GDPR Data Protection and Data Security Policy

Statement and purpose of policy

Bower HR Consultancy (the Company) is committed to ensuring that all personal information handled by us is processed according to legally compliant standards of data protection and data security.

The purpose of this policy is to help us achieve our data protection and data security aims by:

  1. Setting out how the Company uses and protects any personal information that we may hold about individuals
  2. Ensuring our staff understand our rules and the legal standards for handling personal information relating to staff and others
  3. Clarifying the responsibilities and duties of staff in respect of data protection and data security

We may amend this policy at any time, at our discretion.


Responsibility for data protection and data security

Maintaining appropriate standards of data protection and data security is a collective task shared between the company and the staff. This policy and the rules contained in it apply to all staff of the company, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any volunteers (Staff).

Serena Bower, Proprietor, is appointed as the Data Protection Officer and has overall responsibility for ensuring that all personal information is handled in compliance with the law.

All Staff have a personal responsibility to ensure compliance with this policy, to handle all personal information consistently with the principles set out here and to ensure that measures are taken to protect data security. Managers have a special responsibility for leading by example and for monitoring and enforcing compliance.

Any breach of this policy will be taken seriously and may result in disciplinary action.

Personal information and activities covered by this policy

This policy covers personal information:

  1. Which relates to a living individual who can be identified either from that information alone or by reading it together with other information we possess
  2. Which is stored electronically or on paper in a filing system
  3. Which takes the form of statements of opinion as well as of fact
  4. Which relates to Staff (present, past or future) or to any other individual whose personal information we handle or control
  5. Which we obtain, hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy

Data protection principles

Staff whose work involves using personal data must comply with this policy and with the legal data protection principles which require that personal information is:

  1. Processed fairly and lawfully. We must always have a lawful basis to process personal information. Consent of the person to whom the information relates (the Subject) is one lawful basis, but not the only one: processing may also be justified by, for example, performance of a contract, compliance with a legal obligation or our legitimate interests. The Subject must be told who controls the information (us), the purpose(s) for which we are processing it and to whom it may be disclosed.
  2. Collected for specified, explicit and legitimate purposes. Personal information must not be collected for one purpose and then used for another. If we want to change the way we use personal information, we must first tell the Subject.
  3. Adequate, relevant and limited to what is necessary.
  4. Accurate and kept up to date. Regular checks must be made to correct or destroy inaccurate information.
  5. Kept for no longer than is necessary. Information must be destroyed or deleted when we no longer need it. For guidance on how long particular information should be kept, contact the Data Protection Officer.
  6. Processed in a manner that ensures appropriate security. See the section on data security below.

Data subjects’ rights

The company will process personal data in line with data subjects’ rights. Data subjects have the right to:

  1. Be informed. Subjects must be told the identity and contact details of the controller/processor, the purpose and legal basis for processing, how the data will be processed, how long it will be kept, which parties are involved in processing it and the privacy policy of the controller/processor.
  2. Access their data. There must be a Subject Access Request process so that Subjects may request a copy of their data.
  3. Rectify incorrect personal information. Subjects must have a facility to request that incorrect information is corrected.
  4. Be forgotten. Subjects may withdraw consent and ask for personal information to be erased. There are certain exemptions to this (e.g. information about employees that we must retain to meet our legal obligations).
  5. Have their data moved (data portability). Subjects can request that their data be moved elsewhere (e.g. to a competitor).
  6. Object. Subjects must be allowed to object to their personal information being processed. They must be able to opt out if their personal information is being processed on the basis of legitimate interests, the public interest or the exercise of official authority, for direct marketing, or for purposes of scientific/historical research and statistics.
  7. Restrict processing of their data. When processing is restricted, storage of the data is permitted, but further processing is not.
  8. Not be subject to automated decision making and profiling. Such processing must have the Subject's specific consent, be necessary for the performance of a contract or be authorised by law.

Data security

We must all protect personal information in our possession from being accessed, lost, deleted or damaged unlawfully or without proper authorisation, through the use of data security measures.

