THE WORKS SEARCH

UK Data Protection Policy

INTRODUCTION

The Works Search Limited (hereinafter referred to as "TWS") is a recruitment company which gathers information about employees, clients, candidates and other people TWS has a relationship with or may need to contact.

TWS's mission is to add value throughout the process:

  • To our clients – TWS adds value by saving time through our first class recruitment and qualifying process
  • To our candidates – TWS adds value by giving the choice of the very best roles in our area and by offering impartial advice and market knowledge to them
  • To employees – TWS adds value through our investment in continuous ongoing training and personal development

TWS's values are incredibly important to us and underpin everything we do.

  • Quality – providing the highest standard of service we are capable of achieving
  • Customer Service – providing outstanding customer service and care
  • Honesty and Transparency – being open and honest with clients and candidates

This UK Data Protection Policy (the “Policy”) sets out how TWS (also referred to in this Policy as “we”, “us”, “our”) seeks to protect personal data and ensure staff understand the rules governing their use of personal data to which they have access in the course of their work. In particular, this Policy requires staff to ensure that our data protection champion, Sarah Leembruggen (details can be found under “Key Contacts”), is consulted before any significant new data processing activity is initiated, so that the relevant compliance steps are addressed. Our further Key Contacts are: our Business & Marketing Manager [Sonia Shah].

SCOPE

This Policy applies to all staff, contractors, volunteers, third parties, other people and any other individuals who process personal data on our behalf, or who have access to data held by TWS for the purpose of recruitment (“Staff”).

You must be familiar with this Policy and comply with its terms. This Policy details how data must be collected, handled and stored to meet the organisation's data protection standards and data protection law.

We may supplement or amend this Policy by additional policies and guidelines from time to time. Any new or modified Policy will be circulated to staff before being adopted.

Who is responsible for this Policy?

Sarah Leembruggen has overall responsibility for this Policy. She is responsible for ensuring this Policy is adhered to by all staff.

Everyone, including all staff members who work for TWS, has responsibility for ensuring data is collected, stored and handled appropriately. Each team or person who handles personal data must ensure that it is handled and processed in line with this Policy and the data protection principles.

FAILURE TO COMPLY WITH THIS POLICY

We take compliance with this Policy very seriously. Failure to comply puts both you and the firm at risk. The importance of this Policy means that failure to comply with any requirement may lead to disciplinary action under our procedures, which may result in dismissal. In the case of third party service providers it may lead to the termination of our contract with you.

Any employee who considers that the Policy has not been followed by another member of staff, or believes that another member of staff may be involved in a security breach, should raise the matter with his/her line manager.

If you have any questions or concerns about anything in this Policy, do not hesitate to contact Sarah Leembruggen by e-mail at sarah@the-works.co.uk.

1. OUR ESTABLISHMENT

Our main establishment is determined according to where we exercise effective and real management activities determining the main decisions as to the purposes and means of processing through stable arrangements. That criterion does not depend on whether the processing of personal data is carried out at that location. The presence and use of technical means and technologies for processing personal data, or processing activities, do not in themselves constitute a main establishment and are therefore not determining criteria for a main establishment.

2. DATA WE PROCESS

A list of the key definitions can be found in Appendix 1. We ask that you familiarise yourself with these key definitions before reading this Policy.

We hold personal data about our employees, clients, suppliers and other individuals for a variety of business purposes, e.g. personnel, administrative, financial, regulatory, payroll and business development purposes, including the following:

  • compliance with our legal, regulatory and corporate governance obligations and good practice
  • gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
  • ensuring business policies are adhered to (such as policies covering email and internet use)
  • operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
  • investigating complaints
  • checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
  • monitoring staff conduct, disciplinary matters
  • marketing our business
  • improving services
  • staff administration
  • advertising, marketing and public relations
  • accounts and records
  • administration and processing of work-seekers' personal data for the purpose of work-finding services.

As part of our business activity we process personal data, that is information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers and marketing contacts. Personal data we gather may include: individuals' contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, client materials, and CVs.

We may also process special categories of personal data, that is personal data about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings. Any use of special categories of personal data must be strictly controlled in accordance with this Policy.

