Privacy Policy & GDPR

  1. Policy Aims

    We hold personal data about our employees, clients, suppliers and other individuals for a variety of business purposes. This policy sets out how Lupton & Place Ltd seeks to protect personal data and ensure that everyone understands the rules governing their use of personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Managing Director is consulted before any significant new data processing activity is initiated, so that the relevant compliance steps are addressed.

  2. Scope

    This policy applies to all Lupton & Place Ltd Colleagues who process or use personal data or sensitive personal data (“Data Users”), as well as supplier, client and marketing data.

  3. Principles

    1. Colleagues (“Data Users”) who process or use personal information must ensure that they adhere to the following principles at all times. These state that personal data shall be:
      • Obtained and processed fairly and lawfully (that the subject of the data has consented to its collection and use).
      • Held only for specified purposes.
      • Adequate, relevant but not excessive.
      • Accurate and kept up to date.
      • Held for no longer than necessary. Please see Appendix 1 for further details.
      • Accessible to data subjects.
      • Kept safe from unauthorised access, accidental loss or destruction.
      • Only transferred within the European Economic Area (EEA).

  4. Responsibilities

    All colleagues are responsible for:

      • Checking that any information that they provide to the company in connection with their employment is accurate and up to date.
      • Informing the HR Manager or relevant Manager of any changes to the information that they have provided, e.g. change of address.
      • Complying with the guidelines set out in this Policy if and when, as part of their responsibilities, they collect information about other people, and only processing personal data where they have a clear purpose to do so.

  5. Data Security

    1. All colleagues whose work involves storing personal data, whether in electronic or paper form, must take personal responsibility for ensuring that:
      • Any data that they hold is kept securely.
      • Personal information is not disclosed, either orally or in writing or by any other means, to any unauthorised third party.
    2. Printed personal information should be kept in a locked filing cabinet, drawer or safe where unauthorised personnel cannot access it and should be shredded when it is no longer needed.
    3. If the information is computerised, it must be protected by strong passwords that are regularly changed, with access rights restricted to authorised personnel only. Data stored on memory sticks or external drives must be locked away securely when not in use.
    4. Personal data must not be stored at colleagues’ homes, whether in manual or electronic form, or saved directly to mobile devices such as laptops, tablets or smartphones.
    5. Servers containing personal data must be kept in an approved, secure location and protected by security software and strong firewalls. Data should be regularly backed up in line with the company’s procedures.

  6. Rights to Access Information

    1. All colleagues have the right to access personal data that is being kept about them insofar as it falls within the scope of the Data Protection Act 1998. All colleagues are entitled to know:
      • What information the company holds and processes about them and why.
      • How to gain access to the information and how it is kept up to date.
      • What the company is doing to comply with its obligations under the GDPR.
    2. Any colleague wishing to exercise their rights as defined in section 6.1 should make their request in writing to the HR department. If colleagues wish to see only specific documents, they must describe these.
    3. The HR Manager or relevant Manager will aim to comply with requests for access to personal information as quickly as possible and, in any event, within one month.
    4. The company will provide this information in the format requested by the colleague, either electronic or paper-based.
    5. The company does not need to comply with a request where it has received an identical or similar request from the same colleague, unless a reasonable interval has elapsed between compliance with the original request and the current request.
    6. A colleague also has the right to data portability and can request that their data be transferred to another system. Again, this will be done following a written request to the HR Manager or relevant Director and within one month.

  7. Disclosures Outside of the Company

    1. General Requests

      1. Where a request to disclose or amend personal data relating to a colleague is received from an individual or organisation outside of the company, in general no data should be disclosed or amended, unless the authority and authenticity of the request can be established.
      2. Disclosures requested by those claiming to be relatives or friends must be refused.
    2. Reference requests

      1. All references must come through the HR Manager or the relevant Company Director.
    3. International data transfer

      1. No data may be transferred outside of the EEA without specific consent from the data subject.
  8. Consent

    1. In some cases, the company can only process personal data with the consent of the colleague.
    2. If the data is sensitive, as defined in the Data Protection Act 1998, express consent must be obtained.
    3. Agreement to the company processing some specified classes of data is a condition of employment.
    4. The company may ask for information about a colleague’s health such as allergies or any medical condition. The company will only use this information in the protection of the health and safety of the colleague but will need consent to process this data in the event of a medical emergency.
    5. If a colleague considers that this policy has not been followed in respect of personal data about themselves, they must raise the matter with the HR Manager or a relevant Director.
  9. Right to be Forgotten & Retention of Data

