POLICY OVERVIEW


Purpose

In the course of carrying out its business, the Company collects, stores and uses a large amount of information relating to individuals.  The collection and use of this information is regulated by the UK Data Protection Act 1998 and by various other data privacy laws and regulations.  These laws and regulations impose a number of restrictions and controls on the manner in which the Company can process personal data.  They also grant a number of rights to the individuals whose information is processed by the Company.

This policy aims to serve as a guide to employees and contractors with brief details about the Data Protection Act and its implications for the Company. It is also intended to provide employees with basic information on the impact of the Act on their daily business, to enable them to use personal data in a way that does not put the company in breach of the Act. 

If the Company fails to comply with the Data Protection Act then this could have serious consequences for its reputation or business.  In extreme cases it could be found to have committed a criminal offence. 

This document is only a summary of the Act and the Company Data Protection Policy.  You should familiarise yourself with the full Act if appropriate.

Scope

This policy applies to all employees and also extends to consultants and subcontractors.

Data Controllers

  • Data Controllers are those employees who have access to personal data, and who have responsibility for ensuring its accuracy and that it is kept secure.
  • The Act places obligations on Data Controllers.  This will be the case whether the Company collects the personal data directly from the data subjects itself, or whether it collects the personal data from another source. 

Data Subjects

  • A data subject is anyone about whom personal data is held. This is typically employee information, but it extends to consultants and also includes customers, suppliers, shareholders, job applicants and former employees.

Procedure/Definition

The Act covers the processing of personal data by data controllers.

The definition of processing in the Act is very wide and, generally, will cover all conceivable activities in relation to personal data.  Processing therefore includes:

  • obtaining, recording, consulting or holding personal data;
  • carrying out any operation or set of operations on personal data including:
    • organisation, adaptation or alteration;
    • retrieval, consultation or use;
    • disclosure (by transmission, dissemination or otherwise making available); or
    • alignment, combination, blocking, erasure or destruction.

However, this list is not exhaustive and therefore other forms of processing are possible.


Personal Data

The Act only applies to “personal data”, and not to every piece of information held by the Company.

Personal data does not need to be factual or numerical and will include any expression of opinion about an individual and any indication of intention about an individual (whether by the Company or a third party).  Employment references and documents in relation to dismissal or promotion prospects or eligibility for sickness benefits will therefore all fall within the scope of the Act.

Information on deceased persons or companies will not be personal data but should still be treated with sensitivity. Information about individual contacts at companies will be personal data.

Manual Records

The Act applies to information held on paper-based files, microfiches, computerised systems, other portable electronic devices, or to any other manual personal data which is structured in such a way that specific information relating to a particular individual is readily accessible.  In summary therefore, you should assume that all computerised and paper-based data is covered by the Act, unless the paper-based data is so un-structured that information relating to an individual is difficult to retrieve (e.g. a disorganised pile of papers).

Sensitive Personal Data

Certain types of personal data are classed as sensitive personal data (i.e. information relating to a person’s racial origin, political opinions, physical and mental health etc.). All of the general compliance requirements in the Act apply to sensitive personal data in the same way as they apply to non-sensitive personal data.  However, the conditions which must be satisfied before sensitive personal data can be processed are stricter.

What are the rights of Data Subjects?

Data Subjects are granted various rights under the Act.  Those which are relevant to the business include:

  • a right of access to personal data by written request;
  • a right to prevent processing likely to cause damage or distress; and
  • a right to prevent processing for purposes of direct marketing.

More detail on some of these rights is set out below.  Generally, if you receive a notification from any person that they wish to exercise any right under the Act, you should contact their manager in the first instance.

Dealing with Subject Access Requests

Individuals are entitled to request detailed information regarding the personal data held about them by the Company, together with copies of that data. 

In order to comply with this obligation in a systematic manner, the Data Controller will be responsible for responding to all subject access requests and for collating all personal data held in relation to an individual by the Company.

If you receive any request from an individual (whether an employee of the Company or a third party) to have access to or copies of your data you should:

  • not respond directly to the individual concerned, other than to thank them for their request and to confirm that their request is being dealt with.  In particular you should not provide them with any copies of personnel files or other personal data; and
  • forward the request (together with all information in your possession as to the nature and circumstances of the request e.g. the date it was made) to the Data Controller.  The Act requires a response within 40 days of receipt of the request and they should therefore be forwarded to the Managing Director immediately.

If you receive any requests from the Data Controller or your manager for copies of personal data in your possession or control relating to an individual (whether or not you received a subject access request directly from that individual) you should respond promptly to the Managing Director with a description of:

  • any personal data which you hold relating to the individual concerned;
  • the purposes for which you are processing that data; and
  • the recipients to whom you may disclose that data.

You should also provide the Managing Director with:

  • copies of the personal data which you hold in relation to the individual concerned; and
  • any information in your possession as to the source of the data.

Please note that the definition of personal data is very wide and your response should encompass all personal data relating to the relevant individual in your possession or control.  It should include emails and data in electronic databases as well as paper based files.

