Purey Cust (York) Estate Limited, as Data Controller, is committed to ensuring its compliance with the requirements of the law governing the management and storage of Personal Data (as defined below), which is set out in the UK’s Data Protection Act and the EU’s General Data Protection Regulation 2016 (“GDPR”).
We recognise the importance of Personal Data to our business and the importance of respecting the privacy rights of individuals. This Data Protection Policy (the Policy) sets out the principles which we will apply to our Processing (as defined below) of Personal Data so that we not only safeguard one of our most valuable assets but also Process Personal Data in accordance with applicable laws.
The UK data protection regulator oversees compliance with the GDPR, which is the Information Commissioner’s Office (“ICO”). Purey Cust (York) Estate Limited Limited is accountable to the ICO for its data protection compliance.
This Policy aims to protect and promote the data protection rights of individuals and the business, by informing everyone working for the company of their data protection obligations and of the business procedures that must be followed to ensure compliance with GDPR.
Information about individuals must be collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully.
This Policy covers all Personal Data and special categories of Personal Data, however, Processed (on computers or manually).
This Policy and the Guidance (which is set out in the following pages) applies to all staff (including managers), consultants and any third party that this Policy has been communicated to, as it is the responsibility of all to assist Purey Cust (York) Estate Limited Limited complying with its obligations as Data Controller. All members of staff should familiarise themselves with both this Policy and the Guidance and apply their provisions concerning any processing of Personal Data.
Failure to comply with the GDPR, the Policy and the Guidance could amount to misconduct, which is a disciplinary matter and could ultimately lead to summary dismissal. Serious breaches could also result in personal criminal liability.
For these reasons, all employees must familiarise themselves with this Policy and the Guidance and attend any training sessions concerning the care and handling of Personal Data.
This Policy and the Guidance may be amended from time to time to reflect any changes in practice or legislation. Mike Green, who is the business’s Privacy Manager, is responsible for monitoring the business’s compliance with this policy and any queries as to data protection procedures or requirements should be directed to him.
This Policy has been approved by Purey Cust (York) Estate Limited Limited Directors. It will be reviewed annually or as and when a change in the data protection regime requires it to be updated.
This Guidance Note (“the Guidance”) forms part of the Data Protection Policy and provides supplementary information to enable staff to better understand and comply with the Data Protection Policy.
Purey Cust (York) Estate Limited Limited, as Data Controller, is required to comply with the GDPR in respect of its Processing of Personal Data (such as information about our customers, employees and suppliers). Compliance with data protection legislation is the responsibility of all members of the business who process personal information, and it is, therefore, crucial for all staff to familiarise themselves with both the Data Protection Policy and this Guidance and act following their content.
Any day-to-day data protection issues or any questions about the Policy or the Guidance should be raised with the Privacy Manager.
The GDPR is intended to protect the rights and privacy of individuals and to ensure that data about them is not processed without their knowledge and, wherever possible, is treated with their consent. While the GDPR covers Personal Data relating to individuals, you should bear in mind that if you handle personal details of, for example, officers of companies, this will still constitute Personal Data and therefore be subject to the GDPR’s requirements.
It should be noted that the business is authorised to process data connected to staff administration, advertising and marketing, maintain accounts and records, instructing third parties to process data on its behalf in relation to performing contractual obligations, receiving data from third parties to process data in relation to performing contractual obligations and relating to the CCTV outside the office. Anyone who is or intends Processing data for purposes not included in the business’s entitlements should seek advice from the Privacy Manager.
In this Guidance, the following definitions are used:
Consent is an agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by explicit affirmative action, signifies agreement to the Processing of Personal Data relating to them.
Data Controllers means the natural or legal person, public authority, agency or other bodies who alone or jointly with others, determine the purposes for which and how any Personal Data is processed. They have a responsibility to establish practices and policies in line with the GDPR Purey Cust (York) Estate Limited Limited is the Data Controller of all Personal Data used in our business.
Data Processors include any person who processes Personal Data on behalf of a Data Controller. Employees of Data Controllers are excluded from this definition, but it could consist of suppliers, which handle Personal Data on our behalf. Data Subjects (for this Policy) include all living, identified or identifiable individuals about whom Purey Cust (York) Estate Limited Limited holds Personal Data.
