Data Protection Policy
Any one who obtains personal information (“data”) about other individuals is a ‘data controller’ and is thus regulated by the Data Protection Act 1998. The Act controls what can lawfully be done with information.
It also gives individuals certain rights to control how information about them is obtained, used, stored and distributed. These rights include the right to find out what information a data controller has about them, and ask for copies of data.
We are necessarily a data controller in relation to all the information that we obtain about you as part of the process of providing you with employment.
In order to manage our business we keep records about our employees that necessarily include the following information:
• Name
• Date of birth
• Sex
• Address
• Next of kin
• Sickness record
• Disciplinary record
• CV
• References
• Qualifications
• Rate of pay
• Bank details
• Performance record
• Appraisals
• Criminal records
It is a requirement under the Act that you consent to our processing data about you. Some data is referred to in the Act as "sensitive personal data". This means personal data consisting of information as to:
• the racial or ethnic origin of the data subject,
• his political opinions,
• his religious beliefs or other beliefs of a similar nature,
• whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
• his physical or mental health or condition,
• his sexual life,
• the commission or alleged commission by him of any offence, or
• any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
We require that you expressly consent in your contract of employment to our processing data including sensitive personal data about you. Without this consent it is not necessarily lawful for us to process data in order to keep the records about your employment necessary for us to meet the needs of running our business.
Below is a summary of the legal obligations imposed upon us and the rights that you have under the Data Protection Act 1998 together with our policies about those rights and obligations. The Act contains transition periods under which its terms become fully effective over a period of years, however our policy assumes that the Act is fully in force.
Our Obligations
The principles for processing of personal data are that data must be:
1. Fairly and lawfully processed;
2. Processed for limited purposes;
3. Adequate, relevant and not excessive;
4. Accurate;
5. Not kept longer than necessary;
6. Processed in accordance with the data subject's rights;
7. Secure;
8. Not transferred to countries without adequate protection.
We are committed to following these principles and that is why your consent has been obtained so that all our data processing in relation to data of which you are the subject is lawful.
We will process data about you only so far as is necessary for the purpose of managing our business. Data will not be disclosed to anyone else other than our authorised employees, agents, contractors or advisors (except as required by law) unless you expressly authorise its disclosure. We will only obtain data about you that we require for the purpose of managing our business and dealing with you as an employee of that business.
We will take all reasonable steps to ensure that the data we process is accurate. Data will be retained as necessary during the course of your employment and records will be retained for up to six years after the data that you leave the employment in case legal proceedings arise during that period. Data will only be retained for a period of longer than six years if it is material to legal proceedings or should otherwise be retained in our interests after that period.
We will process data in accordance with your rights under the Act.
Data will be kept in a secure system whether manual or computerised to the best of our ability at all times.
The Act prohibits the transfer of data outside the European Economic area to countries that do not have similar protection of data except in some circumstances or with the subject’s consent. You have given us your consent to such transfers should they be necessary under your contract of employment. The reason for this is that with the use of the Internet and email data can be transferred to a computer or server in such a country in the course of a transfer between parties within the European Economic area. Also we may have offices or subsidiary companies or agents or contractors in such countries now or in the future and therefore transfers of data could be necessary as part of the management of our business and the performance of your contract of employment.
Your Rights under the Act
The Act gives you the following rights as a data subject:
1. Access to data
• To be told whether personal data on you is being processed by requesting this in writing and paying a fee currently not to exceed £10.00.
• To be given a description of the data and its recipients and to have a copy of the data within 40 days of the request. Confidential references given by the employer are excluded from disclosure (but not necessarily references given to the employer). The data subject is entitled to know the source of the data.
• The copy should be intelligible and in a permanent form unless to provide it in this form is impossible or would involve disproportionate effort or you agree to accept a non-permanent ‘copy’.
• If the data controller has previously complied with a request from you then no duty to comply with the request arises until a “reasonable interval” has elapsed between the two. Just what will constitute a “reasonable interval” will depend on the nature of the data, why it is processed and the frequency with which it alters.
• To be informed about the logic used to make automated decisions using the data. For example some employers will scan CV’s submitted for certain information in order to select candidates for further consideration and this right would entitle the candidate to know what the criteria used was unless this would necessitate divulgence of a trade secret.
