When clients use our services, they trust us with their personal and commercial data. We want them to have confidence in the fact we have policies, procedures and systems in place that will keep their information safe and secure. Our Data Protection, Privacy and Information Assurance Policy explains how we handle and process data.
If you have comments or questions about our policy or wish to make a Subject Access Request, please email our Company Secretary, Rachel Kittle at firstname.lastname@example.org.
This document sets out the Company’s policy for the management of data to comply with legislation and to ensure it is handled in accordance with our clients and employees’ expectations that we will protect data they have entrusted to us.
It includes both personal data and commercial data.
This policy applies to all employees and associates.
It is published to provide clients and prospective clients with assurance of how we protect their data.
The creation, storage, transmission and destruction of all data will be managed in accordance with relevant legislation, notably, for personal data, the General Data Protection Regulation.
Many of the definitions used in this policy mirror the same terms as those used in the GDPR and in guidance produced by the Information Commissioner’s Office (ICO).
However, their use throughout the policy should not be interpreted as being an exact reflection of the requirements of the Regulation.
Data is any information that is:
| Definition | Examples |
| --- | --- |
| Processed by means of equipment operating automatically in response to instructions given to it | Clients’ bids created on a computer; clients’ bids which are photocopied |
| Recorded by an employee or an associate with the intention that it should be processed by such equipment | Information stored on a computer or a memory stick |
| Recorded as part of a relevant filing system or with the intention that it should form part of a filing system | Client invoices stored on a computer |
Personal data is any information relating to a living person who can be identified from the data. It also includes any expression of opinion about the person.
Personal data also includes information about a person which is anonymous, but if put together with other data would identify them.
Commercial data is any information about a company (normally provided by a client) that is not readily available already in the public domain. Examples include:
- Organisation charts
- Business processes and procedures
- Pricing information (for bids)
- Staff profiles (which could also be covered by personal data).
Publicly available data is any information that is readily available in the public domain. Examples include:
- Company names
- Company registration numbers
- Published accounts.
Sensitive Personal Data is any information about an individual’s:
- Racial or ethnic origin
- Political opinions
- Religious beliefs or other beliefs of a similar nature
- Membership of a trade union
- Physical or mental health or condition
- Sexual preferences
- Criminal record – or investigations into alleged crimes or pending court hearings.
Processing is the way in which we obtain, record, hold, transmit and destroy data.
In most instances, the Company will process data on behalf of clients.
4.7. Data controller
The Data Controller is the company or individual who decides the purposes for which personal data is to be processed.
In most instances, our clients are the Data Controller – they provide us with personal information (e.g. on a CV) for us to process on their behalf by preparing a bid.
4.8. Data processor
Any person who processes data.
In most instances, the Company will be the Data Processor – we receive information (e.g. a CV) from clients and process it on their behalf to prepare a bid.
An external firm of printers will also be a Data Processor where we pass it personal data given to us by clients so that it can be printed (e.g. where a bid needs to be submitted in hard copy).
The permanent deletion of all electronic records from equipment owned or used by the company (including all electronic storage devices such as memory sticks) and from cloud-based storage.
Shredding of printed material by a cross-cut shredding machine before being recycled or incinerated.
Any person who receives data, including employees and associates.
4.11. Third parties
Any person or organisation other than:
- The data subject (e.g. the person named in a CV)
- The data controller (the client providing us with the data)
- The Company.
As a company that stores, processes and shares personal data, we have a legal duty to be registered with the Information Commissioner’s Office.
Our registration is renewed annually.
Our registration number will be displayed on our website.
The Company will comply with the following principles when processing data. They reflect the principles laid out in Article 5 of the GDPR:
To comply, we will:
- Only process data that is necessary for the operation of our business and where the law permits us to do so
- Determine the basis on which we are processing the data:
  - Consent – the individual has given us permission to process their data (e.g. persons making enquiries via our website)
  - Contract – processing is necessary to comply with a contract we have with the client
  - Legal obligation – we are obliged by law to process the data (e.g. for taxation purposes).
