Advanced Hygienic Contracting Limited, as Data Controller, is committed to ensuring its compliance with the requirements of the law governing the management and storage of Personal Data (as defined below), which is set out in the UK’s Data Protection Act and the EU’s General Data Protection Regulation 2016 (“GDPR”).
We recognise the importance of Personal Data to our business and the importance of respecting the privacy rights of individuals. This Data Protection Policy (the Policy) sets out the principles which we will apply to our Processing (as defined below) of Personal Data so that we not only safeguard one of our most valuable assets, but also Process Personal Data in accordance with applicable laws.
Compliance with the GDPR is overseen by the UK data protection regulator, the Information Commissioner’s Office (“ICO”). Advanced Hygienic Contracting Limited is accountable to the ICO for its data protection compliance.
This Policy aims to protect and promote the data protection rights of individuals and of the business, by informing everyone working for the business of their data protection obligations and of the business procedures that must be followed in order to ensure compliance with GDPR. Information about individuals must be collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully.
This Policy covers all Personal Data and special categories of Personal Data, however Processed (on computers or manually).
This Policy and the Guidance (which is set out in the following pages) apply to all staff (including managers), consultants and any third party to whom this Policy has been communicated, as it is the responsibility of all to assist Advanced Hygienic Contracting Limited in complying with its obligations as Data Controller. All members of staff should familiarise themselves with both this Policy and the Guidance and apply their provisions in relation to any Processing of Personal Data. Failure to comply with the GDPR, the Policy and the Guidance could amount to misconduct, which is a disciplinary matter, and could ultimately lead to summary dismissal. Serious breaches could also result in personal criminal liability.
For these reasons, it is important that all employees familiarise themselves with this Policy and the Guidance and attend any training sessions in respect of the care and handling of Personal Data.
This Policy and the Guidance may be amended from time to time to reflect any changes in practice or legislation. Emma Blaker, who is the business’s Privacy Manager, is responsible for monitoring the business’s compliance with this Policy, and any queries as to data protection procedures or requirements should be directed to the Privacy Manager.
This Policy has been approved by the Directors of Advanced Hygienic Contracting Limited. It will be reviewed annually, or as and when a change in the data protection regime requires it to be updated.
This Guidance Note (“the Guidance”) forms part of the Data Protection Policy and provides supplementary information to enable staff to better understand and comply with the Data Protection Policy.
Advanced Hygienic Contracting Limited, as Data Controller, is required to comply with the GDPR in respect of its Processing of Personal Data (such as information about our customers, employees and suppliers). Compliance with data protection legislation is the responsibility of all members of the business who process personal information and it is therefore important for all staff to familiarise themselves with both the Data Protection Policy and this Guidance and act in accordance with their content.
Any day-to-day data protection issues or any questions about the Policy or the Guidance should be raised with the Privacy Manager.
The GDPR is intended to protect the rights and privacy of individuals and to ensure that data about them is not processed without their knowledge and, wherever possible, is processed with their consent. Whilst the GDPR covers Personal Data relating to individuals, you should bear in mind that if you handle personal details of, for example, officers of companies, this will still constitute Personal Data and therefore be subject to the GDPR’s requirements.
It should be noted that the business is authorised to process data for the purposes of staff administration, advertising and marketing, maintaining accounts and records, instructing third parties to process data on its behalf in relation to performing contractual obligations, receiving data from third parties in relation to performing contractual obligations, and operating the CCTV outside the office. Anyone who is Processing, or intends to Process, data for purposes not included in the business’s entitlements should seek advice from the Privacy Manager.
In this Guidance, the following definitions are used:
Consent is agreement which must be freely given, specific, informed and an unambiguous indication of the Data Subject’s wishes, by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.
Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes for which, and the manner in which, any Personal Data is processed. Data Controllers have a responsibility to establish practices and policies in line with the GDPR. Advanced Hygienic Contracting Limited is the Data Controller of all Personal Data used in our business.
Data Processor means any person who processes Personal Data on behalf of a Data Controller. Employees of Data Controllers are excluded from this definition, but it could include suppliers which handle Personal Data on our behalf.
Data Subjects (for the purpose of this Policy) include all living, identified or identifiable individuals about whom Advanced Hygienic Contracting Limited holds Personal Data. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their Personal Data. This includes, but is not limited to, staff, customers, suppliers and business contacts.
Personal Data means data (however held) relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal Data can be factual (such as a name, address, date of birth or telephone number) or it can be an opinion (such as a performance appraisal). It will include passport or driving licence details. It also includes information that identifies the physical, physiological, genetic, mental, economic, cultural or social identity of a person. For the business’s purposes, our customers are Data Subjects (other individual third parties that we hold Personal Data about are also likely to be Data Subjects).
Processing (or Process) is any activity that involves use of the Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation on or regarding the data including organising, accessing, amending, merging, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring or making available Personal Data to third parties.
Sensitive Personal Data includes information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive Personal Data can only be processed under strict conditions, and will usually require the express consent of the person concerned.
Additionally, Personal Data shall not be transferred to a country or territory outside the European Economic Area unless: (1) that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data; (2) appropriate, approved standard contractual clauses are in place; (3) the Data Subject has given explicit consent; or (4) the transfer is necessary for a reason set out in the GDPR. If this is envisaged, speak to the Privacy Manager for further guidance before transferring any data.
The business must be able to demonstrate its compliance with the above principles (‘accountability’).
In order to process all Personal Data in a manner that is compliant with GDPR, Advanced Hygienic Contracting Limited will:
To expand on the practical aspects of the principles:
The GDPR is intended not to prevent the Processing of Personal Data, but to ensure that it is done fairly and without adversely affecting the rights of the Data Subject. When establishing our instructions from customers, they are informed of the purpose for which data is to be processed by us and of the identities of anyone to whom it is envisaged that the data may be disclosed or transferred. If we ever need to process Personal Data for direct marketing to prospective customers, we will obtain opt-in Consent so that the customer/recipient can specify whether or not they want their Personal Data to be used for this purpose. See below under “Direct Marketing” for marketing to past or existing customers.
For Personal Data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the Data Subject has Consented to the Processing, that it is in connection with us delivering our services or products for the Data Subject or that the Processing is necessary for our legitimate interests, provided that processing for our legitimate interests does not adversely affect the interests or rights of Data Subjects. When Sensitive Personal Data is being Processed, more than one condition must be met. In most cases, the Data Subject’s explicit consent to the Processing of such data will be required.
A Data Subject provides Consent to Processing of their Personal Data if they clearly indicate agreement to the Processing either by a statement or positive action. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are unlikely to be sufficient. If Consent is given in a document which deals with other matters, then the Consent must be kept separate from those other matters.
Evidence of Consent and records of all Consents should be kept so that the business can demonstrate compliance with Consent requirements.
Specific Consent should be obtained to use Personal Data on the internet as such data could be accessed worldwide and the final data principle outlined above may be breached.
Personal Data may only be processed for the specific purposes notified to the Data Subject when the data was first collected or for any other purposes specifically permitted by the GDPR. This means that Personal Data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the Data Subject must be informed of the new purpose and Consent obtained before any Processing occurs.
Personal Data should only be collected to the extent that it is required for the specific purpose notified to the Data Subject. Any data which is not necessary for that purpose should not be collected in the first place. If you are in possession of excessive data, it should be immediately deleted or destroyed.
We must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the business’s data retention guidelines.
Personal Data must be accurate and kept up to date. Information which is incorrect or misleading is not accurate and therefore you should check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. Inaccurate or out of date data should be destroyed or updated as appropriate. You should notify the business’s Office Manager with regard to any of your own Personal Data which needs updating and you should also ensure that if any customer or third party provides updated personal information, the update is acted upon without delay.
Personal Data should not be kept longer than is necessary for the purpose, meaning that data should be destroyed or erased from our systems when it is no longer required. For guidance on how long certain data is to be kept before being destroyed, contact the Privacy Manager.
Data must be processed in line with Data Subjects’ rights. Data Subjects have a right to:
Confidentiality means that only people who are authorised to use the data can access it. All staff are responsible for ensuring that any Personal Data which they hold is kept securely and that it is not disclosed to an unauthorised third party.
Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed.
Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal Data should therefore be stored on our central computer system instead of on individual PCs.
Passwords. Computer passwords must be kept confidential.
Secure lockable desks and cupboards. These should be kept locked if they hold confidential information of any kind. Note that Personal Data is always considered confidential.
Methods of disposal. Paper documents containing Personal Data, once no longer needed, should be placed in the shredding bins and disposed of. Hard drives or any permitted memory sticks should be securely erased before disposal, and floppy disks and CD-ROMs should be physically destroyed when no longer required. Where any staff process Personal Data while working at home, for example, this Guidance and all it entails applies equally to such data.
Equipment. Staff should ensure that individual monitors do not show confidential information to passers-by or to any person to whom this Policy does not apply and that they lock or log off from their PC when it is left unattended.
Memory Sticks. If you need to write data (including Personal Data) to a memory stick, ensure that its content is password-protected where appropriate, and take all precautions as to the security and location of the memory stick at all times. Delete its content as soon as appropriate.
The GDPR requires us to keep full and accurate records of all our data Processing activities. We must keep and maintain accurate records reflecting our Processing including records of Data Subjects’ Consents and procedures for obtaining Consents. These records should include clear descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data’s retention period and a description of the security measures in place.
If you have any concerns about Processing Personal Data, please contact the Privacy Manager who will be happy to discuss matters with you.
The GDPR gives rights to individuals in respect of the Personal Data organisations hold about them. Everyone must be familiar with these rights and adhere to the business’s procedures to uphold these rights.
