Statement of Intent
W. H. Davis Ltd is required to process and retain certain information about its staff members and business contacts in accordance with its legal obligation under the General Data Protection Regulation (GDPR).
W. H. Davis Ltd may, from time to time, be required to share personal information about its staff members and business contacts with other organisations such as local authorities and government agencies.
This policy is in place to ensure all staff members and business contacts are aware of their responsibilities and outlines how W. H. Davis Ltd complies with the following core principles of the GDPR.
Organisational methods for keeping data secure are imperative at W. H. Davis Ltd. We believe that it is good practice to keep clear practical policies that treat personal data with the utmost care and respect.
This policy complies with the requirements set out in the GDPR, which will come into effect on 25th May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
1. Legislation and Supporting Company Policies
1.1. W.H. Davis Ltd. has an obligation to abide by all relevant UK legislation and European legislation. The relevant acts, which apply in UK law to privacy and personal data, include but are not limited to:
· The General Data Protection Regulation (GDPR)
· The Data Protection Act (1988/2003)
· European Communities Data Protection Regulations, (2016)
· European Communities (Data Protection and Privacy in Telecommunications)
· Data Protection EU Directive 95/46/EC
· Criminal Damages Act (1991)
· The Freedom of Information Act 2000
· The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulation 2004
· Health and Safety at Work Act 1974
1.2. This Policy will be supported by the following company policies currently in operation:
· Information Technology Cyber Security Policy
· Information Breach Management Policy
1.3. This policy will also have regard to the following guidance:
· Information Commissioner’s Office (2017) ‘Overview of the General Data Protection Regulation (GDPR)’
· Information Commissioner’s Office (2017) ‘Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now’.
2. What is Personal Data and Special Category Data
2.1. For the purpose of this policy, personal data refers to information relating to any identified or identifiable living individual, in particular by reference to a name, an ID number, location data or an online identifier. The GDPR also defines a subcategory of personal data, known as ‘special category’ data, which covers sensitive information.
2.2. Special category data includes, but is not limited to, racial or ethnic origin, physical or mental health or condition, and religious beliefs or beliefs of a similar nature. Such data may be collected by W H Davis where there is a lawful basis and condition for doing so.
3. Data Protection Principles
3.1. In accordance with the requirements outlined in the GDPR, personal data will be:
· Processed lawfully, fairly and in a transparent manner in relation to individuals.
· Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
· Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
· Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
· Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
· Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3.2. The GDPR also requires that “the controller shall be responsible for, and be able to demonstrate compliance with” these principles.
4. Accountability and Governance
4.1. W. H. Davis Ltd will implement appropriate technical and organisational measures to demonstrate that personal data is processed in line with the principles set out in the GDPR.
4.2. W. H. Davis Ltd will provide clear, comprehensive and transparent privacy policies both on the company website as well as on request.
4.3. The secure storage of internal records of personal data that W. H. Davis Ltd is required to process will be overseen and monitored by the responsible data controller, as outlined in the data audit. All physical records will be stored securely when not in use, and electronic records will be stored on W. H. Davis Ltd’s secure server, which is backed up off-site regularly.
4.4. Records of activities relating to higher-risk processing will be maintained, such as the processing of special category data or data relating to criminal convictions and offences.
4.5. W H Davis Ltd will implement measures that meet the principles of data protection by design and data protection by default such as:
· Data minimisation
· Continuously improving security features
5. Lawful Processing
5.1. The legal basis for processing data will be disclosed prior to processing taking place.
5.2. Under the GDPR, ordinary personal data will be lawfully processed under the following conditions:
· Consent of the data subject has been obtained for a specified purpose(s).
· Necessary for legitimate business interests, including commercial benefit, provided it is not overridden by the negative effects on the rights and freedoms of the data subject. For example, W. H. Davis Ltd has a legitimate business interest in securely storing business contacts, both for customers and suppliers, in order to provide and acquire goods and services and to maintain a business relationship.
· For the performance of a contract with the data subject or to take steps to enter into a contract at the request of the data subject.
· Protecting the vital interests of a data subject or another person.
· Necessary for compliance with a legal obligation.
5.3. Under the GDPR, as well as the conditions stated in 5.2., special category personal data will be lawfully processed under the following conditions:
· Explicit consent of the data subject has been obtained for a specified purpose(s).
· Processing relates to personal data which has manifestly been made public by the data subject.
· Necessary to exercise or perform a legal right or obligation under employment law.
· Protecting the vital interests of a data subject or another person where the data subject is physically or legally incapable of giving consent.
· Necessary for occupational medicine or assessing the working capacity of an employee.
· Necessary for purposes of establishing, exercising or defending legal claims.
· Necessary for reasons of substantial public interest.
6. Consent
6.1. Under the GDPR, consent must be a positive indication. It cannot be inferred from silence, inactivity or pre-ticked boxes.
6.2. Consent can be withdrawn by a data subject at any time.
6.3. Consent will only be accepted when it is freely given, specific, informed and an unambiguous indication of the data subject’s wishes.
6.4. Where consent is given, a record documenting when and how consent was given will be kept in a secure filing system and backed up on W H Davis Ltd’s secure server.
6.5. W H Davis Ltd will ensure consent mechanisms meet the standard of the GDPR. Where the required standard of consent cannot be obtained an alternative legal basis stated in 5.2. must be identified, or processing will cease.
7. Personal Data Breach Policy
7.1. ‘Personal Data breach’ refers to a breach of security which has led to the loss, destruction, alteration, unauthorised disclosure of, or access to, personal data.
7.2. W H Davis will ensure all staff members are made aware of, and understand, what constitutes a data breach as part of continuous training.
7.3. In the event of a personal data breach taking place, the ‘breach management plan’ stated in the ‘Information breach management policy’ will be followed.
7.4. In addition to 7.3., the relevant supervisory authority will be informed of the breach within 72 hours of the company becoming aware of the event.
7.5. In the event that a breach is likely to result in a high risk to the rights and freedoms of data subjects, the company will notify those concerned directly.
7.6. The ‘high risk’ threshold for notifying data subjects is higher than the threshold for notifying the relevant supervisory authority.
7.7. Failure to report a breach when required to do so may result in disciplinary action being taken.
8. Personal Data Security Measures
8.1. All paper documentation containing identifiable personal data will be stored securely, with restricted access when not in use.
8.2. Paper documentation containing personal data will not be left unattended or in clear view in any area with general access.
8.3. Electronic records of personal data are stored on a secure server.
9. Policy Review
9.1. This policy will be reviewed and updated annually or more frequently if necessary, to ensure that any changes to the W.H. Davis Ltd. organisation structure and business practices are properly reflected in the policy.