This document sets out the Company’s policy for the management of data, to comply with legislation and to ensure data is handled and protected in accordance with our clients’ and employees’ expectations. It covers both personal data and commercial data.
The creation, storage, transmission and destruction of all data will be managed in accordance with
relevant legislation, notably, for personal data, the General Data Protection Regulation (GDPR), as
incorporated into UK legislation by the Data Protection Act 2018.
Many of the definitions used in this policy mirror the same terms as those used in the GDPR and in
guidance produced by the Information Commissioner’s Office (ICO).
However, their use throughout the policy should not be interpreted as being an exact reflection of
the requirements of the Regulation.
Data is any information that is:
4.2 Personal Data
Personal data is any information relating to a living person who can be identified from the data. It
also includes any expression of opinion about the person.
Personal data also includes information about a person which is anonymous but which, if put
together with other data, would identify them.
4.3 Commercial Data
Commercial data is any information about a company (normally provided by a client) that is not
readily available already in the public domain. Examples include:
4.4 Publicly Available Data
Publicly available data is any information that is readily available in the public domain. Examples
4.5 Sensitive Personal Data
Sensitive Personal Data is any information about an individual’s:
4.6 Processing Data
Processing is the way in which we obtain, record, hold, transmit, and destroy data.
In most instances, the Company will process data on behalf of clients.
4.7 Data Controller
The Data Controller is the company or individual who decides the purposes for which personal
data is to be processed.
In most instances, our clients are the Data Controller – they provide us with personal information
(e.g. on a CV) for us to process on their behalf by preparing a bid.
4.8 Data Processor
Any person who processes data.
In most instances, the Company will be the Data Processor – we receive information (e.g. a CV)
from clients and process it on their behalf to prepare a bid.
An external firm of printers will also be Data Processors where we pass personal data given to us
by clients for them to print (e.g. where a bid needs to be submitted in hard copy).
The permanent deletion of all electronic records from equipment owned or used by the company
(including all electronic storage devices such as memory sticks); and cloud-based storage.
Shredding of printed material by a cross-cut shredding machine before being recycled or
Any person who receives data, including employees.
4.11 Third Parties
Any person or organisation other than:
As a company that stores, processes and shares personal data, we have a legal duty to be
registered with the Information Commissioner’s Office.
Our registration is renewed annually.
Our registration number is displayed on our website and a copy of our certificate is available on our
The Company Secretary is responsible for ensuring the Company complies with registration
requirements, payment of the annual fee, and ensuring we have an up-to-date certificate.
The Company will comply with the following principles when processing data. They reflect the
principles laid out in Article 5 of the GDPR:
6.1 Data will be processed lawfully, fairly and in a transparent manner in relation to
To comply, we will:
6.2 Data will only be collected for specific, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes
To comply we will:
6.3 Data must be adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed
To comply we will:
6.4 Personal data will be accurate and kept up to date, including the purposes for which the
data is stored and processed
To comply, we will:
6.5 Personal data will be kept for no longer than is necessary and for the purposes for which
it was collected
To comply we will:
Non-personal data may be held for longer periods for statistical and research purposes.
6.6 Data will be processed in a manner that ensures appropriate security
To comply, we will:
7.1 Publicly Available Data
Publicly available information will nonetheless be restricted to those people who need to know it
for the purposes of servicing the client’s account.
7.2 Personal Sensitive Data
The company will not store, process or transmit Personal Sensitive Data (PSD) other than where:
The company’s website will carry a clear statement telling visitors how personal data provided to
us through the website will be used.
8.1 Enquiries submitted through the website
Persons sending enquiries through the website or who contact us directly (e.g. by telephone) will
not be placed on any distribution lists for marketing purposes.
We will only contact them in response to their enquiry or as otherwise requested. Their details will
only be added to distribution lists for promotional messages or newsletters on request.
8.2 Free file downloads
The Company may make files available on its website for free download. The purpose is to identify
organisations who may be marketed to in the future.
Those downloading free files on our website will be clearly told that in doing so their details will be
placed on a marketing list. By downloading the document, they are giving consent for us to
process their data in this way. If they do not wish us to process their data, they should not
download the material.
8.3 Changes in circumstances
Those who proceed to subscribe to marketing lists and then change their minds will be able to
unsubscribe at any time.
Unsubscribing will lead to us ceasing to process their personal data.
The Company may, from time to time, send promotional messages to companies who may be
interested in accessing our services. Distribution lists for such messages will only be gathered
from publicly-sourced information such as companies’ websites.
Messages will only be sent to companies where research shows there is a genuine match between
the company and the reason for our marketing to them; for example, marketing about a particular
contract will only be sent to companies providing that service.
Messages will only be sent to named employees where their name and e-mail address are published
on their company’s website or on other promotional material.
We will not pay for data unless we are satisfied it has been legitimately sourced and complies with the GDPR.
The company may conduct telephone marketing campaigns (so-called ‘cold calling’) from time to
time. Calls will only be made to companies where:
Personal data will only be shared with third parties in the following instances:
People who ask to be included on our marketing list should note that their personal data will be
shared with third parties who administer marketing on our behalf. Personal data will never be
shared with third parties for other purposes.
Individuals may ask for a copy of personal data we hold about them.
Such requests will be responded to within 40 calendar days. Copies of information will be
provided in accordance with ICO Guidelines, including fees.
Clients may also make a request for information we are holding about their organisation or
employees. Such requests will be responded to as quickly as possible. There will be no charge for
disclosing what information is held. Reasonable charges may be levied where clients request
copies of material where there is a genuine administrative cost to the Company in servicing the
All employees will have training on this policy on induction. A copy of the policy will be available on
the Company’s intranet site for information.
Refresher training material will be provided annually.
In the event an employee or associate has reasonable grounds to suspect or knows there has
been a breach of this policy, the matter must be brought immediately to the attention of the Senior
Steps must be taken at once to try to recover the information, contain any further breach
pending an investigation and, where applicable, notify the party whose data has been disclosed
and, if necessary, the Office of the Information Commissioner.
Any breach will be subject to a thorough investigation to identify the root cause and to put in place
arrangements to reduce the risk of a re-occurrence in the future.