Cityscape at night, Data transfer

Data protection, privacy and information assurance

2. Introduction

This document sets out the Company’s policy for the management of data, to comply with legislation and to ensure it is handled in accordance with our clients and employees’ expectations to protect it. It includes both personal data and commercial data.

3. Relevant Legislation

The creation, storage, transmission and destruction of all data will be managed in accordance with
relevant legislation, notably, for personal data, the General Data Protection Regulation (GDPR), as
incorporated into UK legislation by the Data Protection Act 2018.

4. Definitions

Many of the definitions used in this policy mirror the same terms as those used in the GDPR and in
guidance produced by the Information Commissioner’s Office (ICO).
However, their use throughout the policy should not be interpreted as being an exact reflection of
the requirements of the Regulation. 

4.1 Data
Data is any information that is:

4.2 Personal Data
Personal data is any information relating to a living person who can be identified from the data. It
also includes any expression of opinion about the person.
Personal data also includes information about a person which is anonymous, but if put together
with other data would identify them.

4.3 Commercial Data
Commercial data is any information about a company (normally provided by a client) that is not
readily available already in the public domain. Examples include:

  • Organisation charts
  • Business processes and procedures
  • Pricing information (for bids)
  • Staff profiles (which could also be covered by personal data).

4.4 Publicly Available Data
Publicly available data is any information that is readily available in the public domain. Examples

  • Company names
  • Company registration numbers
  • Published accounts.

4.5 Sensitive Personal Data
Sensitive Personal Data is any information about an individual’s:

  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs or other beliefs of a similar nature
  • Membership of a trade union
  • Physical or mental health or condition
  • Sexual preferences
  • Criminal record – or investigations into alleged crimes or pending court hearings.

4.6 Processing Data
Processing is the way in which we obtain, record, hold, transmit, and destroy data.
In most instances, the Company will process data on behalf of clients.

4.7 Data Controller
The Data Controller is the company or individual who decides the purposes for which personal
data is to be processed.

In most instances, our clients are the Data Controller – they provide us with personal information
(e.g. on a CV) for us to process on their behalf by preparing a bid.

4.8 Data Processor
Any person who processes data.

In most instances, the Company will be the Data Processor – we receive information (e.g. a CV)
from clients and process it on their behalf to prepare a bid.

An external firm of printers will also be Data Processors where we pass personal data given to us
by clients for them to print (e.g. where a bid needs to be submitted in hard copy).

4.9 Destruction
The permanent deletion of all electronic records from equipment owned or used by the company
(including all electronic storage devices such as memory sticks); and cloud-based storage.
Shredding of printed material by a cross-cut shredding machine before being recycled or

4.10 Recipient
Any person who receives data, including employees.

4.11 Third Parties
Any person or organisation other than:

  • The data subject (e.g. the person named in a CV)
  • The data controller (the client providing us with the data)
  • The company.

5. Registration with the Information Commissioner’s Office

As a company that stores, processes and shares personal data, we have a legal duty to be
registered with the Information Commissioner’s Office.
Our registration is renewed annually.
Our registration number is displayed on our website and a copy of our certificate is available on our
intranet site.
The Company Secretary is responsible for ensuring the Company complies with registration
requirements, payment of the annual fee, and ensuring we have an up to date certificate.

6. Data Protection principles

The Company will comply with the following principles when processing data. They reflect the
principles laid out in Article 5 of the GDPR:

6.1 Data will be processed lawfully, fairly and in a transparent manner in relation to
To comply, we will:

  • Only process data that is necessary for the operation of our business, and where the law permits us to do so
  • Determine the basis on which we are processing the data:
    • Consent – the individual has given us permission to process their data (e.g. persons making
      enquiries via our website)
    • Contract – processing is necessary to comply with a contract we have with the client
    • Legal obligation – we are obliged by law to process the data (e.g. for taxation purposes)
  • Tell people (or their employer) where we hold and process their data:
    • What we are holding
    • Why we are holding it
    • How we may process it
    • Who we may share it with
    • The basis for sharing it
  • Advise clients to notify their staff whose personal data we are processing and storing
  • Be clear on our website how we process personal data provided to us (e.g. by publishing this
  • Disclose to individuals who make a request:
    • Whether we are holding data about them
    • What data we are holding
    • How we process it
    • Who we may have shared it with
    • The basis for having shared it.

6.2 Data will only be collected for specific, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes
To comply we will:

  • Only collect and use personal data that is required for the legitimate operation of our business
    (e.g. for the preparation of a bid that requires disclosure of personal data, for the administration
    of pay-roll and expenses)
  • Only share data with third parties where:
    • We are required by law or the Courts to do so (e.g. with HM Revenue and Customs)
    • It is required for the legitimate operation of our business (e.g. our accountants for the
      preparation of pay roll)
    • We have express permission to do so (e.g. from a client to submit a bid that contains
      personal data).

6.3 Data must be adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed
To comply we will:

  • Only collect the minimum amount of data to allow for the legitimate operation of our business
  • Maintain a Data Register of the types of personal data we collect, process, store and share and
    the reasons for doing so
  • Advise clients to tell their staff whose personal data we are holding and processing and the reasons why
  • Advise staff to tell their next of kin whose personal data we are holding and processing and the
    reasons why.

6.4 Personal data will be accurate and kept up to date, including the purposes for which the
data is stored, and processed
To comply, we will:

  • Review the Data Register annually
  • Ask employees to validate annually the personal data we are holding for them and their next of
  • Ask clients to validate the data we are holding for them and their employees that is to be
    included in their bids before the bids are submitted
  • Update (and, if necessary, delete) any data promptly that is no longer up to date.