- Tell people (or their employer) where we hold and process their data:
  - What we are holding
  - Why we are holding it
  - How we may process it
  - Who we may share it with
  - The basis for sharing it.
- Advise clients to notify their staff whose personal data we are processing and storing
- Be clear on our website how we process personal data provided to us (e.g. by publishing this policy).
- Disclose to individuals who make a request:
  - Whether we are holding data about them
  - What data we are holding
  - How we process it
  - Who we may have shared it with
  - The basis for having shared it.
6.2. Data will only be collected for specific, explicit and legitimate purposes and processed in a manner that is compatible with those purposes
To comply we will:
- Only collect and use personal data that is required for the legitimate operation of our business (e.g. for the preparation of a bid that requires disclosure of personal data, or for the administration of payroll and expenses)
- Only share data with third parties where:
  - We are required by law or the Courts to do so (e.g. with HM Revenue and Customs)
  - It is required for the legitimate operation of our business (e.g. our accountants for the preparation of payroll)
  - We have express permission to do so (e.g. from a client to submit a bid that contains personal data).
6.3. Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
To comply we will:
- Only collect the minimum amount of data to allow for the legitimate operation of our business.
- Maintain a Data Register of the types of personal data we collect, process, store and share and the reasons for doing so
- Advise clients to tell their staff whose personal data we are holding and processing what we hold and the reasons why
- Advise staff to tell any next of kin whose personal data we are holding and processing what we hold and the reasons why.
6.4. Personal data will be accurate and kept up to date, including the purposes for which the data is stored and processed
To comply, we will:
- Review the Data Register annually
- Ask employees to validate annually the personal data we are holding for them and their next of kin
- Ask clients to validate the data we are holding for them and their employees that is to be included in their bids before the bids are submitted
- Update (and, if necessary, delete) any data promptly that is no longer up to date.
6.5. Personal data will be kept for no longer than is necessary and for the purposes for which it was collected
To comply we will:
- Only keep personal data for as long as we are required to keep it by regulation or for the administration of our business. For example:
  - Employee payroll data will be kept for the duration of the employee’s tenure and for 5 years after they leave to meet HMRC regulations
  - Personal data contained in clients’ bids (e.g. CVs) will only be retained while the bid is under evaluation, following which it will be destroyed, unless otherwise notified by the client.
- Destroy personal data that is no longer required for the legitimate operation of our business or that we are no longer required by regulation to retain.
- Give clients 28 days’ notice of an intention to destroy data, giving them sufficient time to instruct us to hold it for longer if they require
- Offer clients who terminate their contracts a copy of all electronic files that we currently hold for them. A print-out of electronic files will be provided on request for a reasonable fee to cover printing, processing and postage costs.
- Provide on request a Certificate to clients who want confirmation their data has been destroyed.
Non-personal data may be held for longer periods for statistical and research purposes.
6.6. Data will be processed in a manner that ensures appropriate security
To comply, we will:
- Train staff annually on the importance of protecting all data (personal and commercial), how and when they may share it and safeguards to prevent it being lost or accidentally shared or destroyed
- Maintain a register of equipment that staff may use when working on company business
- Insert clauses in terms and conditions of employment and contracts that require staff and associates to:
  - Adhere to the company’s policies and procedures, including this one
  - Only use equipment on the register when working on company business
  - Password protect computers and other electronic devices used to access the company’s data when not in use
  - Only disclose data to company employees and associates on a ‘need to know’ basis
  - Password protect files that contain personal data before they are e-mailed (e.g. pay-slips or CVs)
- Ensure those with access to the company’s filing systems have legitimate grounds for doing so
- Establish business rules on the company’s file storage system so that an alert is generated if files containing personal or commercial data are downloaded or deleted
- Back up data regularly to cloud-based solutions
- Store physical files (including data sent to us electronically but since printed) securely and destroy them using a cross-cut shredder when no longer required.
