As a business, we need to collect certain types of personal information about the people with whom we interact with including current, past and prospective employees and consultants, our clients and customers. This information has to be collected for administrative purposes (such as recruitment, employee benefit administration and the processing of customer requirements) and to fulfil our legal obligations.
The General Data Protection Regulation (GDPR) requires that this information should be collected and processed fairly and lawfully, stored safely and not disclosed to any other person unlawfully. We are committed to protecting the rights and privacy of individuals in accordance with the requirements of the GDPR.
This Data Protection Policy applies to all employees. Any breach of the policy may result in the Company, as the registered Data Controller, being liable in law for the consequences of the breach. Legal liability may also extend to the individual processing the data. In addition, breach of the Data Protection Policy by employees may be considered to be a disciplinary offence and will be dealt with according to the Company’s disciplinary procedures. Any employee who considers that the policy has not been followed with respect to Personal Data about themselves should raise the matter with the HR Director.
This policy applies to all Personal Data for which we are responsible, regardless of the format (paper or electronic data, including emails, photographs, video, CCTV and sound recordings).
Outside agencies and individuals who work with us, and who have access to personal information for which we are responsible, will be expected to comply with this policy and with the GDPR.
We will comply with the GDPR and adhere to the Data Protection Principles as described below.
Personal data shall be processed fairly and lawfully.
We will ensure that data is obtained fairly by making reasonable efforts to ensure that Data Subjects are told who the Data Controller is, what the data will be used for, how long the data will be kept and any third parties to whom the data will be disclosed. This will be in the form of a privacy notice.
In order for Processing to be lawful, data will only be processed if at least one of the following conditions has been met;
- The Data Subject has given his/her consent to the Processing.
- The Processing is necessary for the performance of a contract with the Data Subject, or for taking steps with a view towards entering into a contract.
- The Processing is required under a legal obligation other than a contract.
- The Processing is necessary to protect the Vital Interests of the Data Subject.
- The Processing is necessary for the administration of justice, the exercise of functions under an enactment, the exercise of functions of the Crown or a government department, or any other functions of a public nature exercised in the public interest.
- The Processing is necessary to pursue our legitimate interests or of third parties, and does not prejudice the rights, freedoms or legitimate interests of the Data Subject.
Processing of Special Categories of Personal data (Sensitive Personal Data) is subject to more stringent restrictions and the processing of such data will only be carried out if at least one of the above conditions, applicable to personal data, has been met and one of the following conditions can also be met;
- The Data Subject has given his/her explicit consent.
- The Processing is required by law in connection with employment.
- The Processing is necessary to protect the vital interests of the Data Subject or another person.
- The information has been made public by the Data Subject.
- The Processing is necessary for legal proceedings, obtaining legal advice, or establishing or defending legal rights.
- The Processing is required for the administration of justice, the exercise of functions under an enactment, or the exercise of functions of the Crown or a government department.
- The Processing is necessary for medical purposes, and is carried out by a health professional or a person with an equivalent duty of confidentiality.
- The Processing is necessary to trace equality of opportunity between people of different racial or ethnic backgrounds, different religious beliefs, or different states of physical or mental health.
- The Processing is in the substantial public interest; is necessary for the functions of a confidential counselling, advice, support or other service; and consent cannot be given by the Data Subject, we cannot reasonably be expected to obtain the explicit consent of the Data Subject, or the Processing must necessarily be carried out without consent so as not to prejudice the provision of that counselling, advice, support or other service.
- The Processing is in the substantial public interest, and is necessary for research purposes; provided that the Processing will not support measures or decisions with regard to individuals, and will not cause substantial damage or distress to the data subject or any other person.
Any uncertainty over whether there is a valid condition for Processing Personal Data should be raised with the HR Director.
Personal Data relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, and sexual life must also be processed in accordance with the Dignity at Work Policy.
Personal data shall be obtained only for a specified and lawful purpose or purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
We will ensure that Personal Data which is obtained for a specified purpose is not used for a different purpose, unless that use is done with the consent of the Data Subject, is covered or is otherwise permitted under the GDPR.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
We will ensure that we collect only the minimum Personal Data necessary for the purpose or purposes specified and will not collect or hold data on the basis that it might be useful in the future.
Personal data shall be accurate and, where necessary, kept up to date.
