The Group needs to collect person-identifiable information about individuals in order to carry out its functions and fulfil its objectives. Personal data is defined as “information which relates to a living individual and from which they can be identified, either directly or indirectly”.
Personal data within the Group can include employees (past, present and prospective), clients, contractors and third parties, private and confidential information as well as sensitive information, whether in paper, electronic or other form.
Irrespective of how information is collected, recorded or processed person-identifiable information must be dealt with property to ensure compliance with the Data Protection Act (DPA) 1998 and the General Data Protection Regulations (GDPR).
The DPA & GDPR requires all companies within the Group to comply with the Data Protection Principles (please see Appendix A below) and GDPR Principles (please see Appendix B below) and to notify the Information Commissioner about the data that we hold and why we hold it. This is a formal notification and is renewed annually.
The DPA & GDPR give rights to data subjects (people that we hold information about) to access their own personal information, to have it corrected if wrong, in certain permitted circumstances to ask us to stop using it and to seek damages where we are using it improperly.
The lawful and correct treatment of person-identifiable information by the Group is paramount to the success of the companies within the group and to maintaining the confidence of its service users and employees. This policy will help the Group to ensure that all person-identifiable information is handled and processed lawfully and correctly.
What information is covered?
Personal data within the respective legislation and regulatory provisions covers “any data that can be used to identify a living individual either directly or indirectly”. Individuals can be identified by various means including but not limited to, their address, telephone number or email address. Anonymised or aggregated data is not regulated by the provisions, providing the anonymisation or aggregation of the data is irreversible.
This document defines the data protection policy for the Group. It applies to all person-identifiable information obtained and processed by the organisation and its employees.
It sets out:
- The groups policy for the protection of all person-identifiable information that is processed;
- Establishes the responsibilities and best practice for data protection;
- References the key principles of the Data Protection Act 1998 and GDPR.
The objective of this policy is to ensure the protection of the Group’s information in accordance with relevant legislation, namely:
- To ensure notification – annual notification to the Information Commissioner about the Group’s use of person-identifiable information.
- To ensure professionalism – all information is obtained, held and processed in a professional manner in accordance with the eight principles of the Data Protection Act 1998 and the provisions of the GDPR.
- To preserve security – all information is obtained, held, disclosed and disposed of in a secure manner.
- To ensure awareness – provision of appropriate training and promotion of awareness to inform all employees of their responsibilities.
- Data subject access – prompt and informed responses to subject access requests.
The policy will be reviewed periodically by the Group’s upper management team. Where review and update is necessary due to legislative changes this will be done immediately.
In accordance with the Group’s equal opportunities policy, this procedure will not discriminate, either directly or indirectly, on the ground of gender, race, colour, ethnic or national origin, sexual orientation, marital status, religion or belief, age, union membership, disability or any other personal characteristic.
Scope of this policy
This policy will ensure that person-identifiable information is processed, handled, transferred, disclosed and disposed of lawfully. Person-identifiable information should be handled in the most secure manner by authorised staff only, on a need to know basis.
The procedures cover all person identifiable information, whether electronic or paper which may relate to clients, employees, contractors and third parties about whom we hold information.
Notification of Data Held
The Group will notify all staff and customers and other relevant data subjects of the types of data held and processed by the Group concerning them, and the reasons for which it is processed. When processing for a new or different purpose is introduced, the individuals affected by that change will be informed and the Data Protection Register entry will be amended.
The Group obtains and processes person-identifiable information for a variety of different purposes, including but not limited to:
- Staff records and administrative records;
- Complaints and requests for information.
Such information may be kept in either computer or manual records. In processing such data, the Group will comply with the data protection principles within the Data Protection Act 1998.
The Group permits the company’s staff to use computers and relevant filing systems (manual records) in connection with their duties. The Group Directors have legal responsibility for the notification process and compliance of the Data Protection Act 1998 and GDPR.
The Group Directors, whilst retaining their legal responsibilities, have delegated data protection compliance to the Data Protection Manager.
