Data Protection

1. Kittle Group

Address: 2nd Floor, 33 Blagrave Street, Reading, Berkshire, RG1 1PW

2. Introduction

This document sets out the Company’s policy for the management of data, to comply with legislation and to ensure it is handled in accordance with our clients and employees’ expectations to protect it. It includes both personal data and commercial data.

3. Relevant Legislation

The creation, storage, transmission and destruction of all data will be managed in accordance with relevant legislation, notably, for personal data, the General Data Protection Regulation (GDPR), as incorporated into UK legislation by the Data Protection Act 2018.

4. Definitions

Many of the definitions used in this policy mirror the same terms as those used in the GDPR and in guidance produced by the Information Commissioner’s Office (ICO).
However, their use throughout the policy should not be interpreted as being an exact reflection of the requirements of the Regulation.

4.1 Data
Data is any information that is:

Definition

Example

Processed by means of equipment operating automatically in response to instructions given to it

Clients’ bids created on a computer Clients’ bids which are photocopied

Recorded by an employee with the intention that it should be processed by such equipment

Information stored on a computer or a memory stick

Recorded as part of a relevant filing system or with the intention that it
should form part of a filing system

Client invoices stored on a computer

4.2 Personal Data
Personal data is any information relating to a living person who can be identified from the data. It also includes any expression of opinion about the person.
Personal data also includes information about a person which is anonymous, but if put together with other data would identify them.

4.3 Commercial Data
Commercial data is any information about a company (normally provided by a client) that is not readily available already in the public domain. Examples include:

Organisation charts
Business processes and procedures
Pricing information (for bids)
Staff profiles (which could also be covered by personal data).

4.4 Publicly Available Data
Publicly available data is any information that is readily available in the public domain. Examples include:

Company names
Company registration numbers
Published accounts.

4.5 Sensitive Personal Data
Sensitive Personal Data is any information about an individual’s:

Racial or ethnic origin
Political opinions
Religious beliefs or other beliefs of a similar nature
Membership of a trade union
Physical or mental health or condition
Sexual preferences
Criminal record – or investigations into alleged crimes or pending court hearings.

4.6 Processing Data
Processing is the way in which we obtain, record, hold, transmit, and destroy data.
In most instances, the Company will process data on behalf of clients.

4.7 Data Controller
The Data Controller is the company or individual who decides the purposes for which personal data is to be processed.

In most instances, our clients are the Data Controller – they provide us with personal information (e.g. on a CV) for us to process on their behalf by preparing a bid.

4.8 Data Processor
Any person who processes data.

In most instances, the Company will be the Data Processor – we receive information (e.g. a CV) from clients and process it on their behalf to prepare a bid.

An external firm of printers will also be Data Processors where we pass personal data given to us by clients for them to print (e.g. where a bid needs to be submitted in hard copy).

4.9 Destruction
The permanent deletion of all electronic records from equipment owned or used by the company (including all electronic storage devices such as memory sticks); and cloud-based storage.
Shredding of printed material by a cross-cut shredding machine before being recycled or
incinerated.

4.10 Recipient
Any person who receives data, including employees.

4.11 Third Parties
Any person or organisation other than:

The data subject (e.g. the person named in a CV)
The data controller (the client providing us with the data)
The company.

5. Registration with the Information Commissioner’s Office

As a company that stores, processes and shares personal data, we have a legal duty to be registered with the Information Commissioner’s Office.
Our registration is renewed annually.
Our registration number is displayed on our website and a copy of our certificate is available on our intranet site.
The Company Secretary is responsible for ensuring the Company complies with registration requirements, payment of the annual fee, and ensuring we have an up to date certificate.

6. Data Protection principles

The Company will comply with the following principles when processing data. They reflect the principles laid out in Article 5 of the GDPR:

6.1 Data will be processed lawfully, fairly and in a transparent manner in relation to
individuals
To comply, we will:

Only process data that is necessary for the operation of our business, and where the law permits us to do so
Determine the basis on which we are processing the data:
- Consent – the individual has given us permission to process their data (e.g. persons making
  enquiries via our website)
- Contract – processing is necessary to comply with a contract we have with the client
- Legal obligation – we are obliged by law to process the data (e.g. for taxation purposes)
Tell people (or their employer) where we hold and process their data:
- What we are holding
- Why we are holding it
- How we may process it
- Who we may share it with
- The basis for sharing it
Advise clients to notify their staff whose personal data we are processing and storing
Be clear on our website how we process personal data provided to us (e.g. by publishing this
policy)
Disclose to individuals who make a request:
- Whether we are holding data about them
- What data we are holding
- How we process it
- Who we may have shared it with
- The basis for having shared it.

6.2 Data will only be collected for specific, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes
To comply we will:

Only collect and use personal data that is required for the legitimate operation of our business (e.g. for the preparation of a bid that requires disclosure of personal data, for the administration
of pay-roll and expenses)
Only share data with third parties where:
- We are required by law or the Courts to do so (e.g. with HM Revenue and Customs)
- It is required for the legitimate operation of our business (e.g. our accountants for the
  preparation of pay roll)
- We have express permission to do so (e.g. from a client to submit a bid that contains
  personal data).

6.3 Data must be adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed
To comply we will:

Only collect the minimum amount of data to allow for the legitimate operation of our business
Maintain a Data Register of the types of personal data we collect, process, store and share and the reasons for doing so
Advise clients to tell their staff whose personal data we are holding and processing and the reasons why
Advise staff to tell their next of kin whose personal data we are holding and processing and the reasons why.

6.4 Personal data will be accurate and kept up to date, including the purposes for which the
data is stored, and processed
To comply, we will:

Review the Data Register annually
Ask employees to validate annually the personal data we are holding for them and their next of kin
Ask clients to validate the data we are holding for them and their employees that is to be included in their bids before the bids are submitted
Update (and, if necessary, delete) any data promptly that is no longer up to date.

