G.D.P.R. Data Protection Policy
1. DATA PROTECTION POLICY
1.1 Employee data
This is our Policy and statement of the purposes for which we hold and process personal data about our employees and others who work for us in accordance with our statutory obligations including the EU General Data Protection Regulation ("GDPR").
"data" means information which is stored either:
(a) electronically (whether on a computer, a removable drive or any other electronic device); or
(b) in a paper based filing system which is structured and can be browsed by criteria, regardless of whether that filing system is dispersed across multiple locations;
“data controller” means a person (whether an individual or a corporate body) which determines the purposes for which, and the manner in which, any personal data is processed;
“data processor” means a person who processes personal data on behalf of a data controller, and does not in any way determine how or why data is processed;
“data subject” means a living individual to whom personal data relates. A data subject need not be a UK national or resident;
"ICO" means the Information Commissioner’s Office, the UK regulator for data protection law;
“personal data” (sometimes known as ‘personal information’) means information relating to an individual who can be identified (directly or indirectly) from that information;
"processing" means obtaining, recording, organising, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it;
“sensitive personal data” (sometimes known as ‘special categories’ of personal data) means personal information about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs (or beliefs of a similar nature) or membership of a trade union; genetic data, or biometric data for the purpose of uniquely identifying the relevant person; and information concerning an individual’s physical health, mental health, sex life or sexual orientation.
“security breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1.2.1 The Company acts as a data controller, which means that during the course of our activities we will collect, hold and process information consisting of personal data, including sensitive personal data, about all our employees, applicants for employment, self-employed contractors, agency workers and others who work for us. The information, which may be held on paper, within computer files or on other media, is subject to certain legal safeguards in accordance with GDPR and UK domestic legislation.
1.2.2 This policy sets out how we comply with our data protection obligations and seeks to protect personal information relating to our workplace. Its purpose is also to ensure that staff understand and comply with the rules governing the collection, use and deletion of personal information to which they may have access in the course of their work. It does not form part of your employment contract and we may update it at any time. It applies to all employees. In addition, we expect all agency staff, contractors, consultants and any other individual working for us to observe it.
1.2.3 We are committed to complying with our data protection obligations, and to being concise, clear and transparent about how we obtain and use personal information relating to our workforce, and how (and when) we delete that information once it is no longer required.
1.2.4 The Company’s data protection officer, [Reg Lawton], is responsible for informing and advising the Company and its staff on its data protection obligations, and for monitoring compliance with those obligations and with the Company’s policies. If you have any questions or comments about the content of this policy or if you need further information, you should contact the data protection officer [Mobile 07885 965195 or email: Reglawton@saddlerscourtmfg.com]
1.2.5 Staff should refer to the Company’s [data protection privacy notice] and, where appropriate, to its other relevant policies including in relation to [internet, email and communications, monitoring and social media], which contain further information regarding the protection of personal information in those contexts.
1.3 Data Protection Principles
1.3.1 Anyone processing personal data must comply with six data protection principles. These are that personal data must be:
(a) Processed lawfully, fairly and in a transparent manner. This includes a requirement to:
(i) have a “legal basis” for processing personal data (see below);
(ii) be transparent with data subjects, providing them with specific information about the processing to be carried out before it is carried out; and
(iii) give data subjects certain rights in relation to their personal data.
(b) When processing personal data, we must:
(i) not use personal data in a way that would have an unjustified adverse effect on the individual;
(ii) only handle people’s personal data in ways they would reasonably expect; and
(iii) not do anything unlawful with a person’s personal data.
(c) Collected for a specific, explicit and legitimate purpose, and not further processed in a manner that is incompatible with those purposes.
(d) Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected, or for any other purposes specifically permitted by GDPR or other relevant legislation.
(e) This means that personal data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose, or there is a new purpose, for which the data is processed, the data subject must be informed of the changed or new purpose before any processing occurs, and you must only use personal data for that changed or new purpose if it is compatible with the existing purpose.
1.3.2 Adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
Personal data should only be collected to the extent that it is required for the specific purpose notified to the data subject. Any data which is not necessary for that purpose should not be collected in the first place.
1.3.3 If personal data later becomes excessive in relation to the purpose, it will need to be deleted unless there is another purpose (and associated legal basis) for keeping it.
1.3.4 Kept accurate and, where necessary, kept up to date.
Personal data must be accurate and kept up to date. Personal data which is incorrect or misleading is not accurate, and steps should therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards.
1.3.5 Inaccurate or out of date data that cannot be rectified should be destroyed.
1.3.6 Kept for no longer than is necessary for the purposes for which it is processed.
Personal data should not be kept longer than is necessary for the purpose. Data should be destroyed or erased from our systems when it is no longer required for the purpose(s) originally notified to the data subject.
1.3.7 Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
1.3.8 We must maintain the security of all personal data from the point of collection to the point of destruction. Personal data may only be transferred to a third party data processor if they agree to comply with our procedures and policies, or if they put in place adequate measures to ensure data security.
1.3.9 Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
(a) confidentiality means that only people who are authorised to use the data can access it;
(b) integrity means that personal data should be accurate and suitable for the purpose for which it is processed; and
(c) availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our central IT system instead of in individual local files.
1.3.10 Security procedures include:
(a) entry controls. Any stranger seen in entry controlled areas should be reported;
(b) secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind (personal data is always considered confidential);
(c) methods of disposal. Paper documents should be shredded. Disks, USB sticks and CD ROMs should be physically destroyed using appropriate destruction methods when they are no longer required; and
(d) all staff should ensure that individual monitors do not show confidential information to passers by, and that they log off from their computer when it is left unattended.
