Data Protection Policy
The Group understands the security of personal data is of paramount importance to individuals. Any personal data collected by the Group should be for a legitimate business purpose, stored securely and be adequately protected.
The aim of this policy is to ensure the Group are as transparent as possible about why personal data is required and how it is processed, and to:
- Ensure compliance with the General Data Protection Regulation and Data Protection Act 2018 (the ‘Data Protection Legislation’)
- Protect the rights of individuals of whom the Group holds data
- Protect the Group from the risks of a data breach
This policy applies to all Workers within the Group (including, but not limited to employees (whether permanent, fixed term or temporary), self-employed personnel and agency workers).
Other personal data collected can include data for customers, suppliers, business contacts and other individuals with whom the Group has a relationship.
This policy has been approved by the Group’s Board of Directors.
This policy is non-contractual and it may be amended at any time. Any breach of this policy will be taken seriously and may result in disciplinary action.
Any questions or concerns about the operation of this policy should be referred in the first instance to the HR Department.
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data relating to them.
Data Subject: for the purpose of this policy includes all living, identified or identifiable individuals about whom we hold personal data.
Explicit Consent: consent which requires a very clear and specific statement.
Processing or Process: any activity that involves use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
Categories of Data
There are two types of data:
Personal Data – classified as any information relating to a living individual who can be identified from that data (or from that data and other information in our possession). This includes, but is not limited to, name, address, date of birth, contact numbers, IP and e-mail addresses.
Special Categories of Personal Data – classified as any information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and personal data relating to criminal offences and convictions.
Data Protection Principles
All Group Workers that process personal data must comply with the data protection principles, which require personal data to be:
- Processed lawfully, fairly and in a transparent manner in relation to Data Subjects;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
We will demonstrate compliance with the data protection principles.
In addition to these principles, Group Workers must also ensure that personal data is:
- Not transferred to another country without appropriate safeguards in place; and
- Made available to Data Subjects, who must be allowed to exercise certain rights in relation to their data.
Processing Data – Lawfulness, Fairness and Transparency
Lawfulness and fairness: We may only collect, process and share personal data fairly and lawfully and for specified purposes.
For personal data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the Data Subject has consented to the processing, or that the processing is necessary for our legitimate interests, or it is necessary for the performance of a contract, or to meet our legal obligations.
Further information on the processing of personal data is set out in our Privacy Notice available from the HR Department.
Consent: A Data Subject consents to processing of their personal data if they indicate agreement clearly either by a statement or positive action to the processing.
Where consent is given, a Data Subject will be able to easily withdraw their consent at any time. Consent may need to be refreshed if we intend to process personal data for a different and incompatible purpose which was not disclosed when the Data Subject first consented.
Usually we will rely on another legal basis (and will not require Explicit Consent) to process most types of special category data.
Transparency: Whenever we collect personal data directly from Data Subjects, including for HR or employment purposes, we will provide the Data Subject with specific information including:
• that we are the data controller; and
• how and why we will use, process, disclose, protect and retain that personal data.
This is provided through a Privacy Notice. This can be located via the HR Department.
Processing Data – Limited Purposes
Personal data may only be processed for specified, explicit and legitimate purposes. This means that personal data must not be collected for one purpose and used for another unless we have informed you of the new purpose(s).
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. You may only process and collect personal data that you require for your job duties; you cannot process or collect personal data for any reason unrelated to your job duties.
We will ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Group’s Retention Guidelines.
Processing Data – Accuracy
The Group will review personal data regularly to ensure that it is accurate, relevant and up to date.
In order to ensure the Group’s files are accurate and up to date, Data Subjects must notify the HR Department as soon as possible of any change in their personal details.
Processing Data – Retention
The Group is committed to ensuring every Data Subject’s personal and special categories of data in an identifiable form are not kept for longer than is necessary for the purposes for which the data was gathered. We will take all reasonable steps to ensure that data is destroyed or erased from our systems when it is no longer required, unless a law requires such data to be kept for a minimum time. This includes requiring third parties to delete such data where applicable.
This policy provides a consistent approach to managing the retention of records regardless of their format (electronic or paper).
Data Subjects’ records and information will only be retained for legitimate business use.
Refer to Appendix 1 for details of the Group’s retention periods.
Processing Data – Security
We will ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
We will ensure that we have in place procedures and technologies appropriate to the size, scope and available resources of our business to maintain the security of all personal data from the point of collection to the point of destruction. We will regularly evaluate the effectiveness of the safeguards put in place. Personal data may only be transferred to a third-party data processor if they agree to comply with those procedures and policies, or if they put in place adequate measures. We will exercise particular care in protecting special categories of personal data.
Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
• Confidentiality means that only people who are authorised to use the data can access it.
• Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
• Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our business network instead of individual PCs.
Security procedures include:
• Entry controls. Any stranger seen in entry-controlled areas should be reported.
• Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
• Methods of disposal. Paper documents should be shredded. Digital storage devices that are no longer required should be handed to the IT Department for physical destruction.
• Equipment. Data Users should ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
Processing Data – Sharing Data with Third Parties
There may be occasions where the Group are legitimately required to share some of your personal data with a third party (data processor). The Group will not share more data than is necessary.
