In the course of your work with Ledatic Ltd you are likely to collect, use, transfer or store personal information about employees, clients, customers and suppliers, for example their names and home addresses. The UK’s data protection legislation, including the General Data Protection Regulation (GDPR), contains strict principles and legal conditions which must be followed before and during any processing of any personal information.
The purpose of this policy is to ensure that you are aware that everyone has a responsibility to comply with the principles and legal conditions provided by the data protection legislation, including the GDPR, and that failure to meet those responsibilities is likely to lead to serious consequences. Firstly, a serious breach of data protection is likely to be a disciplinary offence and will be dealt with under the Company’s disciplinary procedure. If you access another employee’s personnel records or any sensitive personal information without authority, this will constitute a gross misconduct offence and could lead to your summary dismissal. Additionally, if you knowingly or recklessly disclose personal data in breach of the data protection legislation, including the GDPR, you may be held personally criminally accountable for any such breach.
Breach of the data protection legislation, including the GDPR rules, can cause distress to the individuals affected by the breach and is likely to leave the Company at risk of serious financial consequences.
If you are in any doubt about what you can or cannot disclose and to whom, do not disclose the personal information until you have sought further advice from the Company’s data representative at [email protected].
This policy does not form part of a contract of employment. However, it is mandatory that all employees, workers and contractors read, understand and comply with the content of this policy, and you must attend associated training relating to its content and operation. Failure to adhere to this policy is likely to be regarded as a serious disciplinary matter and will be dealt with under the Company’s disciplinary rules and procedures.
Data Subject: a living individual.
Data Controller: the person or organisation that determines the means and the purpose of processing the personal data.
Data Protection Legislation: includes (i) the Data Protection Act 1998, until the effective date of its repeal (ii) the General Data Protection Regulation ((EU) 2016/679) (GDPR) and any national implementing laws, regulations and secondary legislation, for so long as the GDPR is effective in the UK, and (iii) any successor and supplemental legislation to the Data Protection Act 1998 and the GDPR, in particular the Data Protection Bill 2017-2019 and the E-Privacy Directive (and its proposed replacement), once it becomes law.
Personal data: is any information that identifies a living individual (data subject) either directly or indirectly. This also includes special categories of personal data. Personal data does not include data which is entirely anonymous or from which the identity has been permanently removed, making it impossible to link back to the data subject.
Processing: is any activity relating to personal data, which can include collecting, recording, storing, amending, disclosing, transferring, retrieving, using or destroying it.
Special categories of personal data: this includes any personal data which reveals a data subject’s ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic, biometric or health data, or sex life and sexual orientation.
Criminal records data: means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.
We are a data controller. This means that we are required by law to ensure that everyone who processes personal data and special categories of personal data during the course of their work with us does so in accordance with the data protection legislation, including the GDPR principles. In brief, the principles say that:
Other rules under the GDPR state that:
The Company and all employees must comply with these principles and rules at all times in their information-handling practices. We are committed to ensuring that these principles and rules are followed, as we take the security and protection of data very seriously.
You must inform us immediately if you become aware that any of these principles or rules have been breached or are likely to be breached.
What are the lawful reasons under which we would expect you to process personal data?
Whilst carrying out your work activities you are likely to process personal data. The Company will only expect you to process personal data where the business has a lawful basis to process that information. The lawful basis may be any one of the following reasons or a combination of them:
a) Consent has been obtained from the data subject to process their personal data for specified purposes.
b) Where we need to perform the contract we have entered into with the data subject either for employment or commercial purposes.
c) Where we need to comply with a legal obligation.
d) Where it is necessary for our legitimate interests (or those of a third party) and the interests and fundamental rights of the data subject do not override those interests.
There are other rare occasions where you may need to process the data subject’s personal information; these include:
e) Where we need to protect the data subject’s interests (or someone else’s interests).
f) Where it is needed in the public interest or for official purposes.
You must always ensure that you keep a documented inventory of the legal basis which is being relied on in respect of each processing activity which you perform.
Before you begin collecting or processing personal data directly from a data subject you must ensure that an appropriate privacy notice has been issued to the data subject. Different notices are used for employment and commercial purposes. The content of the privacy notice must provide accurate, transparent and unambiguous details of the lawful and fair reason why we are processing the data. It must also explain how, when and for how long we propose to process the data subject’s personal information. We need to include information about the data subject’s rights and, most importantly, the notice should also explain how we will keep the information secure and protected against unauthorised use.
Where you intend to collect data indirectly from a third party or a public source (e.g. the electoral register), you must ensure that a privacy notice is issued to the data subject within a reasonable period of obtaining the personal data and no later than one month; if the data is used to communicate with the individual, at the latest when the first communication takes place; or if disclosure to someone else is envisaged, at the latest when the data is disclosed.
You must only use data collected indirectly if you have evidence that it has been collected in accordance with the GDPR principles.
In all circumstances you must check that you are using an up-to-date version of the Company’s privacy notice and that it is being used in accordance with the Company’s guidelines.
When you collect personal information you will set out in the privacy notice how that information will be used. If it becomes necessary to use that information for a reason other than the reason which you have previously identified you must usually stop processing that information. However, in limited circumstances you can continue to process the information provided that your new reason for processing the personal information remains compatible with your original lawful purpose (unless your original lawful basis was consent).
You must only process personal data where you have been authorised to do so because it relates to your work or you have been delegated temporary responsibility to process the information. You must not collect, store or use unnecessary personal data and you must ensure that personal data is deleted, erased or removed within the Company’s retention guidelines. You must not process or use personal data for non-work related purposes.
