In the course of your employment with us, you are likely to collect, process or store personal information about employees, clients, customers and suppliers, for example, their names, telephone numbers and email addresses.
The Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR) came into force on 23rd and 25th May 2018, respectively. Once in effect, they repeal the current Data Protection Directive (Directive 95/46/EC) and override the Data Protection Act 1998.
The GDPR contains strict principles and legal requirements that must be adhered to before and during any processing of any personal information.
You should be aware that everyone has a responsibility to comply with the GDPR and that failure to meet those responsibilities is likely to lead to serious consequences.
A serious breach of data protection is likely to be a disciplinary offence and will be dealt with under the Company’s disciplinary procedure. If you access another employee’s personnel records or any sensitive personal information without authority, this will constitute a gross misconduct offence and could lead to your dismissal.
Additionally, if you knowingly or recklessly disclose personal data in breach of relevant legislation, you may be held personally criminally accountable for any such breach.
Breach of the data protection legislation, including the GDPR rules, can cause distress to the individuals affected by the breach and is likely to leave the Company at risk of serious financial consequences.
If you are in any doubt about what you can or cannot disclose and to whom, do not disclose the personal information until you have sought further advice from our Data Protection Officer.
This policy does not form part of a contract of employment. However, all employees, workers and contractors must read, understand and comply with the content of this policy, and you must attend associated training relating to its content and operation. Failure to adhere to this policy is likely to be regarded as a serious disciplinary matter and will be dealt with under the Company’s disciplinary rules and procedures.
| Term | Definition |
|---|---|
| Data Subject | A living individual to whom data pertains. |
| Data Controller | The person or organisation determining the means and purpose of collecting and processing the personal data. |
| Data Processor | A natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller. |
| Data Protection Legislation | The General Data Protection Regulation (GDPR) and any national implementing laws, regulations and secondary legislation, for so long as the GDPR is effective in the UK; and any supplemental legislation to the GDPR, in particular the Data Protection Bill 2017-2019 and the E-Privacy Directive (and its proposed replacement), once it becomes law. |
| Personal Data | Data or information that identifies a living individual (data subject) either directly or indirectly. This also includes special categories of personal data. Personal data does not include data which is entirely anonymous or from which the identity has been permanently removed, making it impossible to link it back to the data subject. |
| Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Special Category Data | Any personal data which reveals a data subject’s ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric or health data, sex life or sexual orientation. |
The Data Protection Principles
As data controller, we are required by law to ensure that everyone who processes personal data during the course of their work with us does so in accordance with data protection legislation, including the GDPR principles. In brief, the principles say that personal data must be:
- Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate data are erased or rectified without delay (accuracy);
- Kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation); and
- Processed in a manner that ensures appropriate security, using appropriate technical or organisational measures (integrity and confidentiality).
The GDPR requires that, as data controller, we also:
- effectively uphold individuals’ rights;
- ensure that the necessary measures and safeguards are in place if data is transferred outside the European Economic Area; and
- be able to demonstrate effective accountability and compliance with the GDPR.
The Company and its employees must comply with these principles at all times.
You must inform your line management and the Data Protection Officer immediately if you believe that any of these principles have been undermined, are likely to be undermined, or indeed if there has been any breach of personal data.
Please also make sure you are aware of the Company’s Data Breach Policy.
Lawful, Fair and Transparent Processing
During the course of your employment with us, you are likely to process personal data. We will only expect you to process personal data where the Company has a lawful basis (or bases) to do so.
The lawful basis may be any one of the following reasons, or a combination of them:
- With a data subject’s consent
This means we’ve collected, and can evidence, explicit consent from the data subject to process their data in a certain way.
- In the performance of a contract
This means we process personal data where it is necessary for the performance of a contract with the data subject, or to take steps, at the data subject’s request, before entering into such a contract.
- To comply with a legal or regulatory obligation
This means processing personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
- With legitimate interests
This means we process personal data in the legitimate interest of our business, and in order that we may provide data subjects with the best service or product and the most secure experience. We always consider and balance any potential impact on the data subject and their rights before we process personal data for our legitimate interests.
We will not use personal data for activities where our interests are overridden by the impact on data subjects (unless we have their consent or are otherwise required or permitted to by law).
In any instance where we’re processing personal data based on legitimate interests, the data subject still has the right to object to their data being processed in that manner.
Very occasionally you may need to process personal data:
- where we need to protect the vital interests of the data subject (or someone else’s interests); or
- where it is needed for tasks in the public interest.
You should not be processing personal data unless the Company is aware of it. All the Company’s data processing activities should be reflected in the Company’s Data Register. To check if your data processing activities are properly recorded please contact our Data Protection Officer.
It is your responsibility to ensure that the Data Protection Officer is aware of each processing activity which you perform, and that it is necessary to the effective performance of the Company. If you have any questions or concerns, please contact the Data Protection Officer.
Personal data must be processed in a lawful, fair and transparent way. This means clearly communicating information about the personal data we collect, and how we process it. This information is communicated to data subjects through the Company's privacy policies.