Criminal Convictions Data

The UK Data Protection Bill and the Law Enforcement Directive contain additional provisions regarding the processing of personal data for the purposes of Criminal Record Checks and Disclosure and Barring Service Checks. Further details and guidance can be found on the ICO website. Our staff fair processing notice also contains details as to how we process criminal convictions data in the context of employment and HR.

3. THE PRINCIPLES

As we are responsible for, and must be able to demonstrate, compliance with the data protection requirements which apply to TWS, we adhere, and require our Staff to adhere, to the principles of data processing, which in summary require that data must:

  • be processed fairly and lawfully and shall not be processed unless certain conditions are met.
  • be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
  • be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • be processed in accordance with the data subject's rights.
  • be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
  • be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’);
  • not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

These principles apply to obtaining, handling, processing, transportation and storage of personal data. Our Staff who obtain, handle, process, transport and store personal data for us must adhere to these principles at all times.

4. FAIR, TRANSPARENT AND LAWFUL PROCESSING

4.1. ESTABLISHING A LAWFUL GROUND FOR THE PROCESSING OF PERSONAL DATA

Any processing of personal data should be lawful and fair. It should be transparent to those persons whose data we process how their personal data will be collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.

The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.

We have an obligation to ensure that we inform individuals of the risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, this requires us to ensure that:

  • the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data
  • the personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed
  • the period for which the personal data are stored is limited to a strict minimum
  • personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means
  • establishing time limits for erasure or for a periodic review
  • taking every reasonable step to ensure that personal data which are inaccurate are rectified or deleted
  • personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing

4.1.1. Grounds for Processing

We must process personal data fairly and lawfully and in accordance with individuals’ rights. This generally means that we should not process personal data unless:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • the processing is necessary:
    • to perform legal obligations, enter into a contract or exercise legal rights; or
    • for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

In most cases this provision will apply to routine business data processing activities.

Where we are not basing our grounds for processing on consent or on law, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, we must take into account:

  • any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
  • the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
  • the nature of the personal data, in particular whether special categories of personal data are processed, or whether personal data related to criminal convictions and offences are processed;
  • the possible consequences of the intended further processing for data subjects;
  • the existence of appropriate safeguards, which may include encryption or pseudonymisation.

4.1.2. Consent

Where our processing is based on the data subject's consent, we must be able to demonstrate that the data subject has given consent to the processing operation and the extent to which consent is given.

This means that consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include:

  • ticking a box when visiting an internet website,
  • choosing technical settings for information society services or
  • another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.

Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Where we use consent, capture forms should be provided in an intelligible and easily accessible form, using clear and plain language, and should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

4.1.2.1. Special Categories of Data

In most cases where we process Special Categories of Data we will require the data subject's explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.

To process sensitive personal data, we must assess if one or more of the following grounds apply:

  • the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
  • the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by law or a collective agreement made pursuant to the law, providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

  • the processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  • the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  • the processing relates to personal data which are manifestly made public by the data subject;
  • the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  • the processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  • the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional (subject to certain conditions);
  • the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of applicable law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  • the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes and is proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

It is important to note that special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on a lawful ground which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health.

The processing of special categories of personal data may be necessary for reasons of public interest in the area of public health without the consent of the data subject. Such processing should be subject to suitable and specific measures. In this context, public health covers health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

4.1.2.2. Health Related Data

Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care, information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

4.1.2.3. Withdrawing Consent

Data subjects have the right to withdraw their consent at any time. We have to ensure that it is as easy for individuals to withdraw their consent as it was to give it. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

4.1.3. Relying on our Legitimate Interests

Our legitimate interests, including those to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.

Such a legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, in situations such as where the data subject is a client or in the service of the controller. We must carefully consider whether a data subject can reasonably expect such processing at the time and in the context of the collection of the personal data.

You must contact Sarah Leembruggen if seeking to rely on a legitimate interest to process data, prior to commencing such data processing activities.

