As a business, and as an employer, it is necessary for us to collect, store and process personal data about our customers, suppliers, employees, workers, contractors and sub-contractors, and other third parties whom we engage to provide services for us or with whom we do business.
With the introduction of the General Data Protection Regulation 2016 (GDPR) the way personal data is kept and used by businesses has come under much greater scrutiny. This policy is therefore very important to us and sets out how we will process personal data we collect or receive from data subjects and third parties.
This policy will help all of us to comply with our legal obligations and enable individuals about whom we hold personal data to have confidence in us. It is important that you read this policy carefully to ensure you comply with it. This policy does not form part of your contract of employment and may be amended at any time.
Any questions about the operation of this policy, or any concerns that the policy has not been followed, should be referred in the first instance to Colin Southey, Group Finance Director & Data Controller.
There is likely to be a lot of data protection terminology with which you may be unfamiliar, and which has a specific meaning under data protection legislation. The terms that are used most frequently include:
Personal data means data relating to a “data subject” (explained below) who can be identified (directly or indirectly) from that data (or from that data and other information in our possession or available to us). Personal data can be factual (e.g. a name, address or date of birth) or it can be an opinion about the data subject, their actions and behaviour. It can also include an identification number, a physical image of you (e.g. from a CCTV camera), location data (such as data from one of the vehicle trackers we use), an online identifier or one or more factors specific to the physical, physiological, genetic (e.g. DNA or RNA), mental, economic, cultural or social status of that individual.
Data controller is a term used to describe the people who, or organisations which, determine the purpose and manner for which any personal data is processed. We are the data controller of all personal data used in our business for our own commercial purposes.
Data subject means a living, identified or identifiable individual about whom we hold personal data.
Data users are those of our employees whose work involves processing personal data. Data users must protect the data they handle in accordance with this policy and any applicable data security procedures.
Data processors means any person or organisation that processes personal data on our behalf and on our instruction. Employees of data controllers are excluded from this definition, but it could include suppliers who handle personal data on our behalf.
Processing is a term used to describe what we do with the personal data. It applies to most activities that might be undertaken in respect of the data, such as: collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, disclosing by transmission, dissemination or otherwise making it available, aligning or combining, restricting its use, erasing or destroying it. Processing also includes transferring (or disclosing) personal data to third parties.
Special categories of personal data is a term used to describe sensitive personal data such as information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, genetic data and biometric data (where processed to uniquely identify a person), or information about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Special categories of personal data can only be processed under strict conditions.
As a data controller, we are responsible for establishing practices and policies in line with the GDPR and any other laws governing data protection. It is important that we not only say that we comply with data protection laws, but that we are also able to demonstrate compliance. We do this principally by:
Any personal data that we process must:
The GDPR is not intended to prevent the processing of personal data; rather, the GDPR aims to ensure that it is done lawfully and transparently, minimising any adverse effect on the rights of the data subject.
For personal data to be processed lawfully, it must be processed for one of the specific reasons set out in the GDPR.
The following are some of the bases upon which we will rely as a business to process personal data.
Where processing is necessary:
In addition to the bases set out above, we can also process a data subject’s personal data where they have given consent to the processing for one or more specified purposes, provided that the consent is a freely given, specific, informed and unambiguous indication of the data subject’s wishes. A data subject will have the right to withdraw any consent given.
For special categories of personal data to be processed lawfully, additional conditions must be met, over and above satisfying one of the above bases for processing personal data. Legitimate bases for processing special categories of personal data include that:
We maintain a central record of what personal data we collect and why we collect it. We will only process personal data for the specific purposes set out in the central record or for any other purposes specifically permitted by the GDPR. We will notify those purposes to the data subject when we first collect the data from them or as soon as possible thereafter.
We will only process personal data to the extent required for the purposes notified to the data subject. This means that we should not ask for, or record on our systems, more personal data than we need. We will use appropriate technical and organisational measures to ensure that personal data that we no longer need is erased/destroyed.
We will do our best to ensure that any personal data we hold is accurate and kept up to date. We aim to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. It is therefore important that you keep us up to date with any changes to your own personal details that we hold on you as an employee.
