Data Protection and Data Security Policy

Statement and purpose of policy

1. Calserv Ltd is committed to ensuring that all personal, private and confidential data handled by us will be processed in accordance with legally compliant standards of data protection and data security.

2. We confirm, for the purposes of the data protection laws, that Calserv Ltd is a data controller of the personal data in connection with your employment. This means that we determine the purposes for which, and the manner in which, your personal data is processed.

3. The purpose of this policy is to help us achieve our data protection and data security aims by:

  • Notifying our staff of the types of personal, private and confidential information that we may hold about them, our customers, suppliers and other third parties, and what we do with that information.
  • Setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer and store personal data, and ensuring staff understand our rules and the legal standards.
  • Clarifying the responsibilities and duties of staff in respect of data protection and data security.

4. This is a statement of policy only, and does not form part of your contract of employment. We may amend this policy at any time, at our discretion.

5. For the purpose of this policy, data protection laws means all applicable laws relating to the processing of personal data, including the UK General Data Protection Regulations.

  • Data subject means the individual to whom the personal data relates.
  • Personal data means any information to whom the personal data relates.
  • Processing means any use that is made of data, including collecting, storing, amending, disclosing, or destroying it.

Data protection principles

1. Staff whose work involves using personal data relating to staff or others must comply with this policy and with the following data protection principles, which require that personal information is:

  • Processed lawfully, fairly and in a transparent manner. We must always have a lawful basis to process personal data, as set out in the data protection laws. Personal data may be processed as necessary to perform a contract with the data subject, to comply with a legal obligation to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. The data subject must be told who controls the information (us), the purpose for which we are processing the information, and to whom it may be disclosed.
  • Collected only for specific, explicit and legitimate purposes. Personal data must not be collected for one purpose and then used for another. Disclosure to the data subject is required in order to change the use of the data.
  • Processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing. We will only collect data to the extent required, and for the specific purpose notified to the subject.
  • Accurate. Calserv Ltd takes all reasonable steps to ensure that information that is inaccurate is rectified or deleted without delay.
  • Kept only for the period necessary for processing.
  • Secure. Appropriate measures are adopted by Calserv Ltd to ensure this.

Who is responsible for data protection and data security?

1. Maintaining appropriate standards of data protection and security is a collective task shared between Calserv Ltd and you. This policy, and the rules contained in it, apply to all staff, directors, officers, consultants, suppliers and contractors, irrespective of seniority or working hours.

2. All staff have a personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out here, and to ensure that measures are taken to protect data security. Managers have responsibilities for leading by example, and for monitoring and enforcing compliance.

3. Any breach of this policy will result in disciplinary action, including dismissal. Serious breaches may constitute Gross Misconduct and lead to dismissal without notice.

What personal data and activities are covered by this policy?

1. This policy covers personal data:

  • Which relates to a natural living individual who can be identified either from that information in isolation, or by reading it together with other information we possess.
  • Is stored electronically or on a paper filing system.
  • Is in the form of a statement of opinion, as well as facts.
  • Which relates to all staff, past or present, or to any other individual whose personal or private and confidential data we handle or control.
  • Which we obtain, is provided to us, which we hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process or destroy.

What personal data do we process about staff?

1. We collect personal data about staff which:

  • Is provided by them, or that Calserv Ltd gathers before or during employment or engagement with us.
  • Is provided by third parties, such as references, information from suppliers or parties that we do business with.
  • Is in the public domain.

2. The types of personal data that we may collect, store and use about you include records related to your:

  • Home address and contact details, including next of kin.
  • Recruitment records.
  • Pay records, national insurance number, tax information, employment benefits.
  • Telephone, email, internet use.
  • Performance and discipline records.

Sensitive Data

1. We may from time to time need to process sensitive personal information.

2. We will only process sensitive personal data if:

  • We have a lawful basis for doing so, e.g. it is necessary for the performance of the employment contract.
  • One of the following special conditions for processing personal data applies:
    • The data subject has given consent.
    • The processing is necessary for the purposes of exercising the employment law rights or obligations of the company or the data subject.
    • The processing is necessary to protect the data subject’s vital interests.
    • Processing relates to personal data which are manifestly made public by the data subject.
    • Processing is necessary for the establishment, exercise or defence of legal claims, or
    • The processing is necessary for reasons of substantial public interest.

How we use your personal data

1. We will tell you the reasons for processing your personal data and how we use such information, and we will use it only for those reasons.

2. In general, we will use information to carry out our business, to administer your employment or engagement, and to deal with any problems or concerns that may arise, including but not limited to:

  • Sickness records, including doctors' notes or other documents supplied to us in connection with your health, necessary to manage your sickness absence and to deal with high sickness rates, including where pertinent to discipline hearings and outcomes.
  • Monitoring IT systems.
  • Performance reviews and the outcomes.
  • Other legal matters that may involve you.

