As an employer, it is necessary for us to collect, store and process personal data about our employees, workers, suppliers and other third parties who we engage to provide services for us or do business with.
Under the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018, the way personal data is kept and used has come under much greater scrutiny. This policy is therefore very important to us and sets out how we will use personal data we collect or receive about individuals and third parties.
This policy will help all of us comply with our legal obligations and ensure that individuals we hold personal data about have confidence in how we will use that data.
It is important that you read this policy carefully to ensure you comply with it. This policy does not form part of your contract of employment and may be amended at any time.
Data protection contact
The person responsible for ensuring compliance with our data protection obligations is our Data Protection Officer. Any questions about the operation of this policy, or any concerns that this policy has not been followed, should be referred in the first instance to that person.
What do terms used in this policy mean?
There may be some data protection terminology in this policy which you are unfamiliar with, and which has a specific meaning under data protection laws. The most commonly used terms are defined below:
A data subject is a living, identified (or identifiable) individual we hold personal data about.
Personal data is data we hold about a data subject. What makes it personal data is the fact that the data subject can be identified (directly or indirectly) from that data (or from that data and other information in our possession or available to us). Personal data can be factual (e.g. a name, address or date of birth) or it can be an opinion about the data subject, their actions and behaviour. It can also include an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic (e.g. DNA or RNA), mental, economic, cultural or social status of that individual.
Processing is a term used to describe what we do with the personal data. It applies to most activities that might be undertaken in respect of the data, such as: collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, disclosing by transmission, dissemination or otherwise making it available, aligning or combining, restricting its use, erasing or destroying it. Processing also includes transferring (or disclosing) personal data to third parties.
A data controller is a term used to describe the person(s) who, or organisations which, determine how and why personal data is processed. We are the data controller of all personal data held by us.
Data users are those persons whose work involves processing personal data. Data users must protect the data they handle in accordance with this policy and any applicable data security procedures.
Data processor means any person or organisation that processes personal data on our behalf and on our instruction. Employees of data controllers are excluded from this definition, but it could include suppliers who handle personal data on our behalf.
Special categories of personal data is a term used to describe sensitive personal data, such as information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, genetic data and biometric data (where processed to uniquely identify a person), or information about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Special categories of personal data can only be processed under strict conditions.
Responsibility for data protection
As a data controller, we are responsible for establishing practices and policies in line with the GDPR and any other laws governing data protection. It is important that we do more than just say that we are complying with data protection laws; we must also demonstrate compliance. We will do this by:
How should personal data be processed?
It is a legal requirement that any personal data we process must:
Lawfulness, fairness and transparency
The GDPR is not intended to prevent the processing of personal data, but ensure that it is done lawfully and transparently, minimising any adverse effect on the rights of the data subject.
For personal data to be processed lawfully, it must meet at least one of a number of conditions specified by legislation. We haven’t listed all those conditions here, but generally we will process data where it is necessary:
In addition to the above conditions, we can also process a data subject’s personal data where they have given consent for one or more specified purposes, provided that such consent is a freely given, specific, informed and unambiguous indication of the data subject’s wishes. A data subject will have the right to withdraw any consent given.
For special categories of personal data to be processed lawfully, there are additional conditions which must be met, in addition to satisfying one of the above conditions for processing personal data. Conditions for processing special categories of personal data include:
Central data record
We maintain a central record of what personal data we collect and why we collect it. We will only process personal data for the specific purposes set out in the central record or for any other purposes specifically permitted by the GDPR. We will notify those purposes to the data subject when we first collect the data from them or as soon as possible thereafter.
We will only process personal data to the extent required for the purposes notified to the data subject. This means that we should not ask for, or record on our systems, more personal data than we need. We will use appropriate technical and organisational measures to ensure that personal data that we no longer need is erased/destroyed.
We will do our best to ensure that any personal data we hold is accurate and kept up to date. We aim to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. It is therefore important that you keep us up to date with any changes to your own personal details that we hold on you as an employee.
