Data Protection Policy
1. Introduction
Combined Masonry Supplies Limited (CMS Ltd) is required to obtain and keep a certain amount of Personal Data in order to carry out its day-to-day business and to meet its legal obligations to both its employees and its customers. This Policy sets out how CMS handles the Personal Data of its employees, workers, customers, suppliers and other third parties.
This Policy has been approved by the CMS Ltd Board. This Policy applies to all personnel (including employees, contractors, consultants, workers, directors and others). All personnel must comply with this Policy when processing Personal Data on behalf of CMS; compliance with this Policy is mandatory. Any breach of this Policy will be taken seriously and may result in disciplinary action.
CMS reserves the right to change this Policy at any time without notice so please check back regularly to obtain and familiarise yourself with the latest version of this Policy. This Policy was last revised on 24th April 2018.
2. Definitions of Data Protection terms
Data Subjects, for the purpose of this Policy, include all living individuals about whom CMS holds Personal Data. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their Personal Data.
Personal Data is defined as any information relating to a person who can be identified directly or indirectly from that data. This definition includes Personal Data held in both electronic and paper format. Personal Data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour and it can include CCTV images used in the course of CMS’ business.
Data Controllers are the people who or organisations which determine the purposes for which, and the manner in which, any Personal Data is processed. They are responsible for establishing practices and policies in line with the applicable data protection legislation.
Data Processors in the case of CMS include any person or organisation that processes Personal Data on that company’s behalf and on that company’s instructions.
Personal Data Breach is any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that are put in place to protect it. It also includes the loss of, or unauthorised access, disclosure or acquisition of Personal Data.
Processing (or “Processed” or similar expression) is any activity that involves use of the Personal Data. It includes obtaining, recording or holding the Personal Data, or carrying out any operation or set of operations on the Personal Data including organising, amending, retrieving, using, disclosing, erasing or destroying it.
Processing also includes transferring Personal Data to third parties.
Special Categories of Personal Data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life or sexual orientation, genetics or biometrics. Special Categories of Personal Data can only be processed under strict conditions, including a condition requiring the explicit consent of the Data Subject.
In this Policy, unless the context otherwise requires, references to ‘Personal Data’ include ‘Special Categories of Personal Data’.
3. Data Protection Manager
CMS fully accepts its responsibilities and has appointed Richard Chandler as its data protection manager.
The data protection manager is responsible for carrying out regular Data Protection Impact Assessments and for dealing with, and reporting to the Information Commissioner’s Office, any Personal Data Breach.
4. Data Security
CMS fully accepts its responsibility to ensure that all Personal Data is held securely. To that end, appropriate security, technological and organisational measures will be taken against unlawful or unauthorised processing of Personal Data and against the accidental loss of, or damage to, Personal Data. These measures include:
- Avoiding the copying of Personal Data to external systems, including ‘flash drives’, unless absolutely necessary.
- Avoiding the use of email as a method of transferring Personal Data if at all possible.
- Ensuring that all Personal Data, both in electronic and paper form, is stored securely. In the case of paper records, this means keeping Personal Data behind two locked doors. In the case of electronic records, this means storing data in secure locations approved by the HR Department and ensuring that all files are protected by strong passwords.
- Keeping the Personal Data accurate and in good order and identifying Personal Data that is no longer required.
- Ensuring that all Personal Data which is no longer required is destroyed in an acceptable manner and in line with the procedures set out in Schedule 1.
In addition to the above, CMS must implement privacy by design measures when processing Personal Data by putting in place appropriate organisational and technical measures. CMS should assess what privacy by design measures can be implemented on all processes, systems and programs, taking into account the state of the art, the cost of implementation, the nature of the processing and the risks to Data Subjects which are posed by the processing.
CMS personnel should discuss any proposed Data Protection Impact Assessment and its results with the data protection manager (see section 3 above) to ensure compliance with the data protection legislation.
