At Ukdrainage we process information about individuals (i.e. 'personal data') for business purposes, including employment, provision of our services, marketing, and business administration. This includes personal data relating to our staff, customers, suppliers and other third parties.
Compliance with data protection law is essential to ensure that personal data remains safe, our business operations are secure and the rights of individuals are respected. The Company is a 'controller' under data protection law, meaning it decides how and why it uses personal data. This Policy explains how we comply with data protection law. It applies to all Company employees and workers, including contractors, agency workers, consultants and directors.
Dave Prior (Managing Director) is ultimately responsible for the Company's compliance with data protection law.
Personal data is information relating to a living individual who can be identified by reference to an identifier (e.g. name, NI number, employee number).
Processing personal data means any activity that involves the use of personal data. It also includes sending or transferring personal data to third parties.
Data Protection Obligations
Here are our key obligations and how we aim to comply:
1. We process personal data in a fair, lawful and transparent manner
We process personal data only where there are legal grounds to do so. Examples of legal grounds for processing personal data include the following (at least one of these must be satisfied for each processing activity):
- complying with a legal obligation;
- entering into or performing a contract with the individual;
- acting in the Company's or a third party's legitimate interests; and
- obtaining the consent of the individual.
Where consent is relied on, it must be freely given, specific, informed and unambiguous, and the Company must be able to demonstrate this. The Company does not use consent as a legal ground for processing employee data unless the data processing activities concerned are genuinely optional.
Consent is not normally required for activities involving customer or supplier data.
We process personal data in a transparent way by providing individuals with appropriate information about how we process personal data.
2. We take care when handling special categories of personal data
Some categories of personal data are 'special' because they may reveal an individual's:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- physical or mental health;
- sexual life or sexual orientation;
- biometric or genetic data (if used to identify that individual); and
- criminal offences or convictions.
For special category personal data we must have an additional legal ground to justify using this sensitive information. This will depend on the circumstances, and includes:
- complying with a legal obligation in the field of employment;
- assessing working capacity (based on confidential expert medical opinion);
- carrying out equalities monitoring;
- exercising, establishing or defending legal claims;
- preventing or detecting unlawful acts; or
- explicit consent of the individual.
3. We process personal data for specified, explicit and legitimate purposes
The Company will only process personal data in accordance with our legitimate purposes to carry out business operations and administer employment and other business relationships.
4. We ensure that personal data is adequate, relevant and limited to what is necessary for legitimate purposes
Data protection law requires that personal data is adequate, relevant to our purposes and limited to what is necessary.
5. We keep personal data accurate and up-to-date
The Company takes steps to ensure that personal data is accurate and up-to-date. For example, we request that employees provide us with any change in personal information.
6. We keep personal data no longer than necessary
Records containing personal data should only be kept for as long as they are needed. The Company has a data retention policy for records that contain personal data.
We take steps to retain personal data only for as long as is necessary, taking into account:
- the amount, nature, and sensitivity of the personal data;
- the risk of harm from unauthorised use or disclosure;
- the purposes for which we process the personal data;
- how long the personal data is likely to remain accurate and up-to-date;
- how long the personal data might be relevant to possible future legal claims; and
- accounting, reporting or regulatory requirements.
7. We keep personal data secure
Keeping personal data safe and complying with the Company's procedures to protect the confidentiality of personal data is a key responsibility for the Company and its workforce.
Measures to achieve this include physical, technological and organisational controls, e.g. locked offices and filing cabinets, building security, access controls and passwords, encryption of hardware or software, anti-virus and network protection, software updates, security testing and incident management, secure disposal of records, backup and disaster recovery.
8. We take care when sharing or disclosing personal data
The sharing or disclosure of personal data is a type of processing:
Internal data sharing
The Company ensures that personal data is only shared internally on a 'need to know' basis.
External data sharing
We only share personal data with third parties where we have a legitimate purpose, and an appropriate legal ground. Commonly, this includes situations where we are legally obliged to provide the information or to perform our contractual duties to individuals.
We may appoint third party service providers to handle information on our behalf, for example to provide payroll, data storage or other services. The Company is responsible for ensuring that these also comply with data protection law.
9. We don't transfer personal data to another country
An overseas transfer of personal data takes place when the data is transmitted or sent to, viewed, accessed or otherwise processed in, a different country.
To ensure that data protection is not compromised when personal data is transferred to another country, the Company will assess the risks of any transfer of personal data outside of the UK and put in place additional appropriate safeguards where required.
We do not currently transfer personal data outside the UK.
10. We report data protection breaches without delay
The Company takes data protection breaches very seriously. These include lost equipment or data, inaccurate data, failure to address an individual's rights, accidental sending of data to the wrong place, unauthorised use of data, and deliberate attacks on the Company's systems.
If there is accidental or unlawful loss, alteration or disclosure of personal data, the Company will take immediate steps to address it.
If the Company discovers that there has been a personal data breach posing a risk to the rights and freedoms of individuals, we will report it to the Information Commissioner's Office (ICO).
If a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, we will tell affected individuals and provide them with information about its likely consequences and the mitigation measures we have taken.
11. We integrate data protection into our operations
Data protection law requires the Company to build data protection considerations and security measures into all operations that involve the processing of personal data, particularly at the start of a new project or activity which may impact on the privacy of individuals, taking into account:
- the risks posed by the processing;
- technological capabilities;
- the cost of implementation; and
- the nature, scope, context and purposes of the processing.
Individual Rights and Requests
Under data protection law, individuals have certain rights when it comes to how we handle their personal data. For example, an individual has the following rights:
- The right to make a 'subject access request'.
- The right to request that we correct incomplete or inaccurate personal data.
- The right to withdraw consent which they have given.
- The right to request that we delete personal data that we hold about them.
- The right to object to our processing of personal data for direct marketing.
- The right to request that we restrict our processing of personal data.
- The right to request that we transfer to them or another party, in a structured format, their personal data.
We are required to comply with these rights without undue delay and, in respect of certain rights, within a one month timeframe.
Individuals also have rights to complain to the ICO about, and to take action in court to enforce their rights and seek compensation for damage suffered from, any breaches.
In order to comply, and demonstrate our compliance, with data protection law, the Company keeps various records of our data processing activities. These include a Record of Processing which contains: the purposes of processing; categories of data subjects and personal data; categories of recipients of disclosures of data; information about international data transfers; envisaged retention periods; general descriptions of security measures applied; and certain additional details for special category data.