This policy document applies to your employment at Westville (“the Organisation”) and all other Organisation sites that you may be asked to work at from time to time.
1. Your Individual Rights
The Organisation complies with the General Data Protection Regulation (GDPR) and all the Articles of the Regulation. This means:
The right to be informed – this policy details the information to be collected and how it will be processed and used. Your data and personal information will be fairly and lawfully processed.
The right of access – you are entitled to confirm that your data is being processed. You also have the right to see your personal data.
The right to rectification – you are entitled to have any inaccurate or incomplete personal data corrected. Where possible, any third parties that have access to such data should be informed by the Organisation of any subsequent correction or addition.
The right to erasure – also known as the “right to be forgotten.” You are entitled to have your data erased and to prevent any further processing where:
- The use of your personal data is no longer necessary
- Where you withdraw your consent
- Where you object to the processing and no overriding legitimate interest exists
- Your data was unlawfully processed
- Your data has to be erased to comply with a legal obligation or court order
The right to restrict processing – you have the right to block further data processing in the following circumstances:
- Where you contest the accuracy of the data
- Where you have objected to processing, but a legitimate public interest may exist
- Where processing was unlawful, but you have requested restriction, not erasure
- Where the Organisation no longer needs the data, but you require it to establish, exercise or defend a legal claim (this can include an employment-related claim)
In this situation, the Organisation will continue to hold your data, but cease to process it further. The Organisation will continue to hold such data as is necessary to respect your request to prevent further processing.
The right to data portability – you have the right to request that electronic personal data provided by you to the Organisation be provided by the Organisation back to you in an open format (and free of charge) that allows such data to be readily transferred back to you or a third party. This can only be personal data related to you, and not any data related to another party or employee.
The right to object – you have the right to object to any personal data used:
- As part of the performance of a task within the Organisation or where done in a legitimate public interest or in the exercise of an official duty.
- In direct marketing, including profiling.
- Any processing for scientific or historical research and statistical analysis.
Rights in relation to automated decision-making and profiling – you have the right not to be subject to a decision based upon an automated process where that decision has a significant (including legal) effect on you. In this situation you are entitled to human intervention in the decision, to express your views and receive an explanation of the decision and have the right to challenge the decision. The exceptions to this are where the process is necessary:
- Where the process is needed to enter into a contract with the Organisation
- Where authorised by law, for example, to prevent fraud or tax evasion
- Where you have already given your explicit consent under Article 9 (2) of the GDPR.
2. GDPR Data Protection Principles
Under Article 5 of the GDPR the Organisation will comply with the following principles to ensure your personal data will be:
- Processed for limited purposes and not in any way incompatible with those purposes
- Adequate, relevant and will not be excessive
- Not kept for longer than necessary
- Processed in accordance with your individual rights
- Not transferred to countries without adequate data protection
3. Your Explicit Agreement & Consent
- As part of your employment within the Organisation, the Organisation will seek your explicit consent to the collection and storage of your personal data under the General Data Protection Regulation (GDPR) in accordance with Article 6 (a) of the GDPR.
- Furthermore, the Organisation also relies upon Article 6 (b) of the General Data Protection Regulation (GDPR) – due to the contractual relationship between you and the Organisation by virtue of your employment within the Organisation, and under Article 6 (c) of the General Data Protection Regulation (GDPR) – due to the Organisation’s legal obligations to collect and process your employment data.
- All employees should read this Policy and the attached Data Consent Letter and complete the attached Data Consent Letter and submit it to the Organisation on or before 25th May 2018.
4. Your Personal Data
- The Organisation only holds personal data directly relevant to your employment. This data is collected as and when required, from your first employment application form and throughout your continuing employment within the Organisation. Such information includes, but is not limited to:
i) Third-party employment references
ii) Employment reports or assessments, including performance reviews
iii) Disciplinary details, including informal or formal warnings
iv) Grievance procedures and outcomes
v) Salary reviews, benefits records and expenses claims
vi) Health Records
vii) Where required for your role within the Organisation, the Organisation may conduct enhanced criminal records checks under the Disclosure & Barring Service (DBS).
- This information is only collected to assist our personnel department in the smooth running of the Organisation and to ensure that the Organisation complies with other statutory responsibilities such as equal opportunities employment.
- Your personal data may be disclosed within the Organisation to those within the personnel department and management, including your immediate manager. Your personal data will not be disclosed to your peers or any other employees that do not require access to the data to carry out their roles within the Organisation.
5. Maintaining Records
The Organisation will take all reasonable steps to ensure that personal data held by the Organisation is accurate and kept up to date. To ensure accuracy, the Organisation will ask employees every 12 months to check that their personal information held by the Organisation is correct. As an employee you should always contact the personnel department should your personal information change for any reason, for example, a change of surname, home address or telephone numbers. Information that is out of date or no longer required will be deleted by the Organisation once it is identified as such.
