1. Purpose
We collect, store and process information relating to individuals (personal data) whilst carrying out our business activities. This document is necessary to help ensure compliance with our legal obligations in respect of data processing.
It is also intended to be a key tool toward demonstrating compliance measures to regulators and may be regarded by them as a top layer document and therefore comprises part of our layered approach to documenting practices in this area.
Through this policy and other practices, the organisation aims to create and operate a culture of openness in respect of data processing.
2. Scope
As a UK established organisation, this policy applies to all processing of personal data regardless of where in the world that processing, or any processing outsourced by us may take place.
This is an internal policy and it applies to all employees, workers and any other internal persons who may have responsibility for or a vested interest in the operations of the organisation.
The document may be shared with third parties, contractors and other self-employed persons who will be asked to comply with the policy. Where the organisation does undertake the services of a third party, that party will be required to make adequate assurances to the data controller and/or processor that their own processing is compliant with current applicable data protection laws.
The policy applies to all data processes in general but particularly to all activities relating to the acquisition, recording, processing, sharing storing and removal of personal data. In respect of carrying out general business activities and for illustrative purposes only, such processes include but are not limited to: recruitment activities, personnel records, payroll details, supplier and customer records.
3. Statement
3.1.1 We are committed to engendering a culture of accountability, integrity and confidentiality in all aspects of the organisation in regard to personal data and security. Our ultimate aim is to align every member of staff to these values such that they may be ambassadors of best practice data processing. We seek to achieve this by inducting new starters into our security practices and to maintain engagement and commitment to these values through transparent communication, providing regular training to staff and embedding privacy into our practices.
As an employer we process a significant amount of personal data about our staff. The type of information we require includes: nationality, date of birth, contact details and medical information. The grounds upon which this information is required will include legal and contractual obligations such as; demonstrating right to work checks, meeting statutory payment conditions and corresponding with individuals in respect of their employment.
Please refer to section the section ‘Roles and responsibilities’ for the details of the Controller. For a list of your rights as a data subject, please refer to section ‘The rights of data subjects’.
4. Principles
All persons who process personal data with our permission must endorse and adhere to these principles at all times and especially when they obtain, handle, process, transfer, store or erase personal data.
The six fundamental principles of personal data processing are as follows:
1. Fairness, lawfulness and transparency
All personal data must be processed fairly, lawfully and transparently.
2. Purpose limitation
All personal data must be collected for specified, explicit and legitimate purposes and shall not be further processed in any manner that is incompatible with those purposes.
3. Minimisation
All personal data must be adequate, relevant and limited to what is necessary for the purpose for which they are processed.
4. Accuracy
All personal data must be accurate and where necessary, kept up to date with regards to the purposes. Every reasonable step to rectify or erase inaccurate personal data must be taken without delay.
5. Storage limitation
No personal data should ever be kept in a form which permits identification of a data subject for longer than is necessary to achieve the purpose.
6.Integrity and confidentiality
All personal data must be processed in a manner that ensures appropriate security of the personal data. At the very least, it must always be protected against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical and organisational measures.
The data controller is ultimately accountable for each of these principles and is obliged by law to be able to demonstrate compliance at all times. It is for this reason that everyone in the organisation is required to take responsibility for their own strict adherence to these principles.
This policy is not contractual as it may be subject to change. However, it does indicate how we intend to meet our legal responsibilities for data protection. Therefore, any actionable points within it must be regarded as a legitimate management instruction. Explicit permission must always be sought and evidenced from a line manager before conducting yourself in a manner that varies from this policy. Failure to do so may result in disciplinary action.
Any additions or revisions to this policy will be communicated to staff where appropriate. We will notify data subjects of any changes that apply to them where appropriate, personally and in writing.
5. Definitions
5.1 Data
Information which is processed or is intended form part of a filing system. This applies to electronic or hard copy formats.
5.2 Data subject
An identified or identifiable, natural, legal person.
5.3 Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is also known as a Privacy Impact Assessment (PIA). It is a method which may be used to ensure privacy by design by conducting a prescribed risk assessment on data processes and making necessary adaptations, thereby implementing appropriate safeguarding measures. A DPIA is made mandatory by law in certain circumstances.
5.4 Data protection legislation
All privacy laws applicable to any Personal Data processed under or in connection with this Agreement, including, without limitation, the UK Data Protection Act 1998 , the Data Protection Directive 95/46/EC (as the same may be superseded by the General Data Protection Regulation 2016/679 (known as “GDPR”), the Privacy and Electronic Communication Directive 2002/58/EC and all national legislation implementing or supplementing the foregoing and all associated codes of practice and other guidance issued by any applicable Data Protection Authority, all as amended, re-enacted and/or replaced and in force from time to time.
5.5 Personal data (personal information)
Any ‘data’ relating to a ‘data subject’ who can be directly or indirectly identified by reference to a piece of data. This includes a name, identification number, location data or online identifier. It may be an identifier that relates to physical, physiological, genetic, mental, economic, cultural or social identity. It may also apply to data that has been pseudonymised.
The nature of the definition of data and personal data means that the expression of opinion or view about a data subject may also be regarded as personal data.
5.5.1 Special category data (sensitive data)
This is also more commonly referred to as ‘sensitive data’. In essence this is any data that has the potential to be used to discriminate against a natural person. It includes: racial, ethnic, political opinion, religious or philosophical belief, trade union membership, genetic, biometric data, sex life or sexual orientation data.
It does not include information pertaining to criminal convictions however, such information must be treated with a higher level of security than generic personal data.
5.6 Privacy by design
Privacy by design is the concept of ensuring that security, confidentiality and integrity of personal data is prioritised within the heart of the methods used for processing the data.
5.7 Processing
Any activity which is performed on personal data whether or not this is manual or automated, such as: recording, organising, structuring, storing, updating, retrieving, disclosing or erasing. Examples may include; sorting e-mail addresses into categories for marketing campaigns, recording absences from work, monitoring vehicle tracking etc.
5.8 Pseudonymise
To adapt how personal data is processed and presented such that the data cannot be attributed to a specific data subject, without additional personal data. The additional personal information must be kept separately and securely using appropriate technical and organisational measures.
5.9 Recipient
A natural person or organisation to whom personal data is disclosed or made available to. A recipient is not necessarily a third party with who the Company has professional dealings.