Data Protection Policy
Context and Overview
1. Introduction
The purpose of this policy is to ensure compliance with the General Data Protection Regulation and related national legislation (“Data Protection law”). Data Protection law applies to the processing of personal data.
Partington Engineering Ltd needs to process personal data. ‘Processing’, in this context, means collecting, storing, using and erasing personal data, irrespective of its format.
We treat any information disclosed and entrusted to the Company as strictly confidential and only process personal information as permitted by current data protection laws.
2. Purpose
The purpose of this policy is to ensure that Partington Engineering Ltd meets its legal, statutory and regulatory requirements under the data protection laws and to ensure that all personal information is processed compliantly and in the individual’s best interest.
The data protection laws include provisions that promote accountability and governance, and as such Partington Engineering Ltd has put comprehensive and effective governance measures into place to meet these provisions. The aim of such measures is ultimately to minimise the risk of breaches and uphold the protection of personal data. This policy also serves as a reference document for employees and third parties on their responsibilities when handling and accessing personal data and when dealing with data subject requests.
3. Scope
This policy applies to all staff within Partington Engineering Ltd (meaning permanent, fixed-term and temporary staff, agency workers, and any third-party representatives or sub-contractors engaged by Partington Engineering Ltd). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
4. Data Protection Background
The UK initially had the Data Protection Act 1984 in place to regulate the use of processed information relating to individuals. However, the introduction in 1995 of EU Directive 95/46/EC, which set aims and requirements for Member States on the protection of personal data when processing or sharing it, meant an updated Act was required. The UK subsequently developed and enacted the Data Protection Act 1998 (DPA) to ensure that British law complied with the EU Directive and to provide those with obligations under the Act with updated rules, requirements and guidelines for processing and sharing personal data. 2018 marks the 20th anniversary of the DPA’s enactment and, whilst there have been periodic additions and alterations to the Act, technology has advanced at a far faster rate, necessitating new regulation for the current digital age. The past 20 years have also seen a vast increase in the number of businesses and services operating across borders, further highlighting the inconsistency between Member States’ data protection laws. For this reason, in January 2012, the European Commission proposed a new regulation applying to all EU Member States and bringing a standardised and consistent approach to the processing and sharing of personal information across the EU.
4.1 National Data Protection Law
As Partington Engineering Ltd is in the UK, we are obligated under the GDPR and the UK’s Data Protection Act 2018, which sits alongside and supplements the GDPR in UK law. Our data protection policies and procedures adhere to both the GDPR and the Data Protection Act 2018 requirements, as applicable to our business type.
4.2 GDPR
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) was adopted by the European Parliament and the Council in April 2016 and applies in all EU Member States from 25th May 2018. As Partington Engineering Ltd processes personal information regarding individuals (staff and customers), we are obligated under the GDPR to protect such information, and to obtain, use, process, store and destroy it only in compliance with its rules and principles.
4.2.1 Personal Data
Information protected under the GDPR is known as “personal data” and is defined as: –
“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Partington Engineering Ltd ensures that a high level of care is afforded to personal data falling within the GDPR’s ‘special categories’ (previously ‘sensitive personal data’), because this type of information could be used in a negative or discriminatory way and is of a sensitive, personal nature to the persons it relates to. In relation to the ‘special categories of personal data’, Article 9 of the GDPR provides that: –
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited” – unless one of the conditions in Article 9(2) applies.
4.2.2 The GDPR Principles
Article 5 of the GDPR requires that personal data shall be: –
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be incompatible with the initial purposes (‘purpose limitation’)
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Article 5(2) requires that ‘the controller shall be responsible for, and be able to demonstrate compliance with’ the principles above (‘accountability’). In practice this requires firms to show how they comply with the principles, detailing and summarising the measures and controls they have in place to protect personal information and mitigate the risks of processing.
5. Objectives
We are committed to ensuring that all personal data processed by Partington Engineering Ltd is done so in accordance with the data protection laws and its principles, along with any associated regulations and/or codes of conduct laid down by the Information Commissioner and local law.
We ensure the safe, secure, ethical, and transparent processing of all personal data and have stringent measures to enable data subjects to exercise their rights.
Partington Engineering Ltd has developed the below objectives to meet our data protection obligations and to ensure continued compliance with the legal and regulatory requirements.
