This Policy aims to highlight the obligations that are imposed on the Company and its staff by UK data protection laws, including the UK Data Protection Act 2018, with respect to the processing of “personal data”. Data protection laws in the UK safeguard individuals’ rights in relation to the Organisation’s handling of their personal data. The Organisation holds the Information Commissioner’s Office (ICO) Certificate of Registration No. Z1062670.
This Policy provides Rules and Explanations on how to process personal data as part of the Company’s day-to-day business operations.
- This Policy applies to all staff, along with every Policy included in the company Information Security Management system
- It is the ADS employee’s responsibility to familiarise themselves with the Rules and Explanations set out in this Policy and any other policies referred to herein
This Policy is reviewed on a regular basis by the Organisation.
What does “Personal Data” Mean?
“Personal Data” means any data that relates to and specifically identifies a living individual. For example, personal data includes names and personal contact information (e.g. addresses, telephone numbers, e-mail addresses), recruitment details (e.g. CVs) and opinions expressed about those individuals. Within the definitions of GDPR, Personal Data is referred to as Personally Identifiable Information (PII).
All personal data stored in hard-copy format and electronic information (e.g. online applications and other electronic formats) is covered by this Policy.
Note that “Personal Data” also includes personal information held about individual staff or the Company’s clients.
Certain personal data is classed as “sensitive” and special caution is required in ensuring that adequate consent has been obtained to use this sensitive personal data.
Sensitive personal data is defined in Section 2 of this Policy.
Compliance with Data Protection Principles
RULE: ADS employees must comply with the Data Protection Principles contained in the Data Protection Act, as summarised below:
- All personal data must be obtained and processed fairly and lawfully and must not be processed except in compliance with these principles
- All personal data must be obtained for a specified and lawful purpose and must not be processed in any manner incompatible with that purpose
- All personal data collected and processed must be adequate, relevant and not excessive for that purpose
- All personal data must be accurate and kept up to date
- All personal data must not be kept for longer than is necessary for that purpose
- All personal data must be processed in accordance with the data subject’s rights
- All personal data must be kept secure from unauthorised access, accidental loss, damage or destruction
- Legal restrictions apply to the transfer of personal data to certain countries lacking adequate protection for such data. See section 8 below for more information on the cross-border transfer of personal data
If any ADS employee processes or uses personal data, or supervises staff involved in these activities, then they must ensure that they follow these principles at all times. The purpose of this Policy is to ensure compliance with these principles and to assist ADS employees in fulfilling their individual obligations.
1. Processing Personal Data
Personal data must only be processed for purposes which have been notified to the individual or which are permissible under this Policy.
The Company processes (see definition below) personal data relating to staff, clients, prospects, contractors, suppliers and agents from various national and international sources as part of the Company’s everyday legitimate operations and in order to promote its business and to comply with laws and regulations.
In order to comply with the Data Protection Act all “processing” of personal data within the Company must be lawful and any processing must be “adequate, relevant and not excessive” for the specific purposes for which the personal data was obtained.
In most respects this means that personal data must only be used if the data subject has consented to, or been made aware of, the processing for the legitimate business operations of the Organisation. Notification of the purposes for which Personal Data is collected by the Organisation is typically found in disclosures in the Organisation’s client agreements, notices through our websites, data collection forms etc.
If an ADS employee intends to carry out a new processing activity (e.g. create a new product or service) or process data for a new purpose, then they should consult with their manager to determine the data protection implications.
“Processing” is a very wide term which in practice covers any use of personal data, including:
- obtaining, recording, holding, and carrying out any operation(s) on the personal data
- organising or altering the personal data
- retrieving, disclosing or using the personal data
2. Sensitive Personal Data and Consent
ADS employees must not process or store any personal data unless absolutely necessary and only if the individual has consented.
The need to process personal data for normal business purposes is reasonably well defined by the nature of our business. In certain cases, however, an ADS employee may need to process “sensitive personal data”, and in these cases they must obtain express consent from the data subject before processing that type of data.
“Sensitive Personal Data” is any information about an individual’s physical or mental health, racial or ethnic origin, sexual life, politics, religion, trade union membership, or any information about alleged or committed criminal offences.
There are a few very limited exceptions where explicit consent is not required to process sensitive personal data (for example, monitoring of ethnic origin, sex or disability is an acceptable employment practice provided it is done in accordance with legal requirements and best practice to promote equality of opportunity). However, it will not be usual for an ADS employee to ever engage in processing sensitive data where consent is not required. Therefore remember that all ADS employees must obtain the data subject’s prior consent.