A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their Personal Data. This will include and is not limited to, staff, customers, suppliers and business contacts.
Personal Data means data (however held) relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal Data can be factual (such as a name, address, date of birth or telephone number) or it can be an opinion (such as a performance appraisal). It will include passport or driving licence details. It also includes information that identifies the physical, physiological, genetic, mental, economic, cultural or social identity of a person. For the business’s purposes, our customers are Data Subjects (other individual third parties that we hold Personal Data about are also likely to be Data Subjects).
Processing (or Process) is any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation on or regarding the data including organising, accessing, amending, merging, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring or making available Personal Data to third parties.
Sensitive Personal Data includes information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such circumstances or the sentence of any court in such proceedings. Sensitive Personal Data can only be processed under strict conditions, and will usually require the express consent of the person concerned.
A. Overall Policy Statement and detailed Guidance
• All Data Subjects have rights about how their personal information is handled. During our activities, we will store and process personal data which includes information about our staff and our customers and suppliers. We recognise the requirement to treat this information correctly and in a lawful manner.
• Personal information, which may be held on paper or a computer, is subject to certain legal safeguards specified in the GDPR and other regulations. The GDPR imposes restrictions on how we may use that information.
• Purey Cust (York) Estate Limited Limited has to adhere to the Data Processing principles around which the GDPR is based. These principles deal with handling, Processing, transportation, destruction and storage of personal information. All staff must adhere to these principles in performing their day-to-day duties. The laws require the business to ensure that all Personal Data and Sensitive Personal Data:
• is processed fairly and lawfully and in a transparent manner in relation to the subject;
• shall be obtained for specified, explicit and legitimate purposes and not processed in a way that is incompatible with these purposes;
• shall be adequate, relevant and not excessive in relation to the use it is held;
• shall be accurate and kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purpose for which they are processed, are erased or rectified without delay;
• shall be kept in a form which permits the identification of Data Subjects for no longer than is necessary for the purposes for which it is processed;
• shall be processed in accordance with the individuals’ rights; and
• shall be processed in a manner that ensures appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of Personal Data and accidental loss or destruction of, or damage to, Personal Data.
Additionally, Personal Data shall not be transferred to a country or territory outside the European Economic Area unless: (1) that country or region ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data; (2) appropriate, approved standard contractual clauses are in place; (3) the Data Subject has given explicit consent; or (4) the transfer is necessary for a reason set out in the GDPR. If this is envisaged, speak to the Privacy Manager for further guidance before transferring any data.
The business must be able to demonstrate its compliance with the above principles (‘accountability’).
To process all Personal Data in a manner that is compliant with GDPR, Purey Cust (York) Estate Limited Limited will:
• observe the conditions regarding the fair collection and use of Personal Data;
• meet its obligations to specify the purposes for which Personal Data is used;
• collect and process appropriate Personal Data only;
• ensure the quality of Personal Data used;
• apply strict checks to determine the length of time Personal Data is held;
• ensure that the rights of individuals about whom the Personal Data is retained can be fully exercised under applicable laws;
• take the appropriate technical and organisational security measures to safeguard Personal Data; and
• ensure that Personal Data is not transferred abroad without suitable safeguards.
To expand on the practical aspects of the principles:
Fair and Lawful Processing
The GDPR is intended not to prevent the processing of Personal Data, but to ensure that it is done fairly and without adversely affecting the rights of the Data Subject. In establishing our instructions from customers, they are informed of the purpose for which data is to be processed by us and the identities of anyone to whom it is envisaged that the data may be disclosed or transferred. If we ever need to process Personal Data for direct marketing to prospective customers, we will obtain opt-in Consent to allow the customer/recipient to specify whether they want their Personal Data to be used for this purpose or not. See below under “Direct Marketing” for marketing to part/ existing customers.
For Personal Data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the Data Subject has consented to the processing, that it is in connection with us delivering our services or products for the Data Subject. Furthermore, the processing is necessary for our legitimate interests, provided that processing for our legitimate interests does not adversely affect the interests or rights of Data Subjects. When sensitive personal data is processed, more than one condition must will be satisfied. In most cases, the Data Subject’s explicit consent to the Processing of such data will be required.