We may only share the personal data we hold with third parties, such as our service providers, if:
• they have a need to know the information for the purposes of providing the contracted services;
• sharing the personal data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s consent has been obtained;
• the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
• the transfer complies with any applicable cross border transfer restrictions; and
• a fully executed written contract that contains Data Protection Legislation approved third party clauses has been obtained.
Third parties may include, but are not limited to:
- Health and Safety Executive (HSE), where a reportable accident has occurred and needs to be investigated.
- Pension Scheme Providers
- HMRC, to meet legislative reporting requirements and access Tax and National Insurance information required for payroll purposes
- Training Companies and Colleges
- Membership / Funding Organisations
- Insurance Providers
We may also disclose personal data we hold to third parties:
• In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets.
• If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets.
• If we are under a duty to disclose or share a Data Subject’s personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the Data Subject or other agreements; or to protect our rights, property, or safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
We will only transfer personal data we hold to a country outside the EEA in accordance with the Data Protection Legislation.
Processing Data – Individuals’ Rights
Data Subjects have rights when it comes to how we handle their personal data. These include rights to:
• withdraw consent to processing;
• receive certain information about our processing activities;
• request access to their personal data that we hold;
• prevent our use of their personal data for direct marketing purposes;
• ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
• restrict processing in specific circumstances;
• challenge processing which has been justified on the basis of our legitimate interests or in the public interest;
• request a copy of an agreement under which personal data is transferred outside of the EEA;
• object to decisions based solely on Automated Processing, including profiling;
• prevent processing that is likely to cause damage or distress to the Data Subject or anyone else;
• be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
• make a complaint to the supervisory authority; and
• in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format.
Some of these rights are not automatic.
Workers must verify the identity of an individual requesting data under any of the rights listed above.
If a Data Subject wishes to exercise a right, the request must be immediately forwarded to the HR Department.
The Group will respond to any request to exercise a right within one month of receipt of the request unless it extends the response time. Where the request is complex or there is a large volume of requests, the Group may extend the deadline to respond by a further two months (three months in total). Where the deadline is extended, the HR Department will write to the Data Subject, within one month of the original request, detailing the reasons the extension is necessary.
In the event that the Group takes the decision not to respond to a request, the Data Subject will be notified in writing of the reasons together with their rights and process for making a complaint within one month of the request.
The key rights are set out below.
Subject Access Requests
Data Subjects have the right to access data held about them by making an application in the form of a Subject Access Request. The request must be submitted in writing to the HR Department.
Once collated, the Group will provide the personal data in either a hard copy format or electronically.
The Group may ask a Data Subject for further details in respect of their request to be able to locate the required information.
Where a request to access data is considered to be manifestly unfounded or excessive, the Group may:
- Refuse to respond, or
- Charge a reasonable fee to the Data Subject, taking into account the administrative costs of providing the information
Right of Erasure
Data Subjects can request the deletion or removal of their personal data, where the Group have no legitimate reason to continue processing the data. This can occur where:
- the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- Data Subjects withdraw consent to process personal data
- Data Subjects object to the processing of personal data and there is no overriding legitimate reason for continuing to process
- the personal data was unlawfully processed (i.e. in breach of the Data Protection Legislation)
- the Data Subject objects to the processing for direct marketing purposes
- the personal data has to be erased in order to comply with a legal obligation
- the personal data is processed in relation to the offer of information society services to a child
Where the Group have disclosed the personal data in question to third parties (data processors), the Group must inform the processors of the requirement to delete the personal data.
Right of Rectification
Data Subjects are entitled to have their personal data rectified where it is found to be inaccurate or incomplete.
Where the Group have disclosed the personal data in question to third parties (data processors), the Group will inform them of the rectification requirement, where possible. In addition, the Data Subject will be informed about the processors to whom the data has been disclosed, where appropriate.
Right to Restrict Processing
The Group will be required to restrict processing of a Data Subject’s personal data, where:
- A Data Subject contests the accuracy of the personal data. In this instance, the Group must restrict the processing until the accuracy of the personal data has been verified.
- A Data Subject has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and the Group is considering whether their legitimate grounds override that of the Data Subject.
- The Group processes data unlawfully and the Data Subject requests restriction instead of erasure.
- The Group no longer needs the personal data, however, the Data Subject requires it to establish, exercise or defend a legal claim.
Where the Group has disclosed the personal data in question to third parties, the Group will inform them of the restriction on processing, where possible.
The Right to Data Portability
This right allows Data Subjects to obtain and reuse their personal data for their own purposes across different services, for example to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
The right only applies where a Data Subject has provided personal data to a data controller (i.e. the Group). The request should be submitted in writing to the HR Department.
The Group will provide the personal data free of charge and in a structured, commonly used and machine-readable format, such as a CSV file. Where the personal data concerns more than one Data Subject, the Group will decide whether providing the data would prejudice the rights of any other Data Subject.
Right to Object
Data Subjects can object to the processing of their personal data for marketing and/or research purposes. The Data Subject must submit the request in writing to the HR Department.