We will take reasonable steps to ensure the accuracy of Personal Data which we hold and will take steps to amend, update or correct inaccurate data when requested to do so by a Data Subject. Data will be inaccurate where it is incorrect or misleading as to any matters of fact.
Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
We will ensure that Personal Data is not kept for longer than is required by the purpose or purposes for which the data was gathered. Employees must ensure that Personal Data is securely destroyed once the purpose or purposes for Processing has come to an end and there is no legal requirement or valid operational reason for its continued retention.
Personal data shall be processed in accordance with the rights of data subjects under the GDPR
These rights are to:
- Gain access to their data via a subject access request.
- Prevent the Processing of data which is likely to cause them substantial damage or substantial distress.
- ‘Opt out’ of having their data used for direct marketing at any time.
- Have automated decisions reconsidered.
- Seek compensation for substantial damage or distress caused by their data not being processed in accordance with the DPA.
- Request the rectification, blocking, erasure or destruction of inaccurate data.
Appropriate technical and organisational measures shall be taken to prevent the unauthorised or unlawful processing of personal data and the accidental loss, destruction of, or damage to, personal data.
Personal Data will be safeguarded in accordance with our Company Operating Practices.
All employees must report any incident, or potential incident, likely to result in unauthorised disclosure, damage, destruction or loss of Personal Data directly to the HR Director and they must be consulted in the early stages of any project or proposed change to a business process that has implications for the Processing of Personal Data.
We will provide guidance, support and training on safeguarding Personal Data to all employees including those acting for or on behalf of us.
Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
We will comply with the restrictions in the GDPR on the transfer of Personal Data outside the European Economic Area. The HR Director must be consulted in advance of any such transfers being undertaken or agreed.
We are the Data Controller under the GDPR and we are required to notify the Information Commissioner of our Processing of Personal Data. A public register of Data Controllers and the type of data they process is available on the Information Commissioner’s website.
The HR Director deals with day-to-day data protection matters, such as subject access requests, and is a point of contact for issues relating to data protection.
When Processing Personal Data, employees must ensure they abide by the GDPR, this policy and any related policies. Employees who are uncertain as to whether their Processing of Personal Data meets these requirements should refer any queries to the HR Director. All new employees are required to have GDPR training. Existing employees should also attend training if they have not done so before or require a refresher.
Managers are responsible for ensuring that the Processing of Personal Data in their department conforms to the requirements of the GDPR and this policy. In particular, they should ensure that new and existing employees who are likely to process Personal Data are aware of their responsibilities under the Regulations. This includes drawing the attention of employees to the requirements of this policy, and ensuring that employees who have responsibility for handling Personal Data are provided with adequate training.
Managers must also see that correct information and records management procedures are followed in their departments. This includes establishing retention periods to ensure that Personal Data is not kept for longer than is required.
We are not responsible for any Processing of Personal Data by employees which is not related to their employment with us, even if the Processing is carried out using our equipment and facilities. Employees are personally responsible for complying with the GDPR in regard to data for which they are the Data Controller.
- Data Controller: a person or organisation who makes decisions in regard to Personal Data, including decisions regarding the purposes for which and the manner in which Personal Data may be processed.
- Data Protection Principles: a set of statutory requirements, which all Data to process Personal Data against the need to protect the privacy rights of the Data Subject.
- Data Subject: an individual who is the subject of Personal Data.
- Information Commissioner: the regulator appointed by the Crown to promote public access to official information and protect personal information. Compliance with the DPA is enforced by the Information Commissioner.
- Personal Data: information relating to a living individual who can be identified from the data, or from the data and other information which is in our possession (or likely to come into our possession). Personal data include information such as an individual’s name, home address, educational background, images and photographs (including CCTV footage), expressions of opinion about the individual, and our intentions in regard to the individual.
- Processing: any operation on Personal Data, including obtaining, recording, holding, organising, adapting, combining, altering, retrieving, consulting, disclosing, disseminating, deleting, destroying and otherwise using the data.
- Special Categories of personal: Personal Data relating to racial or ethnic origins, political opinions, religious beliefs, trade union membership, physical or mental health (including disabilities), sexual life, the commission or alleged commission of offences, and criminal proceedings.
- Subject Access Request: a request from an individual, under the DPA, for access to their Personal Data.
- Vital Interests: relating to life and death situations, e.g. the disclosure of a Data Subject’s medical details to a paramedic after a serious accident.