6. Sickness & Health Records
For day-to-day management, the Organisation needs to keep records relating to the personal sickness and health records of each employee. Such personal data will record any periods of sickness or health matters, detailing the length and nature of the issue and the outcome. These records will be used to assess the health and welfare of employees and to highlight any issues that may require further investigation. Such data will only be disclosed to management and will not be disclosed to fellow employees (except those employees within the personnel department who process such data). If for any reason you do not wish your health records to be kept, please contact [Insert manager’s name], [Insert manager’s position].
7. Data Security
- The Organisation is committed to the secure storage and where undertaken, the secure transmission of employees’ personal data. Only management and employees within the personnel department have access to such data. All such data is protected by physical security, such as locks, and technical security, such as usernames and passwords to access computer records and data. Such data is only disclosed on a “need to know” basis. To further ensure the security of such records the Organisation reserves the right to monitor and keep detailed log files and computer data analysis of all accesses to employees’ personal data. The Organisation also reserves the right to vet all employees who have access to such data in the course of their normal employment within the Organisation.
- If as an employee you have legitimate access to personal data and you pass or transmit the data within the Organisation to another party or parties who in turn have the right to see such data, the following rules apply:
1) If the data is transmitted by email, it must be sent in an encrypted form.
2) If the data is transmitted via a network, it must be done using a secure network. Wherever possible such data should not be sent via a wireless network where the risk of interception is greater.
3) Such data should not be kept within the email program on your PC after it has been sent or received. The data must be removed from the body of the email message or deleted from any temporary folders if sent as an attachment. Care should be taken at all times not to delete the original data source.
4) If the data is to be faxed ensure that the intended recipient knows in advance that the data is coming via fax and that they are standing by the fax machine to receive the data. Ensure that the fax number is correct. You should also confirm safe receipt of the data by the recipient.
5) If data is to be passed in hard copy form, it should be handed to the recipient personally. The recipient should ensure that the data is stored in a locked drawer or cabinet.
- Parties with legitimate access to such data should not use any third parties who do not have the authority to view the data to send or receive the data on their behalf.
- All employees are reminded that unauthorised attempts to gain access to such data or accessing such data are disciplinary offences and in certain situations may constitute gross misconduct leading to summary dismissal. Such breaches may also constitute a criminal offence under the General Data Protection Regulation (GDPR).
8. Data Breaches & Reporting
- Where the Organisation suspects that a data breach has occurred, the Organisation has a duty to report the breach to the Information Commissioner’s Office (ICO) within 72 hours of discovery of the breach.
- The Organisation has a duty to report a breach if the breach is likely to result in a risk to the rights and freedoms of the individual(s) concerned, and where not acted upon is likely to have a significant detrimental effect on the individual(s) concerned, for example the data accessed could result in identity theft, loss of confidentiality or other significant loss.
- Where any such breach is potentially of high risk to the individual(s) concerned, they too should be notified of the breach as soon as the Organisation discovers the breach.
- A data breach includes the destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, personal data.
9. External Data Processing
- Where the Organisation uses third parties to process data, provide services or administer schemes around such data, the Organisation will take all reasonable steps to ensure that such third parties have in place their own data protection policies.
- The Organisation will have in place and regularly review individual contracts with all third party data processors.
- The Organisation will not use any third party data processor that does not comply with the General Data Protection Regulation (GDPR) as a minimum standard.
10. Benefits Schemes
Where the Organisation provides additional benefits such as health insurance and pension schemes, the Organisation will not make use of data collected by third parties administering the schemes where such data is not required for the day-to-day operation of the Organisation. The Organisation will provide employees with details of the information to be collected by these third parties, and how it will be used. Furthermore, the Organisation will seek permission for the collection and use of this data prior to collection.
11. Equal Opportunities Monitoring
The Organisation may collect information relating to ethnic origin, sex or disability as part of an equal opportunities policy. The Organisation will ensure that any questionnaires relating to such information are accurate and that where possible the results will identify employment trends within the Organisation, and not identify individual employees.
12. Employee Reviews & Appraisals
The Organisation will only collect data required for the day-to-day operation of the Organisation.
13. Data Transfers Outside The European Economic Area
If the Organisation seeks to transfer data outside the European Economic Area, such data will only be transferred to countries deemed by the European Commission to provide adequate data protection. Furthermore, the Organisation will obtain the prior consent of all employees whose data is likely to be transferred.
14. Data Access & Disclosure
- All prospective, current or past employees have the right to request access to data directly relating to them, which is held by the Organisation. The Organisation will provide such information free of charge, subject to the right to charge for further requests where such requests are duplicated or excessive. The Organisation can request further information from the person making the request in order to provide accurate and relevant results and to check the identity of the person making the request. The Organisation seeks to provide such information within 30 days of receiving a request. The Organisation will provide the person making the request with the following information:
1) Whether the Organisation holds any information regarding them, and if so:
2) Descriptions of that information.
3) What it is used for.
4) The type of third party Organisations it is passed to.
5) A breakdown of any technical terms or codes.