We will take all reasonable steps to erase/destroy or amend inaccurate or out-of-date data without undue delay, and in any event within one month of the data subject’s request (or two months where there are specific reasons why that is not possible).
Keeping personal data secure
When we process personal data, we will do our best to ensure that it remains secure and is protected against unauthorised or unlawful processing and accidental loss, destruction or damage.
We will do this by:
In assessing the appropriate level of security, we shall take into account the risks associated with the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data that we process.
Desks and cupboards should be kept locked if they hold personal data or confidential information of any kind. Data users must ensure that individual monitors/screens do not show personal data or confidential information to passers-by and that they log off from or lock their computer/tablet when it is left unattended.
Whenever we transfer personal data or confidential information outside our own systems or offices (for example when information is taken off site by employees to visit customers or for home working) there is a risk that the personal data or confidential information may be lost, misappropriated, or accidentally released.
Steps should be taken to minimise the risk of theft, loss, destruction, damage or unauthorised use of personal data or other confidential information when data is transferred. Such steps could include:
You should have permission from your manager before taking personal data off site. It must also be brought back and securely stored at the earliest opportunity.
Personal data breach
It is very important that we are alive to the risks of personal data breaches, and that we react quickly to an apparent breach.
A personal data breach may not be evident straightaway. However, there may be indicators of a personal data breach, system compromise, unauthorised activity, or signs of misuse. A personal data breach can happen in many ways, including:
As soon as you become aware of any personal data breach, or have any reason to suspect that a personal data breach has occurred or is about to occur (for whatever reason), you should contact our data protection contact immediately or, if they are not available, your line manager.
Erasing or destroying personal data
Paper records that contain personal data must be shredded and disposed of securely when there is no longer a need to retain them. Paper records containing personal data must not be disposed of in any other way.
For electronically stored data, there is a significant difference between deleting personal data irretrievably, archiving it in a structured, retrievable manner, or moving it as unordered data to an electronic wastebasket. Personal data that is archived, for example, is subject to the same data protection rules as ‘live’ personal data.
When deleting electronic data, all possible steps should be taken to put the data in question beyond use. Where it is impossible to delete data completely from electronic systems, all reasonable steps should be taken to ensure that it is deleted to the fullest extent possible.
The IT Team will be responsible for destroying electronic equipment that contains personal data (e.g. laptops and desktops) securely.
Transferring personal data outside the EEA
We may transfer any personal data we hold to a country outside the European Economic Area (“EEA”), provided that one of the following conditions applies:
For each transfer of data outside the EEA, we will record which of the conditions we are relying on.
Transferring data to third parties
If we need to use third parties to process personal data on our behalf, we will require those third parties to provide us with sufficient guarantees that they have appropriate technical and organisational measures in place to comply with the GDPR and to ensure the protection of the rights of the data subjects.
Notifying data subjects
We are required to provide information to data subjects about our processing of their personal data. This information is contained in our Privacy Notices. Such notices will provide information about:
If we receive personal data about a data subject from a third party, we will in addition provide the data subject with information on:
Rights of data subjects
If we process personal data, the data subjects will have the right to:
If a data subject exercises these rights and we have disclosed the personal data in question to a third party, we will do our best to ensure that the third party complies with the wishes of the data subject.
Subject access requests
Data subjects who wish to request information about the personal data we hold about them must do so in writing. If you receive such a request (whether in paper form or in an email or other electronic format) you should forward it to our data protection contact immediately.
Personal data breach response plan
In the event of a personal data breach, we must take quick action to minimise the impact of the breach and, in certain circumstances, must report the breach within 72 hours of it occurring. Therefore, if you become aware of any personal data breach or are unsure if a personal data breach has occurred, whether by you or someone else, you should contact our data protection contact immediately or, if they are not available, notify your line manager (see 1.9 above).
Once a personal data breach or a potential personal data breach has been reported, our data protection contact will be responsible for responding to the data breach. In most cases this will involve:
DPO: Gudmundur Hafsteinsson
Phone: +44 0129322 6933
If you would like to make a request for us to remove your data from our records then please complete the form below. We will contact you with confirmation.