Data Protection Manager’s Responsibilities
The Data Protection Manager’s responsibilities include:
- Ensuring that the policy is produced and kept up to date;
- Ensuring that the appropriate practice and procedures are adopted and followed by the Group;
- Providing advice and support to the Director’s on data protection issues within the organisation;
- Ensure that data protection notifications with the Information Commissioner is reviewed, maintained and renewed annually for all use of person-identifiable information;
- Ensure compliance with individual rights, including subject access requests;
- Acting as a central point of contact on data protection issues within the Group;
- Implementing an effective framework for the management of data protection.
Line Manager Responsibilities
All line managers across the organisation’s business units are directly responsible for:
- Ensuring their staff are made aware of this policy and any notices;
- Ensuring their staff are aware of their data protection responsibilities;
- Ensuring their staff receive suitable data protection training.
All staff shall:
- Ensure that all personal information which they provide to the Group in connection with their employment is accurate and up to date;
- Inform the Group of any changes to information, for example, changes of address;
- Check the information which the Group will make available from time to time, in written or automated form, and inform the Group of any errors or, where appropriate, follow procedures for updating entries on computer forms. The Group will not be held responsible for errors of which it has not been informed.
When staff hold or process information about customers, colleagues or other data subjects they should comply with the following:
- All personal information is kept securely;
- Personal information is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party. Unauthorised disclosure may be a disciplinary matter and may be considered gross misconduct in some cases.
All customers shall
- Ensure that all personal information which they provide to the Group is accurate and up to date;
- Inform the Group of any changes to that information, for example, changes of address;
- Check the information which the Group will make available from time to time, in written or automated form, and inform the Group of any errors. The Group will not be held responsible for errors of which it has not been informed.
Compliance with this policy will be monitored by the Data Protection Manager, together with internal audit reviews where necessary.
The Data Protection Manager is responsible for the monitoring, revision and updating of this policy document on an annual basis or sooner, should the need arise.
Rights to Access Information
Staff, customers and other data subjects in the Group have the right to access any personal data that is being kept about them either on a computer or in structured and accessible manual files. Any person may exercise this right by submitting a request in writing to the data controller.
The group aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within 28 days unless there is a good reason for the delay. In such cases, the reason for the delay will be explained in writing by the designated data controller to the data subject making the request.
In some cases, such as the handling of sensitive information, the Group is entitled to process personal data only with the consent of the individual. Agreement to the Group processing some specific classes of personal data is a condition of employment for staff.
The Group may process sensitive information about a person’ health, disabilities and a criminal conviction in pursuit of the legitimate interests of the Group. The Group may also require such information for the administration of the sick pay policy or absence policy.
The Group also asks for information about particular health needs, such as conditions such as asthma or diabetes. The Group will only use such information to protect the health and safety of the individual, for example, in the event of a medical emergency. The consent of the data subject will always be sought prior to the collection of any sensitive data as defined by the GDPR.
Retention of Data
The Group will keep different types of information for differing lengths of time, depending upon legal and operational requirements.
Reporting a Data Breach
Please refer to “Data Protection Breach” procedural flowchart.
Appendix A – Data Protection Act 1998 – Data Protection Principles
- Personal data should be processed fairly and lawfully
- Personal data should be obtained for a specified and lawful purpose and shall not be processed in any matter incompatible with the purpose;
- Personal data should be adequate, relevant and not excessive for the purpose;
- Personal data should be accurate and up to date;
- Personal data should not be kept for longer than necessary for the purpose;
- Personal data should be processed in accordance with the data subject’s rights;
- Personal data should be kept safe from unauthorised processing, and accidental loss, damage or destruction;
- Personal data should not be transferred to a country outside of the European Economic Area, unless that country has equivalent levels of protection for personal data, except in specified circumstances.
Appendix B – General Data Protection Regulations 2016 – Principles Relating to Processing of Personal Data
- Personal data shall be processed lawfully, fairly and in a transparent manner;
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Personal data shall be accurate and, where necessary, kept up to date;
- Personal data shall be kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.