Any deviation from this Rule on sensitive personal data or the wording used to obtain consent must have the prior approval of the Data Protection Officer.
3. Holding or Retention of Personal Data
Personal data must only be retained for as long as it is relevant to the Organisation’s business or as agreed with a Client, and personal data must be kept accurate and up to date.
Any specific ADS business area may have its own data retention periods in accordance with its own specific requirements. If an ADS employee is in any doubt, they should refer to their Line Manager or the ADS Data Protection Officer for further guidance on the current requirements for their business area.
Personal data held must at all times be accurate and up to date. Periodic reviews of the information held need to be considered to ensure ongoing accuracy.
Personal data generally must only be held at authorised locations, for example within the Accurate Data Services office (or an extension thereof). Please also see Section 4 on Data Security in relation to data held on portable devices such as tablets and laptop computers.
Client data must only be stored for as long as has been agreed by the Client in order to deal with dispute resolution. Every Client contract details how long their data can be stored for once the project has been completed. If no timescale has been determined, data will only be kept for 12 months after completion of a project.
Once the period of retention has ended, any Client data should be destroyed in accordance with the ADS Data Destruction Policy.
4. Data Security
Personal data must be stored and managed securely in compliance with this Policy and the Company’s Information Systems Security Policy.
Personal data must be kept and handled securely and all staff must take precautions against physical loss or damage occurring to personal data. ADS employees must also ensure that both access to and disclosure of personal data is restricted as appropriate.
For example, personal data must be kept secure to prevent accidental loss or damage and to prevent unauthorised access or changes:
(a) Where personal data in a physical form is left unattended, then it must be secured, for example, within locked office furniture. Personal data in electronic format must be inaccessible when left unattended, for example, computers and wireless devices must be screen-locked and password protected.
(b) Files containing personal data should not be left in open view.
(c) Files containing personal data stored and processed on the Organisation’s systems must be protected by authentication systems (such as user IDs and passwords) approved by the Organisation so that only authorised persons can access them.
(d) Personal data stored on PDAs (e.g. electronic organisers such as tablets and smartphones), laptop computers and other mobile devices is subject to the provisions of this Policy, and ADS employees must ensure that personal data is removed from such storage devices and all associated copies after it is no longer required. This is particularly important where synchronisation tools are used with such devices.
Managers have the responsibility for ensuring that their staff are aware of the restrictions for accessing personal data within their business area.
Accurate Data Services Data Protection Policy – April 2021 v6
5. Data Subject’s Right To Access Information
A data subject has the right to access personal data that is being processed about him/her. If a “data subject access request” is made then an ADS employee must notify the Accurate Data Services Data Protection Officer immediately upon receiving the request.
The type of information typically requested by a data subject will be copies of e-mails between themselves and the Organisation (e.g. clients and other third parties). Where a request is made, the Organisation requires the data subject to make their request in writing specifying the personal data required.
The Organisation is not obligated to respond unless the request is made in writing, is accompanied by some form of identification (e.g. a copy of the data subject’s passport or driving licence) and a fee of £10. The fee should be paid by cheque and made payable to “Accurate Data Services Ltd”.
If a data subject access request is made, the ADS Data Protection Officer will deal with the request for disclosure of personal information relating to the data subject.
Other key points to note are:
- The Company will deal with all properly made subject access requests within the statutory timeframe (currently 40 days of the written request or receipt of the fee, whichever is the later)
- Personal data will be disclosed only to the person entitled to it.
Note that the Organisation is not under an obligation to disclose certain types of information, such as information that discloses the identity of another person, information that is used for management planning and information that is subject to legal professional privilege. This is not an exhaustive list of exceptions and the ADS employee should always refer data subject access requests to the Data Protection Officer.
6. Direct Marketing
Where the Organisation uses Personal Data for marketing, advertising or sending similar commercial information, whether by post, fax, telephone or electronic means (including e-mail and SMS) (“Direct Marketing”) the ADS employee must ensure that:
- the recipient has not already told the Organisation that they do not wish to receive such Direct Marketing materials
- upon receipt, the Direct Marketing communication is clearly identifiable as commercial in nature and the subject of the communication is immediately obvious
- each subsequent Direct Marketing communication sent to the recipient clearly sets out the recipient’s right to opt out of receiving further such marketing; and
- individual recipients must not be able to identify other recipients of the Direct Marketing communication.