We will take all reasonable steps to erase/destroy or amend inaccurate or out-of-date data without undue delay, and in any event within one month of the data subject’s request (or two months where there are specific reasons why that is not possible).
When we process personal data, we will do our best to ensure that it remains secure and is protected against unauthorised or unlawful processing and accidental loss, destruction or damage.
We will do this by:
In assessing the appropriate level of security, we shall take into account the risks associated with the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data that we process.
Desks and cupboards should be kept locked if they hold personal data or confidential information of any kind. Data users must ensure that individual monitors/screens do not show personal data or confidential information to passers-by and that they log off from or lock their computer/tablet when it is left unattended.
Whenever we transfer personal data or confidential information outside our own systems or offices (for example when information is taken off site by employees to attend other sites, visit customers or for home working) there is a risk that the personal data or confidential information may be lost, misappropriated, or accidentally released.
Steps should be taken to minimise the risk of theft, loss, destruction, damage or unauthorised use of personal data or other confidential information when data is transferred. Such steps could include:
You should have permission from your manager before taking personal data off site. It must also be brought back and securely stored at the earliest opportunity.
It is very important that we are alive to the risks of personal data breaches, and that we react quickly to an apparent breach.
A personal data breach may not be evident straightaway. However, there may be indicators of a personal data breach, system compromise, unauthorised activity, or signs of misuse. A personal data breach can happen in many ways, including:
As soon as you become aware of any personal data breach, or have any reason to suspect that a personal data breach has occurred or is about to occur (for whatever reason), you should contact our data protection contact immediately or, if they are not available, your line manager.
Paper records that contain personal data must be shredded and disposed of securely when there is no longer a need to retain them. Paper records containing personal data must not be disposed of in any other way.
For electronically stored data, there is a significant difference between deleting personal data irretrievably, archiving it in a structured, retrievable manner, or moving it as unordered data to an electronic wastebasket. Personal data that is archived, for example, is subject to the same data protection rules as ‘live’ personal data.
When deleting electronic data, all possible steps should be taken to put the data in question beyond use. Where it is impossible to delete data from the electronic ether altogether, all reasonable steps should be taken to ensure that it is deleted to the fullest extent possible.
The IT Team will be responsible for destroying electronic equipment that contains personal data (e.g. laptops and desktops) securely.
We may transfer any personal data we hold to a country outside the European Economic Area (“EEA”) where there is an adequate level of protection in that country or where we have put appropriate terms and/or measures in place with the recipient of the data to ensure protection. Otherwise, we may transfer any personal data we hold to a country outside the EEA if one of the following conditions applies:
For each transfer of data outside the EEA, we will record which of the conditions we are relying on.
If we need to use third parties to process personal data on our behalf, we will require those third parties to provide us with sufficient guarantees that they have appropriate technical and organisational measures in place to comply with the GDPR and to ensure the protection of the rights of the data subjects.
We are required to provide information to data subjects about our processing of their personal data. This information is contained in our Privacy Notices. The Privacy Notice applicable to employees is available on the intranet. Such notices will provide information about:
If we receive personal data about a data subject from a third party, we will in addition provide the data subject with information on:
If we process personal data, the data subjects will have the right to:
If a data subject exercises these rights and we have disclosed the personal data in question to a third party, we will do our best to ensure that the third party complies with the wishes of the data subject.
Data subjects who wish to request information about the personal data we hold about them must do so in writing. If you receive such a request (whether in paper form or in an email or other electronic format) you should forward it to our data protection contact immediately.
In the event of a personal data breach, we must take quick action to minimise the impact of the breach and, in certain circumstances, must report the breach within 72 hours of it occurring. Therefore, if you become aware of any personal data breach or are unsure if a personal data breach has occurred, whether by you or someone else, you should contact our data protection contact immediately or, if they are not available, notify your line manager (see [1.9] above).
Once a personal data breach or a potential personal data breach has been reported, our data protection contact will be responsible for responding to the data breach. In most cases this will involve: