DATA PROTECTION POLICY
The Data Protection Act 1998 (the Act) and the General Data Protection Regulations 2018 contain principles affecting employees’ and other personal records. Information protected by the Acts includes not only personal data held on computer, but also certain manual records containing personal data, for example employee personnel files. The purpose of these rules is to ensure that as an organisation, we all comply with Data Protection Regulations in full. If you are in any doubt about what you can or cannot disclose and to whom, do not disclose the personal information until you have sought further advice from the Company’s Data Protection Officer or a Director.
Individuals can be personally accountable for their actions and can be held criminally liable if they knowingly, or recklessly, breach data protection rules. Any serious breach of data protection legislation will also be regarded as misconduct and will be dealt with under the Company’s disciplinary procedures. If an individual accesses the personnel records of another party without authority, this constitutes a gross misconduct offence and could lead to summary dismissal.
The company is committed to conducting its business in accordance with all applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct.
Personal Data is any information (including opinions and intentions) which relates to an identified or Identifiable Natural Person. Personal Data is subject to certain legal safeguards and other regulations, which impose restrictions on how organisations may process Personal Data.
This will include information in employee files, on HR systems and other electronic data.
The GDPR regulates the processing of personal data including collection, storage, use, alteration, disclosure and destruction of information.
Organisations that collect data are known as “data controllers” and individuals to whom the data relates are “data subjects”. Generally this would be employer and employee, but it also applies to contractors or job applicants.
Information related to an employee such as names, photos, bank details, email addresses, personal information or medical records qualifies as personal data.
This policy applies where a Data Subject’s Personal Data is processed:
- In the context of the business activities of the Company
- For the provision or offer of goods or services to individuals
- To actively monitor the behaviour of individuals. Monitoring the behaviour of individuals includes:
  - using data processing techniques
  - reviewing individuals with a view to taking a decision about them.
This policy applies to all Processing of Personal Data in electronic form (including electronic mail and documents created with word processing software) or where it is held in manual files that are structured in a way that allows ready access to information about individuals. The company processes personal data for the purpose of managing employees and candidates and the business. We process only the minimum amount of data required and this is held securely at all times with restricted access as detailed in this policy.
The Directors of the company must ensure that all employees responsible for the Processing of Personal Data are aware of and comply with the contents of this policy. In addition, we will make sure all third parties engaged to process Personal Data on our behalf are aware of and comply with the contents of this policy.
Regular audits will be carried out of both our Data Protection processes (the processing, usage and storage of personal data) and the accuracy of any personal data held.
The appointed Data Controller is Megan Foulger.
The data protection principles
There are eight data protection principles that are central to Data Protection. The Company and all its employees must comply with these principles at all times in its information-handling practices.
- The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully.
- Personal data shall be held only for one or more specified and lawful purpose and must not be processed in any manner incompatible with such purpose(s).
- Personal data held for any purpose(s) shall be adequate, relevant and not excessive in relation to the purpose(s).
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data held for any purpose(s) shall not be kept for longer than is necessary for such purpose(s).
- Personal data shall have appropriate security surrounding it to protect it against unauthorised or unlawful processing and against accidental loss or destruction or damage.
- Personal data shall be processed in accordance with the rights of data subjects under the Act.
- Personal data shall not be transferred to a country or territory outside the EU unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Consent to personal information being held
The Company holds personal data about individuals including employees and candidates in the recruitment process and contractors.
We seek written consent from all parties whose personal data we hold, covering the Company holding and processing that data, for example sickness absence records, health needs and equal opportunities monitoring data.
Processing Personal Data
The Company has strict rules on processing of personal data and any person appointed to process personal data as part of their position is required to comply with the following rules at all times.
- Do not disclose confidential personal information to anyone except the data subject. In particular, it should not be:
  - given to someone from the same family
  - passed to any other unauthorised third party
  - placed on the Company’s website
  - posted on the Internet in any form unless the data subject has given their explicit prior written consent to this
- Always verify the identity of the data subject and the legitimacy of the request, particularly before releasing personal information by telephone.
- Only transmit personal information between locations by e-mail if a secure network is in place and the security of the email system and receiving party has been verified.
- Ensure any personal data you hold is kept securely, either in a locked filing cabinet or, if computerised, password protected so that it is protected from unintended access, destruction or change and is not seen by unauthorised persons.
- Do not access another employee’s records without authority, as this will be treated as gross misconduct and is a criminal offence.