A Data Subject provides Consent to Processing of their Personal Data if they clearly indicate agreement to the Processing either by a statement or positive action. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are unlikely to be sufficient. If consent is provided in a document that deals with other matters, then the Consent must be kept separate from those other matters.
Evidence of Consent and records of all Consents should be kept so that the business can demonstrate compliance with Consent requirements.
Specific Consent should be obtained to use Personal Data on the internet as such data could be accessed worldwide, and the final data principle outlined above may be breached.
Processing For Specific and Limited Purposes
Personal Data may only be processed for the specific purposes notified to the Data Subject when the data was first collected or for any other purposes specifically permitted by the GDPR. This means that Personal Data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the Data Subject must be informed of the new purpose and Consent obtained before any Processing occurs.
Adequate Relevant and Non-Excessive Processing
Personal Data should only be collected to the extent that it is required for the specific purpose notified to the Data Subject. Any data, which is not necessary for that purpose, should not be collected in the first place. If you are in possession of excessive data, it should be immediately deleted or destroyed.
We must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the business’s data retention guidelines.
Personal Data must be accurate and kept up to date. Information, which is incorrect or misleading, is not accurate and therefore you should check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. Inaccurate or out of date data should be destroyed or updated as appropriate. You should notify the business’s Office Manager with regard to any of your own Personal Data which needs updating, and you should also ensure that if any customer or a third party provide updated personal information, the update is acted upon without delay.
Personal Data should not be kept longer than is necessary for the purpose, meaning that data should be destroyed or erased from our systems when it is no longer required. For guidance on how certain long data is to be kept before being destroyed, contact the Privacy Manager.
Processing in Line With Data Subject Rights
Data must be processed in line with Data Subjects’ rights. Data Subjects have a right to:
• ask what information Purey Cust (York) Estate Limited Limited holds about them and why;
• request access to any Personal Data held about them by us;
• prevent the processing of their data for direct marketing purposes;
• ask to have inaccurate data amended;
• prevent Processing that is likely to cause damage or distress to themselves or anyone else;
• if we have any, be informed of the mechanics of any automated decision-making process that will significantly affect them;
• not have significant decisions that will affect them taken solely on an automated process;
• sue for compensation if they suffer damage as a consequence of an infringement of data protection laws; and
• request the Information Commissioner (the regulatory authority on this subject) to assess whether any provision of applicable laws has been contravened.
• To guard against the risk of unlawful or unauthorised processing of Personal Data, or against the accidental loss of, or damage to, Personal Data, we will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own and identified risks. Data Subjects may apply to the courts for compensation if they have suffered damage from such a loss.
• The GDPR requires us to put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction. Personal Data may only be transferred to a third-party Data Processor if that third party agrees to comply with those procedures and policies, or if he puts in place adequate measures himself. As an example, you may wish to consider password protecting emails or documents being transmitted to third party recipients or if the email or document contains particularly delicate or Sensitive Personal Data, confirming by telephone (i.e. separately) to the intended recipient what the password is.
• Maintaining data security means guaranteeing the confidentiality, integrity and availability of the Personal Data. These are defined as follows:
– Confidentiality means that only people who are authorised to use the data can access it. All staff are responsible for ensuring that any Personal Data which they hold is kept securely and that it is not disclosed to an unauthorised third party;
– Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed;
– Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal Data should, therefore, be stored on our central computer system instead of on individual PCs.
• Security procedures include:
– Passwords. Computer passwords must be kept confidential.
• Entry controls. Any unannounced stranger seen in entry-controlled areas or beyond “normal” visitor access areas should be politely challenged as to their purpose, and their presence should be queried with the Office Manager.
– Secure lockable desks and cupboards. Such should be kept locked if they hold confidential information of any kind. Note that Personal Data is always considered confidential.
– Methods of disposal. Paper documents containing Personal Data, once no longer needed, should be placed in the shredding bins and disposed of. Hard drives or any permitted memory sticks should be specifically erased before disposal, and floppy disks and CD-ROMs should be physically destroyed when no longer required. In the event that any staff process Personal Data through working at home, for example, this Guidance and all it entails applies equally to such data.