In addition to the requirements above in Rule 1, where any ADS employee intends to carry out unsolicited Direct Marketing (for example, where there is no ongoing relationship with the recipient, or for marketing new products and services) (“Unsolicited Direct Marketing”) to a recipient’s private (as opposed to business) addresses (e.g. home address or telephone number etc.), that employee must obtain prior consent from that recipient before carrying out such Unsolicited Direct Marketing.
The Company must observe various legal restrictions on Direct Marketing.
When storing data containing personal information which is going to be used for any Direct Marketing, it is the responsibility of the business owner or their designate to ensure that:
- the database is capable of recording opt outs via an indicator within the database
- the database is checked against the Corporate Telephone Preference Opt Out List.
Before using personal information for any Direct Marketing purposes (solicited or unsolicited), the ADS employee must first check that the individual is not tagged as an “opt out”. The ADS employee should not contact any individual by post, telephone, fax, e-mail or SMS (whichever is relevant) if the “opt out” tag has been activated and shows that the individual has chosen not to receive Direct Marketing by the particular method of communication the employee intends to use to contact that individual.
Where a recipient notifies an ADS employee that they do not wish to be contacted for Direct Marketing purposes by a particular mode of communication (e.g. e-mail), the said employee must update the relevant database. An ADS employee can do this by activating the “opt out” tag for the particular individual and recording precise details of the individual’s wishes in respect of the specific mode of communication which they have opted out of.
IF YOU HAVE ANY QUESTIONS IN RESPECT OF THESE RULES PLEASE CONSULT THE ACCURATE DATA SERVICES DATA PROTECTION OFFICER.
7. External Data Processors
If any employee of ADS is dealing with an external data processor, the employee must satisfy themselves that any processor chosen adopts appropriate technical and organisational security measures and that such measures are managed appropriately.
External data processors are organisations or individuals that provide the Organisation with data processing services under the Organisation’s instructions (e.g. process data on behalf of the Organisation for specific purposes and services such as payroll, management of employee records, data archiving/destruction, website hosting). Personal data must not be disclosed either orally, in writing, electronically or otherwise to an unauthorised third party without a clear “need to know” reason being identified prior to disclosure or unless the disclosure is governed by an agreement which deals with data protection concerns.
The manager of the relationship with the external data processor must conduct due diligence and consider whether the processor has appropriate security measures in place before the services are engaged and personal data held by the Company is disclosed to the external processor. It is important that the Company’s security processes are followed, firstly to establish the appropriateness of the security measures adopted by the data processor, and secondly in relation to ongoing compliance thereafter. The external processor should be contractually bound to adhere to appropriate security measures.
ADS employees must consult with the Accurate Data Services Data Protection Officer if they are engaging with external data processors.
8. Cross-Border Transfer of Data
If personal data needs to be transferred to any country located outside the European Economic Area (“EEA”) or certain other countries approved by Europe (“Approved Countries”), ADS employees must ensure that, after the transfer of such data, the treatment of such personal data will be in accordance with UK data protection laws.
Guidance must be sought from the Data Protection Officer on any issue involving the cross-border transfer of personal data outside of the EEA or the Approved Countries. ‘Transfer’ of personal data would include any kind of processing of personal data (such as outsourcing data entry/validation to a third party organisation) outside of the EEA or the Approved Countries.
9. Recruitment
It is important that ADS employees always liaise closely with their Line Manager on all recruitment matters.
The recruitment process by its very nature involves the processing of personal data. ADS employees must be very careful to safeguard a candidate’s rights in the recruitment process, including advertising, short-listing, verifying information given, interviewing and offering a position.
The ADS employee’s Line Manager should be involved in all recruitment activities and will cover data protection concerns.
10. Staff Records
Accessing, disclosing, deleting or otherwise using staff records without authority is considered a serious disciplinary offence and may constitute a criminal offence.
Employees should refer to their Line Manager if they have any questions about this area.
11. Responsibilities & Contact Information
All ADS employees must observe this Policy. If you have any questions or concerns about data protection issues or any aspect of this Policy, your primary point of contact is the Accurate Data Services Data Protection Officer.
Failure to comply may subject individuals to disciplinary action by the Organisation up to and including termination of employment. In addition, conduct that is unlawful may subject individuals to civil, and in some cases, criminal liability.