The Group will be required to cease processing the personal data upon receipt of a request, unless it is demonstrated:
- There are compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the Data Subject
- The processing is for the establishment, exercise or defence of legal claims.
A personal data breach is defined as a security incident that has affected the confidentiality, integrity, or availability of personal data. This can include, but is not limited to:
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
Should an individual within the Group become aware of a breach, they should report it immediately by e-mailing firstname.lastname@example.org, detailing as a minimum, how the breach occurred, the personal data breached and names of Data Subjects affected. The individual should preserve all evidence relating to the potential personal data breach.
In the event there is a data breach the Group will assess the risks involved. Where the data breach is considered to be a ‘risk’ to the rights and freedoms of the Data Subject, the Group will report it to the ICO (Information Commissioner’s Office) within 72 hours. Where the data breach is considered to be a ‘high risk’ to the rights and freedoms of the Data Subject, they will be informed of the breach.
Upon notification of any data breach the Group will immediately assess whether any action should be taken to mitigate the risk of the same or similar breach happening again in the future.
A record of all data breaches will be kept by the HR Department, detailing the facts of the breach, its effects and the corrective action taken.
Accountability and Record-Keeping
The Group has adequate resources and controls in place to ensure and to document data protection compliance including:
• implementing Privacy by Design when processing personal data and completing Privacy Impact Assessments where processing presents a high risk to rights and freedoms of Data Subjects;
• integrating data protection into internal documents including this Data Protection Policy and Privacy Notice;
• regularly training relevant staff on the Data Protection Legislation, this Data Protection Policy, related policies and data protection matters; and
• regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
We will keep and maintain accurate corporate records reflecting our processing.
Training and Audit
We will regularly review and test all the systems and processes under our control to ensure they comply with this Data Protection Policy and check that adequate governance controls and resources are in place to ensure proper use and protection of personal data.
Automated Processing and Automated Decision-Making
Automated Decision-Making is where a decision is made based on the automatic processing of personal data which significantly affects a Data Subject. The Group does not take any decisions using automated means.
Staff who have access to personal data must comply with the Data Protection Legislation and this policy at all times.
Failure to comply with this Policy and associated procedures may result in disciplinary action up to and including summary dismissal.
The Group have developed Privacy Notices which are designed to be clear documents detailing:
- How personal data collected is processed
- For what purposes the Group will use the data
- How data is stored
- How long it is retained for
Should an individual have any questions regarding the content of a privacy notice, please contact the HR Department.
Where an individual has concerns about the way the Group has handled or is handling their personal data, or feels the Group have failed to comply with the GDPR, they should discuss this with the HR Department.
Monitoring and Review of the Policy
We reserve the right to change this policy at any time without notice to you. This policy is reviewed annually by the HR Department to ensure it is achieving its stated objectives.
Cookies that we use are:
- Tracking for Google Analytics: None of your personal data will be stored.
Appendix 1 – Retention Periods
The table below shows how long the Group will retain data for. The Data Retention periods cover, but are not limited to, the following types:

| Type of Information | Group Retention Period |
|---|---|
| Application Forms and Interview Notes (for unsuccessful candidates) | Up to 12 months |
| Personnel Files and Training Records (including holiday, working time records and general correspondence) | Six years after employment ceases |
| Conduct Paperwork | Disciplinaries: the life of the warning (6 or 12 months); Counsellings: twelve months |
| Redundancy Details (including calculations of payments, refunds and notifications to the Secretary of State) | Six years from the date of redundancy |
| Accident Books, Records and Reports | Three years from the date of the last entry. Where the information involves a child / young adult, the records will be retained until the individual reaches 21 years of age. |
| DSE Self-assessment forms | Three years from completion |
| Equipment Issue Registers (inc. PAT Tester / Proving Units) | One year after employment ceases |
| Timesheet Information | Seven years from the date created |
| Pension Scheme Payments and Information | Seven years after employment ceases |
| Benefit Scheme Information (including but not limited to DIS, Private Health, Travel Insurance, PHI) | Seven years from date activated |
| Statutory Maternity Pay, Records, Calculations, Certificates (Mat B1) or other Medical Evidence | Seven years after employment ceases |
| Income tax, NI returns and correspondence with HMRC | Rolling seven-year period after the end of the financial year to which they relate |
| Wage / Salary Records (including National Minimum Wage, Overtime, Bonus and Expenses Records) | Six years after employment ceases |
| Right to Work Checks | Six years after employment ceases |
| Health and Safety Site Records (including Risk Assessments and Method Statements) | Six months after completion of the task |
| Medical Records as specified by COSHH Regulations (including Asbestos Register) | 100 years for each entry |
| Records of Tests and Examinations of Control Systems Protective Equipment under the COSHH Regulations (lung function tests etc.) | Five years from the date the tests were carried out |
| Records relating to Children and Young Adults | Until the individual reaches 21 years of age |
| Records relating to Working Time | Six years after employment ceases |
| Consents for processing personal and special categories of personal data, where required | For as long as the data is processed and up to six years afterwards |
| Sickness records for the purposes of SSP | Seven years after employment ceases |