Maintaining data security means making sure that:


  1. Only people who are authorised to use the information can access it
  2. Information is accurate and suitable for the purpose for which it is processed
  3. Authorised persons can access information if they need it for authorised purposes. Personal information therefore should not be stored on individual computers but instead on our central systems

By law, we must use procedures and technology to secure personal information throughout the period that we hold or control it, from obtaining to destroying the information.

Personal information must not be transferred to any person to process (e.g. while performing services for us or on our behalf) unless that person has either agreed to comply with our data security procedures, or we are satisfied that other adequate measures exist.

Security procedures include:

  1. Physically securing information. Any desk or cupboard containing confidential information must be kept locked. Computers should be locked with a password or shut down when left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
  2. Controlling access to premises. Staff should report any person they do not recognise in an entry-controlled area.

Particular care must be taken by Staff who deal with telephone enquiries to avoid inappropriate disclosures. In particular:

  1. The identity of any telephone caller must be verified before any personal information is disclosed
  2. If the caller’s identity cannot be verified satisfactorily, they should be asked to put their enquiry in writing
  3. Do not allow callers to bully you into disclosing information. In case of any problems or uncertainty, contact the Data Protection Officer

Any personal data we control or process may be held in the following systems and locations, and we are satisfied that there are adequate data protection and data security measures in place:

  1. Email system – Microsoft Outlook
  2. Online banking – TSB
  3. Electronic files held – Dropbox

Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.

Personal data breaches

A personal data breach is defined as a security incident that has affected the confidentiality, integrity or availability of personal data. There will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

If a personal data breach has occurred, the Company will take immediate steps to contain it and assess the risk of potential adverse consequences for individuals. If there is a risk to people’s rights and freedoms, the breach will be reported to the ICO without undue delay and within 72 hours of our becoming aware of it. If there is a high risk to those concerned, they will be informed directly and without undue delay. Whether or not a breach is reportable, it will be investigated and recorded, and steps will be taken to prevent a recurrence.

Personal information we process and what we do with it

Staff

We collect personal information about Staff which:

  1. You provide, or we gather, before or during your employment or engagement with us
  2. Is provided by third parties, such as references or information from suppliers or another party that we do business with
  3. Is in the public domain

The types of personal information that we may collect, store and use about Staff include records relating to:

  1. Home address and contact details, as well as contact details for your next of kin
  2. Recruitment (including your application form or CV, any references received and details of your qualifications)
  3. Pay records, national insurance number and details of your taxes and any employment benefits such as pension and health insurance (including details of any claims made)
  4. Any sickness absence or medical information provided
  5. Telephone, email, internet, fax or instant messenger use
  6. Performance and any disciplinary matters, grievances, complaints or concerns in which you are involved

We will use information to carry out our business, to administer your employment or engagement and to deal with any problems or concerns you may have, including:

  1. Sickness records. To maintain a record of your sickness absence and copies of any doctor’s notes or other document supplied to us in connection with your health, to inform your colleagues and others that you are absent, as reasonably necessary to manage your absence, to deal with unacceptably high or suspicious sickness absence, to inform reviewers for appraisal purposes of your sickness absence level, to publish internally aggregated, anonymous details of sickness absence
  2. Monitoring IT systems. To monitor your use of email, the internet, telephone and fax, computers or other communications or IT systems
  3. Disciplinary, grievance or legal matters. In connection with any disciplinary, grievance, legal, regulatory or compliance matters or proceedings that may involve you
  4. Performance reviews. To carry out performance reviews

We confirm that the company is a Data Controller of the personal information in connection with your employment. This means that we determine the purposes for which, and the manner in which, your personal information is processed.

We will take reasonable steps to ensure that your personal information is kept secure, as described in this policy. In general, we will not disclose your personal information to others outside the Company. However, we may need to disclose personal information about Staff:

  1. For the administration of your employment and associated benefits, e.g. to the providers of our payroll, pension or insurance schemes
  2. To comply with our legal obligations, assist in a criminal investigation or seek legal or professional advice in relation to employment issues, which may involve disclosure to our lawyers, accountants or auditors and to legal and regulatory authorities, such as HM Revenue and Customs
  3. To other parties which provide products or services to us

Each year we will ask Staff to confirm in writing that their data may continue to be held as described above.