5. Data Breaches
Data protection legislation requires Data Controllers to inform the applicable regulator and in certain circumstances the Data Subject of any Personal Data Breach.
If personnel know or suspect that a Personal Data Breach has occurred, they should not attempt to investigate the matter themselves. Personnel should immediately contact the data protection manager (see section 3 above) who will activate the relevant CMS procedures.
6. Lawfulness and Fairness
Any Personal Data which CMS process must be processed lawfully, fairly and transparently.
Data protection legislation requires that Personal Data may only be processed for a lawful purpose. Those lawful purposes include:
CMS must set out in its privacy notices the lawful purpose on which it is processing Personal Data. These privacy notices will be available to Data Subjects so that they can understand how their Personal Data is processed by CMS.
Personal Data must not be processed in a way that is incompatible with the lawful purpose which was originally told to the Data Subject, unless they have been informed of the new purpose and, where relevant, have consented to that new purpose.
7. Consent
In the very limited instances where we would rely on consent as the lawful purpose for processing a Data Subject’s Personal Data, we must gain that person’s consent in a clear way. Data protection legislation requires this consent to be given by positive action. This means that silence, pre-ticked boxes or inactivity will not constitute consent. If Data Subjects give their consent as part of another document, then the consent should be kept separate from those other matters.
Data Subjects can withdraw their consent to us processing Personal Data for which they have given us their consent to hold at any time and no processing of this Personal Data should occur once they have withdrawn their consent. If their Personal Data is to be processed for a different and incompatible purpose to the one originally given to them when processing first began, then the Data Subject should be updated and consent should be refreshed.
If CMS relies on consent as the lawful purpose for processing Special Categories of Personal Data or for transferring Personal Data outside of the EEA (see section 12 below) then that consent must be explicit. Explicit consent requires a clear and specific statement from the Data Subject. However, if CMS wants to do these things, it will usually rely on another lawful purpose (other than consent) to do them.
If CMS does rely on consent as the lawful purpose then it must keep a record of the consent which includes the time, date and means by which consent was obtained and what information the Data Subject was given (for example, a privacy notice).
8. Transparency and Privacy Notices
A key part of the data protection legislation is about being transparent with Data Subjects about the collection and processing of their Personal Data. CMS will inform Data Subjects about this via a privacy notice. These privacy notices include those matters which Data Controllers must tell a Data Subject about under the data protection legislation.
If CMS collects the Personal Data directly from a Data Subject then the relevant privacy notice should be available to the Data Subject when the Personal Data is first collected.
If CMS collects the Personal Data indirectly (for example from a third party) then it must provide the privacy notice to the Data Subject as soon as possible after receiving the Personal Data. If CMS receives Personal Data indirectly from a third party, it should ensure that the third party has collected the Personal Data in accordance with the data protection legislation and that such collection by the third party covers the processing which CMS is to carry out.
9. Data Minimisation
CMS should only collect Personal Data to the extent that it is necessary for the reasons for which it is collected. Collection of Personal Data should not be excessive.
Personnel must only process Personal Data where it is required for their job duties and they must not process it for any reasons which are unrelated to their job duties.
10. Accuracy
CMS must ensure that any Personal Data which it holds is accurate, complete and up to date. CMS should check the accuracy of Personal Data when it is collected and at regular intervals thereafter.
Any incorrect or out of date Personal Data must be corrected, deleted or destroyed promptly and without undue delay.
11. Data Retention
Personal Data which allows Data Subjects to be identified should not be kept for longer than is necessary for the reasons for which it was collected, or for longer than is needed for the legitimate business purposes of CMS (including any legal and accounting reasons).
If Personal Data is no longer required then it must be anonymised or deleted in accordance with CMS’ policy.
All privacy notices will include information about the period for which Data Subjects’ Personal Data will be stored.
12. Third Party Disclosures
CMS keeps a register of all the third parties (companies and individuals) to whom it sends Personal Data. The register details the type of information sent, the reason why it is sent and how it is used, and the way in which it is transferred.
