DATA PROTECTION POLICY – TWELVE MANAGEMENT LTD
1. INTRODUCTION
1.1 This Data Protection Policy sets out how TWELVE MANAGEMENT LTD ("the Company" or "we/us"), as an employer and a Data Controller Process your Personal Data. It also explains what is required of you when you when you Process any Personal Data during your employment or engagement by us.
1.2 This Data Protection Policy applies to all Personal Data Processed regardless where that data is stored or whether it relates to past or present employees or contractors employed or engaged by the Company.
1.3 You must read, understand and comply with this Data Protection Policy when Processing Personal Data on the Company's behalf. This Data Protection Policy sets out what is expected from you in order for the Company as a Data Controller, and you as a Data Processor, to comply with applicable law such as the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) (Data Protection Legislation). Your compliance with this Data Protection Policy is compulsory. Any breach of this Data Protection Policy may result in disciplinary action.
2. SCOPE
2.1 The Company is responsible for overseeing this Data Protection Policy.
2.2.1 if there has been a Personal Data Breach (paragraph 13); or
2.2.2 if you need any assistance dealing with any requests made by a Data Subject (see paragraph 14).
3. DATA PROTECTION PRINCIPLES
- 3.1.1 Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
- 3.1.2 collected only for specified, explicit and legitimate purposes (Purpose Limitation).
- 3.1.3 adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation).
- 3.1.4 accurate and where necessary kept up to date (Accuracy).
- 3.1.5 not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation).
- 3.1.6 Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
- 3.1.7 Not transferred to another country outside the UK without appropriate safeguards being in place (Transfer Limitation).
- 3.1.8 Made available to Data Subjects and Data Subjects allowed to exercise certain rights in relation to their Personal Data (Data Subject's Rights and Requests).
3.2 We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).
4. LAWFULNESS AND FAIRNESS
4.1 Personal data must be processed lawfully, fairly and in a transparent manner in relation to the Data Subject. We may only collect, Process and share Personal Data fairly and lawfully and for specified lawful purposes, some of which are set out below:
4.1.1 the Data Subject has given his or her Consent
4.1.2 the Processing is necessary for the performance of a contract with the Data Subject;
4.1.3 to meet our legal compliance obligations;
4.1.4 to protect the Data Subject's vital interests;
4.1.5 to pursue our legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects. The purposes for which we Process Personal Data for legitimate interests need to be set out in an applicable Privacy Notice.
4.2 An applicable Privacy Notice must identify and document the lawful basis being relied on for each Processing activity.
5. CONSENT
5.1 A Data Controller must only Process Personal Data on the basis of one or more of the lawful bases set out in the Data Protection Legislation, which include Consent.
5.2 A Data Subject consents to Processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the Processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are unlikely to be sufficient. If Consent is given in a document which deals with other matters, then the Consent must be kept separate from those other matters.
5.3 Data Subjects must be easily able to withdraw Consent to Processing at any time and withdrawal must be promptly honoured. Consent may need to be refreshed if you intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first consented.
5.4 Unless we can rely on another legal basis of Processing, Explicit Consent may be required for Processing Special Categories of Personal Data.
5.5 We will need to evidence Consent captured and keep records of all Consents so that we can demonstrate compliance with Consent requirements.
6. TRANSPARENCY (NOTIFYING DATA SUBJECTS)
6.1 The Data Protection Legislation requires Data Controllers to provide detailed, specific information to Data Subjects through a Privacy Notice which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them.
6.2 The Privacy Notice must include the identity of the Data Controller, set out the Personal Data that is Processed, how and why we Process the Personal Data, and identify the lawful basis for the Processing.
7. PURPOSE LIMITATION
7.1 Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.
7.2 We cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless we have informed the Data Subject of the new purposes and they have Consented where necessary.
8. DATA MINIMISATION
8.1 Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
8.2 You may only Process Personal Data when performing your job duties requires it. You cannot Process Personal Data for any reason unrelated to your job duties. You may only collect Personal Data that you require for your job duties: do not collect excessive data. Ensure any Personal Data collected is adequate and relevant for the intended purposes.
8.3 We must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the data retention guidelines in this Data Protection Policy (see paragraph 10).
9. ACCURACY
9.1 Personal Data must be accurate, relevant to the purpose for which we collected it and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
10. STORAGE LIMITATION
10.1 Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed. We must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the lawful basis for which we originally collected it.
10.2 Data Controllers must maintain retention policies and procedures to ensure Personal Data is deleted a reasonable time after the purposes for which it was being held has been fulfilled, unless the law requires the Personal Data to be kept for some other minimum time. You must comply with the guidelines on data retention (see below).
10.3 Data Subjects should be informed of the period for which data is stored and how that period is determined in any applicable Privacy Notice.
11. DATA RETENTION GUIDELINES
11.1 We will retain personal data of employees (including you) and contractors for the duration of the employment or contractor relationship and for a reasonable time thereafter in order to comply with legal obligations, deal with enquiries from HMRC and any legal claims.
12. PROTECTING PERSONAL DATA
12.1 Personal Data must be secured by appropriate physical, technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage. You must follow all instructions and procedures put in place to maintain the security of all personal data.