Clients (including domestic clients and corporate clients)

We collect personal information about clients which:

  1. You provide, or we gather, before or during your engagement with us
  2. Is provided by third parties, such as information from suppliers or another party that we do business with
  3. Is in the public domain

The types of personal information that we may collect, store and use about clients include records relating to:

  1. Name and job title
  2. Contact information including address, telephone number and email address
  3. Bank account details, sort code and account number
  4. Information about your employees (i.e. personal information relating to other individuals)

We will use information to carry out our business in order to provide you with the services of Bower HR Consultancy in line with the overall agreement between the company and you/your business. We will not collect any personal data from you we do not need in order to provide and administer this service to you.

We may also use your email address to send our newsletters to you, if you have requested us to.

We will take reasonable steps to ensure that your personal information is kept secure, as described in this policy. In general, we will not disclose your personal information to others outside the Company unless we have your permission or we are required by law to do so.

By providing your personal information to us, you consent to the use of your personal information in accordance with this policy.

Suppliers

We collect personal information about suppliers which:

  1. You provide, or we gather, before or during your engagement with us
  2. Is provided by third parties, such as information from other suppliers or another party that we do business with
  3. Is in the public domain

The types of personal information that we may collect, store and use about suppliers include records relating to:

  1. Name and job title
  2. Contact information including address, telephone number and email address
  3. Bank account details, sort code and account number

We will use information to carry out our business with you/your business such as contacting you to discuss your products and services, place orders with you and pay your invoices. We will not collect any personal data from you we do not need in order to carry out these transactions.

We may also use your email address to send our newsletters to you, if you have requested us to.

We will take reasonable steps to ensure that your personal information is kept secure, as described in this policy. In general, we will not disclose your personal information to others outside the Company unless we have your permission or we are required by law to do so.

By providing your personal information to us, you consent to the use of your personal information in accordance with this policy.

Other third parties (e.g. prospective clients, business contacts, networking associates)

We collect personal information about other third parties which:

  1. You provide, or we gather from you
  2. Is provided by third parties, such as information from other parties that we do business with
  3. Is in the public domain

The types of personal information that we may collect, store and use about other third parties include records relating to:

  1. Name and job title
  2. Contact information including address, telephone number and email address

We will use information to carry out business with you/your business such as contacting you to discuss your products and services. We will not collect any personal data from you if we do not need to do so.

We may also use your email address to send our newsletters to you, if you have requested us to.

We will take reasonable steps to ensure that your personal information is kept secure, as described in this policy. In general, we will not disclose your personal information to others outside the Company unless we have your permission or we are required by law to do so.

By providing your personal information to us, you consent to the use of your personal information in accordance with this policy.

Subject access requests 

By law, any Subject (including Staff) may make a formal request for information that we hold about them, by completing a Subject Access Request (SAR). If you would like a copy of the information we hold on you please write to us at Bower HR Consultancy, Marlborough House, 33 Park Street West, Luton, LU1 3BE.

If you believe that any information we are holding on you is incorrect or incomplete, or if you wish to have it deleted, please write to us at Bower HR Consultancy, Marlborough House, 33 Park Street West, Luton, LU1 3BE. We will correct any information found to be incorrect or delete it if requested.

In the case of staff we will only delete the information once the employment or engagement has ceased and it is no longer required to comply with our legal obligations, assist in a criminal investigation or for legal and regulatory authorities, such as HM Revenue and Customs.

Any member of Staff who receives such a request from a third party should forward it to the Data Protection Officer immediately.

Complaints

If any Subject wishes to raise a complaint on how we have handled their personal data, they can contact our Data Protection Officer who will investigate the matter. If they are not satisfied with the response or believe we are not processing their personal data in accordance with the law they can complain to the Information Commissioner’s Office (ICO). Our Data Protection Officer is Serena Bower and she can be contacted at serena@bowerhr.co.uk.


Date Issued: May 2018
Review Date: May 2021