6.5 Personal data will be kept for no longer than is necessary and for the purposes for which it was collected
To comply we will:

Only keep personal data for as long as we are required to keep it by regulation or for the administration of our business. For example:
- Employee payroll data will be kept for the duration of the employee’s tenure and for 6 years after they leave to meet HMRC regulations
- Personal data contained in clients’ bids (e.g. CVs) will only be retained while the bid is under evaluation following which it will be destroyed, unless otherwise notified by the client.
Destroy personal data that is no longer required for the legitimate operation of our business or we are no longer required by regulation to retain.
Offer clients who terminate their contracts to be sent a copy of all electronic files that we currently hold for them. A print-out of electronic files will be provided on request for a reasonable fee to cover printing, processing and postage costs.
Provide on request a Certificate to clients who want confirmation their data has been destroyed.

Non-personal data may be held for longer periods for statistical and research purposes.

6.6 Data will be processed in a manner that ensures appropriate security
To comply, we will:

Train staff on the importance of protecting all data (personal and commercial), how and when they may share it, and safeguards to prevent it being lost or accidentally shared or destroyed
Maintain a register of equipment that staff may use when working on company business
Password protect computers and other electronic devices used to access the company’s data when not in use
Only disclose data to company employees on a ‘need to know’ basis
Password protect files that contain personal data before it is emailed (e.g. pay-slips)
Ensure those with access to the company’s filing systems have legitimate grounds for doing so
Establish business rules on the company’s file storage system so that an alert is generated if files containing personal or commercial data is downloaded or deleted
Store physical files (including data sent to us electronically but since printed) securely and destroy it using a cross-shredder when no longer required
Follow guidance published by HM Government and the ICO from time to time about where it is safe to store and process data.

7. Additional Principles

7.1 Publicly Available Data
Publicly available information will nonetheless be restricted to those people who need to know it for the purposes of servicing the client’s account.

7.2 Personal Sensitive Data
The company will not store, process or transmit Personal Sensitive Data (PSD) other than where:

A client is required to make a declaration about PSD in the submission of a bid (e.g. any
previous criminal/fiscal offences or pending proceedings); and
The company has been commissioned by the client to assist with the preparation of that bid.
Where clients disclose PSD, it will be treated particularly carefully and will only be disclosed on a “need to know” basis to employees.

8. Personal data provided through the Company’s website

The company’s website will carry a clear statement telling visitors how personal data provided to us through the website will be used.

8.1 Enquiries submitted through the website
Persons sending enquiries through the website or who contact us directly (e.g. by telephone) will not be placed on any distribution lists for marketing purposes.
We will only contact them in response to their enquiry or as otherwise requested. Their details will only be added to distribution lists for promotional messages or newsletters on request.

8.2 Free file downloads
The Company may make files available on its website for free download. The purpose is to identify organisations who may be marketed in the future.
Those downloading free files on our website will be clearly told that in doing so their details will be placed on a marketing list. By downloading the document, they are giving consent for us to process their data in this way. If those do not wish us to process their data, they should not download the material.

8.3 Changes in circumstances
Those who proceed to subscribe to marketing lists and then change their minds will be able to unsubscribe at any time.
Unsubscribing will lead to us ceasing to process their personal data.

9. Promotional Messages

The Company may, from time to time, send promotional messages to companies who may be interested in accessing our services. Distribution lists for such messages will only be gathered from publicly-sourced information such as companies’ websites.
Messages will only be sent to companies where research shows there is a genuine match between the company and the reason for our marketing them, for example, marketing about a particular contract will only be sent to companies providing that service.
Messages will only be sent to named employees where their name and e-mail address is published on their company’s website or on other promotional material.
We will not pay for data unless we are satisfied it has been legitimately sourced and complies with the GDPR.

10. Telephone Marketing

The company may conduct telephone marketing campaigns (so-called ‘cold calling’) from time to time. Calls will only be made to companies where:

The company being called does not appear on the Telephone Preference Service or
An employee of the company has invited us to call.
Where companies request we do not call in future, we will refrain from doing so. A record will be kept of such companies for future reference.

11. Sharing Personal Data with third parties

Personal data will only be shared with third parties in the following instances:

We are required by law to do so (e.g. with HMRC to administer payroll)
We have been instructed by the client to do so (e.g. submission of a bid on their behalf).

People who ask to be included on our marketing list should note that their personal data will be shared with third parties who administer marketing on our behalf. Personal data will never be shared with third parties for other purposes.

12. Subject Access Requests

Individuals may ask for a copy of personal data we hold about them.
Such requests will be responded to within 40 calendar days. Copies of information will be
provided in accordance with ICO Guidelines, including fees.

Clients may also make a request for information we are holding about their organisation or employees. Such requests will be responded to as quickly as possible. There will be no charge for disclosing what information is held. Reasonable charges may be levied where clients request copies of material where there is a genuine administrative cost to the Company in servicing the request.

13. Training

All employees will have training on this policy on induction. A copy of the policy will be available on the Company’s intranet site for information.
Refresher training material will be provided annually.

14. Suspected or actual breaches of this policy

In the event an employee or associate has reasonable grounds to suspect or knows there has been a breach of this policy, the matter must be brought immediately to the attention of the Senior Management Team.

Steps must be taken at once to try and recover the information, contain any further breach pending an investigation and, where applicable, notify the party whose data has been disclosed, and, if necessary, to the Office of the Information Commissioner.
Any breach will be subject to a thorough investigation to identify the root cause and to put in place arrangements to reduce the risk of a re-occurrence in the future.