4.1.4. Fraud Prevention

The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

4.2. WHAT INFORMATION MUST WE PROVIDE TO DATA SUBJECTS?

When we collect personal data, at the time when personal data are obtained, we need to provide the data subject with all of the following information:

  • the identity and the contact details of the controller and, where applicable, of the controller's representative;
  • the contact details of the data protection officer, where applicable;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • the legitimate interests pursued by the controller or by a third party;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, the fact that the controller intends to transfer personal data to a third country, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a supervisory authority;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

4.3. Processing Data for New Purposes

Where we want to make use of personal data which we hold for a purpose other than those for which the personal data were initially collected, we can only do this where the further processing is compatible with the purposes for which the personal data were initially collected. If we fall within this category, no legal basis separate from that which allowed the collection of the personal data is required.

In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, we have to take into account:

  • any link between those purposes and the purposes of the intended further processing;
  • the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use;
  • the nature of the personal data;
  • the consequences of the intended further processing for data subjects; and
  • the existence of appropriate safeguards in both the original and intended further processing operations.

If we cannot establish that these grounds apply, we must seek consent for the new processing activities prior to that further processing, providing information on that other purpose and any other necessary information. In such circumstances, we have to provide this information:

  • within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
  • if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
  • if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

unless:

  • the data subject already has the information;
  • the provision of such information proves impossible or would involve a disproportionate effort;
  • obtaining or disclosure is prohibited for legal reasons; or
  • the personal data must remain confidential subject to an obligation of professional secrecy.

5. ANONYMISATION AND PSEUDONYMISATION

5.1. Anonymisation

The principles of data protection do not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

5.2. Pseudonymisation

Personal data which have undergone pseudonymisation, but which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person.

To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly.

To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.

5.3. Online Identifiers

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. These may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. If an individual can be identified from the online identifiers we use, we must treat them as personal data and apply the principles contained within this Policy to them.

6. MARKETING

Where we undertake direct marketing activity we must comply with the Privacy and Electronic Communications Regulations 2003. Under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), a company cannot send direct electronic marketing communications (e.g. by telephone, fax, text and email) to individuals who have not specifically opted in to receive them. The soft opt-in does not apply to third party marketing. Express opt-in consent must be obtained for such marketing, which is usually given through the user actively ticking a box. Under the GDPR it is likely that consent will be required for all types of marketing activity, as the GDPR definition of consent requires consent to be ‘freely given, explicit and informed’, which implies an active choice by the individual. The Information Commissioner has also stated that active consent models promote transparency in marketing activities and that active consent is the preferred legal basis for processing for the purpose of direct marketing.

Please note that at the time of drafting the E-Privacy Regulations (which will replace PECR) are still being negotiated at the European level. As and when the text is agreed this Policy will be updated accordingly.

Please seek the advice of Sarah Leembruggen by emailing sarah@the-works.co.uk prior to undertaking any marketing activity, as all notices and literature must be signed off by that person.

7. AUTOMATED DECISION MAKING AND PROFILING

Individuals have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.

Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.

We can only undertake such profiling if it is expressly authorised by law (e.g. for fraud and tax-evasion monitoring), necessary for entering into or performing a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, our processing activities should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.

8. ACCURACY AND RELEVANCE

We must ensure that any personal data we process is accurate, adequate, relevant and not excessive given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform Sarah Leembruggen. We have a duty to investigate such matters.

9. ACCESS TO PERSONAL DATA

All individuals have the right of access to personal data which has been collected concerning them, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.

9.1. What information may be requested

Data subjects have the right to obtain from us confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  • where personal data are transferred to a third country or to an international organisation, the appropriate safeguards that we have put in place (the data subject has the right to be informed of these).

9.2. What we must provide

If we are a data controller of the data in question, we must provide a copy of the personal data undergoing processing. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

We have a duty to provide the data:

  • in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
  • in writing, or by other means, including, where appropriate, by electronic means.

9.3. Charging a fee

We must provide information relating to the initial request free of charge. We may charge a reasonable administrative fee for any further copies requested by the data subject. See also manifestly unreasonable requests below.

9.4. Verifying the Identity of the requestor

We must use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services. If we are not satisfied that we have been able to establish the identity of the requestor we may refuse to comply with the request until such time as we can successfully identify the requestor.

9.5. Timescales for compliance

We must provide the information requested without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

9.6. Unreasonable requests

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, we may either:

  • charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
  • refuse to act on the request.

We bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

9.7. Where to send requests

Data subjects are entitled to obtain access to their data on request and no fee is required to be paid. Subject access requests from individuals should be made by email or writing and addressed to Sarah Leembruggen at sarah@the-works.co.uk or sent to The Works Search Limited, International House, 24 Holborn Viaduct, London, EC1A 2BN0 Park Street, SE1 9EQ.

If you receive a request, you must not respond to it, acknowledge it or reply to it in any way. Any member of staff who receives a written request should forward it to Sarah Leembruggen immediately at sarah@the-works.co.uk.

10. INDIVIDUALS' RIGHT TO ERASURE

Data subjects have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data infringes the law to which the controller is subject. In particular, a data subject has the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, where the data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data is not otherwise lawful. Please note that this right is relevant in particular where the data subject gave his or her consent as a child and was not fully aware of the risks involved in the processing, and later wants to remove such personal data, especially on the internet.

The further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

To strengthen the right to be forgotten in the online environment, the right to erasure extends to situations where we have made the data available to other controllers and must inform the other controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, we must take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject's request.

Methods by which to restrict the processing of personal data could include temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.

11. INDIVIDUALS' RIGHT TO DATA PORTABILITY

Individuals have the right to receive the personal data concerning them which they have provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  • the processing is based on consent or on a contract; and
  • the processing is carried out by automated means.

Please note that in exercising the right to data portability, individuals have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

12. RIGHT TO OBJECT TO PROCESSING AND AUTOMATED INDIVIDUAL DECISION MAKING

Individuals have a right to object to being subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

This right does not apply where the processing:

  • is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  • is authorised by law; or
  • is based on the data subject's explicit consent.

We must make sure that we have in place suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. Please note that special requirements apply to the processing of special categories of data and you should speak with Sarah Leembruggen regarding these requirements.

12.1. Where to send requests

If you receive a request, you must not respond to it, acknowledge it or reply to it in any way. Any member of staff who receives a written request should forward it to Sarah Leembruggen or their line manager immediately.

13. PROVIDING INFORMATION TO THIRD PARTIES

Any member of staff dealing with enquiries from third parties should be careful about disclosing any personal information held by us. In particular they should:

  • Check the identity of the person making the enquiry and whether they are legally entitled to receive the information they have requested.
  • Suggest that the third party put their request in writing so the third party's identity and entitlement to the information may be verified.
  • Refer to their line manager or Sarah Leembruggen by emailing sarah@the-works.co.uk for assistance in difficult situations.
  • Where providing information to a third party, do so in accordance with the principles referred to in Section 1.

14. OUTSOURCING

14.1. Engaging third party processors

Where third parties process personal data on our behalf, such processing shall be governed by a contract or other legal act, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

  • processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  • ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
  • assists us, as controller, in ensuring compliance with these obligations, taking into account the nature of processing and the information available to the processor;
  • at our direction, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless the law requires storage of the personal data;
  • makes available to us all information necessary to demonstrate compliance with these obligations and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by us; and
  • that the contract contains an indemnity which covers breaches of the written contract.

14.2. Sub-Processing

Where our outsourced processors engage another processor for carrying out specific processing activities to fulfil the contract that they have with us, the same data protection obligations as set out in the contract or other legal act between the controller and the processor must be imposed on that other processor by way of a contract or other legal act, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

You must therefore check to see if the contracts we enter into contain prohibitions on sub-contracting, and must ensure that the processor flows down the requirements above to their sub-contractors and remains liable for the actions of their sub-contractors. Please contact the Data Protection Officer for further advice.

15. RECORD KEEPING

TWS is registered with the Information Commissioner’s Office under registration number ZA394138 and our entry with the Commissioner can be found via the publicly accessible record on ico.org.uk.

Regardless of the above register, we must also maintain an electronic record of the processing activities under our responsibility. These records may be made available to a supervisory authority on request. That record shall contain all of the following information:

  • the name and contact details of the controller and, where applicable, the joint controller and the controller's privacy representative;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures applied.

Our processors are also required to keep an electronic record of their processing activities which shall include:

  • the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's privacy representative;
  • the categories of processing carried out on behalf of each controller;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, the documentation of suitable safeguards;
  • where possible, a general description of the technical and organisational security measures adopted.