6.5 Personal data will be kept for no longer than is necessary and for the purposes for which
it was collected
To comply we will:

  • Only keep personal data for as long as we are required to keep it by regulation or for the
    administration of our business. For example:
    • Employee payroll data will be kept for the duration of the employee’s tenure and for 6 years
      after they leave to meet HMRC regulations
    • Personal data contained in clients’ bids (e.g. CVs) will only be retained while the bid is under
      evaluation following which it will be destroyed, unless otherwise notified by the client.
  • Destroy personal data that is no longer required for the legitimate operation of our business or
    we are no longer required by regulation to retain.
  • Offer clients who terminate their contracts to be sent a copy of all electronic files that we
    currently hold for them. A print-out of electronic files will be provided on request for a
    reasonable fee to cover printing, processing and postage costs.
  • Provide on request a Certificate to clients who want confirmation their data has been destroyed.

Non-personal data may be held for longer periods for statistical and research purposes.

6.6 Data will be processed in a manner that ensures appropriate security
To comply, we will:

  • Train staff on the importance of protecting all data (personal and commercial), how and when
    they may share it, and safeguards to prevent it being lost or accidentally shared or destroyed
  • Maintain a register of equipment that staff may use when working on company business
  • Password protect computers and other electronic devices used to access the company’s data
    when not in use
  • Only disclose data to company employees on a ‘need to know’ basis
  • Password protect files that contain personal data before it is emailed (e.g. pay-slips)
  • Ensure those with access to the company’s filing systems have legitimate grounds for doing so
  • Establish business rules on the company’s file storage system so that an alert is generated if
    files containing personal or commercial data is downloaded or deleted
  • Store physical files (including data sent to us electronically but since printed) securely and
    destroy it using a cross-shredder when no longer required
  • Follow guidance published by HM Government and the ICO from time to time about where it is
    safe to store and process data.

7. Additional Principles

7.1 Publicly Available Data
Publicly available information will nonetheless be restricted to those people who need to know it
for the purposes of servicing the client’s account.

7.2 Personal Sensitive Data
The company will not store, process or transmit Personal Sensitive Data (PSD) other than where:

  • A client is required to make a declaration about PSD in the submission of a bid (e.g. any
    previous criminal/fiscal offences or pending proceedings); and
  • The company has been commissioned by the client to assist with the preparation of that bid.
    Where clients disclose PSD, it will be treated particularly carefully and will only be disclosed on a
    “need to know” basis to employees.

8. Personal data provided through the Company’s website

The company’s website will carry a clear statement telling visitors how personal data provided to
us through the website will be used.

8.1 Enquiries submitted through the website
Persons sending enquiries through the website or who contact us directly (e.g. by telephone) will
not be placed on any distribution lists for marketing purposes.
We will only contact them in response to their enquiry or as otherwise requested. Their details will
only be added to distribution lists for promotional messages or newsletters on request.

8.2 Free file downloads
The Company may make files available on its website for free download. The purpose is to identify
organisations who may be marketed in the future.
Those downloading free files on our website will be clearly told that in doing so their details will be
placed on a marketing list. By downloading the document, they are giving consent for us to
process their data in this way. If those do not wish us to process their data, they should not
download the material.

8.3 Changes in circumstances
Those who proceed to subscribe to marketing lists and then change their minds will be able to
unsubscribe at any time.
Unsubscribing will lead to us ceasing to process their personal data.

9. Promotional Messages

The Company may, from time to time, send promotional messages to companies who may be
interested in accessing our services. Distribution lists for such messages will only be gathered
from publicly-sourced information such as companies’ websites.
Messages will only be sent to companies where research shows there is a genuine match between
the company and the reason for our marketing them, for example, marketing about a particular
contract will only be sent to companies providing that service.
Messages will only be sent to named employees where their name and e-mail address is published
on their company’s website or on other promotional material.
We will not pay for data unless we are satisfied it has been legitimately sourced and complies with the GDPR.

10. Telephone Marketing

The company may conduct telephone marketing campaigns (so-called ‘cold calling’) from time to
time. Calls will only be made to companies where:

  • The company being called does not appear on the Telephone Preference Service or
  • An employee of the company has invited us to call.
    Where companies request we do not call in future, we will refrain from doing so. A record will be
    kept of such companies for future reference.

11. Sharing Personal Data with third parties

Personal data will only be shared with third parties in the following instances:

  • We are required by law to do so (e.g. with HMRC to administer payroll)
  • We have been instructed by the client to do so (e.g. submission of a bid on their behalf).

People who ask to be included on our marketing list should note that their personal data will be
shared with third parties who administer marketing on our behalf. Personal data will never be
shared with third parties for other purposes.

12. Subject Access Requests

Individuals may ask for a copy of personal data we hold about them.
Such requests will be responded to within 40 calendar days. Copies of information will be
provided in accordance with ICO Guidelines, including fees.

Clients may also make a request for information we are holding about their organisation or
employees. Such requests will be responded to as quickly as possible. There will be no charge for
disclosing what information is held. Reasonable charges may be levied where clients request
copies of material where there is a genuine administrative cost to the Company in servicing the

13. Training

All employees will have training on this policy on induction. A copy of the policy will be available on
the Company’s intranet site for information.
Refresher training material will be provided annually.

14. Suspected or actual breaches of this policy

In the event an employee or associate has reasonable grounds to suspect or knows there has
been a breach of this policy, the matter must be brought immediately to the attention of the Senior
Management Team.

Steps must be taken at once to try and recover the information, contain any further breach
pending an investigation and, where applicable, notify the party whose data has been disclosed,
and, if necessary, to the Office of the Information Commissioner.
Any breach will be subject to a thorough investigation to identify the root cause and to put in place
arrangements to reduce the risk of a re-occurrence in the future.