Data protection policy

1. POLICY STATEMENT
1.1. Everyone has rights with regard to how their personal information is handled. During the course
of our activities we will collect, store and process personal information about our staff, suppliers and
customers and any others we communicate with, and we recognise the need to treat it in an
appropriate and lawful manner.

1.2. The types of information that we may be required to handle include details of current, past and
prospective employees, suppliers, customers, and others that we communicate with. The
information, which may be held on paper or on a computer or other media, is subject to certain legal
safeguards specified in the EU General Data Protection Regulation (GDPR) and other UK data
protection law. These laws impose restrictions on how we may use that information.

1.3. We have a commitment to ensuring that personal data is processed in line with GDPR
and relevant UK law and that all our employees conduct themselves in line with this and
other related policies. Where third parties process data on our behalf, we will ensure that
the third party takes the necessary measures to maintain our commitment to protecting
personal data.

1.4. This Data Protection Policy, also known as a Privacy Standard, does not form part of any
employee’s contract of employment and it may be amended at any time. Any breach of this
policy will be taken seriously and may result in disciplinary action.

2. STATUS OF THE POLICY

2.1. This policy sets out our rules on data protection and the legal conditions that must be satisfied
in relation to the obtaining, handling, processing, storage, transportation and destruction of
personal information.

2.2. Our Privacy Officer is responsible for ensuring compliance with GDPR and with this policy. Your
manager can advise you who our Privacy Officer is. If we have cause to appoint a Data Protection
Officer (an official appointment) or use a different title for a Privacy Officer, we will let you know and
any reference to Privacy Officer shall include reference to a new title or a Data Protection Officer.
Any questions or concerns about the operation of this policy should be referred in the first instance
to the Privacy Officer.

2.3. If you consider that this policy has not been followed in respect of personal data about yourself
or others you should raise the matter with your manager or the Privacy Officer.

3. DEFINITION OF DATA PROTECTION TERMS

3.1. Data is personal information about an individual who can be directly or indirectly
identified from that information. Data can be factual (such as a name, address or date of birth) or it
can be an opinion (such as a performance appraisal). This personal information is referred to as
‘Data’ in the remainder of this policy.

3.2. Data Subjects for the purpose of this policy include all living individuals about whom
we hold Data. A Data Subject need not be a UK national or resident. All Data Subjects have legal
rights in relation to their Data.

3.3. Data Controllers are the people who or organisations which determine the purposes for which,
and the manner in which, any Data is processed. They have a responsibility to establish practices and
policies in line with relevant laws. We are the Data Controller of all Data used in our business.

3.4. Data Users include employees whose work involves using Data. Data Users have a duty to
protect the Data they handle by following our data protection and security policies at all times. All
employees have a responsibility, when using Data, to comply with any security safeguards and
procedures we put in place.

3.5. Data Processors include any people who or organisations which process Data on behalf of a Data
Controller. Employees of Data Controllers are excluded from this definition but it could include third
party suppliers which handle Data on our behalf.

3.6. Processing is any activity that involves use of Data. It includes obtaining, recording or holding
Data, or carrying out any operation or set of operations on Data including organising, amending,
retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Data to
third parties.

3.7. Special Categories of Data are sensitive categories of Data about a person’s racial or ethnic
origin, political opinions, religious or similar beliefs, trade union membership, physical or mental
health or condition, sexual life, or sexual orientation. It also includes genetic and biometric Data
(where used for ID purposes). Special Categories of Data can only be processed under strict
conditions, and may require the explicit consent of the person concerned.

3.8. Criminal Offence Data is Data which relates to an individual’s criminal convictions and offences.
It can only be processed under strict conditions and may require the explicit consent of the person
concerned.

3.9. Data Breach is any act or omission which compromises the security, confidentiality, integrity or
availability of Data, or the safeguards that we or a third party put in place to protect the Data,
including losing the Data or disclosing it to unauthorised people.