Security of Information

Access to personnel information is strictly controlled and limited to those who are entitled to see it as part of their duties.   The Company regards security of information as an extremely important issue and you should note the following:

  • It is a criminal offence and will be a disciplinary matter if you obtain, pass on or disclose personal data unlawfully to a third party
  • Computer print outs and other paper records should not be put in a general waste bin but should be disposed of properly by shredding
  • The Company’s computer systems security procedures should be followed
  • Computer discs, memory sticks, other portable electronic devices and paper records should be secured properly at all times
  • Data on computers, discs, memory sticks, other portable electronic devices and in paper records should be maintained as accurately and securely as possible
  • Any rules, procedures or instructions which the Company may issue from time to time to ensure the security of information processed by the Company should be observed

Steps to Take to Ensure Compliance

In order to ensure that the Company is not in breach of its obligations under the Act, you should observe the guidelines set out below.

Consider each of the separate tasks and activities which comprise your job.  Identify which of these involve the processing of personal data and sensitive personal data.

Notify the Data Controller if you intend, or have started, to process personal data in a different way, or for different purposes to that carried on previously.  This will enable the Data Controller to make the necessary changes to the Company’s data protection registration. 

Ensure that personal data is being held and used in accordance with the data protection principles. 

You should ensure that personal data is processed fairly and lawfully.  In particular, personal data should only be used in connection with and to the extent necessary for the purposes of your employment. 

Where possible, you should obtain consent from the individual that the personal data relates to before the personal data is collected or used.  Employment application forms, pension application forms and other forms used to collect data should therefore include suitable data protection consents, where appropriate. 

When you collect or otherwise process personal data you should, where practicable, make sure that the individual concerned knows that the Company will be processing this data and what purposes the data will be processed for.  You should also ensure that the individual is provided with any additional information that may be necessary to ensure that the Company’s processing of their data is fair.  Where possible, this information should be provided as a standard notification in the form used to collect the data, as described above. 

You should only disclose personal data to a third party where this is necessary in the course of your employment.  When you disclose personal data to a third party, you should consider whether the data subject(s) concerned should be informed that the disclosure may be made. 

Where you have been requested to disclose personal data to a third party and such disclosure is not a routine part of your business (e.g. disclosures to the police, to the press or to mortgage providers for reference purposes), you should forward this request to the Data Controller before making such disclosure as in some cases it will be necessary to obtain the consent of the individual concerned. 

You should generally not seek to collect sensitive personal data. 

The Company may, however, collect such data where this is necessary for the purposes of employment, e.g. where necessary in connection with recruitment or HR administration. 

You should only collect personal data for a definite purpose and should not use the data for any other purposes, unless the individual(s) concerned are notified of this.  In particular, you should not collect personal data simply because it may become useful in the future. 

You should not collect personal data which is excessive having regard to the purposes for which it will be used.  Irrelevant data should not be collected.

You should ensure that any personal data which you collect and use is kept accurate and up to date.  

If a data subject notifies the Company that their personal data is inaccurate then this may be amended if it is agreed that the data is inaccurate.  If it is not agreed that the data is inaccurate then it should be left un-amended but a note of the data subject's views should be included with the data.

You should observe any relevant data retention policies and procedures in place in your area of work to ensure that personal data is deleted after a reasonable time.  If there are no such policies and procedures in place then you should delete personal data once it is no longer required for the purpose for which it was originally collected. 

The Company provides appropriate organisational, physical and technical security arrangements in relation to all of the personal data held on employees, and where employees hold additional personal information they should also ensure that appropriate levels of security are in place.

The level of security used should be appropriate to the nature of the data and the harm that could result if it is used in an unauthorised manner.  For example, employees should ensure that:

  • Paper files are stored in locked cabinets;
  • Computer printouts are not put in a waste paper bin but are correctly disposed of by shredding;
  • Computer passwords are not disclosed to anybody other than the relevant authorised user;
  • Computer discs, memory sticks and other portable electronic devices are secured properly when not in use; and
  • All security procedures set out in the Company’s Computer Usage, Email and Internet policies, and in any other relevant policies or guidelines, are followed.

In general, you should not transfer personal data to any country outside the European Economic Area.  Such transfers may be permitted in certain circumstances, however, and you should contact the Managing Director where you need to make such transfers.

Individuals are granted various rights in relation to their data under the Act.  To ensure that the Company processes data in accordance with these rights it is essential that you notify the Data Controller or your Manager if you receive any query, request or complaint from any individual in relation to their data. 

In particular, you should contact the Data Controller or your Manager if you receive a request from an individual to be provided with copies of the data which the Company holds about them.  You should also contact the Data Controller or your Manager if you receive a notification or become aware that any personal data held by the Company may be inaccurate.

Whenever you record or use personal data (e.g. emails, computer files, performance reviews, personal rolodexes and contact lists, etc.), you should be aware that the material contained within these records might have to be disclosed to the individuals to whom it relates if a subject access request is made.  You should therefore ensure that the information is recorded in a business-like manner and does not include comments that could be considered offensive or inappropriate.

Non-Compliance

Where individuals are deemed not to have complied with the principles of the Data Protection Act and the guidance outlined above, they may be subject to formal procedures instigated under the Disciplinary Policy.

Where to find further information

If you require further information on this policy or procedure then please speak with your Manager in the first instance.

Policy Owner

This policy is owned and maintained by the Company Secretary.