Personal Data may only be shared with third parties (such as service providers) if:
- that third party needs to know the Personal Data for the purposes of providing a contracted service;
- sharing the Personal Data complies with any privacy notice provided to the Data Subject (see section 8 above);
- that third party has agreed to comply with the required data security standards, policies and procedures and has put adequate measures in place;
- there is in place a written contract that contains data protection legislation compliant clauses; and
- (only if Personal Data is to be transferred outside of the EEA) applicable safeguards are in place (see the following paragraphs for more details).
Personal Data may only be shared with third parties if certain safeguards and contractual arrangements have been put in place. All third parties referred to above are required to sign a Data Sharing Agreement (or to have provided us with an appropriate contractual arrangement) which will ensure that they are handling any Personal Data in the correct manner and in compliance with the data protection legislation.
CMS must not provide Personal Data to any third party where this would involve the transfer, access, viewing or transmitting of Personal Data outside of the EEA unless one of the following conditions applies:
- the EU Commission has issued a decision that the country in question ensures an adequate level of protection for Data Subjects;
- appropriate safeguards are in place, which include standard contractual clauses approved by the EU Commission, binding corporate rules, an approved code of conduct or a certification mechanism;
- the Data Subject has provided their explicit consent to the transfer (see section 7); or
- the transfer is necessary for one of the other reasons set out in the data protection legislation, which include the performance of a contract between CMS and the Data Subject, reasons of public interest, to establish, exercise or defend legal claims, to protect the vital interests of the Data Subject and, in some other limited cases, for CMS’s legitimate interest.
In addition to the above, Personal Data may be disclosed to third parties:
- in the event of a sale or purchase of any business or assets owned by CMS, in which case Personal Data may be disclosed to the prospective seller or buyer of such business or assets; or
- if CMS or substantially all of its assets are acquired by a third party, in which case the Personal Data it holds will be one of the transferred assets.
CMS may also disclose Personal Data if it is under a duty to disclose or share Personal Data in order to comply with any legal obligation.
13. Data Subject’s rights in respect of Personal Data
Data Subjects have rights in respect of the Personal Data held and processed by CMS. These rights include:
- requesting access to the Personal Data held about them (see below for more details);
- withdrawing their consent to processing;
- receiving certain information about processing activities;
- preventing use of Personal Data for direct marketing purposes;
- requesting erasure of Personal Data if it is no longer necessary, and requesting rectification of inaccurate Personal Data or completion of incomplete Personal Data;
- requesting that processing be restricted in specific circumstances;
- challenging processing where the lawful purpose has been stated to be the legitimate interests of CMS;
- requesting a copy of any agreement under which Personal Data is transferred outside of the EEA;
- preventing processing that is likely to cause damage or distress to the Data Subject or somebody else;
- being notified of a Personal Data Breach where it is likely to result in a high risk to the rights and freedoms of Data Subjects; or
- making a complaint to the relevant data protection regulator (in the UK this is the Information Commissioner’s Office).
Any request to exercise a Data Subject’s rights should immediately be passed to the data protection manager (see section 3 above).
In relation to a request for access to Personal Data, a CMS employee processing the Personal Data will need to meet CMS’s obligations by making the requested Personal Data available to the Data Subject in line with the data protection legislation, without undue delay and, at the latest, within one month of receipt of the request.
14. Record Keeping
Data protection legislation requires CMS to keep details of its processing activities.
Records should include as a minimum: the name and contact details of the Data Controller and the relevant data protection manager; clear descriptions of the types of Personal Data; categories of Data Subjects; processing activities; the lawful purpose for processing; third party transfers; storage locations; retention periods and descriptions of the security measures in place.
15. CCTV
The following paragraphs set out CMS’ policy in relation to CCTV, although other paragraphs of this policy will also be relevant to the personal data captured by any CCTV (such as section 5 relating to data security).
