Data Protection and Data Security Policy
We are bound by the General Data Protection Regulation (the Regulation) and the Data Protection Act.
Our obligations extend to any personal data that we hold relating to you. The Regulation defines ‘Personal Data’ as ‘any information relating to a data subject’. A data subject is the identifiable natural person to whom the personal data relates. In relation to these terms the data subject is you.
STATEMENT AND PURPOSE OF POLICY
- Stocks Taylor Benson (the employer) is committed to ensuring that all personal information handled by us will be processed according to legally compliant standards of data protection and data security.
The purpose of this policy is to help us achieve our data protection and data security aims by:
- Notifying our employees of the types of personal information that we may hold about them and what we do with that information;
- Ensuring employees understand our rules and the legal standards for handling personal information relating to employees and others; and
- Clarifying the responsibilities and duties of employees in respect of data protection and data security.
- This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, in our absolute discretion.
WHO IS RESPONSIBLE FOR DATA PROTECTION AND DATA SECURITY?
- Maintaining appropriate standards of data protection and data security is a collective task shared between us and you. This policy and the rules contained within it apply to all employees, irrespective of seniority, tenure and working hours, including all employees, directors, freelancers and contractors, agency staff, work experience and students.
- The Chief Executive has overall responsibility for ensuring that all personal information is handled in compliance with the law and he will have day-to-day responsibility for data processing and data security.
- All employees have personal responsibility to ensure compliance with this policy, to handle all personal information consistently with the principles set out here and to ensure that all measures are taken to protect data security. Directors and managers have special responsibility for leading by example and monitoring and enforcing compliance.
- Any breach of this policy will be taken seriously and may result in disciplinary action.
WHAT PERSONAL INFORMATION AND ACTIVITIES ARE COVERED BY THE POLICY?
This policy covers personal information:
- Which relates to a living individual who can be identified either from the information in isolation or by reading it together with other information we possess;
- In the form of statements of opinion as well as facts;
- Which relates to employees (present, past or future) or to any other individual whose personal information we handle or control;
- Which we obtain, hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.
THE TYPES OF PERSONAL INFORMATION THAT WE MAY COLLECT, STORE AND USE ABOUT YOU INCLUDE RECORDS RELATING TO YOUR:
We collect personal information about you which:
- You provide or we gather before or during your employment or engagement with us;
- Is provided by third parties, such as references or information from suppliers or another party that we do business with; or
- Is in the public domain.
The types of personal information that we may collect, store and use about you include your:
- Home address and contact details as well as contact details for your next of kin;
- Recruitment (including your CV, any reference received and details of your qualifications);
- Pay records, national insurance number and details of your taxes and any employment benefits (such as pension and health insurance, including details of any claims made);
- Any sickness absence or medical information provided;
- Religious or philosophical beliefs (e.g. special dietary or holiday requirements);
- Telephone and email contact details;
- Performance and any disciplinary matters, grievances, complaints or concerns in which you are involved.
We will use information to carry out our business, to administer your employment or engagement and to deal with any problems or concerns you may have including:
- Staff Address Lists: to compile lists of home address and contact details, to contact you outside of working hours.
- Sickness Records: to maintain a record of your sickness absence and copies of any doctors’ notes or other documents supplied to us in connection with your health, to inform your colleagues and others that you are absent through sickness, as reasonably necessary to manage your absence, to deal with unacceptably high or suspicious sickness absence, to inform reviewers for appraisal purposes of your sickness absence level, and to publish internally aggregated, anonymous details of sickness absence levels.
- Monitoring IT Systems: to monitor your use of email, internet, telephone, computer or other communications or IT resources.
- Disciplinary, Grievance or Legal Matters: in connection with any disciplinary, grievance, legal, regulatory or compliance matters or proceedings that may involve you.
- Performance Reviews: to carry out performance reviews.
- We confirm that for the purposes of Data Protection Legislation, the Employer is a data controller of the personal information in connection with your employment. This means that we determine the purpose for which, and the manner in which, your personal information is processed.
- If you consider that any information held about you is inaccurate then you should tell your line manager and, if we agree that the information is inaccurate, we will correct it. If we do not agree with the correction then we will note your comments.
We will take reasonable steps to ensure that your personal information is kept secure, as described later in this policy and in general, we will not disclose your personal information to others outside the Employer. However, we may need to disclose personal information about employees:
- For the administration of your employment and associated benefits e.g. to the providers of our pension or insurance schemes; or
- To comply with our legal obligations, assist in a criminal investigation or seek legal or professional advice in relation to employment issues, which may involve disclosure to our lawyers, accountants or auditors and to legal and regulatory authorities such as HM Revenue and Customs;
- To other parties which provide products or services to us.
- By providing your personal information to us, you consent to the use of your personal information (including any sensitive personal data) in accordance with this policy.
DATA PROTECTION PRINCIPLES
Staff whose work involves using personal data relating to employees or others must comply with this policy and with the eight legal data protection principles which require that personal information is:
- Processed fairly and lawfully: We must always have a lawful basis to process personal information. In most (but not all) cases, the person to whom the information relates (the Subject) must have given consent. The Subject must be told who controls the information (us), the purpose(s) for which we are processing the information and to whom it may be disclosed.