4. DATA PROTECTION PRINCIPLES
4.1. Anyone processing Data must comply with the eight enforceable principles of
good practice. These provide that personal data must be:

(a) Processed fairly, lawfully, and in a transparent manner. (Fairness, Lawfulness and
Transparency)

(b) Processed for specified, explicit and legitimate purposes and in an appropriate way.
(Purpose Limitation)

(c) Adequate, relevant and limited to what is necessary for the stated purpose. (Data
Minimisation)

(d) Kept accurate and up to date. (Accuracy)

(e) Not kept longer than necessary for the stated purpose. (Storage Limitation)

(f) Processed in a manner that ensures appropriate security of Data, including protection
against unauthorised or unlawful processing, accidental loss, destruction or damage, by
using appropriate technical or organisational measures. (Security, Integrity and
Confidentiality)

(g) Not transferred to another country without appropriate safeguards being in place.
(Transfer Limitation)

(h) Processed in line with Data Subjects’ rights. (Data Subject’s Rights and Requests)

4.2. We are responsible for and need to demonstrate compliance with the data protection principles
listed above (Accountability).

5. FAIRNESS AND LAWFULNESS

5.1. The purpose of GDPR and UK data protection laws is not to prevent the processing of Data, but
to ensure that it is done fairly and without adversely affecting the rights of the Data Subject. The
Data Subject must be told who the Data Controller is (in this case the Company), who the Data
Controller’s representative is (in this case the Privacy Officer), the purpose for which the data is to
be processed by us and the legal basis for doing so, and the identities of anyone to whom the Data
may be disclosed or transferred.

5.2. GDPR allows processing of Data for specific purposes, which are where it is needed:

(a) for the performance of a contract, such as an employment contract;

(b) to comply with a legal obligation;

(c) in order to pursue our legitimate interests (or those of a third party) and where the
interests and fundamental rights of the Data Subject do not override those interests;

(d) to protect the Data Subject’s vital interests;

(e) in the public interest; or

(f) in situations where the Data Subject has given explicit consent.

5.3. We, as Data Controller, will only process Data on the basis of one or more of the lawful
bases set out in 5.2 above. Where consent is required, it is only effective if freely given,
specific, informed and unambiguous. The Data Subject must be able to withdraw consent
easily at any time and any withdrawal will be promptly honoured.

5.4. Special Categories of Data and Criminal Convictions Data will only be processed with
explicit consent of the Data Subject, unless the Data Controller can rely on one or more of
the other lawful bases set out in 5.2 above, and any additional legal bases for processing
specific to these types of data, details of which have been set out in an appropriate Privacy
Notice issued to the Data Subject.

6. TRANSPARENCY

6.1. We will provide all required, detailed and specific information to Data Subjects about the use of
their Data through appropriate Privacy Notices which will be concise, transparent, intelligible, easily
accessible and in clear and plain language.

7. PURPOSE LIMITATION

7.1. Data may only be processed for the specific purposes notified to the Data Subject via the Privacy
Notice. This means that Data must not be collected for one purpose and then used for another. If it
becomes necessary to change the purpose for which the Data is processed, the Data Subject must be
informed of the new purpose via a new or amended Privacy Notice before any processing occurs.

8. DATA MINIMISATION

8.1. Data should only be collected to the extent that it is required for the specific purposes notified to
the Data Subject in the Privacy Notice. Any Data which is not necessary for those purposes should
not be collected in the first place.

9. ACCURACY

9.1. Data must be accurate, complete and kept up-to-date. Information which is incorrect is not
accurate and steps should therefore be taken to check the accuracy of any Data at the point of
collection and at regular intervals afterwards. Inaccurate or out-of-date Data should be amended or
destroyed.

10. STORAGE LIMITATION

10.1. Data should not be kept longer than is necessary to carry out the specified purposes. This
means that Data should be destroyed or erased from our systems when it is no longer required, and
in accordance with our Data Retention Policy.

11. SECURITY, INTEGRITY AND CONFIDENTIALITY

11.1. We will ensure that appropriate technical and organisational security measures are
taken against unlawful or unauthorised processing of Data, and against the accidental loss
of, or damage to, Data. Data Subjects may apply to the courts for compensation if they have
suffered damage from such a loss.

11.2. We will put in place procedural and technological safeguards appropriate to our size,
scope and business, our available resources and the amount of Data we hold, to maintain
the security of all Data from the point of collection to the point of destruction.

11.3. We will consider and use, where appropriate, the safeguards of encryption,
anonymisation and pseudonymisation (replacing identifying information with artificial information
so that the Data Subject cannot be identified without the use of additional information which is kept
separately and secure).

11.4. We will regularly evaluate and test the effectiveness of these safeguards. Employees have a
responsibility to comply with any safeguards we put in place.

11.5. Maintaining data security means guaranteeing the confidentiality, integrity and availability of
the Data, defined as follows:

(a) Confidentiality means that only people who are authorised to use the Data can access it.

(b) Integrity means that Data should be accurate and suitable for the purpose for which it is
processed.

(c) Availability means that authorised users should be able to access the Data if they need it
for authorised purposes.

11.6. Failure to follow rules on data security may be dealt with via the Disciplinary Procedure.

12. TRANSFER LIMITATION

12.1. We will not transfer Data to any recipients outside the European Economic Area (EEA).

13. DATA SUBJECT’S RIGHTS AND REQUESTS

13.1. Data must be processed in line with Data Subjects’ rights. Data Subjects have the
following rights which apply in certain circumstances:

(a) The right to be informed about processing of Data

(b) The right of access to their own Data

(c) The right for any inaccuracies to be corrected (rectification)

(d) The right to have information deleted (erasure)

(e) The right to restrict the processing of Data

(f) The right to portability

(g) The right to object to the inclusion of Data

(h) The right to regulate any automated decision-making and profiling of Data

(i) The right to withdraw consent when the only legal basis for processing Data is consent

(j) The right to be notified of a Data Breach which is likely to result in high risk to their rights
and freedoms

(k) The right to make a complaint to the Information Commissioner’s Office or other
supervisory authority.

13.2. A formal request from a Data Subject for details of Data that we hold about them must be
made in writing (Data Subject Access Request). Any member of staff who receives such a written
request should forward it to their manager immediately.

14. AUTOMATED PROCESSING (INCLUDING PROFILING) AND AUTOMATED DECISION-MAKING
(ADM)

14.1. Specific further rules to protect Data Subjects apply to any Automated Processing (including
Profiling) and ADM related to that person’s Data.

14.2. Where you are involved in any data processing activity by us that involves profiling or ADM, you
must comply with any separate guidelines we issue on profiling or ADM.

15. DIRECT MARKETING

15.1. We are also subject to further rules and privacy laws about the processing of Data when
marketing to our customers.

15.2. You must comply with any separate guidelines we issue on direct marketing to customers.

16. BREACH NOTIFICATION

16.1. Where a Data Breach is likely to result in a risk to the rights and freedoms of the
individual(s) concerned, we will report it to the Information Commissioner’s Office within 72
hours of us becoming aware of it, and it may be reported in more than one instalment.

16.2. Individuals will be informed directly if the breach is likely to result in a high risk to their
rights and freedoms.

16.3. If the breach is sufficient to warrant notification to the public, we will do so without undue
delay.

16.4. If you know or suspect that a Data Breach has occurred, do not attempt to investigate the
matter yourself but contact your manager or the Data Privacy Officer immediately. You should
preserve all evidence relating to the potential Data Breach.

17. TRAINING

17.1. New employees must read and understand this policy as part of their induction. All employees
receive training covering basic information about confidentiality, data protection and the actions to
take upon identifying a potential Data Breach. All employees are trained to protect individuals’ Data
to which they have access, to ensure data security and to understand the consequences to
themselves and us of any potential breaches of the provisions of this policy.