Partington Engineering Ltd ensures that: –
• We protect the rights of individuals with regards to the processing of personal information
• We develop, implement and maintain a data protection policy, procedure, audit plan and training program for compliance with the data protection laws
• Every business practice, function and process carried out by Partington Engineering Ltd is monitored for compliance with the data protection laws and its principles
• Personal data is only processed where we have verified and met the lawfulness of processing requirements
• All employees are competent and knowledgeable about their GDPR obligations.
• All employees are aware that unauthorised disclosure of personal data will usually be a disciplinary matter and may be considered gross misconduct in some cases.
• Individuals feel secure when providing us with personal information and know that it will be handled in accordance with their rights under the data protection laws
• We maintain a continuous program of monitoring, review and improvement with regards to compliance with the data protection laws, to identify gaps and non-compliance before they become a risk, effecting mitigating actions where necessary
• We provide clear reporting lines and supervision with regards to data protection
• We store and destroy all personal information confidentially and responsibly
• Any information provided to an individual in relation to personal data held or used about them will be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language
• Employees are aware of their own rights under the data protection laws and are provided with information disclosures in the form of an Employee Privacy Notice
6. Accountability & Compliance
We have implemented adequate and appropriate technical and organisational measures to ensure the safeguarding of personal data and compliance with the data protection laws and can evidence such measures through our documentation and practices.
Our main objectives are to: –
• Educate senior management and employees about the requirements under the data protection laws and the possible impact of non-compliance
• Provide a dedicated and effective data protection training program for all employees
• Identify key stakeholders to support the data protection compliance program
• Allocate responsibility for data protection compliance and ensure that the designated person(s) have sufficient access, support and budget to perform the role
6.1 Data Retention and Disposal
Partington Engineering Ltd has defined procedures for adhering to the retention periods as set out by the relevant laws, contracts and our business requirements, as well as adhering to the GDPR requirement to only hold and process personal information for as long as is necessary.
All personal data is disposed of in a way that protects the rights and privacy of data subjects (e.g., shredding, disposal as confidential waste, secure electronic deletion) and prioritises the protection of the personal data in all instances.
7. Data Subject Rights Procedures
7.1 Consent and the Right to be Informed
The collection of personal and sometimes special category data is a fundamental part of the services offered by Partington Engineering Ltd and we therefore have specific measures and controls in place to ensure that we comply with the conditions for consent under the data protection laws.
The data protection law defines consent as: ‘Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
Where processing is based on consent, Partington Engineering Ltd has reviewed and revised all consent mechanisms to ensure that: –
• Consent requests are transparent and use plain language
• It is freely given, specific and informed, as well as being an unambiguous indication of the individual’s wishes
• Consent is always given by a statement or a clear affirmative action (positive opt-in) which signifies agreement to the processing of personal data
• Consent mechanisms are upfront, clear, granular (in fine detail) and easy to use and understand
• Pre-ticked opt-in boxes are never used
• Where consent is given as part of other matters (i.e., terms & conditions, agreements, contracts), we ensure that the consent is separate from the other matters and is not a precondition of any service (unless necessary for that service)
• Consent is always verifiable, and we have controls in place to ensure that we can demonstrate consent in every case
• We keep detailed records of consent
• We have ensured that withdrawing consent is as easy, clear and straightforward as giving it, and is available through multiple options, including: –
• Opt-out links in mailings or electronic communications.
• Opt-out process explanation and steps on website and in all written communications.
• Ability to opt-out verbally, in writing or by email.
• Consent withdrawal requests are processed immediately
8. Employee Personal Data
All employees are provided with a contract of employment and have access to all policies, which inform them of their rights under the data protection laws and how to exercise these rights.
Any member of staff who considers that this policy has not been followed in respect of personal data about themselves or other data subjects should raise the matter with the HR Officer initially.
If the matter is not resolved it should be raised under the Company’s Disciplinary Policy. This in no way affects any statutory remedies available to that individual.
9. Responsibilities
Partington Engineering Ltd has an Administration Assistant whose role (in conjunction with the Directors) includes identifying and mitigating any risks to the protection of personal data, acting in an advisory capacity to the business, its employees, senior managers and directors, and actively staying informed and up to date with all legislation and changes relating to data protection.
All staff who manage and process personal information will be provided with data protection training and will be subject to continuous development support and mentoring to ensure that they are competent and knowledgeable for the role they undertake.
Appropriate measures will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.