Data Protection Policy & Procedures - The Window Company Ltd
Our data protection policy sets out our commitment to protecting personal data and how we implement that commitment with regards to the collection and use of personal data.
We are committed to:
• ensuring that we comply with the eight data protection principles, as listed below
• meeting our legal obligations as laid down by the Data Protection Act 1998
• ensuring that data is collected and used fairly and lawfully
• processing personal data only in order to meet our operational needs or fulfil legal requirements
• taking steps to ensure that personal data is up to date and accurate
• establishing appropriate retention periods for personal data
• ensuring that data subjects' rights can be appropriately exercised
• providing adequate security measures to protect personal data
• ensuring that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues
• ensuring that all staff are made aware of good practice in data protection
• providing adequate training for all staff responsible for personal data
• ensuring that everyone handling personal data knows where to find further guidance
• ensuring that queries about data protection, internal and external to the organisation, is dealt with effectively and promptly
• regularly reviewing data protection procedures and guidelines within the organisation.
Data Protection Principles
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
7. Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
When staff are required to collect personal data they must adhere to the requirements of this policy.
All staff must ensure that any personal information which they hold is kept securely and that they take appropriate security precautions by seeking to ensure the following:
• Source documents kept in a lockable cabinet or drawer or room;
• Computerised data is password protected;
• Data kept on discs or data storage devices are stored securely and encrypted;
• Ensure individual passwords are kept confidential and are not disclosed to other personnel enabling log-in under another individual’s personal username and password.
• Logged on PCs are not left unattended where data is visible on screen to unauthorised personnel.
• Screensavers are used at all times;
• Paper-based records must never be left where unauthorised personnel can read or gain access to them.
• When manual records are no longer required, they should be shredded or bagged and disposed of securely and the hard drives of redundant PCs should be wiped clean. Off-site use of personal data presents a greater risk of loss, theft or damage and the company and personal liability that may accrue from the off-site use of personal data is similarly increased. For these reasons staff should:
• only take personal data off-site when absolutely necessary and for the shortest possible time;
• take particular care that when laptops or other devices including mobile phones are used to process personal data at home or in locations outside of the Company, they are kept secure at all times.
Rights of Individuals
Under the Act, an individual has the following rights:
i. To request access to information held about them, the purpose for which the information is being used and those to whom it is, has or can be disclosed to;
ii. To prevent data processing that is likely to cause distress or damage;
iii. To prevent data processing for direct marketing reasons;
iv. To be informed about the reasons behind any automatic decision made;
v. To seek compensation if they suffer damage as a result of any breach of the Act by the Data Controller;
vi. To take action to stop the use of, rectify, erase, or dispose of inaccurate information;
vii. To ask the Information Commissioner to assess if any Personal Data processing has not been followed in accordance with the Act.
Access to Personal Data
Subject to exemptions, the Act gives any individual who has personal data kept about them by the Company the right to request in writing a copy of the information held relating to the individual in electronic format and also in some manual filling systems. Any person who wants to exercise this right should in the first instance make a written request to the Company.
After receipt of a written request and any information needed as proof of identity of the person making the request, the Company will ensure that the individual receives access within 1 Month, unless there is a valid reason for delay or an exemption is applicable.
The Act does not prevent an individual making a subject access request via a third party, including by a solicitor acting on behalf of a client. In these cases and prior to the disclosure of any personal information, the Company would need to be satisfied that the third party making the request is entitled to act on behalf of the individual and would require evidence of this entitlement.
Whilst the Act does not limit the number of subject access requests an individual can make to any organisation, the Company is not obliged to comply with an identical or similar request to one already dealt with, unless a reasonable interval has elapsed between the first request and any subsequent ones.
Overall responsibility for the policy implementation rests with the Board. However, all staff are obliged to adhere to, support and implement this policy.
The Window Company Ltd requires all staff to be vigilant and exercise caution when asked to provide personal data held on another individual. In particular, they must ensure that requests for personal information which they are concerned about being improper should be directed to the Data Protection Representative and under no circumstances should personal information be disclosed either orally or in writing to any external person, which includes family members and friends without the express prior consent of the relevant individual or the Data Protection Representative.
Accuracy of Data
Staff are responsible for:
i) ensuring that any information they provide to the Company relating to their employment is accurate and up to date;
ii) informing the Company of any information changes, eg. change of address; and
Retention and Disposal of Data
The Company is not permitted to keep personal information of staff for longer than is required for its purpose or is required by law.
Personal and confidential information will be disposed of by means that protect the rights of those individuals ie. shredding, disposal of confidential waste, secure electronic deletion.
The Company is dedicated to being compliant with the Act. Any member of staff or a student wishing to report concerns relating to the Act should, in the first instance, contact the Data Protection Representative who will aim to resolve any issue or will refer to the Board of Directors or if necessary the Information Commissioner’s Office.
Data Protection Representative: Kate Portsmouth firstname.lastname@example.org
For more information and advice on data protection contact:
Information Commissioner’s Office
Published 24th May 2018.