1.2 We take seriously our obligations under the General Data Protection Regulation (GDPR) and all other relevant regulation and legislation in relation to the personal data we hold.
1.3 We have appointed Angela Lawtey as our Data Compliance Manager (DCM) to have overall responsibility for monitoring how we collect and use personal data, data security and compliance with data protection regulations and laws.
1.4 This policy sets out how we seek to protect personal data and ensure staff understand the rules governing their use of personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the DCM should be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.
2.1.1 Business purposes—the purposes for which personal data may be used by us, eg creating and administering customer accounts, personnel, administrative, financial, regulatory, payroll and business development purposes. These include the following:
(b) identification of new customers for anti-money laundering purposes
(c) contacting customers for reasons related to the services they have signed up for or to provide information they have requested
(d) contacting customers to notify them of any changes to our website or to our services that may affect them
(e) invoicing for and collecting payments due for services provided to customers
(f) collecting overdue payments
(g) compliance with our legal, regulatory and corporate governance obligations and good practice
(j) operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
(k) investigating complaints and resolving disputes
(o) following up leads and marketing our business
2.1.2 Personal data—information relating to identifiable individuals, such as customers, alternative contacts, suppliers, marketing contacts, job applicants, current and former employees, agency, contract and other staff. Personal data we gather may include: individuals' contact details, financial and payment details, details of education, qualifications and skills, marital status, nationality, job title, and CV.
2.1.3 Sensitive personal data—personal data about an individual's racial or ethnic origin, sexual orientation, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings, CCTV images and any other biometric data. Any use of sensitive personal data should be strictly controlled in accordance with this policy.
5.1.1 we only hold data if we have a lawful basis for doing so, for example, where we have a contract with a customer, to administer the customer’s account and provide the services the customer requires, to comply with our legal obligations, if we have a genuine and legitimate business interest in processing that information or we have the consent of the person to whom the data relates
5.1.2 we keep that data confidential and secure
6 Our procedures
6.1 Fair and lawful processing – Privacy Notices
(b) highlights that we may be required to give information to third parties such as law enforcement agencies or need to share it with service providers such as insurers, credit reference agencies, debt collection agents and payroll providers, and
6.1.3 Our Privacy Notice needs to be given to the customer at the first point of contact. Our website will direct customers to our Privacy Notice when they make an enquiry on-line. If a customer makes an enquiry in the store or signs up a licence agreement in store, then you must give them a copy of our Privacy Notice at that time. If enquiries are made by telephone, you will need to let them know we take the privacy of their data seriously and let them know that they can view our Privacy Notice on-line or we can send it to them by post or email.
6.2.1 In almost all cases where we process sensitive personal data we will require the data subject's explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (eg to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
6.3.1 We will ensure that any personal data we process is accurate, adequate, relevant and not excessive given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
6.3.2 Individuals may ask that we correct inaccurate personal data relating to them and we need to respond to them within one month. If any person makes a request to correct inaccurate information, you must inform the DCM immediately giving details of the request. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and pass this on to the DCM when you report that the request has been made.
6.4.2 Do not send direct marketing material to someone electronically (eg via email) unless the person has given their consent to this. You will need to follow industry guidance on following up on people who have made enquiries or asked for a quote for storage. [Please see our Policy on following up potential customers.]
6.5.1 Please note that under the Data Protection regulations, individuals are entitled (subject to certain exceptions) to request access to information held about them.
6.5.2 If you receive a subject access request, you should refer that request immediately to the DCM. We may ask you to help us comply with those requests.
6.5.3 Please contact the DCM if you would like to correct or request information that we hold about you. There are also restrictions on the information to which you are entitled under applicable law.
6.6 Right to be forgotten or to restrict use of personal data
6.6.1 Please note that under the Data Protection regulations, individuals are entitled (subject to certain exceptions) to request that we restrict how we use the personal information we hold about them or that we delete it altogether.
6.6.2 If you receive a request of this kind, you should refer that request immediately to the DCM. We may ask you to help us comply with those requests.
6.7 Your personal data
6.7.1 You must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required, eg if your personal circumstances change then please inform the DCM so that they can update your records.