16. ASSESSING THE IMPACT OF OUR PROCESSING ACTIVITIES AND CARRYING OUT PRIVACY IMPACT ASSESSMENTS

You must seek the advice of Sarah Leembruggen, where designated, when carrying out a data protection impact assessment.

In order to enhance compliance where processing operations are likely to result in a high risk, we are responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with the law.

A data protection impact assessment shall in particular be required in the case of:

  • a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
  • a systematic monitoring of a publicly accessible area on a large scale.

The assessment shall contain at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.

Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

Where necessary, we shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.

17. DATA SECURITY

In order to maintain security we must evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we must implement (and ensure our processors implement) appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted.

All staff are responsible for ensuring that any personal data which they hold is kept securely and that personal information is not disclosed, whether orally, in writing or otherwise, to any unauthorised third party. Failure to comply with our policies and with staff duties of confidentiality may result in disciplinary action, which may include dismissal.

Further information about our technical safeguards and employees' responsibilities in relation to data security can be found in our [Introduction to Policies and Procedures Policy, Social Media Policy, Mobile Phone and Device Policy, Email and Internet Acceptable Use Policy].

Where other organisations process personal data as a service on our behalf (e.g. payroll or outsourcing companies), Sarah Leembruggen will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations. You must not enter into such contracts without obtaining permission to proceed from Sarah Leembruggen at sarah@the-works.co.uk.

Information security

From a security point of view, only the following staff are permitted to add, amend or delete personal data from the TWS database(s) (“database” includes paper records or records stored electronically):

However, all staff are responsible for notifying those listed where information is known to be old, inaccurate or out of date. In addition, all employees should ensure that adequate security measures are in place. For example:

  • Computer screens should not be left open by individuals who have access to personal data.
  • Passwords should not be disclosed.
  • Email should be used with care.
  • Personnel files and other personal data should be stored in a place in which any unauthorised attempts to access them will be noticed. They should not be removed from their usual place of storage without good reason.
  • Personnel files should always be locked away when not in use and when in use should not be left unattended.
  • Any breaches of security should be treated as a disciplinary issue.
  • Care should be taken when sending personal data in internal or external mail.
  • Destroying or disposing of personal data counts as processing. Therefore care should be taken in the disposal of any personal data to ensure that it is appropriate. Such material should be shredded or stored as confidential waste awaiting safe destruction.

It should be remembered that the incorrect processing of personal data e.g. sending an individual’s details to the wrong person, allowing unauthorised persons access to personal data, or sending information out for purposes for which the individual did not give their consent, may give rise to a breach of contract and/or negligence leading to a claim against TWS for damages from an employee, work-seeker or client contact. A failure to observe the contents of this policy will be treated as a disciplinary offence.

18. TRANSFER OF DATA OUTSIDE THE EEA

There are restrictions on international transfers of personal data. We endeavour to have processes in place to ensure that data is transferred lawfully. Appropriate safeguards include:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules in accordance with Article 47;
  • standard data protection clauses;
  • contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation;
  • an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
  • an approved certification mechanism with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

If you are unsure as to whether a transfer is permitted, or if it would involve the transfer of sensitive personal data without a data subject's consent, you must not transfer the personal data without first consulting the Data Protection Officer.

19. RETENTION AND DISPOSAL OF DATA

Information will be kept in line with our [Company Policies] which can be located via [email Sarah Leembruggen at sarah@the-works.co.uk]. All employees are responsible for ensuring that information is not kept for longer than necessary.

Documents containing any personal information will be disposed of securely in our confidential waste bins, and paper copies will be shredded. Staff must not leave confidential materials on their desks. This is especially important in relation to price sensitive transactions or highly confidential matters. Failure to follow this Policy in such circumstances will be considered a serious matter and may result in disciplinary action.

All data which is connected to the recruitment services provided is required to be kept in accordance with HMRC legal requirements for a minimum period of 6 years. Any data which is not subject to HMRC’s requirements will be kept for 3 years.

Data Retention and Storage issues should be directed to Kate Bailey for paper storage and the ICT specialist for electronic storage. When data is stored in a paper format it will be kept in a secure locked place/safe where it can only be accessed by appropriate personnel who require access to discharge their role. This policy applies both to data stored electronically and to printed data.

