The source of the personal data if it has not been provided by the individual.
- The period of time that the personal data is or will be stored.
- The individual’s right to correct any inaccuracy (rectification) or delete any of the data (erasure) or to restrict or object to the processing.
- The right to complain to the Information Commissioner if the individual thinks the Company has failed to comply with their data protection rights.
- Whether or not the Company uses automated decision-making in the processing of the data and if so, the logic underlying such automated decision-making.
To make a subject access request, the individual should contact Nikki Thorne, HR Manager, to obtain the required form. The request must be made directly to Nikki Thorne, HR Manager. In some circumstances, the Company may request proof of identification before processing a request. If this is the case, the individual will be informed of the details of the documents required.
The Company will respond to a request without delay. Subject to any legally permitted exceptions the Company will respond within one month of a request but this may be extended to three months in total if there are a number of requests or they are complex. If this is the case, the Company will write to the individual within one month of receiving the request to inform them that the response will be within a maximum of a three month period.
The Company will not charge for responding to a subject access request unless the request is manifestly unfounded or excessive or there is a request for further, duplicate copies to be sent to persons other than the individual making the request. Further, where a request is manifestly unfounded or excessive, the Company is not required to respond to it, or may respond to it but charge a fee related to the administrative cost of responding to the request. Where this is the case, the Company will inform the individual making the request of the approach it intends to take with regard to the request.
Where an individual believes that the data held and processed by the Company is inaccurate, they must inform the Company as soon as possible. The Company will rectify the information without delay.
If the Company discovers that a data breach has taken place and the breach is such that it is likely to risk the rights and freedoms of individuals, such breach will be reported to the Information Commissioner within 72 hours of the Company becoming aware of the breach. It is possible that it might be necessary to report any such breach in a number of stages or instalments. A record of all breaches will be maintained.
If a data breach is likely to result in a high risk to the rights and freedoms of individuals, the Company will inform the individuals who are affected.
International Data Transfer
Personal data is not transferred to countries outside the EEA.
From time-to-time, it may or will be necessary for the Company to disclose personal data to other persons or organisations. Any such disclosure will only be made where this must be made for the required purpose. Any such disclosure could be for a variety of reasons which may include:
- Statutory Pay requirements.
- HR management and administration.
- Employee benefits administration where this service is provided by a third party.
- Establishing where reasonable adjustments are required for a disabled employee.
- Pension and insurance plan administration.
- Employee health data to fulfil Company obligations regarding health and safety.
The Company will provide individuals with training about data protection, confidentiality and any actions they should take in the event of a data breach. This information will be given to individuals during Company induction and Company training sessions.
All individuals who are required to use the Company’s computer systems, to implement this policy, respond to subject access requests or have access to confidential and personal data will be trained to protect personal data to ensure that they understand their duties and responsibilities. They will be trained in their personal responsibilities and the consequences for them and the Company for any data breaches or personal failures to uphold the Company’s policies and procedures.
Employees’ responsibilities for Data Protection
Every employee has a personal responsibility to help to keep personal data safe and secure and to comply with the requirements of the GDPR. All employees must uphold the requirements placed on the Company for data protection. It is the responsibility of every employee to protect any personal data with which they come into contact, they hold, or for which they are responsible on behalf or the Company. In particular you must comply with and implement the provisions of the Company’s Privacy Notices and Data Protection Policy together with any other policies and procedures that the Company may put in place to protect any data and personal data in particular.
Where an individual has access to personal data, they must:
- Keep data secure by using the password protection and the secure file storage provided by the Company at all times.
- Never to abuse passwords by disclosing passwords to others, especially to those who are not authorised to have access to such passwords or the information which can be accessed using the password.
- Only access such information that they are authorised to access and only for the purpose for which such authorised access was granted.
- Never to disclose personal data to others who are not authorised to have access to such data.
- Ensure that all written information or files (whether electronic or paper based) containing confidential information are kept securely and cannot be seen or accessed by individuals who do not have the authority to read or access them.
- Ensure that all personal data that is entered into the Company records is accurate.
- Never to keep personal data on transportable data storage devices, such as laptops, USB sticks, portable back-up disks or in “cloud” based storage without the express authority of the Company. Where such authority is granted, any such data must be stored in a secure manner, as prescribed by the Company but in any event must be encrypted. The physical security of the portable devices must also be protected to ensure that they cannot be stolen.
- Never to remove personal data or any portable device holding personal data from the Company’s premises without the express authority of the Company and if so authorised to ensure that any data is stored securely as prescribed by the Company and is encrypted.
Any employee who is found to have failed to apply the Company’s Data Protection Policy or in any way prejudiced, lost, revealed or disclosed any personal data to any unauthorised person or organisation will be in breach of Company policy and will be subject to disciplinary action, which may, dependent on the nature of the offence, be regarded as gross misconduct and subject to dismissal without notice. Any such disclosure may also be treated as a criminal offence.