1.4 Legal basis for processing
1.4.1 Personal data must be processed lawfully, fairly and in a transparent manner.
1.4.2 Under GDPR you must have a “legal basis” for processing. One such legal basis must apply to our processing of personal data for it to be lawful.
1.4.3 The GDPR allows processing for specific purposes, some of which are set out below:
(a) the data subject has given his or her consent;
(b) the processing is necessary for the performance of a contract with the data subject;
(c) to meet our legal compliance obligations;
(d) to protect the data subject’s vital interests;
(e) where the task is carried out in the public interest or in the exercise of official authority;
(f) except where we are a public authority performing our tasks, to pursue our legitimate interests, provided those interests are not overridden by the interests or fundamental rights and freedoms of the data subjects. The purposes for which we process personal data for legitimate interests need to be set out in applicable Privacy Statements/Notices or Fair Processing Notices.
1.4.4 If processing sensitive personal data, more stringent rules apply. These include:
(a) the data subject has explicitly consented to processing for a specific purpose (explicit consent being a clear statement in words, rather than by action);
(b) the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Company or of the data subject in the field of employment and social security and social protection law, in so far as it is authorised by EU or UK law;
(c) the processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) the processing relates to personal data which are manifestly made public by the data subject;
(e) the processing is necessary for the establishment, exercise or defence of legal claims; and
(f) the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of EU or UK law or pursuant to a contract with a health professional, and subject to certain conditions and safeguards.
1.5 Data subject’s rights and requests
1.5.1 Data subjects have rights when it comes to how we handle their personal data. These include:
(a) a right to receive a copy of their personal data which the Company holds; and
(b) details of:
(i) the purpose for processing;
(ii) the categories of data processed;
(iii) any recipients (or categories of recipients) to whom the personal data has been disclosed;
(iv) the envisaged period for processing;
(v) the existence of the right to request rectification or erasure;
(vi) the source of the information (if not from the data subject themselves);
(vii) any automated decision making, including meaningful information about the logic involved, and the significance and envisaged consequences of such decisions; and
(viii) the safeguards put in place if the personal data has been transferred outside the European Economic Area;
1.5.2 The right to complain to the ICO.
1.5.3 The right, in limited circumstances, to receive their personal data, or to ask for it to be transferred to a third party, in a structured, commonly used and machine readable format.
1.5.4 You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing personal data without proper authorisation).
1.5.5 You must immediately forward any data subject request you receive to your Manager OR [the Managing Director].
1.5.6 Right to rectification
We must rectify any inaccurate information held by us at the request of the data subject. This includes having incomplete personal data completed. This does not affect our primary obligation to keep personal data accurate and up-to-date.
1.5.7 Right to erasure
We must erase personal data at the request of the data subject, but only in limited circumstances, namely where:
(a) the personal data is no longer necessary for the purpose for which it was processed;
(b) we originally relied on consent, that consent is withdrawn and we have no other legal basis for processing;
(c) the personal data is unlawfully processed; or
(d) the personal data has to be erased for compliance with a legal obligation to which we are subject.
1.5.8 Right to restriction of processing
We must restrict (i.e. limit the scope of) our processing at the request of the data subject where:
(a) the accuracy of the personal data is contested by the data subject, but only for a period enabling us to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
(c) we no longer need the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims; or
(d) the data subject has objected to processing pursuant to the right to object to legitimate interests processing (see below), but only pending the verification of whether our legitimate grounds override those of the data subject (if they do not, we would then have to permanently restrict processing).
1.6 Retention of Data
The categories of information which we will hold and the minimum time for which we will normally hold it will be as follows:
Category of information - Minimum retention period
Application Form - Duration of Employment
References received - Duration of Employment
Payroll and tax information - 6 years
Sickness records - 3 years
Absence records - 3 years
Annual leave records - 1 year from end of employment
Unpaid leave/special leave records - 1 year from end of employment
Annual appraisal/assessment records - 5 years
Records relating to promotion, transfer, training, disciplinary matters - 1 year from end of employment
Summary of record of service e.g. name, position held, date of employment - 10 years from end of employment
Records relating to accident or injury at work - 12 years
1.7 The purpose for which we hold any information about data subjects after the end of employment (as indicated in the above table) is for use solely for any residual employment related matters including but not limited to the provision of job references, processing applications for re-employment, matters relating to retirement benefits and allowing us to fulfil contractual or statutory obligations.
1.8.1 Providing a reference involves the disclosure of personal data of the individual who is the subject of the reference. So that we can ensure we protect our employees’ data, no references (whether to prospective employers or other institutions) should be given on behalf of the Company without prior authorisation from the Managing Director [or another Director].
1.8.2 This Policy does not prevent any employee from giving a reference in a personal capacity, but employees should make clear that such references are personal and not on behalf of the Company and, if the reference is given on paper, that the Company’s name, address and logo do not appear on the paper.
1.8.3 It is our policy to provide copies of references given by us to the individual who is the subject of the reference if they request a copy.
1.9 Reporting a Personal Data Breach
1.9.1 We may be required to report personal data breaches to the ICO and, in certain instances, to the data subject.
1.9.2 If you know or suspect that a personal data breach has occurred, do not attempt to investigate the matter yourself. Immediately contact your Manager OR [the Managing Director]. You should preserve all evidence relating to the potential breach.