  • Paper files should be kept in a locked drawer or filing cabinet.
  • All staff, including employees, should ensure that paper printouts of information, of whatever content, are not left in any open spaces or areas, for example on a printer.
  • Data printouts and paper copies should be shredded and disposed of securely in our confidential waste bins.
  • When data is stored electronically, it must be protected by password against cyber security threats, accidental deletion and malicious hacking attempts. Where this involves data being stored in the Cloud or remotely, the Business & Marketing Manager and Sarah Leembruggen need to be aware of the security arrangements with any third party providers, and compliance with data protection procedures and the GDPR is required.
  • Data should be protected by strong passwords that are changed regularly and never shared between employees and/or any staff.
  • If data is stored on removable media (like a CD, DVD or external hard drive), these should be kept locked and secure.
  • Data of any description should never be saved directly to laptops or mobile devices like smart tablets or smart telephones. If a staff member is working with a mailing list, for example, the list must be deleted once the work relating to it has been completed.

All computers containing data should be protected by approved security software and a firewall, in accordance with our data security and cyber security requirements.

Requests for References

Any requests for access to a reference given by a third party must be referred to Sarah Leembruggen at sarah@the-works.co.uk and should be treated with caution, even if the reference was given in relation to the individual making the request. This is because the person writing the reference also has a right to have their personal details handled in accordance with the GDPR and the 8 Rights for Data Subjects:

  • A right to be informed
  • A right of access for the Data Subject
  • A right to rectification
  • A right to restriction of processing
  • A right not to be subject to a decision based solely on automatic processing
  • A right to data portability
  • A right to erasure / to be forgotten

A reference must not be disclosed without the Data Subject's consent. Therefore, when taking up references, a staff member should obtain consent in writing to the disclosure of the reference to a third party from the Data Subject (the individual who is the subject of the reference). We must always process any such request in line with the ICO’s Employment Law Code of Practice, which can be accessed here.

20. OFFSITE WORKING AND COMMUNAL AREAS

Whenever you are working away from the secure areas of the firm's offices, you need to be alert to protect client confidentiality. This affects any areas where third parties could be present. It is particularly easy and tempting for bored fellow travellers on trains to listen to what you are saying or read what you are working on.

Internally, you need to be careful who may overhear if you are discussing a matter which is subject to an information barrier and find a separate area to work in/take a telephone call if need be.

The risks and reputational damage that could come from leaving files unattended are obvious. The easiest things to misplace are discs, memory sticks, slim bundles of paper etc. but it's far from unknown for laptops and files to be left behind.

Think:

  • about whether you really need to take client or other confidential information, in whatever format, out of the office;
  • of where you are and who is there too before you talk about client matters to anyone else;
  • whether it is really necessary for you to work on client matters outside of the office - can you be overheard, can someone else read the papers/laptop screen? If you feel uncomfortable, stop work or explain and terminate the call.

Always:

  • ensure any confidential information on laptops or memory sticks/discs which you intend to take out of the office is encrypted;
  • put papers in a blank file or envelope - if a third party realises from the file label that we act for a certain client, that could be a breach of confidentiality;
  • double check to see if anything has been left behind before you leave the place you have been working.

For any further clarification on this please contact Sarah Leembruggen at sarah@the-works.co.uk.

21. REPORTING BREACHES

All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:

  • investigate the failure and take remedial steps if necessary
  • maintain a register of compliance failures
  • notify the Information Commissioner's Office if required

Breaches must be reported to Sarah Leembruggen immediately. Failure to do so will be considered a serious matter and may result in formal disciplinary action.

REVIEW OF THIS POLICY

Any questions or concerns about the interpretation or operation of this Policy should be taken up in the first instance with the Data Controller, who is responsible for ensuring compliance with the General Data Protection Regulation and implementation of this Policy.

KEY CONTACTS

If you wish to discuss this Policy further please contact:

Sarah Leembruggen at sarah@the-works.co.uk

APPENDIX 1

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

‘main establishment’ means:

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

‘group of undertakings’ means a controlling undertaking and its controlled undertakings;

‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;

‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:

(a) the controller or processor is established on the territory of the Member State of that supervisory authority;

(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

(c) a complaint has been lodged with that supervisory authority;

‘cross-border processing’ means either:

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data

‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.