18. RECORDS

18.1. We will keep full and accurate records of all our data processing activities.

19. MONITORING AND REVIEW OF THE POLICY

19.1. We will continue to review the effectiveness of this policy to ensure it is achieving its stated
objectives.

Data Security Policy

1. POLICY STATEMENT
1.1. This policy is to be read in conjunction with our Data Protection Policy and any other related
policies or documents, including any Data Protection Privacy Notices supplied to individuals we deal
with.

1.2. We have a commitment to ensuring that personal data is processed in line with GDPR and
relevant UK law and that all members of staff, and people who have access to personal data and
company systems, conduct themselves in line with this and other related policies. We have strict
obligations to process personal data securely and to adopt sufficient procedural and technological
safeguards.

1.3. This Data Security Policy does not form part of any employee’s contract of employment and it
may be amended at any time. Any breach of this policy will be taken seriously and may result in
disciplinary action.

2. STATUS OF THE POLICY

2.1. The purpose of this policy is to set our rules on how to safely and securely deal with personal and
confidential data.

2.2. Our Privacy Officer is responsible for ensuring compliance with GDPR and with this policy. Your
manager can advise you who our Privacy Officer is. If we have cause to appoint a Data Protection
Officer (an official appointment) or use a different title for a Privacy Officer, we will let you know and
any reference to Privacy Officer shall include reference to a new title or a Data Protection Officer.
Any questions or concerns about the operation of this policy should be referred in the first instance
to the Privacy Officer.

2.3. If you consider that this policy has not been followed in respect of personal data you should raise
the matter with either your manager or the Privacy Officer.

3. TERMINOLOGY USED IN THIS POLICY

3.1. Our Data Protection Policy sets out clearly the key principles of good practice and sets out
definitions of the terminology commonly used.

3.2. For ease of reference we repeat the relevant definitions in our Data Protection Policy and set out
below some further definitions.

3.2.1. Data is personal information about an individual who can be directly or indirectly identified
from that information. Data can be factual (such as a name, address or date of birth) or it can be an
opinion (such as a performance appraisal).

3.2.2. Data Subjects for the purpose of this policy include all living individuals about whom we hold
Data. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in
relation to their Data.

3.2.3. Data Controllers are the people who or organisations which determine the purposes for which,
and the manner in which, any Data is processed. They have a responsibility to establish practices and
policies in line with relevant laws. We are the Data Controller of all Data used in our business.

3.2.4. Data Users include employees whose work involves using Data. Data Users have a duty to
protect the Data they handle by following our data protection and security policies at all times. All
employees have a responsibility, when using Data, to comply with any security safeguards and
procedures we put in place.

3.2.5. Processing is any activity that involves use of Data. It includes obtaining, recording or holding
Data, or carrying out any operation or set of operations on Data including organising, amending,
retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Data to
third parties.

3.2.6. Special Categories of Data are sensitive categories of Data about a person’s racial or ethnic
origin, political opinions, religious or similar beliefs, trade union membership, physical or mental
health or condition, sexual life, or sexual orientation. It also includes genetic and biometric Data
(where used for ID purposes). Special Categories of Data can only be processed under strict
conditions, and may require the explicit consent of the person concerned.

3.2.7. Criminal Offence Data is Data which relates to an individual’s criminal convictions and
offences. It can only be processed under strict conditions and may require the explicit consent of the
person concerned.

3.2.8. Confidential Information is information which is marked as confidential, or information which is
not marked confidential but which, applying common sense, is clearly information we do not want an
unauthorised person to see. For example: details of our products; lists of our customers, whether
individuals or companies, and what they purchase from us; and business information about us which,
if it got into the hands of a competitor or someone setting up in competition, would give them an
unfair advantage over us. If you are in doubt whether something is confidential, please ask your
manager.

3.2.9. Sensitive Data is Special Categories of Data, Criminal Offence Data and sensitive and valuable
Confidential Information.

3.2.10. Confidential Data means Data and Confidential Information.

3.2.11. Equipment means computers and devices, including iPhones, iPads, tablets and storage
devices such as USB sticks, whether personal or owned by us.

