We regard the lawful and correct treatment of personal data as vital to the achievement of our objectives, to the success of our operations, and to maintaining confidence between Eddisons and those with whom it carries out business. Eddisons will ensure that it treats personal data lawfully and correctly by endorsing and adhering to the Principles of Data Protection as set out in the Data Protection Act 1998 (‘the Act’).
In order to operate efficiently, Eddisons has to collect, store and process personal data about people with whom it works. These may include its staff (current, past and prospective), clients, customers, suppliers and other third parties with whom Eddisons conducts business. In addition, Eddisons may occasionally be required by law to collect and use certain types of information to comply with the requirements of government departments or other legislation such as the Money Laundering Regulations 2007.
We therefore need to ensure that as an organisation we treat personal information lawfully and correctly regardless of how it is collected, stored, recorded and used, and whether it is on paper within a filing system, stored electronically or recorded by any other means. To this end, we fully endorse and adhere to the Principles of data protection, as set out in the Data Protection Act 1998.
Any breach of this policy will be taken seriously and may result in disciplinary action.
The Data Compliance Manager is responsible for ensuring compliance with the Act and this policy. That post is held by the Group Company Secretary. Any questions or concerns about the operation of this policy should be directed to Charlotte Peel (firstname.lastname@example.org) in the first instance.
The eight Principles require that personal information:
- Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met;
- Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
- Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed or used;
- Shall be accurate and, where necessary, kept up to date and a periodic review shall be carried out to ensure that this happens and that inaccurate or out of date information will be destroyed;
- Shall not be kept for longer than is necessary for the specified purpose(s);
- Shall be processed in accordance with the rights of data subjects under the Act, being the right for them to:
  - (i) request access to any data held about them;
  - (ii) prevent the processing of their data for direct-marketing purposes;
  - (iii) ask to have inaccurate data amended;
  - (iv) prevent the processing of data that is likely to cause unwarranted substantial damage or distress to themselves or anyone else;
  - (v) object to any decision that significantly affects them being taken solely by a computer or other automated process;
- Shall be subject to appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data, or the accidental loss, destruction of, or damage to personal data;
- Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Eddisons will, through appropriate management and strict application of criteria and controls:
- Observe fully the conditions regarding the fair collection and use of information – including the requirement either that the data subject consents to the processing of their data or that the data is processed for our legitimate interests;
- Meet its legal obligations to specify the purposes for which information is used;
- Collect and process appropriate information only to the extent that it is needed to fulfil our operational needs or to comply with any legal requirements;
- Ensure the quality of information used;
- Ensure that the information is held for no longer than is necessary;
- Ensure that the rights of people about whom information is held can be fully exercised under the Act (i.e. the right to be informed that processing is being undertaken, to access one’s personal information, to prevent processing in certain circumstances, and to correct, rectify, block or erase information that is regarded as wrong), including complying with any written request from a data subject regarding information that we hold about them – a subject access request;
- Take appropriate technical and organisational security measures to safeguard personal information;
- Ensure that personal information is not transferred abroad without suitable safeguards.
Disposal of Data
- We will dispose of paper files containing customer information by using shredders, locked bins for confidential waste or secure disposal companies.
- Confidential waste will be separated from general waste or all paper waste will be treated as confidential.
- We will make staff aware of the dangers of the loss of customer data through confidential paper waste and they will be provided with easy access to confidential waste collection points such as bins or shredders.
- We will only use secure disposal firms accredited by the British Security Industry Association (BSIA) for confidential waste disposal.
Disposing of Obsolete Computers and Other Electronic Equipment
- We are aware of the risk of loss of customers’ data through computers and other devices that we may discard.
- We use secure wiping technologies and techniques, such as wiping the hard drive using specialist software or removing or physically destroying the hard drive. This applies equally to portable media such as USB sticks, CDs and cartridges.
- To reduce the risk of theft, obsolete computers and other electronic equipment are disposed of and not stockpiled.
This policy and the procedures arising from it are reviewed at least annually. Richard Roe is responsible for this policy.
This policy is implemented by order of the board of directors and will be monitored for effectiveness and reviewed every year and following major organisational or procedural changes, new legislation and audit recommendations.
This policy does not form part of any employee’s contract of employment and may therefore be amended at any time. Any amendments will be brought to the notice of all staff.
Richard Roe, Managing Director
Issue Date: 24.03.2018