Different notices are used for different purposes, for example website use, employment or commercial. All privacy policies are intended to supplement one another, not override each other.
You must only use data collected indirectly if you have evidence that it has been collected in accordance with the GDPR principles.
Specific, explicit and legitimate processing - purpose limitation
The purpose for which the personal information is collected must be specific, explicit and legitimate. We detail and communicate this to data subjects in our privacy policies.
If it becomes necessary to use personal data for a reason other than the original purpose for which it was collected, you must usually stop processing until you’ve discussed the matter with our Data Protection Officer.
However, in limited circumstances, you can continue to process the information provided that your new reason for processing the personal information remains compatible with your original lawful purpose (unless your original lawful basis was consent). This should only be decided with the support and input of the Data Protection Officer.
Only collecting data that is adequate and relevant - data minimisation
Any data collected by the Company must be adequate and relevant to meet the identified purpose. We must not collect any personal data that is over and above our identified need.
You must only process personal data where you have been authorised to do so because it relates to your work, or you have been delegated temporary responsibility to process the information.
You must not collect, store or use unnecessary personal data, and you must ensure that personal data is deleted, erased or removed in line with our Data Retention Schedule. You must not process or use personal data for non-work-related purposes.
Ensuring personal data is accurate and up to date
We have a responsibility to make sure that the personal data we hold across all our systems is up to date and accurate. Data subjects have an explicit right to be able to update their details.
If you are ever in receipt of a request to update or change customer details you must inform the Data Protection Officer immediately. The Data Protection Officer will work to ensure that any change or update to personal data is effectively and comprehensively applied across all of the Company’s systems and platforms.
You need to be aware that failure to comprehensively respond to a change-of-details request, and therefore holding inaccurate data in Company records, counts as a data breach under the GDPR.
Keeping Data for no longer than is necessary - storage limitation
The personal data should not be kept in a form which permits identification of a data subject for longer than is necessary for the purposes for which it is used.
Different categories of personal data will be retained for different periods of time, depending on legal, operational and financial requirements. These retention periods are detailed in the Company’s Retention Schedule.
Any data which the Company decides it does not need to hold will be destroyed in accordance with its Data Retention Policy and associated Retention Schedule.
We have a responsibility to ensure that personal data is kept confidential and secure and is only accessed and processed by authorised personnel.
To achieve this you must follow these steps:
- The Company has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to data. These procedures must always be adhered to and not overridden or ignored.
- Where the Company provides you with passwords to be used before releasing personal information, for example by telephone, you must strictly follow the Company’s requirements in this regard.
- Only transmit personal information between locations by e-mail if a secure network is in place.
- Ensure that any personal data which you hold is kept securely, either in a locked filing cabinet or, if it is an electronic file, ensure it is password protected to prevent unintended destruction or change and is not seen by unauthorised persons.
- Do not access another employee’s records without authority as this will be treated as gross misconduct and it is also a criminal offence.
- Do not write down (in electronic or hard copy form) opinions or facts concerning a data subject which would be inappropriate to share with that data subject.
- Do not remove personal information from the workplace with the intention of processing it elsewhere unless this is necessary to enable you to carry out your job duties and has been authorised by your line manager.
- Ensure that when working on personal information as part of your job duties when away from your workplace and with the authorisation of your line manager, you continue to observe the terms of this policy and the data protection legislation, in particular in matters of data security.
- Ensure that hard copy personal information is disposed of securely, for example, cross-shredded.
- Manual personnel files and data subject files are confidential and are stored in locked filing cabinets.
- Only authorised employees have access to these files. For a list of authorised employees, please contact our Data Protection Officer.
- Data stored on Company-approved memory sticks, discs, portable hard drives or other removable storage media is kept in locked filing cabinets or secured server rooms.
- Data held on computers is stored confidentially by means of password protection.
- The Company has network backup procedures to ensure that data on computers cannot be accidentally lost or destroyed.
The transfer of personal data to countries or organisations outside of the EEA should only take place if appropriate measures are in place to protect the security of that data.
We use a small number of GDPR compliant service providers based in the United States of America to support some of our e-commerce and marketing functions. These providers include Mailchimp, GSuite and SurveyMonkey.
All relevant service providers participate in the EU-US Privacy Shield and the Company has compliant data processing agreements in place.
Outside of the two instances mentioned above, you must not transfer personal data outside of the European Economic Area without the prior involvement and agreement of our Data Protection Officer.
This is because the Company has to ensure an adequate level of protection in relation to the processing of personal data outside of the EEA.
We always expect you to respect and honour the rights of our data subjects. If you are ever unsure or unclear about what’s expected of you, you must seek the input and support of our Data Protection Officer.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
At any time a data subject can request that we take action to support their aforementioned rights, with regard to their personal data.
Data subjects also have the right to be notified of a data security breach in certain circumstances.
There are different rules and procedural timeframes that we must adhere to when a data subject exercises their rights. Whenever you process or receive a request in relation to any of the above rights, you must immediately advise our Data Protection Officer.