4. WHAT DO WE EXPECT FROM YOU?

4.1. As Data Users, you are expected to understand the key principles of data protection contained in
our policies relating to data protection and to understand the promises we are required to make to
Data Subjects in our Privacy Notices. If you fail to meet your obligations as a Data User and/or
unlawfully process Data and/or Sensitive Data, you may be held personally liable and may face legal
action. If in doubt about how you can comply with our data protection policies, please do not guess
but ask your manager.

4.2. You are also expected to safeguard Confidential Information of all levels of sensitivity and take
steps to ensure it does not fall into the wrong hands.

4.3. Your obligations include complying with any rules we give you on how you handle the
information you will have access to, whether about us, staff members, clients, customers,
candidates or any other individuals.

4.4. If you feel you require training or guidance on any of our policies or any instructions we give you,
it is your responsibility to speak to your manager.

5. RISKS TO CONFIDENTIAL DATA AND SENSITIVE DATA

5.1. You are required to consider and assess the security risks involved when working with
Confidential Data and Sensitive Data. In cases of Sensitive Data, you will need to be even more
vigilant.

5.2. The risks involved include:

5.2.1. Confidential Data being overheard by an unauthorised person.

5.2.2. Theft, e.g. someone purposefully downloading customer records from the Company database
before leaving.

5.2.3. Loss, e.g. a database has been accidentally wiped and there is no back-up.

5.2.4. Disclosure (intentional or unintentional), e.g. emailing the wrong recipient.

5.2.5. Hacking, e.g. someone purposefully accessing the Company network via an individual’s
account.

5.2.6. Interception, e.g. listening in to someone’s phone calls or interception through hacking.

5.2.7. Unauthorised storage, e.g. backing up files onto a personal memory stick.

6. GENERAL CONFIDENTIAL DATA AND SENSITIVE DATA SAFEGUARDS

6.1. Do not process Confidential Data or Sensitive Data unless we have authorised you to do so.

6.2. If you are required to talk about Confidential Data or Sensitive Data, whether in the office or
elsewhere, consider carefully whether you can be overheard by unauthorised persons. If you are in
any doubt, consider delaying the conversation until you cannot be overheard, or moving to a place
where you cannot be overheard.

6.3. Set your Equipment to ‘sleep’ or ‘automatically lock’ after a short period of non-use.

6.4. Use a secure password on Equipment to prevent unauthorised access and change your password
regularly. Do not share your password with anyone and do not use the same password for
any other services or devices. We recognise that your passwords need to be memorable to
avoid you needing to write them down, but we encourage you to use strong passwords
which are hard to predict by ensuring that each password is at least 10 characters long and
that each contains a mix of upper and lower case characters, numbers and symbols.

6.5. Ensure that passwords used to access any Confidential Data or Sensitive Data are not
automatically remembered.

6.6. Ensure that any Confidential Data or Sensitive Data is not on display on your desk or your screen
when not being used.

6.7. Ensure that you close down your work when you leave your desk and make sure you do not
allow others to use your Equipment unless there is no risk involved.

6.8. Lock away any paper copies of Confidential Data or Sensitive Data when not being used.

6.9. Unless it is absolutely necessary, and we have given you permission to do so, do not use personal
email accounts to send Confidential Data or Sensitive Data.

6.10. Unless it is absolutely necessary, and we have given you permission to do so, do not save
Confidential Data or Sensitive Data on the local drive of Equipment, external storage devices or on
external ‘cloud’ storage (e.g. Dropbox or iCloud). Use our system so that it can be securely held and
backed up.

6.11. Unless it is absolutely necessary, and we have given you permission to do so, do not store
Confidential Data or Sensitive Data on USB sticks or other storage devices. If you are given
permission to use such a storage device, the files must be encrypted and password protected. The
use of a storage device should only ever be a temporary measure and you should delete the files as
soon as you no longer need to store them there.