- Processed for limited purposes and in an appropriate way: Personal information must not be collected for one purpose and then used for another. If we want to change the way we use personal information we must first inform the Subject.
- Adequate, relevant and not excessive for the purpose.
- Accurate: Regular checks must be made to correct or destroy inaccurate information.
- Not kept longer than necessary for the purpose: Information must be destroyed or deleted when we no longer need it. For guidance on how long particular information should be kept, please refer to ‘Data Retention’ below.
- Processed in line with Subjects’ rights: Subjects have a right to request access to their personal information, prevent their personal information being used for direct-marketing, request the correction of inaccurate data and to prevent their personal information being used in a way likely to cause them or another person damage or distress.
- Secure: See further information about data security below.
- Not transferred to people or organisations situated in countries without adequate protection.
- Some personal information needs even more careful handling. This includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about criminal offences. Strict conditions apply to processing this sensitive personal information and the Subject must normally have given specific and express consent to each way in which the information is used.
- To ensure fair Processing, Personal Data will not be retained by us for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed. The length of time for which we need to retain Personal Data is set out below. This takes into account the legal and contractual requirements, both minimum and maximum, that influence the retention periods set forth in the schedule. All Personal Data will be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
Our policy for data retention is as follows:
- Past employees. [6 Years from leaving date]
- Unsuccessful job applicants direct, by email, through our website or via a third party. [12 months]
- Current employees where certain personal data becomes out of date or obsolete. [6 years]
- Stocks Taylor Benson Limited are firmly committed to complying with our Data Protection obligations. In this context, and to achieve consistency and excellence of service, we believe that it is important to have a policy setting out how we manage document retention. Our ‘Data Retention Policy’ sets out how long we will hold different categories of records and data, a copy is available by request to: firstname.lastname@example.org
- We must all protect personal information in our possession from being accessed, lost, deleted or damaged unlawfully or without proper authorisation through the use of data security measures.
Maintaining data security means making sure that:
- Only people who are authorised to use the information can access it;
- Information is accurate and suitable for the purpose for which it is processed; and
- Authorised persons can access information if they need it for authorised purposes. Personal information therefore should not be stored on individual computers but instead on our server.
- By law, we must use procedures and technology to secure personal information throughout the period that we hold or control it, from obtaining to destroying the information.
- Personal information must not be transferred to any person to process (e.g. while performing services for us or on our behalf), unless that person has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist.
Security procedures include:
- Physically securing information. Any desk or cupboard containing confidential information must be kept locked. Computers should be locked with a password or shut down when they are left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
- Controlling access to premises. Staff should report to reception if they see any person they do not recognise unaccompanied in the office.
- Telephone precautions. Particular care must be taken by employees who deal with telephone enquiries to avoid inappropriate disclosures. In particular:
- The identity of any telephone caller must be verified before any personal information is disclosed;
- If the caller’s identity cannot be verified satisfactorily then they should be asked to put their query in writing;
- Do not allow callers to bully you into disclosing information. In case of any problems or uncertainty, contact the Data Protection Officer.
- Methods of disposal. Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.
SUBJECT ACCESS REQUESTS (SARs)
- By law, any Subject (including employees) may make a formal request for information that we hold about them, provided that certain conditions are met. The request must be made in writing. In some circumstances it may not be possible to release the information about the Subject e.g. if it contains personal data about another person.
- Any employee who receives a written request should forward it to the Data Protection Officer immediately.
DATA PORTABILITY RIGHT
The right to Data Portability is distinct from the right to access personal data. Your rights to data portability include the right to:
- Receive a copy of your personal data from us as the Data Controller in a commonly used and machine readable format and store it for further personal use on a private device.
- Transmit the personal data to another Data Controller.
- Have your personal data transmitted directly from one Data Controller (i.e. us) to another where this is technically possible.
BREACH NOTIFICATION RIGHT
When a personal data breach is likely to result in a high risk to your rights we must notify you of the security breach without undue delay.
If we notify you of a personal data breach then we will do so in clear and plain language and include at least the following information:
- Name and contact details of the Data Protection Officer or other contact person within our organisation.
- The security breach’s likely consequences.
- The measures taken to address the security breach including measures to mitigate potential adverse effects.
STEPS WE WILL TAKE AS DATA CONTROLLER TO HELP YOU EXERCISE YOUR DATA SUBJECT RIGHTS
To help satisfy the obligations imposed on us under the Regulation and to help you to exercise your data subject rights, we will take the following steps, including but not limited to:
- Implement internal procedures and protocols to help the exercise of your rights.
- Review and revise privacy notices to ensure they comply with the Regulation and our obligations.
- Implement internal procedures and protocols for handling and responding to data subject requests in a timely and appropriate manner.
- Implement authentication procedures to verify the identity of data subjects making access or other requests.
- Develop template response letters and forms to collect additional information where necessary for preparing data subject request responses.
- Create an inventory or log for recording data subject requests and for tracking responses.
- Develop interoperable formats and other means that allow data portability.
- Our policies, processes and systems for responding to any data subject access request, rectification, erasure, restriction of or objection to processing, or data portability request from you as an employee exclude privileged information, confidential references given by us as an employer, and data relating to another individual where that individual has not consented and it is not reasonable to disclose that information without consent.