– Equipment. Staff should ensure that individual monitors do not show confidential information to passers-by or to any person to whom this Policy does not apply and that they lock or log off from their PC when it is left unattended.
– Memory Sticks. If you need to write data (including Personal Data) to a memory stick ensure that its content is password-secured as may be appropriate and take all precautions as to the security and location of the memory stick at all times. Delete its content as soon as appropriate.
The GDPR requires us to keep full and accurate records of all our data Processing activities. We must keep and maintain accurate records reflecting our Processing, including records of Data Subjects’ Consents and procedures for obtaining Consents. These records should include clear descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data’s retention period and a description of the security measures in place.
If you have any concerns about Processing Personal Data, please contact the Privacy Manager who will be happy to discuss matters with you.
B. Dealing with subject access requests and other disclosures
The GDPR gives rights to individuals in respect of the Personal Data organisations hold about them. Everyone must be familiar with these rights and adhere to the business’s procedures to uphold these rights.
These rights include:
• Right of information and access to confirm details about Personal Data that is being processed about them and to obtain a copy;
• Right to rectification of any inaccurate Personal Data;
• Right to erasure of Personal Data held about them (in certain circumstances);
• Right to restriction on the use of Personal Data held about them (in certain circumstances);
• Right to portability – right to receive data processed by automated means and have it transferred to another data controller;
• Right to object to the Processing of Personal Data;
• Make a complaint to the regulatory authority, the Information Commissioner’s Office.
A formal request from a Data Subject for information that we hold about them need not be in any particular format. Still, it should specify the information that the Data Subject requires. If you receive a request for Personal Data and require guidance as to whether it is a “subject access request”, speak to the Privacy Manager. Purey Cust (York) Estate Limited Limited will require the Data Subject to provide evidence of their identity (so we are not disclosing to a third party). Any member of staff who receives a written request should forward it to the Privacy Manager immediately who will assist.
A request sent by email or fax is as valid as one sent in hard copy. Requests may also be validly made through social media. Note that information requested under a subject access request may not be fully disclosable as particular exemptions from disclosure may apply. Indeed, it may be that none of the information is disclosable. The Privacy Manager will advise as to what can be disclosed.
Purey Cust (York) Estate Limited Limited aims to comply with requests for access to personal information as quickly as possible, and, if we hold such information, will ensure that it is provided within one month of the request unless there is a proper reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.
We must ensure that Personal Data is not disclosed to unauthorised third parties which includes family members, friends, government bodies and, in certain circumstances, the Police. All staff should exercise caution when asked to disclose Personal Data on an individual to a third party. Speak to the Privacy Manager if in doubt.
Personal Data may be legitimately disclosed where one of the following conditions applies:
• The individual has given their consent (e.g. consenting to us speaking to their adviser or other named third party);
• Where disclosure is in the legitimate interests of the business (e.g. disclosure to other staff members);
• Where the business is legally required to disclose the data.
The GDPR contains some exemptions in respect of disclosures. If you are contacted by:
• the Police
• Any government department asking for information about customers
you must not confirm or deny whether or not we hold information about a Data Subject. If you receive a Production Order from the Police or an Order from a government department requiring information to be disclosed, contact the Privacy Manager.
C. Providing information over the telephone
Any member of staff dealing with telephone enquiries should be careful about disclosing any personal or confidential information held by us. In particular, they should:
• check the caller’s identity to make sure that information is only given to a person who is entitled to it;
• suggest that the caller put their request in writing if they are not sure about the caller’s identity or the purpose of the enquiry and where their identity cannot be checked;
• Refer to the Privacy Manager for assistance in difficult situations. No-one should be pressured into disclosing personal information. Every member of staff that holds information about identifiable living individuals has to comply with the GDPR in managing that information.
D. Retention and Disposal of Data
The business will not retain Personal Data for longer than necessary.
• Customers: Data for customers is generally retained for up to one year after their warranty period has expired in order to comply with legal and regulatory requirements.
• Staff: Purey Cust (York) Estate Limited Limited will create a personnel file for each member of staff and will keep this for the duration of employment and for a minimum of one year after a staff member leaves employment. After one year, we will review the personnel file and delete any Personal Data that we do not need.