6.12. Think carefully before sending any Confidential Data in the post and consider using special
delivery options or using a courier. Always follow up to ensure that Data or confidential information
has reached the intended recipient. Sensitive Data should not be sent in the post unless it is
absolutely necessary, and we have given you permission to do so.

6.13. If sending Confidential Data or Sensitive Data via email, check carefully that you have the
correct email address, the recipient is authorised to process the information and consider encrypting
and password protecting any files.

6.14. Securely dispose of paper copies of Confidential Data or Sensitive Data, for example, by
shredding them.

6.15. Do not use social media (Facebook, WhatsApp, Messenger etc) to process any Confidential or
Sensitive Data, even if you think it is safe.

6.16. Always report any breaches of security or suspicions of breaches or potential breaches to us
without any delay and comply with any policies we may introduce in this regard.

6.17. If you feel you need to derogate from these general rules, then speak to us so that we can
assess the risks involved.

7. USING EQUIPMENT THAT WE DO NOT MANAGE

7.1. The general safeguarding rules above also apply to you using Equipment not owned by us and/or
not managed by us (‘Personal Equipment’).

7.2. As a general rule, we do not want you using Personal Equipment to process Confidential Data or
Sensitive Data but if this is unavoidable or you feel there are benefits to doing so, please let us know
so that we can assess the security risks involved and discuss the security measures you will need to
take. We may require you to sign additional documentation relating to making your personal
Equipment available for monitoring or agreeing to allow us to wipe its data in cases of security risks.
By using your Personal Equipment, you agree to give us access to it in the event of any security
issues and whilst we will not actively seek to access any personal files, eliminating the security issues
may result in such access. If you are concerned about this, we recommend that you do not use
Personal Equipment for work.

7.3. Most commonly, members of staff may wish to access our IT and communications systems via
their smartphones or devices or home computers. We recognise the flexibility this can give to
members of staff and the benefits to us. Please let us know you are doing this as information may
still be at risk.

7.4. If you lend, borrow, sell or give Personal Equipment, you need to think carefully about whether
the recipient could gain access to the work you were doing on it. If in doubt, please contact us and
we will assess the risks involved, which may involve wiping its data.

7.5. If you are accessing our system via programmes or apps, ensure that they are not accessible
without a password. For example, if you are accessing Outlook on your iPhone, ensure that you have
a password to access your iPhone and that any apps or programmes you are using to access
information are also password protected with a different password.

7.6. Ensure that passwords used in relation to work are not automatically remembered on Personal
Equipment.

7.7. Always back up any work you do on your Personal Equipment; please discuss this with your
manager if you are unsure what this involves.

7.8. If you wish to use your own personal computer or laptop, you should ensure that it can encrypt
files and has the necessary security software. If in doubt, speak to us.

8. REMOTE/MOBILE/HOMEWORKING SAFEGUARDS

8.1. When you are mobile, keep Equipment with you at all times, for example, do not use luggage
racks on public transport and do not leave equipment unattended in vehicles or public places.

8.2. When you have finished using Equipment, consider putting it in a locked cupboard or in a locked
room.

8.3. If you are working from home, ensure that your home is secure.

8.4. If you are processing Confidential Data or Sensitive Data, consider who can see your screen
whilst you are working (even if you are at home). If you are in a public place, e.g. on a train or whilst
sitting in a café, take extra care that no one can see your screen and never leave a screen open on
unattended Equipment.

8.5. Consider discussing with your manager any additional security measures that need to be taken,
for example installing remote wiping agents so that Equipment can be wiped of all data in the event
of loss or theft or installing software which prevents the hard-drive from being removed.

9. TRAINING

9.1. New employees must read and understand this policy as part of their induction and may, if
necessary, have training on data security. All employees receive training covering basic information
about confidentiality, data protection and the actions to take upon identifying a potential Data
Breach.

10. MONITORING AND REVIEW OF THE POLICY

10.1. We will continue to review the effectiveness of this policy to ensure it is achieving its stated
objectives.