Data Protection Policy
The Data Protection Act 1998 will be replaced by the General Data Protection Regulation (GDPR) from 25 May 2018. The company is fully committed to compliance with the requirements of data protection regulations.
In addition to the DPA 1998 principles, the company shall now abide by the requirements of the GDPR that relate to data processing and consent, and shall be able to provide evidence of its compliance with the principles of data protection. Specifically, this requires the company to allow employees, service users and other contacts to withdraw consent or to see the personal data held on them.
The scope of this policy is to ensure that all personal data processed and controlled by the company complies with the data protection standards set out in the regulations. Specifically, this policy describes how personal data must be collected, handled and stored. Personal data can include data about customers, suppliers, business contacts, employees and other people the company has a relationship with or may need to contact. Further, it applies both to automated and to manual data.
This policy must be read in line with the company’s Social Networking, Disciplinary and Technology, Security and Electronic Communications policies. Please also refer to the Data Retention Schedule for information on how long data will be retained by the company.
Article 5 of the GDPR requires that personal data shall be:
• processed lawfully, fairly and in a transparent manner in relation to individuals;
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Further, Article 5(2) requires that the controller shall be responsible for, and be able to demonstrate, compliance with the principles.
Where an employee has provided personal information, this shall be processed fairly and lawfully and shall not be processed unless certain conditions are met in relation to personal data and additional conditions are met in relation to sensitive personal data.
The company shall actively seek separate consent for each different data processing activity. The company shall also make it easy to withdraw consent at any time the employee chooses. The company shall seek fresh consent every time the reason for data processing changes.
Subject Access Requests
If an individual whose personal data is held by the company requests information as set out below, this is called a subject access request. The individual can:
• Ask what information the company holds about them and why.
• Ask how to gain access to it.
• Be informed how to keep it up to date.
• Be informed how the company is meeting its data protection obligations.
Subject access requests from individuals shall be made by email, addressed to the data controller, Daniel Freedman at firstname.lastname@example.org.
There shall be no charge for providing a copy of the information requested; however, the company may charge an administrative cost if further copies of the same information are requested. Information requested shall be provided within a reasonable time and at the latest within one month of the request. Where the request is complex, the company may extend this period by a further two months; this is done by informing the individual within one month of receipt, along with an explanation of the reason for the extension.
The data controller will always verify the identity of anyone making a subject access request before handing over any information.
The company shall ensure the following:
• There is a lawful basis (from the six lawful bases for processing) to process personal data, and this is documented in line with Articles 5(2) and 24.
• Employment contracts have clear and plainly worded provisions on data protection
• Consent is requested for the intended purposes, and consent can be withdrawn at any time by the employee
• Clear records documenting the consent are maintained
• Data processed is held only for as long as required (please also refer to Data Retention Schedule)
• Employees will be advised on the following aspects of data held on them:
o Their right to be forgotten
o Their right to restrict processing
o Their right to data portability (this applies only in cases where personal data is provided to a controller; where processing is based on the individual’s consent or for the performance of a contract; and when processing is carried out by automated means).
• Train staff responsible for processing data
• Carry out privacy impact assessments as outlined by the Information Commissioner’s Office
• Carry out regular compliance checks
• Where sensitive personal data is being processed on a regular basis, appoint a Data Protection Officer
• Make available easy-to-understand forms for giving consent and for withdrawing consent
• All servers and computers containing data should be protected by approved security software and a firewall
• Data shall be regularly reviewed and updated if it is found to be out of date. If no longer required, it shall be deleted and disposed of.
• Employees who work with data must take reasonable steps to ensure it is kept as accurate and up to date as possible.
• Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
• Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
• Strong passwords must be used and they should only be shared with those who are allowed access to data.
• Personal data should not be disclosed to unauthorised people, either within the company or externally.
• Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.
• When not required, paper files should be kept in a locked drawer or filing cabinet.
• If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
• Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
• Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
• When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
• Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
Where unlawful activity is suspected in relation to personal data, the Company will report the matter to the Information Commissioner’s Office for investigation within 72 hours of the breach, where feasible. The company shall also carry out its own investigation in line with the disciplinary policy and may also need to report the alleged breach to a regulatory organisation or body. The company shall maintain records of any personal data breaches, irrespective of whether or not they have been reported.
Any serious breach of data protection legislation will also be regarded as gross misconduct and will be dealt with under the Company’s disciplinary procedures. Where an employee has accessed another employee’s personnel records without authority, or has unlawfully obtained or disclosed personal data (or procured its disclosure to a third party) without the Company’s consent, this constitutes a gross misconduct offence and could lead to summary dismissal.