Overview
The Scope and Purpose of the Policy
This policy applies to the processing of personal data by or on behalf of Jeakins Weir Limited. For definitions of terms, as set out in the Data Protection Act 2018, see Appendix 1 below, and the General Data Protection Regulations (GDPR).
Purpose of the Data Protection Policy
All staff who process personal data must comply with the Data Protection Act 2018. Section (4) of the Act states that:
'it shall be the duty of the data controller to comply with the data protection principles in relation to all personal data with respect to which he/she is the data controller'.
The purpose of the Data Protection Policy is to clarify the internal allocation of responsibilities and duties in respect of the Data Protection Act 2018 and the General Data Protection Regulations (GDPR) and to set out the structure within which they will be discharged.
The Data Protection Act
The Data Protection Act 2018 requires Jeakins Weir Limited to notify the Information Commissioner of the purposes for which 'personal data' are 'processed' by the Company. Jeakins Weir Limited is required to adhere to the eight principles of data protection as laid down by the Act and to permit individuals to access their own personal data held by the Company (via a Subject Access Request) in accordance with the terms of the Act.
Data Protection Principles
In accordance with the Principles laid down by the Data Protection Act 2018, all Personal Data held by Jeakins Weir Limited shall be:
- Fairly and lawfully processed,
- Processed for specified purposes,
- Adequate, relevant and not excessive,
- Accurate,
- Not kept longer than necessary,
- Processed in accordance with the data subjects' rights,
- Secure,
- Not transferred to countries outside the European Economic Area without adequate protection.
Satisfaction of principles
In order to meet the requirements of the principles, the Company will:
- Observe fully the conditions regarding the fair collection and use of personal data;
- Meet its obligations to specify the purposes for which personal data is used;
- Collect and process appropriate personal data only to the extent that it is needed to fulfil operational or any legal requirements;
- Ensure the quality of personal data used;
- Apply strict checks to determine the length of time personal data is held;
- Ensure that the rights of individuals about whom the personal data is held can be fully exercised under the Act;
- Take the appropriate technical and organisational security measures to safeguard personal data; and
- Ensure that personal data is not transferred abroad without suitable safeguards.
GDPR Rights of the Individual
We will respect the following GDPR rights and process data in accordance with them. Individuals have a number of rights under data protection law, including:
- The Right to be Informed: We will inform individuals how we are processing data, via a privacy notice on our web site and through forms and other documents that we use to collect data in hard copy.
- The Right of Access: Individuals have a right to request access to data we hold on them.
- The Right of Rectification: Individuals are entitled to have inaccurate or incomplete data rectified.
- The Right to Erasure: Individuals have the right to request the removal of personal data, where there is no compelling reason for its continued processing.
- The Right to Restrict Processing: Individuals have the right to restrict the processing of personal data, where they contest the accuracy or lawful basis for processing data.
- The Right of Data Portability: Individuals have the right to obtain and reuse personal data for their own purposes.
- The Right to Object: Individuals have the right to object to processing of data including activities related to direct marketing, public interest and scientific or historical research activities.
Additionally, individuals have a right to make a complaint about our handling of personal data to the Information Commissioner’s Office.
GDPR Register
An information audit is carried out and a GDPR Register is maintained to detail all information assets and personal data. This register includes:
- Description of the record containing personal data
- Data subject/s
- Purpose of data retention/processing
- Legal basis for retention
- Recipients of data
- Location stored
- Retention period
- Details of the data held
The GDPR register is reviewed at least annually.
Subject Access
All individuals who are the subject of personal data held by the Company are entitled to:
- Ask what information the Company holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed what the Company is doing to comply with its obligations under the 2018 Data Protection Act and GDPR.
A Subject Access Request (SAR) Register is maintained for recording and documenting actions taken for all SARs.
Employee Responsibilities
All employees are responsible for:
- Checking that any personal data that they provide to the Company is accurate and up to date.
- Informing the Company of any changes to information which they have provided, e.g. changes of address.
- Checking any information that the Company may send out from time to time, giving details of information that is being kept and processed.
Data Security
The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. All staff are responsible for ensuring that:
- Any personal data which they hold is kept securely.
- Personal information is not disclosed either orally or in writing or otherwise to any unauthorised third party.