Aim and scope of policy
This policy applies to the processing of personal data in manual and electronic records kept by the Company in connection with its human resources function as described below. It also covers the Company's response to any data breach and other rights under the General Data Protection Regulation.
This policy applies to the personal data of job applicants, existing and former employees, apprentices, volunteers, placement students, workers and self-employed contractors. These are referred to in this policy as relevant individuals.
Personal data is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person's name, identification number, location, online identifier. It can also include pseudonymised data.
Special categories of personal data is data which relates to an individual's health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).
Criminal offence data is data which relates to an individual's criminal convictions and offences.
Data processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Company makes a commitment to ensuring that personal data, including special categories of personal data and criminal offence data (where appropriate), is processed in line with GDPR and domestic laws, and that all its employees conduct themselves in line with this and other related policies. Where third parties process data on behalf of the Company, the Company will ensure that the third party takes such measures as are needed to maintain the Company's commitment to protecting data. In line with GDPR, the Company understands that it will be accountable for the processing, management and regulation, and storage and retention of all personal data held in the form of manual records and on computers.
Types of data held
Personal data is kept in personnel files or within the Company's HR systems. The following types of data may be held by the Company, as appropriate, on relevant individuals:
Relevant individuals should refer to the Company's privacy notice for more information on the reasons for its processing activities, the lawful bases it relies on for the processing and data retention periods.
Data protection principles
All personal data obtained and held by the Company will:
In addition, personal data will be processed in recognition of an individual's data protection rights, as follows:
The Company has taken the following steps to protect the personal data of relevant individuals, which it holds or to which it has access:
Access to data
Relevant individuals have a right to be informed whether the Company processes personal data relating to them and to access the data that the Company holds about them. Requests for access to this data will be dealt with under the following summary guidelines:
Relevant individuals must inform the Company immediately if they believe that the data is inaccurate, either as a result of a subject access request or otherwise. The Company will take immediate steps to rectify the information.
For further information on making a subject access request, employees should refer to our subject access request policy, available from [insert name].
The Company may be required to disclose certain data/information to any person. The circumstances leading to such disclosures include:
These kinds of disclosures will only be made when strictly necessary for the purpose.
The Company adopts procedures designed to maintain the security of data when it is stored and transported. More information can be found in the data transfer security policy, available from [insert details].
In addition, employees must:
Personal data relating to employees should not be kept or transported on laptops, USB sticks, or similar devices, unless authorised by Cathy Yates. Where personal data is recorded on any such device it should be protected by:
Failure to follow the Company's rules on data security may be dealt with via the Company's disciplinary procedure. Appropriate sanctions include dismissal with or without notice, depending on the severity of the failure.
The Company does not transfer personal data to any recipients outside of the EEA.
Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner within 72 hours of the Company becoming aware of it and may be reported in more than one instalment.
Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual.
If the breach is sufficient to warrant notification to the public, the Company will do so without undue delay.
New employees must read and understand the policies on data protection as part of their induction.
All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.
The nominated data controller/auditors/protection officers for the Company are trained appropriately in their roles under the GDPR.
All employees who need to use the computer system are trained to protect individuals' private data, to ensure data security, and to understand the consequences to them as individuals and to the Company of any potential lapses and breaches of the Company's policies and procedures.
The Company keeps records of its processing activities including the purpose for the processing and retention periods in its HR Data Record. These records will be kept up to date so that they reflect current processing activities.
Data Protection Officer
The Company's Data Protection Officer is Cathy Yates and can be contacted on 01636 679281/07880 383231 or via email to firstname.lastname@example.org