13. PERSONAL DATA BREACHES
13.1 The Data Protection Legislation requires Data Controllers to notify any Personal Data Breach to the Information Commissioner's Office (ICO) and, in certain instances, the Data Subject. You must notify the Company immediately if you become aware of any incident which may amount to a Personal Data Breach so appropriate action can be taken.
14. DATA SUBJECT'S RIGHTS AND REQUESTS
14.1 Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:
14.1.1 withdraw Consent to Processing at any time;
14.1.2 receive certain information about the Data Controller's Processing activities;
14.1.3 request access to their Personal Data that we hold;
14.1.4 ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
14.1.5 restrict Processing in specific circumstances;
14.1.6 challenge Processing which has been justified on the basis of our legitimate interests;
14.1.7 request a copy of an agreement under which Personal Data is transferred outside of the UK;
14.1.8 prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
14.1.9 be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
14.1.10 make a complaint to the ICO in the UK.
14.2 You must notify the Company immediately if you become aware of any individual making any of the above requests so appropriate action can be taken.
15. ACCOUNTABILITY
15.1 The Data Controller must implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. The Data Controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.
16. RECORD KEEPING
16.1 The Data Protection Legislation requires us to keep full and accurate records of all our data Processing activities.
17. SHARING PERSONAL DATA
17.1 Generally we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place. You may only share the Personal Data we hold with other employees or contractors if the recipient has a job-related need to know the information. You may only share the Personal Data we hold with third parties, such as our service providers if they have a need to know the information for the purposes of providing the contracted services.
18. CHANGES TO THIS PRIVACY STANDARD
18.1 We reserve the right to change this Data Protection Policy at any time and will notify you of any such changes.
18.2 This Data Protection Policy does not set terms or conditions of employment or engagement and it does not form part of an employment contract or other contract.
19. APPROPRIATE POLICY DOCUMENT
19.1 This Data Protection Policy meets the requirement of the Data Protection Act 2018 for an appropriate policy document to be in place when Processing Special Categories of Personal Data.
19.2 This Data Protection Policy sets out how we will protect Special Categories of Personal Data.
20. WHY WE PROCESS SPECIAL CATEGORIES OF PERSONAL DATA
20.1 We Process Special Categories of Personal Data for the following purposes:
20.1.1 assessing an employee's fitness to work;
20.1.2 complying with health and safety obligations;
20.1.3 complying with the Equality Act 2010;
20.1.4 checking applicants' and employees' right to work in the UK;
20.1.5 verifying that candidates are of suitable character when employed or engaged by us, by conducting criminal record checks.
20.2 We will Process Special Categories of Personal Data only when there is a legal ground for Processing. One of the specific Processing conditions relating to Special Categories of Personal Data must apply. We will identify and document the legal ground and specific Processing condition relied on for each Processing activity for Special Categories of Personal Data.
Lawful Processing basis (Article 6 UK GDPR) | Processing conditions for Special Categories of Personal Data (Article 9 UK GDPR |
|---|---|
Data concerning health The Data Subject has entered into an employment or engagement contract with us for the Processing of Personal Data for one or more specific purposes as identified in our Privacy Notice for Staff (Article 6 (1)(b) UK GDPR). | Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the Data Subject in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.) |
Criminal Convictions Data In the organisation's legitimate interests (Article 6(1)(f)) which are not outweighed by the fundamental rights and freedoms of the Data Subject. | Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the Controller or the Data Subject in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.) Meets one of the substantial public interest conditions set out in Part 2 of Schedule 1 to the DPA 2018 (such as preventing or detecting unlawful acts).(Paragraph 10(1), Schedule 1, DPA 2018.) |
Racial or ethnic origin data Compliance with a legal obligation (Article 6(1)(c)). | Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the Data Subject in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.) |
Equal opportunity data In the organisation's legitimate interests (Article 6(1)(f)) which are not outweighed by the fundamental rights and freedoms of the Data Subject. | Necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained. |
21. DEFINITIONS:
"Consent"
agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear positive action, signifies agreement to the Processing of Personal Data relating to them.
"Data Controller"
the person or organisation that determines when, why and how to Process Personal Data. It is responsible for establishing practices and policies in line with the Data Protection Legislation.
"Data Processor"
a natural or legal person that Processes Personal Data on behalf of, and under the instruction of, a Data Controller.
"Data Protection Legislation"
all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 ("DPA 2018") (and regulations made thereunder); and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Information Commissioner or other relevant data protection or supervisory authority and applicable to a party.
"Data Subject"
a living, identified or identifiable individual about whom we hold Personal Data.
"Explicit Consent"
consent which requires a very clear and specific statement (that is, not just action).
"UK GDPR"
Has the meaning given to it in section 3 (10) (as supplemented by section 205 (4)) of the Data Protection Act 2018.
"Personal Data"
any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Special categories of Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.
"Personal Data Breach"
any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical and organisational safeguards put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
"Privacy Notice"
a notices setting out information that the Data Protection legislation requires to be provided to Data Subjects when a Data Controller collects their Personal Data. They are also referred to as a fair processing notice or privacy policy.
"Processing or Process"
any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
"Special Categories of Personal Data"
information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.