- The information where reasonably possible will be provided in a hard copy or permanent electronic form.
The Organisation will not disclose details of confidential references where to do so would disclose the identity of the author or where it may cause harm or detriment to the author.
16. External Disclosure Requests
- Where employees receive external requests for the disclosure of data the following guidelines should be observed:
1) Verify the identity of the person requesting the information.
2) Be on the lookout for fraud or deception.
3) Seek a written request.
4) Check any telephone numbers where an oral request is received.
5) Inform a member of the management team if any request appears suspicious.
6) A member of the management team should also be contacted where the party requesting the data states that disclosure is required by law.
7) Remember that a duty is owed to the employee whose data is to be disclosed; seek their prior permission unless doing so would alert them to a criminal investigation.
8) If the disclosure of the data is non-routine, where possible provide the employee in question with a copy of the data disclosed. A record of all non-routine data disclosures should also be kept.
17. Other Disclosures
Where the Organisation wishes to disclose employee data for promotional, marketing or other business purposes (for example incorporated into an advertisement or brochure), the consent of the employee will be sought in advance. The employee should also be told where the data will be published and how widely. The employee has the right to refuse any such request.
18. Trade Unions
The Organisation will only provide data to trade unions where the trade union is recognised by the employer. The data will be limited to name, job description and job location. The Organisation will also give each employee a prior right to object to the disclosure. Where any such data is provided for collective bargaining the data will not identify individual employees.
19. Employee Monitoring
The Organisation will inform all employees where employee monitoring is introduced or increased. The Organisation will take reasonable steps to ensure that employees’ privacy and autonomy are preserved. The Organisation will take reasonable steps to ensure that specific details of personal conversations or correspondence are not accessed. However, the Organisation retains the right to monitor the actual use of Organisation resources by employees.
20. CCTV Monitoring
- The Organisation reserves the right to introduce or extend the use of CCTV within the Organisation’s premises for security purposes. Where this occurs, signs will be displayed on the premises to make it clear to staff and visitors that CCTV is being used.
- CCTV will only be used for monitoring activity on the Organisation’s own premises.
- Recorded images will be stored securely; only authorised Organisation employees and (where requested) the police will have access to them.
- Recorded images will only be retained for as long as necessary or where the police or courts require evidence.
- All CCTV equipment will be regularly inspected to ensure proper functioning.
21. Medical Testing
If the Organisation undertakes any form of medical testing of employees such testing will only be undertaken for clear health and safety reasons, for assessing an employee’s medical fitness for continued employment or to assess their entitlement to health benefits, such as sick pay. Prospective employees may be tested for similar reasons. The results of any testing required for a health or pension scheme shall not be given to the Organisation.
22. Retention of Employee Records
- The Organisation will retain employee records for the following periods:
1) Application Form: for the period of employment.
2) References: 1 year.
3) Payroll and tax information: 6 years.
4) Sickness records: 3 years.
5) Annual leave records: 2 years.
6) Unpaid/special leave records: 3 years.
7) Annual appraisal/assessments: 5 years.
8) Promotions: 1 year from end of employment.
9) Transfers: 1 year from end of employment.
10) Training: 1 year from end of employment.
11) Disciplinary matters: 1 year from end of employment.
12) References provided: 5 years from the date provided or the end of employment.
13) Summary of service: 10 years from end of employment.
14) Injury or accident at work: 12 years from end of employment.
- The Organisation will ensure the safe and secure disposal of employee records that are no longer required.
23. Criminal Liability
Knowingly or recklessly disclosing the personal data of others without the express consent of the Organisation can constitute a criminal offence.
24. Date of Implementation
This policy is effective from [Insert date] and shall not apply to any actions that occurred prior to this date.
If you have any questions regarding this policy document and how it applies to you, including how to request access to your personal data, please consult a member of the management team.
26. Data Protection Impact Assessments (DPIAs)
- The Organisation will carry out Data Protection Impact Assessments (DPIAs) where the Organisation intends to use new technologies, platforms or software and the processing of the data is likely to result in a potentially high risk to the rights and freedoms of individuals.
- Any DPIA should include the following:
1) A description of the new process and the purpose behind it.
2) Assessment of necessity and proportionality of the data processing.
3) Assessment of risks to individuals.
4) The measures and security in place to address and minimise any such risk.
- The person in charge of this Data Protection Policy will conduct any required DPIAs.
27. Data Protection Officer
Where required, the Organisation shall appoint the manager in charge of this Policy as the Organisation Data Protection Officer. This will be a board level post. Where the current Policy manager does not have the required seniority, the Organisation will either promote the manager to a board level post or appoint a current director to the post of Data Protection Officer. The current Data Protection Officer is Sean Stevenson – Managing Director.
28. Alteration of this Policy
This policy will be subject to review and may be revised, updated, altered or replaced from time to time to reflect the changing needs of the business and to comply with legislation. Any alterations will be communicated to you by a member of the management team.