CMS believes that CCTV and other surveillance systems have a legitimate role to play in helping to maintain a safe and secure environment for all staff and visitors. However, we recognise that this may raise concerns about the effect on individuals and their privacy.
CMS currently uses CCTV cameras to view and record events and individuals in or around our premises.
CMS recognises that images of individuals recorded by CCTV cameras in the workplace are Personal Data and therefore subject to data protection legislation.
We have set out in our privacy notices the reasons for which we use CCTV and the lawful reason on which we are relying to do so. The reasons we use CCTV include ensuring that the buildings and stock are safe and secure and that those on the premises are behaving in a safe and responsible manner.
CCTV monitors parts of the exterior of the building. Generally the cameras are in operation 24 hours a day and this data is continuously recorded. Camera locations are chosen to minimise viewing of spaces not relevant to the legitimate purpose of the monitoring. As far as practically possible, CCTV cameras will not focus on private homes, gardens or other areas of private property. Surveillance systems will not be used to record sound.
Images may be accessed and monitored by authorised personnel every day of the year.
Where CCTV cameras are placed in the workplace, we will ensure that signs are displayed at the entrance of the surveillance zone to alert individuals that their image may be recorded. Such signs will contain details of the organisation operating the system, the purpose for using the surveillance system and who to contact for further information, where these things are not obvious to those being monitored.
Prior to introducing any new surveillance system, including placing a new CCTV camera in any workplace location, we will carefully consider if they are appropriate by carrying out a Data Protection Impact Assessment.
Covert Monitoring
We will never engage in covert monitoring or surveillance (that is, where individuals are unaware that the monitoring or surveillance is taking place) unless, in highly exceptional circumstances, there are reasonable grounds to suspect that criminal activity or extremely serious malpractice is taking place and, after suitable consideration, we reasonably believe there is no less intrusive way to tackle the issue.
In the unlikely event that covert monitoring is considered to be justified, it will only be carried out with the express authorisation of the Managing Director or Chief Executive Officer. The decision to carry out covert monitoring will be fully documented and will include a Data Protection Impact Assessment and will set out how the decision to use covert means was reached and by whom. The risk of intrusion on innocent workers will always be a primary consideration in reaching any such decision.
Only limited numbers of people will be involved in any covert monitoring.
Covert monitoring will only be carried out for a limited and reasonable period of time consistent with the objectives of making the recording and will only relate to the specific suspected illegal or unauthorised activity.
Retention periods and Deletions
Data Subject | Records | Retention period | Notes
--- | --- | --- | ---
Unsuccessful candidates for roles | Job Application, CV and Interview Notes | 6 months after notifying candidates of the outcome of the recruitment process | 
Employee | Job Application, CV and Interview Notes | 7 years after leaving | 
Employee | Offer Letter and Starter Forms | 7 years after leaving | 
Employee | References | 7 years after leaving | 
Employee | Contract of Employment | 7 years after leaving | 
Employee | Employee Details (including DOB, NI number and Nationality) | 7 years after leaving | 
Employee | Employee Contact Details | 1 year after leaving | 
Employee | Next of Kin | 1 year after leaving | 
Employee | Bank Details | 2 months after leaving | 
Employee | Company Equipment issued | 6 months after leaving | 
Employee | Job Description | 7 years after leaving | 
Employee | Holiday Entitlement | 7 years after leaving | 
Employee | Job and Salary Details | 7 years after leaving | 
Employee | Bonus and Commission Details | 7 years after leaving | These must be kept for 3 years beginning with the day on which the pay reference period immediately following that to which they relate ends. However, given their potential relevance to pay disputes, they will be retained for 7 years after leaving.
Employee | Benefits (Life Assurance, PHI, Childcare etc.) | 7 years after leaving | These must be kept for 3 years after the end of the tax year to which they relate. However, given their potential relevance to pay disputes, they will be retained for 7 years after leaving.
Employee | Gender Pay Details | 1 year after leaving | 
Employee | Work Performance Statistics | 7 years | 