3. We will:

  • Ensure that personal data processed is up to date, accurate, adequate, relevant, and not excessive, given the purpose for which it was collected.
  • Not process personal data obtained for one purpose for another, unless it is reasonably expected.
  • If you consider that any information held about you is inaccurate or out of date, you should notify Mr Wayne Crabb or Mr Nigel Crabb, who will correct it unless they disagree. In that instance, your comments will be recorded.

Storage and retention

1. Personal data will be kept securely, in accordance with current legislation and regulations.

Individual rights

1. You have the right to make a subject access request. If you make a subject access request, we will tell you:

  • Whether or not your personal data is processed and why, the categories of personal data concerned, and the source of the data, if it is not collected from you.
  • To whom your data is, or may be, disclosed.
  • For how long your personal data is stored and how that period is decided.
  • Your rights of rectification, or erasure of data, or to restrict or object to processing.
  • Your right to complain to the Information Commissioner, if you think we have failed to comply with data protection rights.
  • Whether or not we carry out automated decision making, and the logic involved.

2. We will provide you with a copy of the personal data undergoing processing. This will normally be done electronically, unless agreed otherwise.

3. To make a subject access request, contact us at info@calservltd.co.uk or 01788 553666.

4. We may need proof of identity before a request is processed.

5. We normally respond to your request within 28 days from the date the request is received. In some cases, where there is a large amount of data being processed, we may respond within 3 months of the date the request is received. We will notify you within 28 days if this is the case.

6. If your request is manifestly unfounded or excessive, we are not obliged to comply.

Other rights

1. You have a number of other rights in relation to your personal data. You can require us to:

  • Rectify inaccurate data.
  • Stop processing or erase data that is no longer necessary for the purpose of processing.
  • Stop processing data for a period if the data is inaccurate, or if there is a dispute about whether your interests override our grounds for processing it.

2. To request that we take these steps, please send a written request to:

Calserv Ltd
5 Prospect Way
Rugby
CV21 3UU

Data Security

1. We will use appropriate technical and organisational measures to keep private and confidential or personal data secure, and in particular to protect it from unauthorised or unlawful processing and against accidental loss, destruction or damage.

2. Maintaining data security means making sure that:

  • Only people who are authorised to use the information can access it.
  • Where possible, personal data is pseudonymised or encrypted.
  • Information is accurate and suitable for the purpose for which it is processed.
  • Authorised persons can access information if they need it for authorised purposes.
  • By law, we must use procedures and technology to secure private and confidential or personal data.

3. Personal or private data must not be transferred to any person to process unless that person has agreed to comply with our data security procedures, or we are satisfied that other adequate measures exist.

4. Security procedures include:

  • Any desk or cupboard containing confidential information must be kept locked.
  • Computers should be locked with a strong password that is changed regularly, or shut down, when they are left unattended, and discretion should be used when viewing such data.
  • Data stored on CDs or memory sticks must be encrypted, or password protected and locked away when not being used.
  • Personal or private data should not be saved directly onto mobile devices.
  • All servers containing personal data must be approved and protected by security software.
  • This data should be regularly backed up.

5. Particular care should be taken by staff when discussing private data on the telephone, to avoid inappropriate disclosures. In particular:

  • The identity of any telephone caller must be verified before any private or personal data is disclosed.
  • If the caller’s identity cannot be verified, then the request for information must be done in writing.

6. Copies of personal information or private data must be physically destroyed when they are no longer needed.

Data breaches

1. If it is discovered that there has been a breach of staff personal data that poses a risk to the rights and freedoms of individuals, we will report it to the Information Commissioner within 72 hours of discovery.

2. We will record all data breaches regardless of their effect.

3. If the breach is likely to result in high risk to your rights and freedoms, we will inform affected individuals that there has been a breach, and provide them with more information about its likely consequences and the mitigation measures taken.

Individual responsibilities

1. Staff are responsible for helping us to keep their personal data, and confidential data of third parties, up to date.

2. Staff should inform the employer (Calserv Ltd) if there are any changes to their personal data, such as moving house or a change of bank details.

3. You may have access to the personal data of other staff members, customers, suppliers, contractors or other third parties in the course of your employment. Where this is the case, staff are specifically relied upon to meet the data protection obligations of those parties.

4. Individuals who have access to personal, private and confidential data are required:

  • To access only personal data that they have authority to access, and only for authorised purposes.
  • Not to disclose said data, except to individuals (inside or outside of the company) who have the appropriate authorisation.
  • To keep personal data secure, and under password protected security.
  • Not to remove said data from the company premises without approval of the employer, and only under the appropriate security measures.

Acknowledgments

As part of the Calserv Ltd Employee Handbook policy, staff are required to acknowledge by signature that they have read, and will comply with, this policy.