    1. The company has a duty to retain some colleague data for a period of time following their departure from the company, mainly for legal reasons.
    2. Some of this material will be archived. Appendix 2 provides further information on the minimum retention periods for records containing personal data.
    3. Colleagues leaving the company can request in writing that their data be deleted or removed by the company, and any third parties who process or use that data must also comply with the request. This means that all personal data must be disposed of unless it is to be kept for any of the legal reasons set out in Appendix 2. An erasure request can only be refused if an exemption applies.

  10. Disposal of Personal Data

    Where a record containing personal data is disposed of, the following procedures will be followed:

    1. All paper documentation containing personal data will be permanently destroyed by shredding.
    2. All computer equipment that is to be sold or scrapped will have had all personal data completely destroyed.
    3. All data stored on computers will be permanently deleted from the server.
  11. Reporting Breaches

    1. All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
      • Investigate the failure and take remedial steps if necessary
      • Maintain a register of compliance failures
      • Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures.

  12. Data Audit & Register

    1. There will be regular data audits to manage and mitigate risk, which will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.

  13. Related Policies

    • The Reference Policy and Procedure
    • The Disciplinary Policy and Procedure
    • The Attendance Management Policy and Procedure
    • The Social Media & Electronic Communications Policy
    • The Shared Parental Leave Policy

APPENDIX ONE

Definitions

Business Purposes

The purpose for which personal data may be used by us: Personnel, administrative, financial, regulatory, payroll and business development purposes. Business purposes include the following:

  • Compliance with our legal, regulatory and corporate governance obligations and good practice
  • Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
  • Ensuring business policies are adhered to (such as policies covering e-mail & internet use)
  • Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
  • Investigating complaints
  • Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
  • Monitoring staff conduct, disciplinary matters
  • Marketing our business
  • Improving services

Personal Data

This is information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers and marketing contacts.

Sensitive Personal Data

Personal data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings.

APPENDIX TWO

Minimum Retention Periods for Records Containing Personal Data

TYPE OF RECORD | MINIMUM RETENTION PERIOD | REASON FOR LENGTH OF PERIOD
Personnel files including training records, notes of disciplinary and grievance hearings and appraisal forms | 6 years from end of employment | References and potential litigation
References | 6 years from end of employment | References and potential litigation
CVs, application forms/interview notes | At least 6 months from the date of interviews | Time limits on litigation
Facts relating to redundancies where fewer than 20 | 6 years from the date of redundancy | As above
Facts relating to redundancies where more than 20 | 12 years from the date of redundancy | As above
Income tax and NI returns, including correspondence with the tax office | At least 3 years after the end of the financial year to which the records relate | Income Tax (Employment) Regulations 1993
Statutory maternity pay records and calculations | As above | Statutory Maternity Pay (General) Regulations 1986
Statutory sick pay records and calculations | As above | Statutory Sick Pay (General) Regulations 1982
Wage and salary records | 6 years | Taxes Management Act 1970
Accident book and records and reports of accidents | 3 years after the date of the last entry | Social Security (Claims and Payment) Regs. 1979, RIDDOR 1985
Health records | During employment | Management of Health and Safety at Work Regs.
Health records where reason for termination of employment is connected with health, including stress related illness | 3 years | Limitation period for personal injury claims
Medical records kept by reason of Control of Substances Hazardous to Health Regs. 1999 | 40 years | Control of Substances Hazardous to Health Regs. 1999
TUPE information to another company from this company | All as above in relation to the type of information (record) | All as above in relation to the type of information given over
Supplier contact and bank details for payments | For duration of contract | Litigation
VAT records – invoices or purchases | 6 years after the end of the financial year to which the records relate | HMRC legislation
Supplier specifications, audit reports, accreditations etc. | | Potential litigation & Customer audits
Customer specifications, account details, contracts, policies, price negotiations & costs etc. | | Potential litigation & Customer audits
Customers’ orders and forecasting | | Potential litigation & Customer audits
NPD – Briefs, timelines & submission briefs from customers | | Potential litigation & Customer audits

GDPR POLICY LUPTON & PLACE LTD MAY 2018