Olwg
Data Protection & Security Policy


Statement and purpose of policy

  • Olwg Ltd (“employer”, “company”, “we”, “our”, “us”) is committed to ensuring that all personal data handled by us will be processed according to legally compliant standards of data protection and data security.

  • We confirm for the purposes of data protection laws that the employer is a data controller in connection with your employment.  This means that we determine the purposes for which, and the manner in which, your personal data is processed.

  • The purpose of this policy is to help us achieve our data protection and data security aims by:

  1. Notifying our staff of the types of personal data that we may hold about them, our customers, suppliers and other third parties and what we do with that information;

  2. Setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer and store personal data and ensuring that staff understand our rules and the legal standards; and

  3. Clarifying the responsibilities and duties of staff in respect to data protection and data security.

  • This is a statement of policy only and does not form any part of any contract.  We may amend this policy at any time in our absolute discretion.

  • For the purposes of this policy:

  1. Data protection laws means all applicable laws relating to the processing of Personal Data, including, for the period during which it is in force, the UK General Data Protection Regulation (GDPR).

  2. Data subject means the individual to whom the personal data relates.

  3. Personal data means any information that relates to an individual who can be identified from that information.

  4. Processing means any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

  5. Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.

Data Protection Principles

  • Staff whose work involves personal data relating to staff or others must comply with this policy and with the following data protection principles, which require that personal information is:

    1. Processed lawfully, fairly and in a transparent manner.  We must always have a lawful basis to process personal data, as set out in data protection laws.  Personal data may be processed as necessary to perform a contract with the data subject, to comply with a legal obligation to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed.  The data subject must be told who controls the information (us), the purpose(s) for which we are processing the information and to whom it may be disclosed.

    2. Collected only for specified, explicit and legitimate purposes.  Personal data must not be collected for one purpose and then used for another.  If we want to change the way we use personal data, we must first tell the data subject.

    3. Processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing.  We will only collect personal data to the extent required for the specific purpose notified to the data subject.

    4. Accurate, and the Company takes all reasonable steps to ensure that information that is inaccurate is deleted or rectified without delay.  Checks on personal data will be made when it is collected and regular checks must be made afterwards.  We will make reasonable efforts to rectify or erase inaccurate information.

    5. Kept only for the period necessary for processing.  Information will not be kept longer than it is needed and we will take all reasonable steps to delete information when we no longer need it.  Contact us for guidance on how long particular information should be kept.

    6. Secure, with appropriate measures adopted by the Company to ensure this.

Who is responsible for data protection and security

  • Maintaining appropriate standards of data protection and data security is a collective task, shared between you and us.  This policy and the rules contained in it apply to all staff of the Company, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any volunteers.

  • Contact us for any questions about this policy or requests for further information.

  • All staff have a personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out here and to ensure that measures are taken to protect data security.  Managers have special responsibility for leading by example and for monitoring and enforcing compliance.  We must be notified if this policy has not been followed as soon as reasonably practicable.

  • Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal.  Significant or deliberate breaches, such as accessing staff or customer personal data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.

What personal data and activities are covered by this policy

  • This policy covers personal data:

    1. Which relates to a natural living individual who can be identified either from that information in isolation or by reading it together with other information we possess;

    2. Which is stored electronically or on paper in a filing system;

    3. Which is in the form of statements of opinion as well as facts;

    4. Which relates to staff (present, past or future) or to any other individual whose personal data we handle or control;

    5. Which we obtain, or which is provided to us, and which we hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.

  • This personal data is subject to the legal safeguards set out in the data protection laws.

What personal data do we process about staff?

  • We collect personal data about you which:

    1. You provide or we gather before or during your employment or engagement with us;

    2. Is provided by third parties, such as references or information from suppliers or another party that we do business with; or

    3. Is in the public domain.

  • The types of personal data that we may collect, store and use about you include records relating to your:

    1. Home address, contact details and contact details for your next of kin;

    2. Recruitment (including your application form or curriculum vitae, references received and details of your qualifications);

    3. Pay records, national insurance number and details of taxes and any employment benefits such as pension and health insurance (including details of any claims made);

    4. Telephone, email, internet or fax or instant messenger use;

    5. Performance and any disciplinary matters, grievances, complaints or concerns in which you are involved.

Sensitive personal data

  • We may from time to time need to process sensitive personal information (sometimes referred to as ‘special categories of personal data’).