The Company will review its records and in particular employees’ personnel files on a regular basis to ensure they do not contain a backlog of out-of-date or irrelevant information and to check there are lawful reasons requiring information to continue to be held.
If your personal information changes, for example you change address or you get married and change your surname, you must inform your line manager as soon as practicable so that the Company’s records can be updated. The Company will not be responsible for any inaccurate personal data held on its systems where you have failed to notify it of the relevant change in circumstances.
Different categories of personal data will be retained for different periods of time, depending on legal, operational and financial requirements. Any data which the Company decides it does not need to hold for a particular period of time will be destroyed in accordance with its retention of data policy.
We do not generally have a need to transfer data outside of the European Economic Area (EEA). However, if you are requested to transfer personal data to a country or organisation outside of the EEA, you must not do so unless that country or organisation ensures an adequate level of protection in relation to the processing of personal data and you have safeguards in place to ensure this. You must speak to the Data Representative at [email protected] before you send personal data outside of the EEA.
Under the GDPR, subject to certain legal limitations, data subjects have a number of legal rights regarding how their personal data is processed. At any time a data subject can request that the Company take any of the following actions with regard to their personal data:
There are different rules and time frames that apply to each of these rights. You must follow the Company’s policies and procedures whenever you process or receive a request in relation to any of the above rights.
You must follow the Company’s data subject access procedure which details how to deal with requests and it describes the circumstances where a fee may be charged. The procedure includes the following:
Be aware that those seeking information sometimes use deception in order to gain access to it.
During the course of your employment you may be required to process personal data which falls into two categories: general personal data and special categories of personal data. All data should be processed in accordance with the privacy notice and at all times in a confidential manner. However, where that data is classed as a special category, extra care should be taken to ensure the privacy and security of that data. This means that you should maintain a high level of security and you should only share this data with those who are also authorised to process that data. In the context of employee relations, you may be required to process special category information for one or more of the following reasons:
We may also require you to process special categories of information in connection with customers and other third parties.
There may also be circumstances where we ask you to process this type of information to assist the Company with legal claims or to protect a data subject’s interests (or someone else’s).
You may be asked to process information in relation to criminal convictions. This should be processed with the highest degree of confidentiality and in accordance with any data protection legislation and privacy notices that are in force in our business.
If you are unsure about how you should process general personal data or special categories of personal data, you must contact [email protected].
In limited circumstances during your work you may need consent from a data subject in order to process personal data or special categories of data. You will be provided with training and details of the circumstances in which consent is needed and the type of consent that should be sought.
In particular, you may find it necessary to request that a data subject provide written consent to allow the processing of special categories of personal data. For example, in an employment context you should request the data subject’s written consent to instruct a medical practitioner to prepare a medical report. If it becomes necessary to request consent to process special categories of personal data, you must provide the data subject with details of the information that will be required and why it is needed, so that they can make an informed decision as to whether they wish to provide consent.
You must not compel a data subject to provide written consent. Giving consent will always be a decision made by free will and choice and is not a contractual condition. Consent can be withdrawn at any time without any reason being given. You must not subject a data subject to a sanction or detriment as a consequence of withdrawing consent. This would be viewed as a serious disciplinary issue.
In limited circumstances there are certain categories of personal data which are exempt from the GDPR regime. In an employment context, for example:
A personal data breach will arise whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on a data subject.
In the event of a security incident or breach, do not try to handle this yourself.
You must follow the Company’s Data Breach Policy which includes immediately informing [email protected] so that steps can be taken to:
The Data Representative will determine within 72 hours the seriousness of the breach and if the Information Commissioner’s Office (ICO) and/or data subjects need to be notified of the breach.
As we have fewer than 250 employees, we only need to document processing activities that:
All employees that handle personal information of individuals must have a basic understanding of the data protection legislation, including the GDPR. Staff with duties such as computer and internet security, marketing and database management may need specialist training to make them aware of particular data protection requirements in their work area.
We will provide you with continuous training and updates on how to process personal data in a secure and confidential manner and in accordance with the spirit of the data protection legislation, including the GDPR. You will be required to attend all training and to keep yourself informed and aware of any changes made to privacy notices, consent procedures and any other policies and procedures associated with our internal processing of personal data.
You must regularly review all your data processing activities and ensure that you are acting in accordance with the most current best practice and legal obligations in relation to data security and confidentiality.
From time to time we may use computer programmes to process data and make automated decisions. We will provide you with a separate notice explaining when and how this happens. Where automated processing or decision making does take place and the effect of that processing impacts on the freedoms and legitimate interests of the data subject, then in certain circumstances the data subject can request human intervention. This means that they can ask for a human to review the machine-made outcome or decision.
We may share personal data internally as is necessary. You must always ensure that personal data is only shared with authorised persons and is shared in accordance with the purposes stated in any privacy notice or consents. Extra care and security must be taken when sharing special categories of data or transferring data outside of the Company to a third party.
We are subject to specific rules under the GDPR in relation to marketing our services. Data subjects have the right to reject direct marketing and we must ensure that data subjects are given this option at first point of contact. When a data subject exercises their right to reject marketing you must desist immediately from sending further communications.
If you believe that this policy has been breached by a colleague, or if you wish to exercise any relevant rights or raise queries or complaints, please in the first instance contact our Data Representative at [email protected].
We reserve the right to change this policy at any time so please always check this document regularly to ensure you are following the correct procedures.
This policy was last updated on 21/05/2018