• We will retain the following Personal Data for the following periods of time:
Period of Retention - Data are confirming payments due to you — for example, your contract of employment and any information about salary or benefits.
Six years after you leave your employment
Data relating to taxes, National Insurance contributions and other charges paid in relation to you.
Seven years after you leave your employment
Data relating to any accidents or injuries at work.
Three years after you leave your employment
Data relating to any references given in relation to you.
One year after the date of the reference
• Recruitment Records: Information relating to unsuccessful applicants will be kept for up to 2 years from the date which it was decided not to proceed with their application. This data will be used to assist the recruitment process to keep a record of the names of applicants who have been shortlisted or interviewed.
• Disposal of Records: all Personal Data must be disposed of in a way that protects the rights and privacy of Data Subjects (e.g. shredding).
E. Publication of Information
The business publishes a number of items that include Personal Data and will continue to do so. These include:
• Internal telephone directory
• Staff information/photographs on the firm’s website
• Information including photographs in newsletters, tender applications etc.
F. Direct Marketing
Before any electronic direct marketing is undertaken, it must be clear that the people to be contacted have Consented to receive such marketing and that a valid, up to date, consent notice is held on file. There is a limited exception for existing customers known as “soft opt-in” – this allows us to send marketing texts or emails if we have obtained contact details in the course of a sale and/or providing services to that person, the correspondence is marketing similar products and/or services, and we gave the person an opportunity to opt-out of marketing when first collecting the details and in every subsequent correspondence.
For marketing by post, we are able to send postal marketing to our customers regarding new products or services, in reliance on our “legitimate interests” – we generally do not need consent to this type of mailing, but we will always need to offer customers an opt-out.
The right to object to direct marketing must be explicitly offered to the Data Subject. A Data Subject’s objection to direct marketing must be promptly honoured. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
G. Use of CCTV
To assist with the security of the premises, if CCTV cameras are installed inside and outside the premises and these cameras record activities in the office, the warehouse and the car park areas the recordings will be purely for security purposes and will not be used for any other purpose other than as evidence of criminal activity.
Privacy By Design and Data Protection Impact Assessments
Privacy by Design involves using appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.
Data Privacy Impact Assessments (“DPIA”) involve using tools and assessments to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the Processing of Personal Data.
We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures in an effective manner, to ensure compliance with data privacy principles. Privacy by Design is an ongoing measure. DPIAs will be carried out when introducing or making significant changes to, systems or projects involving the Processing of Personal Data. DPIAs are required to identify data protection risks and to assess the impact of these risks, as well as to determine the appropriate action to prevent or mitigate the impact of these risks.
This means thinking about whether we are likely to breach the GDPR and what the consequences might be if we use Personal Data in a particular way. It is also about deciding whether there is anything that we can do to stop or minimise the chances of potential problems identified, from happening.
DPIAs will be undertaken by the Privacy Manager and Management.
A data protection breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Everybody working for Purey Cust (York) Estate Limited Limited has a duty to report any actual or suspected data protection breach without delay to the Privacy Manager or, in their absence, their line manager.
Breaches will be reported to the ICO by the Privacy Manager without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, unless, we are able to demonstrate that the Personal Data breach is unlikely to result in a risk to the rights and freedom of Data Subjects. Where there is a high risk to the rights and freedoms of individuals, we must also notify the affected individuals.
The Privacy Manager will maintain a central register of the details of any data protection breaches.
Complaints relating to breaches of the GDPR and/or complaints that an individual’s Personal Data is not being processed in line with the data protection principles should be referred to the Privacy Manager without delay.
Everyone must understand the implications for the business if we fail to meet our data protection obligations. Failure to comply could result in:
• Criminal and civil action
• Personal accountability and liability
• Suspension/withdrawal of the right to process Personal Data by the ICO
• Loss of confidence in the integrity of our systems and procedures
• Irreparable damage to our reputation
Breaches can have serious consequences. Purey Cust (York) Estate Limited Limited could be fined up to 20,000,000 Euros, or up to 4% of the annual turnover of the preceding financial year, whichever is the higher and depending on the breach.
This guidance has been approved by Purey Cust (York) Estate Limited Limited Directors. It will be reviewed annually or as and when a change in the data protection regime requires it to be updated.