6.8.2 Where other organisations process personal data as a service on our behalf (e.g. payroll or outsourcing companies), the DCM will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
6.9.1 We must retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our Data retention guidelines.
6.10.1 There are restrictions on international transfers of personal data. You must not transfer personal data internationally at all without first consulting the DCM.
7.2 If you suspect or become aware of any data security breach or that we have failed to do something which may be a breach of our data compliance obligations, you should report these facts or your suspicions immediately to the DCM.
8.1 All staff will receive training on this policy. New employees will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.
8.4 The DCM will continually monitor training needs but if you feel that you need further training on any aspect of the relevant law or our data protection policy or procedures, please contact the DCM.
9.2 The DCM will review this policy at least annually to ensure it remains fit for purpose and compliant with the applicable legislation.
INFORMATION SECURITY SCHEDULE
1.3 The IT manager will review security event logs and error logs on a monthly basis and is responsible for downloading and installing any necessary software, security patches or system updates.
2.1.5 Information will be held only as long as is required, and disposed of in accordance with our Information retention and destruction policy.
2.2.1 Given the internal confidentiality and sensitivity of personnel files, access to such information is limited to the HR manager. Except as provided in individual roles, no other staff are authorised to access that information.
2.3.1 At the end of each day, or when desks are unoccupied, all files, backup systems and devices containing confidential information must be securely locked away or access disabled in case of temporary absence.
2.3.3 If you are dealing with a customer at reception or it becomes necessary for you to see customers in your own or another office area then no customer files or other client information should be visible which do not relate to that customer.
2.4.1 Computers must be password protected and those passwords must be set up and changed in accordance with requirements issued by the DCM from time to time. Passwords should not be written down or given to others.
2.4.3 The use of memory sticks and other removable media is prohibited. No confidential information is to be copied onto floppy disk, removable hard drive, CD or DVD or memory stick/thumb drive without the express permission of the DCM and even then it must be encrypted.
2.4.4 Data copied to any of these devices must not be uploaded to our IT system until the device has been checked and cleared by our IT manager. Once this has happened, relevant Data should be stored on our computer network in order for it to be backed up and the Data on the removable device should be deleted.
2.5.3 Backup media that is retained on site prior to being sent for storage at a remote location must be stored securely in a locked safe and at a sufficient distance away from the original data to ensure both the original and backup copies are not compromised.
2.6.2 Postal, fax and email addresses and numbers should be checked and verified before information is sent to them. Particular care should be taken with email addresses where auto-complete features may have inserted incorrect addresses.
2.7.1 Personal email accounts, such as yahoo, google or hotmail and cloud storage services, such as dropbox, icloud and onedrive are vulnerable to hacking. They do not provide the same level of security as the services provided by our own IT systems.
2.7.2 Do not use a personal email account or cloud storage account for work purposes. Do not plug in or attach your personal devices to the business’s IT system – charge from a wall plug socket.
2.8.1 No confidential or other information should be taken to your home without the permission of the DCM and only then if they are satisfied that you have appropriate technical and practical measures in place to maintain the continued security and confidentiality of that information.
4.3 The IT manager is responsible for the management of user accounts and will implement procedures to ensure:
4.3.2 all members of staff have the correct type of user account
4.5 New IT systems, or upgrades to existing systems, must be authorised by the IT manager and the DCM and the authorisation process must take account of security requirements. The information assets associated with any proposed new or updated systems must be identified and a risk assessment undertaken.
4.7 Software and applications must be managed to ensure their smooth day-to-day running and to preserve data security and integrity. The purchase or installation of new or upgraded software must be planned and managed and any information security risks must be mitigated. Specifications for new software or upgrades of existing software must specify the required information security controls.
5.1 The business has in place a Business continuity plan. That plan has been designed to ensure continued data security and to maintain confidentiality. You will be trained on what to do if this plan needs to be put into place.
6.1 If you suspect or become aware of any data security breach or that we have failed to do something which may be a breach of our data compliance obligations, you should report these facts or your suspicions immediately to the DCM.