This document highlights the key areas of the General Data Protection Regulation (GDPR) to help us understand the new legal framework in the EU. It explains the similarities with the existing UK Data Protection Act 1998 (DPA), and describes some of the new and different requirements. It is aimed at those who have day-to-day responsibility for data protection. The GDPR came into force in the UK from 25 May 2018.
The General Data Protection Regulation (GDPR) is designed to protect the privacy of individuals. It requires that any personal information about an individual is processed securely and confidentially. This includes both staff and contractors. How the company obtains, shares and uses information is critical, as personal data is sensitive and private. Everyone alike has the right to know how the information about them is used. The General Data Protection Regulation requires the company to strike the right balance in processing personal information so that an individual’s privacy is protected. Applying the principles to all information held by the company will typically achieve this balance and help to comply with the legislation.
We will respect the privacy of all personnel. We aim to ensure that all personnel can share their information in the confidence that it will only be used for activities within the business. There are record-keeping systems in place that meet legal requirements; the means of storing and sharing that information operate within the framework of the General Data Protection Regulation and the Human Rights Act.
To comply with GDPR, the company shall observe the eight ‘General Data Protection Regulation principles’, ensuring that:
Personal data is information that relates to an identifiable living individual and is processed as data. Processing amounts to collecting, using, disclosing, retaining or disposing of information. The General Data Protection Regulation principles apply to all information held electronically or in structured paper files.
The principles also extend to additional records – the names of employees and others, dates of birth, addresses, national insurance numbers, qualifications, medical information, security checks, personal records and staff development reviews.
Sensitive personal data is information that relates to:
Sensitive personal data is given greater legal protection, as individuals would expect certain information to be treated as private or confidential – for example, a security check may be required to work in certain areas within the scope of the business. The individual will be asked for consent before this is done; the results are private and confidential and should only be available to those to whom consent has been granted.
It is important to differentiate between personal information that individuals would expect to be treated as private or confidential (whether or not legally classified as sensitive personal data) and personal information you can make freely available. For example, the names of the company’s employees and of contractors working on the company’s behalf would be expected to be known by clients and by personnel within the company. However, an address and personal contact number will be treated as private unless permission is granted by the person concerned.
In the event of a personal data breach, the Data Protection Controller and Senior Management team should be notified immediately, and an investigation carried out.
The General Data Protection Regulation includes the following rights for individuals:
The General Data Protection Regulation entitles an individual to request the personal information that the company holds about them – this is known as a Subject Access Request and includes all and any information held by the company, not just information held on central files or electronically, so it could also include correspondence or notes held by others in the company.
Our website uses an SSL certificate, which protects data as it is transferred from computer to computer. SSL is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and intact. SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers.
Our website and databases are hosted on a server in the EU with Siteground, who are fully compliant with GDPR regulations. Our website is kept up to date, manually reviewed on a weekly basis and protected by robust security tools to defend it against hacking, phishing or any unauthorised entry.
Acceptable Usage covers the security and use of all company information and IT equipment. It also includes the use of email, internet, voice and mobile IT equipment. This applies to all employees, contractors and agents working on behalf of the company.
This applies to all information, in whatever form, relating to business activities, and to all information handled by PJC Surfacing Beech relating to other organisations with whom it deals. It also covers all IT and information communications facilities operated by PJC Surfacing Beech or on its behalf.
Computer Access Control – Individual’s Responsibility
Access to the IT systems is controlled by the use of User IDs and passwords. All User IDs and passwords are to be uniquely assigned to named individuals and consequently, individuals are accountable for all actions on the IT systems.
Use of internet and email is intended for business use. Personal use is permitted where such use does not affect the individual’s business performance, is not detrimental to the companies in any way, not in breach of any term and condition of employment and does not place the individual or the companies in breach of statutory or other legal obligations.
All individuals are accountable for their actions on the internet and email systems.
In order to reduce the risk of unauthorised access or loss of information, we enforce a clear desk and screen policy as follows:
It is accepted that laptops and mobile devices will be taken off-site. The following controls must be applied:
Mobile devices such as memory sticks, CDs, DVDs and removable hard drives must be used only in situations where network connectivity is unavailable or there is no other secure method of transferring data. Only company-authorised mobile storage devices must be used when transferring sensitive or confidential data. The confidential data shall be erased from the mobile device at the earliest opportunity. The information on the device shall not be given to others unless they are authorised.
Employees must use only software that is authorised by the company on company computers. Authorised software must be used in accordance with the software supplier’s licensing agreements. All software on our computers must be approved and installed by the companies’ IT support.
IT support is provided by third-party specialists; automated virus detection, antivirus software updates, a firewall and blockers are in use. All PCs must have these installed before they are given access to the server.
Use of the company’s voice equipment is intended for business use. Individuals must not use voice facilities for sending or receiving private communications on personal matters, except in exceptional circumstances. All non-urgent personal communications should be made at an individual’s own expense using alternative means of communication.
All the company’s equipment and data, for example laptops and mobile devices including telephones, smartphones, USB memory devices and CDs/DVDs, must be returned to the company at termination of contract.
All the company’s data or intellectual property developed or gained during the period of employment remains the property of the company and must not be retained beyond termination or reused for any other purpose.
All data that is created and stored on the companies’ computers is the property of the companies and there is no official provision for individual data privacy; however, wherever possible the companies will avoid opening personal emails.
IT system logging will take place where appropriate, and investigations will be commenced where reasonable suspicion exists of a breach of this or any other policy. The company has the right (under certain conditions) to monitor activity on its systems, including internet and email use, in order to ensure systems security and effective operation, and to protect against misuse.
Any monitoring will be carried out in accordance with audited, controlled internal processes, the UK Data Protection Act 1998, the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.
It is your responsibility to report suspected breaches of security policy without delay to the Management Team.
All breaches of information security policies will be investigated. Where investigations reveal misconduct, disciplinary action may follow in line with disciplinary procedures.
Signed
Pat Harte
Managing Director