- Do not write down (in electronic or hard copy form) opinions or facts concerning a data subject which it would be inappropriate to share with that data subject.
- Do not remove personal information from the workplace with the intention of processing it elsewhere unless this is necessary to enable you to carry out your job duties and has been authorised by your line manager.
- Ensure that hard copy personal information is disposed of securely.
All employee files, both paper and electronic, are held securely with restricted access. Paper files are locked in a filing cabinet and electronic files are password protected. All personal data on employees is subject to restricted access.
The company regularly audits this information to ensure accuracy and that information no longer required is destroyed.
For employees leaving the organisation, only the personal data relevant to providing references is retained. All other information will be destroyed.
During the recruitment process the company will become party to personal data of candidates. All candidate information, both paper and electronic, is held securely with restricted access. Paper files are locked in a filing cabinet and electronic files are password protected. All personal data on candidates is subject to restricted access.
The company regularly audits this information to ensure that information no longer required post selection is destroyed.
Should the company wish to hold data on candidates for future vacancies, written consent will be sought.
Subject Access Request
Individuals have the right, on request, to receive a copy of the personal information that the Company holds about them and to demand that any inaccurate data be corrected or removed.
Upon request, the Company will provide you with a statement regarding the personal data held about you. It will state all the types of personal data the Company holds and processes about you and the reasons for which they are processed. If you wish to access a copy of any personal data being held about you, you must make a written subject access request for this. To make a request, please complete a Personal Data Subject Access Request Form, which can be obtained from the Data Protection Officer or a Director.
The company will respond to your request within a one month period.
If you wish to make a complaint that these rules are not being followed in respect of personal data the Company holds about you, you should raise the matter with the Data Protection Officer or a Director.
If the matter is not resolved to your satisfaction, it should be raised as a formal grievance under the Company’s grievance procedure.
Under the GDPR regulation, any data breach will need to be reported to the DPA within 72 hours, unless the data is encrypted or doesn’t identify individuals.
The Company has in place a process whereby designated appointed people are trained in how to respond to and report any breach without undue delay.
Right to be Forgotten
Under the GDPR, the right to erasure does not provide an absolute ‘right to be forgotten’. But individuals have a right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
Under the DPA, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. The Company considers all erasure requests and, where erasure is appropriate, has systems in place which allow the timely collation and destruction of personal data.
There may be specific circumstances where the right to erasure does not apply, and the company reserves the right to refuse a request where permitted grounds exist.
Privacy By Design
The Company endeavours to ensure that all Data Protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes; each of them must go through an approval process before continuing.
As a company, where appropriate we will carry out a Data Protection Impact Assessment (DPIA) before a new project is commenced. This will then be implemented into the project to ensure privacy is fully considered. Privacy impact assessments (PIAs) are a tool that you can use to identify and reduce the privacy risks of your projects. A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data.
Taking a privacy by design approach is an essential tool in minimising privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits which include:
- Potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
- Increased awareness of privacy and data protection across the organisation.
- Meeting legal obligations.
- Actions are less likely to be privacy intrusive and have a negative impact on individuals.
Social Media Platforms
Communication, engagement and actions taken through external social media platforms that this website and its owners participate on are subject to the terms and conditions as well as the privacy policies held with each social media platform respectively.
Users are advised to use social media platforms wisely and to communicate and engage upon them with due care and caution in regard to their own privacy and personal details. Neither this website nor its owners will ever ask for personal or sensitive information through social media platforms, and we encourage users wishing to discuss sensitive details to contact us through primary communication channels such as telephone or email.
This website may use social sharing buttons which help share web content directly from web pages to the social media platform in question. Users are advised that they use such social sharing buttons at their own discretion and should note that the social media platform may track and save their request to share a web page through their social media platform account.
Information that is shared with us via Foulgers Dairy's social media platforms is treated securely and sensitively, and we do not share that information with any third party unless the individual who shares the information instructs us to do so. We do not hold any personal data for any longer than deemed necessary other than to process the wishes of the person who has communicated with us. If any personal information shared with us on social media requires us to transfer or copy it to a CRM or appropriate internal system, this information, like all data, is held within a secure encrypted location.
We may at some point utilise data we hold on our internal systems to create a custom audience on social media platforms. This data is supplied to our third party processor to cross reference the database with social media platform users in order to create a custom audience for advertising. The data is supplied via a secure transfer process, utilised to create a custom audience and then permanently deleted by our data processor.