INTRODUCTION
The Works Search Limited, hereinafter referred to as TWS, is a recruitment company which gathers information about employees, clients, candidates and other people TWS has a relationship with or may need to contact.
TWS's mission is to add value throughout the process:
TWS's values are incredibly important to us and underpin everything we do.
This UK Data Protection Policy (the “Policy”) sets out how TWS (also referred to in this Policy as “we”, “us” and “our”) seeks to protect personal data and ensure staff understand the rules governing their use of personal data to which they have access in the course of their work. In particular, this Policy requires staff to ensure that our data protection champion, Sarah Leembruggen (details can be found under “Key Contacts”), is consulted before any significant new data processing activity is initiated, so that the relevant compliance steps are addressed. Our further Key Contacts are: our Business & Marketing Manager [Sonia Shah].
SCOPE
This Policy applies to all staff, contractors, volunteers, third parties and any other individuals who process personal data on our behalf, or who have access to data held by TWS for the purpose of recruitment (“Staff”).
You must be familiar with this Policy and comply with its terms. This Policy details how data must be collected, handled and stored to meet the organisation's data protection standards and data protection law.
We may supplement or amend this Policy by additional policies and guidelines from time to time. Any new or modified Policy will be circulated to staff before being adopted.
Who is responsible for this Policy?
Sarah Leembruggen has overall responsibility for this Policy. She is responsible for ensuring this Policy is adhered to by all staff.
Everyone who works for TWS, including all staff members, has responsibility for ensuring data is collected, stored and handled appropriately. Each team or person who handles personal data must ensure that it is handled and processed in line with this Policy and the data protection principles.
FAILURE TO COMPLY WITH THIS POLICY
We take compliance with this Policy very seriously. Failure to comply puts both you and the firm at risk. The importance of this Policy means that failure to comply with any requirement may lead to disciplinary action under our procedures, which may result in dismissal. In the case of third-party service providers, it may lead to the termination of our contract with you.
Any employee who considers that the Policy has not been followed by another member of staff, or believes that another member of staff may be involved in a security breach, should raise the matter with his/her line manager.
If you have any questions or concerns about anything in this Policy, do not hesitate to contact Sarah Leembruggen by e-mail at sarah@the-works.co.uk.
1. OUR ESTABLISHMENT
Our main establishment is determined according to where the effective and real management activities that determine the main decisions as to the purposes and means of processing are exercised through stable arrangements. That criterion does not depend on whether the processing of personal data is carried out at that location. The presence and use of technical means and technologies for processing personal data, or processing activities themselves, do not in themselves constitute a main establishment and are therefore not determining criteria for a main establishment.
2. DATA WE PROCESS
A list of the key definitions can be found in Appendix 1. We ask that you familiarise yourself with these key definitions before reading this Policy.
We hold personal data about our employees, clients, suppliers and other individuals for a variety of business purposes e.g. personnel, administrative, financial, regulatory, payroll and business development purposes including the following:
As part of our business activity we process personal data, that is, information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers and marketing contacts. Personal data we gather may include: individuals' contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, client materials, and CVs.
We may also process special categories of personal data (personal data about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership or non-membership, physical or mental health or condition, criminal offences, or related proceedings). Any use of special categories of personal data should be strictly controlled in accordance with this Policy.
Criminal Convictions Data
The UK Data Protection Bill and the Law Enforcement Directive contain additional provisions regarding the processing of personal data for the purposes of Criminal Record Checks and Disclosure and Barring Service Checks. Further details and guidance can be found via the ICO website. Our staff fair processing notice also contains details as to how we process criminal convictions data in the context of employment and HR.
As we are responsible for, and must be able to demonstrate, compliance with the data protection requirements which apply to TWS, we adhere, and require our Staff to adhere, to the principles of data processing, which in summary require that data must:
These principles apply to obtaining, handling, processing, transportation and storage of personal data. Our Staff who obtain, handle, process, transport and store personal data for us must adhere to these principles at all times.
4.1. ESTABLISHING A LAWFUL GROUND FOR THE PROCESSING OF PERSONAL DATA
Any processing of personal data should be lawful and fair. It should be transparent to those persons whose data we process how their personal data will be collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.
The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
We have an obligation to ensure that we inform individuals of the risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, this requires us to ensure that:
4.1.1. Grounds for Processing
We must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless:
* processing is necessary in order to protect the vital interests of the data subject or of another natural person;
In most cases this provision will apply to routine business data processing activities.
Where our processing is not based on consent or on a legal obligation, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, we must take into account:
4.1.2. Consent
Where our processing is based on the data subject's consent, we must be able to demonstrate that the data subject has given consent to the processing operation and the extent to which consent is given.
This means that consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include:
Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Where we use consent, capture forms should be provided in an intelligible and easily accessible form, using clear and plain language, and they should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
4.1.2.1. Special Categories of Data
In most cases where we process Special Categories of Data we will require the data subject's explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
To process sensitive personal data, we must assess if one or more of the following grounds apply:
* the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
* the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by law or a collective agreement made pursuant to the law, providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
It is important to note that special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole. This applies in particular in the context of the management of health or social care services and systems (including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes), or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on a lawful ground which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health.
The processing of special categories of personal data may be necessary for reasons of public interest in the area of public health without the consent of the data subject. Such processing should be subject to suitable and specific measures. In this context, public health covers health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care, as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.
4.1.2.2. Health Related Data
Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care, information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.
4.1.2.3. Withdrawing Consent
Data subjects have the right to withdraw their consent at any time. We have to ensure that individuals can easily withdraw their consent. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
4.1.3. Relying on our Legitimate Interests
Our legitimate interests, or those of a controller to which the personal data may be disclosed or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such a legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, such as where the data subject is a client of, or in the service of, the controller. We must carefully consider what a data subject can reasonably expect at the time and in the context of the collection of personal data.
You must contact Sarah Leembruggen if seeking to rely on a legitimate interest to process data, prior to commencing such data processing activities.
4.1.4. Fraud Prevention
The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
When we collect personal data, at the time when personal data are obtained, we need to provide the data subject with all of the following information:
* the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
Where we want to make use of personal data which we hold for a purpose other than those for which the personal data were initially collected, we can only do this where the further processing is compatible with the purposes for which the personal data were initially collected. If the further processing falls within this category, no legal basis separate from that which allowed the collection of the personal data is required.
In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, we have to take into account:
If we cannot establish these grounds apply, we must seek consent for new processing activities prior to that further processing with information on that other purpose and other necessary information. In such circumstances, we have to provide this information:
Unless:
5.1. Anonymisation
The principles of data protection do not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a manner that the data subject is not, or is no longer, identifiable.
5.2. Pseudonymisation
Personal data which have undergone pseudonymisation, and which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person.
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, either by the controller or by another person, to identify the natural person directly or indirectly, such as singling out.
To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.
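As an added illustration of the distinction drawn in sections 5.1 and 5.2 (example code, not part of TWS's Policy or of any TWS system), the following Python snippet pseudonymises constructed candidate records with a keyed HMAC token and keeps the re-identification table separately. The function names, field names and sample values are assumptions made for the example; the contrast with an unkeyed hash shows why the key is the "additional information" that decides whether the dataset is still personal data.

```python
"""Keyed pseudonymisation of candidate records (constructed example)."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample records; names, e-mail addresses and figures are invented.
CANDIDATES = [
    {"email": "Alice@Example.com", "role": "analyst", "salary": 52000},
    {"email": "bob@example.com", "role": "engineer", "salary": 61000},
    {"email": "alice@example.com", "role": "analyst", "salary": 54000},
]


def make_token(key: bytes, identifier: str) -> str:
    """Replace a direct identifier with an HMAC-SHA256 token.

    The same identifier always yields the same token under one key, so the
    records of one person can still be linked together ("singling out"); that
    is why the result is pseudonymous rather than anonymous. Without the key
    the token cannot be reversed, nor recomputed from a guessed e-mail address.
    """
    normalised = identifier.strip().lower()
    digest = hmac.new(key, normalised.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:24]


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Return (pseudonymised dataset, re-identification table).

    The table (like the key) is the "additional information" that makes the
    dataset attributable to natural persons. It must be stored separately from
    the dataset and under stricter access control.
    """
    dataset: List[dict] = []
    table: Dict[str, str] = {}
    for record in records:
        token = make_token(key, record["email"])
        table[token] = record["email"].strip().lower()
        pseudonymous = {k: v for k, v in record.items() if k != "email"}
        pseudonymous["subject"] = token
        dataset.append(pseudonymous)
    return dataset, table


def reidentify(token: str, table: Dict[str, str]) -> Optional[str]:
    """Map a token back to the identifier; only possible with the table."""
    return table.get(token)


def unkeyed_hash(identifier: str) -> str:
    """Contrast: a plain hash of a guessable identifier is weak pseudonymisation,
    because anyone holding the same e-mail address can recompute it and link
    the record without any additional information."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()[:24]


if __name__ == "__main__":
    import secrets

    key = secrets.token_bytes(32)  # keep this apart from the dataset
    data, lookup = pseudonymise(CANDIDATES, key)
    for row in data:
        print(row)
    print("re-identified:", reidentify(data[0]["subject"], lookup))
```

Run as a script, the dataset prints with tokens in place of e-mail addresses; the two Alice records carry the same token, which is the "singling out" the Policy refers to.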
5.3. Online Identifiers
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. These may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. If an individual can be identified from the online identifiers we use, we must treat them as personal data and apply the principles contained within this Policy to them.
Where we undertake direct marketing activity we must comply with the Privacy and Electronic Communications Regulations 2003. Under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), a company cannot send direct electronic marketing communications (e.g. by telephone, fax, text and email) to individuals who have not specifically opted in to receive it. The soft opt-in does not apply to third-party marketing. Express opt-in consent must be obtained for such marketing, which is usually given through the user actively ticking a box. Under the GDPR it is likely that consent will be required for all types of marketing activity, as the GDPR definition of consent requires consent to be ‘freely given, explicit and informed’, which implies an active choice by the individual. The Information Commissioner has also stated that active consent models promote transparency in marketing activities and that active consent is the preferred legal basis for processing for the purpose of direct marketing.
Please note that at the time of drafting, the E-Privacy Regulations (which will replace PECR) are still being negotiated at the European level. As and when the text is agreed, this Policy will be updated accordingly.
Please seek advice of Sarah Leembruggen by emailing sarah@the-works.co.uk prior to undertaking any marketing activity, as all notices and literature must be signed off by that person.
Individuals have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.
Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.
We can only undertake such profiling if expressly authorised by law (e.g. for fraud and tax-evasion monitoring), if necessary for entering into or the performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, our processing activities should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.
We must ensure that any personal data we process is accurate, adequate, relevant and not excessive given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform Sarah Leembruggen. We have a duty to investigate such matters.
All individuals have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.
9.1. What information may be requested
Data subjects have the right to obtain from us confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
9.2. What we must provide
If we are a data controller of the data in question, we must provide a copy of the personal data undergoing processing. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
We have a duty to provide the data:
9.3. Charging a fee
We must provide information relating to the initial request free of charge. We may charge a reasonable administrative fee for any further copies requested by the data subject. See also manifestly unreasonable requests below.
9.4. Verifying the Identity of the requestor
We must use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services. If we are not satisfied that we have been able to establish the identity of the requestor we may refuse to comply with the request until such time as we can successfully identify the requestor.
9.5. Timescales for compliance
We must provide the information requested without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
9.6. Unreasonable requests
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, we may either:
We bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
9.7. Where to send requests
Data subjects are entitled to obtain access to their data on request and no fee is required to be paid. Subject access requests from individuals should be made by email or writing and addressed to Sarah Leembruggen at sarah@the-works.co.uk or sent to The Works Search Limited, International House, 24 Holborn Viaduct, London, EC1A 2BN0 Park Street, SE1 9EQ.
If you receive a request you must not respond to, acknowledge or reply in any way to it. Any member of staff who receives a written request should forward it to Sarah Leembruggen immediately at sarah@the-works.co.uk.
Data subjects have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes the law to which the controller is subject. In particular, a data subject has the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data is not otherwise lawful. Please note that this right is relevant in particular where the data subject gave his or her consent as a child, was not fully aware of the risks involved in the processing, and later wants to remove such personal data, especially on the internet.
The further retention of the personal data should be lawful where it is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.
To strengthen the right to be forgotten in the online environment, the right to erasure extends to situations where we have made the data available to other controllers and must inform the other controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, we must take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject's request.
Methods by which to restrict the processing of personal data could include temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.
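To show how the measures listed above can be enforced in an automated filing system, here is an added Python example that is not part of TWS's Policy or of any TWS system. The store class, its method names and the sample candidate identifiers are constructed for illustration: restricted records are moved into a separate store, routine reads and updates on them are refused, and the restriction is visibly marked.

```python
"""Restriction of processing enforced by technical means (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


class ProcessingRestricted(Exception):
    """Raised when an operation would process a restricted record."""


@dataclass
class Record:
    subject_id: str
    data: dict
    restriction_reason: Optional[str] = None
    restricted_at: Optional[str] = None

    @property
    def restricted(self) -> bool:
        return self.restriction_reason is not None


class RecordStore:
    """Active records live in one store; restricted records are moved to a
    separate one (the "other processing system"), are refused by update() and
    read(), and carry a visible restriction marker via status()."""

    def __init__(self) -> None:
        self._active: Dict[str, Record] = {}
        self._restricted: Dict[str, Record] = {}

    def add(self, subject_id: str, data: dict) -> None:
        self._active[subject_id] = Record(subject_id, dict(data))

    def restrict(self, subject_id: str, reason: str) -> Record:
        """Move the record out of the active system and mark it restricted."""
        record = self._active.pop(subject_id)
        record.restriction_reason = reason
        record.restricted_at = datetime.now(timezone.utc).isoformat()
        self._restricted[subject_id] = record
        return record

    def lift(self, subject_id: str) -> Record:
        """Return the record to active processing once the restriction ends."""
        record = self._restricted.pop(subject_id)
        record.restriction_reason = None
        record.restricted_at = None
        self._active[subject_id] = record
        return record

    def update(self, subject_id: str, **changes) -> Record:
        """Restricted data cannot be changed."""
        if subject_id in self._restricted:
            raise ProcessingRestricted(self.status(subject_id))
        record = self._active[subject_id]
        record.data.update(changes)
        return record

    def read(self, subject_id: str) -> dict:
        """Routine reads are refused: the data stays stored but unavailable to users."""
        if subject_id in self._restricted:
            raise ProcessingRestricted(self.status(subject_id))
        return dict(self._active[subject_id].data)

    def status(self, subject_id: str) -> str:
        """Clear indication in the system that processing is restricted."""
        record = self._restricted.get(subject_id)
        if record is None:
            return "ACTIVE" if subject_id in self._active else "UNKNOWN"
        return f"RESTRICTED ({record.restriction_reason}, since {record.restricted_at})"

    def active_subjects(self) -> List[str]:
        """Population for routine operations, e.g. a mailing run; restricted subjects are absent."""
        return sorted(self._active)


if __name__ == "__main__":
    store = RecordStore()
    store.add("cand-001", {"name": "Alice Example", "email": "alice@example.com"})
    store.restrict("cand-001", "accuracy disputed by data subject")
    print(store.status("cand-001"))
    try:
        store.update("cand-001", email="other@example.com")
    except ProcessingRestricted as exc:
        print("update refused:", exc)
```

The separation into two stores is what lets an operator audit "what is currently restricted" without scanning every record, and raising an exception rather than silently skipping makes any process that forgets to check the restriction fail loudly instead of processing the data anyway.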
Individuals have a right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
Please note that in exercising his or her right to data portability, individuals have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Individuals have a right to object to being subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
This right does not apply where the processing is:
We must make sure that we have in place suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. Please note that special requirements apply to the processing of special categories of data and you should speak with Sarah Leembruggen regarding these requirements.
12.1. Where to send requests
If you receive a request you must not respond to, acknowledge or reply in any way to it. Any member of staff who receives a written request should forward it to Sarah Leembruggen or their line manager immediately.
Any member of staff dealing with enquiries from third parties should be careful about disclosing any personal information held by us. In particular they should:
14.1. Engaging third party processors
Where third parties process personal data on our behalf, such processing shall be governed by a contract or other legal act, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
14.2. Sub-Processing
Where our outsourced processors engage another processor for carrying out specific processing activities to fulfil the contract that they have with us, the same data protection obligations as set out in the contract or other legal act between the controller and the processor must be imposed on that other processor by way of a contract or other legal act, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.
You must therefore check whether the contracts we enter into contain prohibitions on sub-contracting, and must ensure that the processor flows down the requirements above to its sub-contractors and remains liable for the actions of its sub-contractors. Please contact the Data Protection Officer for further advice.
TWS is registered with the Information Commissioner’s Office under registration number ZA394138 and our entry with the Commissioner can be found via the publicly accessible record on ico.org.uk.
Regardless of the above registration, we must also maintain an electronic record of processing activities under our responsibility. These records may be made available to a supervisory authority on request. That record shall contain all of the following information:
* a description of the categories of data subjects and of the categories of personal data;
Our processors are also required to keep an electronic record of their processing activities which shall include:
You must seek the advice of Sarah Leembruggen, where designated, when carrying out a data protection impact assessment.
In order to enhance compliance where processing operations are likely to result in a high risk, we are responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with the law.
A data protection impact assessment shall in particular be required in the case of:
The assessment shall contain at least:
Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
Where necessary, we shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.
In order to maintain security we must evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we must implement (and ensure our processors implement) appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted.
All staff are responsible for ensuring that any personal data which they hold is kept securely and that personal information is not disclosed, either orally, in writing or otherwise, to any unauthorised third party. Failure to comply with our policies and with staff duties of confidentiality may result in disciplinary action, which may include dismissal.
Further information about our technical safeguards and employees' responsibilities in relation to data security can be found in our [Introduction to Policies and Procedures Policy, Social Media Policy, Mobile Phone and Device Policy, Email and Internet Acceptable Use Policy].
Where other organisations process personal data as a service on our behalf (e.g. payroll or outsourcing companies), Sarah Leembruggen will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third-party organisations. You must not enter into such contracts without obtaining permission to proceed from Sarah Leembruggen at sarah@the-works.co.uk.
Information security
From a security point of view, only the following staff are permitted to add, amend or delete personal data from the TWS database(s) (“database” includes paper records or records stored electronically):
However, all staff are responsible for notifying those listed where information is known to be old, inaccurate or out of date. In addition, all employees should ensure that adequate security measures are in place. For example:
It should be remembered that the incorrect processing of personal data, e.g. sending an individual’s details to the wrong person, allowing unauthorised persons access to personal data, or sending information out for purposes for which the individual did not give their consent, may give rise to a breach of contract and/or negligence leading to a claim against TWS for damages from an employee, work-seeker or client contact. A failure to observe the contents of this Policy will be treated as a disciplinary offence.
There are restrictions on international transfers of personal data. We endeavour to have processes in place to ensure that data is transferred lawfully. Appropriate safeguards include:
If you are unsure as to whether a transfer is permitted, or if it would involve the transfer of sensitive personal data without a data subject's consent, you must not transfer the personal data without first consulting the Data Protection Officer.
Information will be kept in line with our [Company Policies], which can be located via [email Sarah Leembruggen at sarah@the-works.co.uk]. All employees are responsible for ensuring that information is not kept for longer than necessary.
Documents containing any personal information will be disposed of securely in our confidential waste bins, and paper copies will be shredded. Staff must not leave confidential materials on their desks. This is especially important in relation to price sensitive transactions or highly confidential matters. Failure to follow this Policy in such circumstances will be considered a serious matter and may result in disciplinary action.
All data which is connected to the recruitment services provided is required to be kept in accordance with HMRC legal requirements for a minimum period of 6 years. Any data which is not subject to HMRC’s requirements will be kept for 3 years.
Data Retention and Storage issues should be directed to Kate Bailey for paper storage and to the ICT specialist for electronic storage. When data is stored in a paper format it will be kept in a secure locked place/safe where it can only be accessed by appropriate personnel who require access to discharge their role. This Policy applies both to data stored electronically and to printed data.
All computers containing data should be protected by approved security software and a firewall, in accordance with data security and cyber security requirements.
Requests for References
Any requests for access to a reference given by a third party must be referred to Sarah Leembruggen at sarah@the-works.co.uk and should be treated with caution, even if the reference was given in relation to the individual making the request. This is because the person writing the reference also has a right to have their personal details handled in accordance with the GDPR and the 8 Rights for Data Subjects:
A reference must not be disclosed without a Data Subject's consent. Therefore, when taking up references, a staff member should obtain consent in writing from the Data Subject (the individual who is the subject of the reference) to the disclosure of the reference to a third party. We must always process any such request in line with the ICO’s Employment Law Code of Practice, which can be accessed here
Whenever you are working away from the secure areas of the firm's offices, you need to be alert to protecting client confidentiality. This applies to any area where third parties could be present. It is particularly easy and tempting for bored fellow travellers on trains to listen to what you are saying or to read what you are working on.
Internally, you need to be careful who may overhear if you are discussing a matter which is subject to an information barrier and find a separate area to work in/take a telephone call if need be.
The risks and reputational damage that could come from leaving files unattended are obvious. The easiest things to misplace are discs, memory sticks, slim bundles of paper etc., but it is far from unknown for laptops and files to be left behind.
Think:
Always:
For any further clarification on this, please contact Sarah Leembruggen at sarah@the-works.co.uk.
All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
Breaches must be reported to Sarah Leembruggen immediately. Failure to do so will be considered a serious matter and may result in formal disciplinary action.
REVIEW OF THIS POLICY
Any questions or concerns about the interpretation or operation of this Policy should be taken up in the first instance with the Data Controller, who is responsible for ensuring compliance with the General Data Protection Regulation and implementation of this Policy.
KEY CONTACTS
If you wish to discuss this Policy further please contact:
Sarah Leembruggen at sarah@the-works.co.uk
APPENDIX 1
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
‘main establishment’ means:
(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
(a) the controller or processor is established on the territory of the Member State of that supervisory authority;
(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
(c) a complaint has been lodged with that supervisory authority;
‘cross-border processing’ means either:
(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data
‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.