- Follow guidance published by HM Government and the ICO from time to time about where it is safe to store and process data.
7.1. Publicly available data
Publicly available information will nonetheless be restricted to those people who need to know it for the purposes of servicing the client’s account.
The company will not store, process or transmit Personal Sensitive Data (PSD) other than where:
- A client is required to make a declaration about PSD in the submission of a bid (e.g. any previous criminal / fiscal offences or pending proceedings); and
- The company has been commissioned by the client to assist with the preparation of that bid.
Where clients disclose PSD, it will be treated particularly carefully and will only be disclosed on a “need to know” basis to employees and associates.
The company’s website will carry a clear statement telling visitors how personal data provided to us through the website will be used.
8.1. Enquiries submitted through the website
Persons sending enquiries through the website or who contact us directly (e.g. by telephone) will not be placed on any distribution lists for marketing purposes.
We will only contact them in response to their enquiry or as otherwise requested. Their details will only be added to distribution lists for promotional messages or newsletters on request.
8.2. Free file downloads
The Company may make files available on its website for free download. The purpose is to identify organisations who may be marketed in the future.
Those downloading free files on our website will be clearly told that in doing so their details will be placed on a marketing list. By downloading the document, they are giving consent for us to process their data in this way. Those who do not wish us to process their data in this way should not download the material.
8.3. Changes in circumstances
Those who proceed to subscribe to marketing lists and then change their minds will be able to unsubscribe at any time.
Unsubscribing will lead to us ceasing to process their personal data.
The Company may, from time to time, send promotional messages to companies who may be interested in accessing our services. Distribution lists for such messages will only be gathered from publicly sourced information such as companies’ websites.
Messages will only be sent to companies where research shows there is a genuine match between the company and the reason for our marketing them. For example, marketing about a particular contract will only be sent to companies providing that service.
Messages will only be sent to named employees where their name and e-mail address is published on their company’s website or on other promotional material.
We will not pay for data unless we are satisfied it has been legitimately sourced and complies with the GDPR.
The company may conduct telephone marketing campaigns (so-called ‘cold calling’) from time to time. Calls will only be made to companies where:
- The company being called does not appear on the Telephone Preference Service; or
- An employee of the company has invited us to call.
Where companies request we do not call in future, we will refrain from doing so. A record will be kept of such companies for future reference.
Personal data will only be shared with third parties in the following instances:
- We are required by law to do so (e.g. with HMRC to administer payroll)
- We have been instructed by the client to do so (e.g. submission of a bid on their behalf)
People who ask to be included on our marketing list should note that their personal data will be shared with third parties who administer marketing on our behalf. Personal data will never be shared with third parties for other purposes.
Individuals may ask for a copy of personal data we hold about them.
Such requests will be responded to within 40 calendar days. Copies of information will be provided in accordance with ICO Guidelines, including fees.
Clients may also make a request for information we are holding about their organisation or employees. Such requests will be responded to as quickly as possible. There will be no charge for disclosing what information is held. Reasonable charges may be levied where clients request copies of material where there is a genuine administrative cost to the Company in servicing the request.
All employees will have training on this policy on induction and will be provided with an information pack to highlight the main messages. A copy of the policy will be available on the Company’s intranet site for information.
Associates will be sent a copy of this policy with an information pack to highlight main messages.
Employees and associates will be required to confirm in writing they have read and understood the policy and will abide by it.
Refresher training material will be provided annually.
In the event an employee or associate has reasonable grounds to suspect or knows there has been a breach of this policy, the matter must be brought immediately to the attention of the Managing Director or, in his absence, the Company Secretary.
Steps must be taken at once to try to recover the information, to contain any further breach pending an investigation and, where applicable, to notify the party whose data has been disclosed and, if necessary, the Information Commissioner’s Office.
Any breach will be subject to a thorough investigation to identify the root cause and to put in place arrangements to reduce the risk of a re-occurrence in the future.