These rights include:
A formal request from a Data Subject for information that we hold about them need not be in any particular format, but it should specify the information that the Data Subject requires. If you receive a request for Personal Data and require guidance as to whether it is a “subject access request”, speak to the Privacy Manager. Advanced Hygienic Contracting Limited will require the Data Subject to provide evidence of their identity (so that we are not disclosing to a third party). Any member of staff who receives a written request should forward it immediately to the Privacy Manager, who will assist. A request sent by email or fax is as valid as one sent in hard copy. Requests may also be validly made by means of social media. Note that information requested under a subject access request may not be fully disclosable, as particular exemptions from disclosure may apply. Indeed, it may be that none of the information is disclosable. The Privacy Manager will advise as to what can be disclosed.
Advanced Hygienic Contracting Limited aims to comply with requests for access to personal information as quickly as possible, and, if we hold such information, will ensure that it is provided within one month of the request unless there is a proper reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.
We must ensure that Personal Data is not disclosed to unauthorised third parties which includes family members, friends, government bodies and, in certain circumstances, the Police. All staff should exercise caution when asked to disclose Personal Data on an individual to a third party. Speak to the Privacy Manager if in doubt.
Personal Data may be legitimately disclosed where one of the following conditions applies:
The GDPR contains some exemptions in respect of disclosures. If you are contacted by:
you must not confirm or deny whether or not we hold information about a Data Subject. If you receive a Production Order from the Police or an Order from a government department requiring information to be disclosed, contact the Privacy Manager.
Any member of staff dealing with telephone enquiries should be careful about disclosing any personal or confidential information held by us. In particular they should:
Every member of staff that holds information about identifiable living individuals has to comply with the GDPR in managing that information.
The business will not retain Personal Data for longer than necessary.
| Data | Period of Retention |
|---|---|
| Data confirming payments due to you. For example, your contract of employment and any information about salary or benefits. | 6 years after you leave your employment |
| Data relating to taxes, National Insurance contributions and other charges paid in relation to you. | 7 years after you leave your employment |
| Data relating to any accidents or injuries at work. | 3 years after you leave your employment |
| Data relating to any references given in relation to you. | 1 year after the date of the reference |
The business publishes a number of items that includes Personal Data and will continue to do so. These include:
Before any electronic direct marketing is undertaken, it must be clear that the people to be contacted have Consented to receive such marketing and that a valid, up to date, consent notice is held on file. There is a limited exception for existing customers known as “soft opt in” – this allows us to send marketing texts or emails if we have obtained contact details in the course of a sale and/or providing services to that person, the correspondence is marketing similar products and/or services, and we gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent correspondence.
For marketing by post, we are able to send postal marketing to our customers regarding new products or services, in reliance on our “legitimate interests” – we generally do not need consent to this type of mailing but we will always need to offer customers an opt-out.
The right to object to direct marketing must be explicitly offered to the Data Subject. A Data Subject’s objection to direct marketing must be promptly honoured. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
To assist with the security of the premises, if CCTV cameras are installed inside and outside the premises and these cameras record activities in the office, the warehouse and the car park areas, the recordings will be used purely for security purposes and will not be used for any other purpose, other than as evidence of criminal activity.
Privacy by Design involves using appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.
Data Privacy Impact Assessments (“DPIA”) involve using tools and assessments to identify and reduce risks of a data Processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the Processing of Personal Data.
We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures in an effective manner, to ensure compliance with data privacy principles. Privacy by Design is an ongoing measure.
DPIAs will be carried out when introducing, or making significant changes to, systems or projects involving the Processing of Personal Data. DPIAs are required to identify data protection risks and to assess the impact of these risks, as well as to determine appropriate action to prevent or mitigate the impact of these risks.
This means thinking about whether we are likely to breach the GDPR, and what the consequences might be, if we use Personal Data in a particular way. It is also about deciding whether there is anything we can do to stop, or minimise the chances of, the potential problems identified from happening.
DPIAs will be undertaken by the Privacy Manager and Management.
A data protection breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Everybody working for Advanced Hygienic Contracting Limited has a duty to report any actual or suspected data protection breach without delay to the Privacy Manager or, in their absence, their line manager.
Breaches will be reported to the ICO by the Privacy Manager without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, unless we are able to demonstrate that the Personal Data breach is unlikely to result in a risk to the rights and freedoms of Data Subjects. Where there is a high risk to the rights and freedoms of individuals, we must also notify the affected individuals.
The Privacy Manager will maintain a central register of the details of any data protection breaches.
Complaints relating to breaches of the GDPR and/or complaints that an individual’s Personal Data is not being processed in line with the data protection principles should be referred to the Privacy Manager without delay.
It is important that everyone understands the implications for the business if we fail to meet our data protection obligations. Failure to comply could result in:
Breaches can have serious consequences. Advanced Hygienic Contracting Limited could be fined up to 20,000,000 Euros, or up to 4% of annual turnover of the preceding financial year, whichever is the higher and depending on the breach.
This Guidance has been approved by the Directors of Advanced Hygienic Contracting Limited. It will be reviewed annually, or as and when a change in the data protection regime requires it to be updated.
This Policy was reviewed on 25th January 2019.