• The request for access to data must be made in writing if the data controller so requires. The Data controller may also require payment of a fee not exceeding the statutory maximum which is currently £10.00.The data subject must provide the data controller with any information reasonably requested to enable the data controller to be satisfied as to the data subject’s identity and in order to locate the information.
• Where disclosure of data would necessarily mean that information relating to a third party would be disclosed the data controller may refuse to disclose it unless the third party consents or it is reasonable to disclose the information without such consent.
2. Rectification of data
You can apply to a court for an order that the data controller rectify, block, erase or destroy inaccurate data and where the court considers it reasonably practicable to do so inform third parties to whom the data has been disclosed of the fact
3. Compensation
Should you suffer damage as a result of the failure of a data controller to comply with the Act then you may be awarded compensation. Where a data subject suffers distress in certain types of case there may also be an award of compensation for distress as well as damage.
It is a defence in any claim for compensation that the data controller used such care as was reasonably required in all the circumstances to comply with the Act.
4. Information
The Act provides that Data will not be fairly processed unless the data controller ensures that as far as reasonably practicable the data subject has or has ready access to:
• The identity of the data controller
• Any representative of the data controller
• The purpose(s) for which the data is intended to be processed
• Any other information necessary to enable the processing to be fair
We have incorporated this information in of your contract of employment or otherwise given you a notice containing this information (including this policy).
However any data subject whose employer has not notified the Office of the Information Controller that he is a data controller and had these details entered in the public register is entitled to be given (within 21 days of making a written request) “relevant particulars” which are:
• The data controller’s name and address
• The name and address of any representative of the data controller
• a description of the personal data being or to be processed and the category of data subjects to which they relate
• a description of the intended purpose of the processing
• a description of the intended recipients of the data
• a list of the countries outside the European Economic area that will or may be in receipt of the data from the data controller
5. Direct Marketing
A data subject has the right to require in writing that the data controller within a reasonable time cease or not begin processing data of which he is the subject for the purpose of direct marketing. Failure to comply by the data controller can lead to a court order that he does so.
6. Right to stop data processing
A data subject has the right to require that a data controller cease or not begin data processing where the processing is causing or likely to cause unwarranted and substantial damage or unwarranted and substantial distress to the data subject or another by giving notice in writing specifying why the data processing is or will be the cause of distress or damage and the purpose and manner of processing to which objection is made. The data controller then has 21 days to respond with a written notice stating either that he has or intends to comply with the request or why he regards the notice as unjustified and the extent to which he has or intends to comply with it. The data subject can make an application to the court if the data controller will not comply. However where the data subject has consented to the data processing or it is necessary for the performance of a contract to which he is a party he requests it with a view to entering a contract or the data controller has a non contractual legal obligation which requires him to carry it out, the data subject has no right under this section to stop the data processing.
Our Policy on access to data
1. We will appoint a data protection compliance officer.
2. A request for access to any personal data that relates to you should be made by a written request using our Data Access Request form which may be obtained from us or after you have left employment by request to the data protection compliance officer at head office. While you remain in our employ no fee is payable but after you have ceased to be employed a fee of £10.00 or such higher amount as permitted by law from time to time must be paid before access can be granted. The completed form must be returned to the data protection compliance officer with the fee if applicable.
3. On receipt of a request it is our policy to provide copies of all data that we are obliged to disclose within 40 days of receipt of your request being received by the data protection compliance officer at head office.
4. We consider that if a period of less than one year has elapsed since any previous request for access to data was complied with it is not reasonable to expect us to be obliged to comply with a further request before a year has elapsed unless there are exceptional circumstances.
5. Should you wish to bring any inaccuracy in disclosed data to our attention you must do so in writing. In appropriate circumstances you may find that arranging an appointment to hand us your written notification of any inaccurate data is preferable.
6. It is our policy to ensure that all data is as accurate as possible and all necessary steps to ensure that this is the case and to rectify any inaccuracies will be taken.
Where we have requested a reference in confidence from a referee and that reference has been given on terms that it is confidential and that the person giving it wishes that it should not to be disclosed to you it is our policy that it would normally be unreasonable to disclose such a reference to you unless the consent of the person who gave the reference is obtained.