Subject Access Requests
The Data Protection Officer is responsible for coordinating and managing the Company’s response to all subject access requests. This is to ensure that we properly and compliantly meet all requirements placed on us under data protection legislation, which include:
- Verifying the identity of the person making the subject access request;
- In addition to providing them with their personal data, providing individuals with the following information:
  - the purposes of processing;
  - the categories of personal data concerned;
  - the recipients or categories of recipient we disclose the personal data to;
  - the retention period for storing the personal data;
  - the existence of their right to request rectification, erasure or restriction or to object to such processing;
  - the right to lodge a complaint with the ICO or another supervisory authority;
  - information about the source of the data, where it was not obtained directly from the individual;
  - the existence of automated decision-making (including profiling); and
  - the safeguards provided when personal data is transferred to a third country or international organisation;
- Not disclosing the personal data of third parties unless you have received the express consent of the data subject;
- Not disclosing personal data to third parties unless the data subject has given their explicit consent to do so. A third party is any party who is not the data subject and can include family members of the data subject.
You must never attempt to handle a Subject Access Request in isolation, and if you do, this is likely to lead to the Company taking disciplinary measures against you.
Categories of information
When you handle special category data extra care should be taken to ensure the privacy and security of that data. This means that you should maintain a high level of security and you should only share this data with those who are also authorised to process that data.
In the context of employee relations, the scenarios in which you may be required to process special category information may arise for one or more of the following reasons:
- In order to comply with employment and other laws when processing and managing situations connected with absences arising in relation to sickness or family/dependant-related leave.
- To ensure health and safety obligations and other employment-related obligations are met you may be required to process information about the physical or mental health or disability status of an employee in order to assess their capability to perform a role.
- You may also be required to monitor and manage sickness absence, recommend appropriate workplace adjustments and administer health-related benefits.
- Where it is needed in the public interest, for example for equal opportunity monitoring and reporting.
We will not require you to process special categories of information in connection with customers and other third parties.
There may be circumstances where we ask you to process this type of information in relation to assisting the Company with legal claims or to protect a data subject’s interests (or someone else’s).
You may be asked to process information in relation to criminal convictions. This should be processed with the highest degree of confidentiality and in accordance with any data protection legislation and privacy policies that are in force in our business.
If you are unsure about how you should process general personal data or special categories of personal data, you must contact our Data Protection Officer.
There may be times during the course of your work that you may need consent from a data subject in order to process personal data. You will be provided with training and details of the circumstances in which consent is needed and the type of consent that should be sought.
However, in limited circumstances, you may find it necessary to request a data subject to provide written consent to allow the processing of special categories of personal data.
You must not compel a data subject to provide written consent. Giving consent will always be a decision made by free will and choice and is not a contractual condition. Consent can be withdrawn at any time without any reason provided. Consent means offering individuals real choice and control.
In limited circumstances, certain categories of personal data are exempt from the GDPR. In an employment context, for example:
- Confidential references that are given, but not those received by the Company from third parties. References will not be provided unless the Company is sure this is the employee’s wish.
- Management forecasts and management planning (including documents setting out management plans for an employee’s future development and progress).
- Data which is required by law to be publicly available.
- Documents subject to legal professional privilege.
A personal data breach will arise whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on a data subject.
In the event of a security incident or breach, do not try to handle this yourself. You must follow the Company’s Data Breach Policy which includes immediately informing the Data Protection Officer so that steps can be taken to:
- contain the breach;
- assess the risk posed to data subjects as a result of that breach; and
- limit the scope of the breach by taking steps to mitigate its impact on both the data subject and the Company.
The Data Protection Officer will determine within 72 hours the seriousness of the breach and if the Information Commissioner’s Office (ICO) and/or data subjects need to be notified of the breach.
In order to demonstrate our compliance with the GDPR, we keep records of all our processing activities. This means that our Data Protection Officer must be aware, at all times, of your activities in relation to data processing.
All employees that handle the personal information of individuals must have a basic understanding of the data protection legislation, including the GDPR.
Staff with duties such as computer and internet security, marketing and database management may need specialist training to make them aware of particular data protection requirements in their work area.
We will provide you with continuous training and updates on how to process personal data in a secure and confidential manner, and in accordance with data protection legislation, including the GDPR.
You will be required to attend all training and to keep yourself informed and aware of any changes made to privacy policies, consent procedures and any other policies and procedures associated with our internal processing of personal data.
Automated Processing and Decision Making
From time to time we may use computer programmes to process data and make automated decisions. We will provide you with a separate notice explaining when and how this happens.
Where automated processing or decision making does take place and the effect of that processing impacts on the freedoms and legitimate interests of the data subject, then in certain circumstances the data subject can ask for a human to review the decision made by the machine.
Sharing Personal Data
We are subject to specific rules under the GDPR and the Privacy and Electronic Communications Regulations (PECR) in relation to marketing our services. Data subjects have the right to reject direct marketing and we must ensure that data subjects are given this option at the first point of contact.
When a data subject exercises their right to reject marketing you must desist immediately from sending further communications.
If you believe that this policy has been breached by a colleague, or if you wish to exercise any relevant rights or raise queries or complaints, please in the first instance contact our Data Protection Officer using the contact details provided below: