Data Protection Policy
CONTENTS
1.0 Document Control
1.1 Document Details
1.2 Change History
1.3 Related Documents
1.4 Communication, Review and Maintenance
2.0 Document Purpose
3.0 Scope
4.0 Responsibilities
5.0 Policy statement
6.0 Governance and Accountability
6.1 Fair and lawful processing
6.2 Personal data quality
6.3 Subject Access Requests
6.4 Personal data storage and retention
6.5 Staff awareness
6.6 Information Handling
7.0 Audit
8.0 Compliance
Staff Records
1.0 DOCUMENT CONTROL
1.1 DOCUMENT DETAILS
Title: Data Protection Policy
Type: Policy
Revision Period: Annual
Owner: Melissa Wallbank / Function: Managing Director
Reviewed/authorised by: Phil Hindmarch / Function: Director
1.3 RELATED DOCUMENTS
This Policy is supported by a privacy notice and information security procedures. Both of these are available on request from our DPO – dpo@wilsonvale.co.uk
1.4 COMMUNICATION, REVIEW AND MAINTENANCE
This Policy is communicated to all staff as part of their induction and as part of the annual refresher programme. The Policy is held on the H/O filing system. Staff shall be informed of any changes to the Policy by their line manager. This Policy shall be made available to relevant interested parties as required.
This Policy shall be reviewed annually by the Policy Owner to ensure it remains fit for purpose and at other times as dictated by operational needs.
2.0 DOCUMENT PURPOSE
The purpose of this Policy is to ensure compliance with the General Data Protection Regulation (GDPR), in force since 2018, and to ensure that Wilson Vale discharges all of its legal obligations in this respect.
3.0 SCOPE
This policy applies to all activities for which Wilson Vale is the data controller and to all Wilson Vale staff (including permanent, temporary and contract staff). The term ‘personal data’ is defined as ‘information that relates to a living natural person who can be identified from the data’.
4.0 RESPONSIBILITIES
- This Data Protection Policy has been approved by, and has the full support of, the Board who are ultimately responsible for compliance with GDPR legislation.
- The Board have appointed a Data Protection Officer who has direct responsibility for maintaining this policy, the data protection system and providing advice and guidance on its implementation.
- All managers will be responsible for implementing the policy within their areas of responsibility.
- All staff will be provided with education and training and will be expected to comply with data protection legislation and adhere to the policies and procedures defined in the data protection system.
5.0 POLICY STATEMENT
It is the policy of Wilson Vale that personal data shall:
- Be processed fairly and lawfully and in a transparent manner
- Only be obtained for specified and lawful purposes and not be processed for any additional incompatible purposes
- Be adequate, relevant and limited to what is necessary for the purposes for which they are processed
- Be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay
- Be kept in a form which permits identification of data subjects for no longer than is necessary for the specified purposes
- Be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
- Not be transferred to a country or territory outside the EEA unless adequate safeguards are in place to protect the rights and freedoms of the data subject(s) in relation to their personal data.
6.0 GOVERNANCE AND ACCOUNTABILITY
Accountability is a consistent theme throughout data protection legislation. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.
Ultimately, it is the responsibility of Wilson Vale and all employees to minimise the risk of breaches and to protect personal data. All employees, whether permanent or temporary, must familiarise themselves with internal processes and procedures to ensure compliance with this policy.
To comply with the requirements of governance and accountability, Wilson Vale has:
- Implemented technical and organisational measures to ensure and demonstrate that we comply with requirements. This includes development and review of internal policies, employee training and internal audits of processing activities
- Produced a register of personal information, the purpose of processing, the lawful basis for processing and retention schedules
- Implemented measures that meet the principles of data protection by design and data protection by default. Measures we may use include:
– data minimisation
– pseudonymisation
– transparency
- Committed to a process of continuous improvement, under which we continuously assess our working practices to ensure that we comply with best practice
- Implemented a process of mandatory data protection impact assessments (DPIAs) whenever new business processes are introduced, new suppliers are engaged, new IT systems are specified or new technologies are introduced.
6.1 FAIR AND LAWFUL PROCESSING
The GDPR specifies the grounds (conditions) that can be used for lawful processing. Wilson Vale relies on the following.
Employees.
Wilson Vale processes employee personal data for the purposes of administration of employment and for managing our employees. We rely upon employment contracts or existing legal obligations (for example, employment legislation) to justify (legitimise) that processing. We also rely upon the ‘processing in the context of employment’ condition to justify the processing of special category (sensitive) personal data where we are required to do so (e.g. administration of sickness records, health and safety and occupational health). Where processing of special category personal data falls outside the employment contract, we always seek explicit consent.
Business to Business (B2B) Contacts.
Wilson Vale also processes personal data relating to our customers in the form of B2B contacts, for the purposes of promoting our own goods and services and for managing our accounts and records. We rely on the Legitimate Interests condition to justify this processing, but must not allow our business interests to override the rights of data subjects.
- When asking individuals to provide personal information, Wilson Vale shall be identified as the data controller and shall ensure that data subjects are fully informed about how their data will be used and who it will be shared with. Employees are provided with this information via the Employee Handbook.
- Wilson Vale will not use personal data for any purposes other than those advised to individuals directly
- Any photographs will need prior consent before use.
- Wilson Vale will obtain the explicit consent of the individual concerned for all processing of sensitive (special category) personal data, unless:
– The processing is carried out in connection with the individual’s employment, or potential employment, with Wilson Vale and for managing our employees.
– It is information relating to racial/ethnic origin, religion or disability that is being collected purely for monitoring equality of opportunity or treatment
– It is necessary for the provision of advice or support and the data subject cannot reasonably be expected to give explicit consent.
- Wilson Vale will require all third parties granted access to Wilson Vale personal data to formally agree that the personal data will not be used for any purpose other than in performance of the agreed services.
- Wilson Vale will not disclose personal data to third parties unless:
– Required to by law
– There is an information sharing agreement in place to ensure that any processing by the third party will be within the law and safeguard the rights of data subjects.
– It is necessary in order to fulfil a legitimate purpose that has been advised to the data subject.
6.2 PERSONAL DATA QUALITY
- All forms used to collect personal data shall only ask for information which is necessary to fulfil the purpose of the form
- It is the responsibility of the data subject to ensure the data is accurate and up to date.
- Changes in personal data relating to data subjects must be promptly and accurately updated on the appropriate computer system(s) and manual records
6.3 SUBJECT ACCESS REQUESTS
All employees must notify the DPO immediately if a data subject submits a request to receive a copy of the personal data held about them, to rectify the content of any data held about them, or for the deletion/redaction of any data held about them.
All requests must be received in writing and forwarded immediately to the DPO for fulfilment. Data subjects are entitled to receive copies of their personal data within one month of the request being received, and all functional departments are required to support the DPO in locating the personal data requested as a matter of urgency.
Existing employees may contact HR to request copies of specific items of personal data should they wish to do so. HR will continue to handle such requests as part of routine HR administration where they are able. This does not prevent existing or former employees from submitting a formal (written) subject access request (SAR).
Employees must not attempt to fulfil formal data subject requests unless they are authorised by the DPO and trained to do so.
Personal data will only be disclosed to the data subject when:
- The subject access request has been made in writing; a form will then be issued to, and completed by, the data subject.
- The eligibility and identity of the individual making the request has been verified.
In fulfilling a request:
- A written record of all requests will be created.
- All manual data in relevant filing systems will be reviewed and any personal data relating to third parties either removed, anonymised or consent for its disclosure obtained from the third party.
- Responses to subject access requests must include personal data processed by any relevant data processors.
- Data provided to an individual will be in a readable format such as PDF.
6.4 PERSONAL DATA STORAGE AND RETENTION
- Personal data that is processed in hard copy format shall be stored securely, with access restricted to authorised staff
- Personal data shall be retained in accordance with the periods detailed in Appendix A of this policy.
- Where a retention period is not specified in Appendix A, personal information will only be retained:
– For as long as it is necessary for the specified purpose
– As required by law or regulations binding on Wilson Vale
- Manual files relating to previous staff shall be purged of all non-essential information, which shall be securely destroyed, prior to the files being archived
- Wilson Vale will require all contracted third-party data processors to formally agree that personal data will not be retained for longer than is necessary for the purpose for which they are processing it.
6.5 STAFF AWARENESS
- Data protection training will be included in the staff induction process
- All new staff will receive data protection training relevant to their role as soon as possible after commencement of their employment
- All staff will receive data protection refresher training periodically
- Guidance material will be available to all staff who process personal data.
- Employees are reminded that:
– They must not access, use or disclose personal data relating to colleagues for their own purposes, however well intentioned.
– Recorded opinions about an individual must be based on fact or professional opinion and are disclosable to the individual.
– It is an offence to buy, or offer for sale, personal data without a legal basis for doing so.
– It is an offence to attempt to re-identify personal data that has been anonymised without the permission of the Data Controller, or to tamper with or destroy personal data that would otherwise be disclosed to the data subject under a subject access request.
6.6 INFORMATION HANDLING
- Any personal data sent by email will be password protected prior to sending, with the password communicated to the recipient separately from the email
- The use of USB sticks for storing or transporting personal data is strictly prohibited unless written authorisation has been issued by the DPO
- Any electronic data will only be retained in line with Appendix A
- Only authorised staff will have access to folders containing personal data, and only authorised staff will be able to manage that access
7.0 AUDIT
Wilson Vale’s Data Protection controls will be audited periodically, as appropriate, in order to ensure on-going compliance with data protection legislation and this Policy.
The policy will be reviewed regularly, at least on an annual basis, by the DPO. Any changes will be passed to the Board for approval.
8.0 COMPLIANCE
All breaches or suspected breaches of this policy will be investigated and, where proven, may result in disciplinary action up to and including dismissal for gross misconduct, and referral to law enforcement bodies where warranted.
Appendix A – Personal Data Retention
The following table shows the types of personal data that may be held, together with the retention period required by law or recommended by an appropriate body.
Record | Retention | Comment |
---|---|---|
Pre-employment health screening | 6 years after employment ceases | |
DBS check – certificate number only | 6 years after employment ceases | |
SMP & SSP records (incl. certificates and self-certification) | 3 years after end of related tax year | SMP Regulations; SSP Regulations |
Wage/salary records | 7 years plus current | Taxes Management Act |
Redundancy details/calculations | 6 years after redundancy | Institute of Personnel Directors recommendation |
Personnel records (incl. training and disciplinary) | 6 years after employment ceases | Institute of Personnel Directors recommendation |
Shortlists, interview notes, CVs and related application forms of shortlisted candidates | 6 months | Institute of Personnel Directors recommendation |
Application forms and CVs of non-shortlisted candidates | 3 months | Institute of Personnel Directors recommendation |