  • We will only process sensitive information if:

    1. We have a lawful basis for doing so, e.g. it is necessary for the performance of the contract;

    2. One of the following special conditions for processing personal information applies:

      1. The data subject has given explicit consent;

      2. The processing is necessary for the purposes of exercising the employment law rights or obligations of the company or the data subject;

      3. The processing is necessary to protect the data subject's vital interests, and the data subject is physically incapable of giving consent;

      4. Processing relates to personal data which are manifestly made public by the data subject;

      5. The processing is necessary for the establishment, exercise or defence of legal claims; or

      6. The processing is necessary for reasons of substantial public interest.

  • Before processing any sensitive personal information, you must inform us of the proposed processing in order for us to assess whether the processing complies with the criteria noted above.

  • Sensitive personal information will not be processed until the assessment above has taken place and the individual has been properly informed of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.

  • Our privacy notice sets out the types of sensitive personal information that we process, what they are and the lawful basis for the processing.

How we use your personal data

  • We will tell you the reasons for processing your personal data, how we use such information and the legal basis for processing in our privacy notice.  We will not process personal information for any other reason.

  • In general we will use information to carry out our business, to administer your employment or engagement and to deal with any problems or concerns you may have, including, but not limited to:

    1. Address list: to compile and circulate lists of home addresses and contact details to contact you outside working hours;

    2. Sickness records: to maintain a record of your sickness absences and copies of any doctor's notes or other documents supplied to us in connection with your health; to inform your colleagues that you are absent through sickness, as reasonably necessary to manage your absence; to deal with unacceptably high or suspicious sickness absence levels; and to publish internally aggregated, anonymous details of sickness absence.

    3. Monitoring IT systems: to monitor your use of email, internet and telephone, computer or other communications or IT resources.

    4. Disciplinary, grievance or legal matters: in connection with any disciplinary, grievance, legal, regulatory or compliance matters or proceedings that may involve you.

    5. Performance reviews: to carry out performance reviews.

    6. Equal opportunities monitoring: to conduct monitoring for equal opportunities purposes and to publish anonymised, aggregated information about the breakdown of our workforce.

Accuracy and relevance

  • We will

    1. Ensure that any personal data processed is up to date, accurate, adequate, relevant and not excessive, given the purpose for which it was collected.

    2. Not process personal data obtained for one purpose for any other purpose, unless you agree to this or would reasonably expect it.

  • If you consider that any information held about you is inaccurate or out of date, then you should tell us.  If we agree that the information is inaccurate or out of date then we will correct it promptly.  If we do not agree with the correction we will note your comments.

Storage and retention

  • Personal data (and sensitive personal information) will be kept securely in accordance with this policy.

  • Periods for which we hold personal data are contained in our privacy notices.

Individual Rights

  • You have the following rights in relation to your personal data.

  • Subject access requests:

    1. You have the right to make a subject access request.  If you make a subject access request we will tell you:

      1. Whether or not your personal data is processed and, if so, why, the categories of personal data concerned and the source of the data if it was not collected from you;

      2. To whom your data is or may be disclosed;

      3. For how long your personal data is stored (or how that period is decided);

      4. Your right of rectification or erasure of data or to restrict or object to processing;

      5. Your right to complain to the Information Commissioner if you think we have failed to comply with your data protection rights; and

      6. Whether or not we carry out automated decision-making and the logic involved in any such decision making.

    2. We will provide you with a copy of the personal data undergoing processing.  This will normally be in electronic form if you have made a request electronically unless we agree otherwise.

    3. To make a subject access request, contact us at info@olwg.co.uk.

    4. We may need to ask for proof of identification before your request can be processed.  We will let you know if we need to verify your identity and the documents we require.

    5. We will normally respond to your request as quickly as possible.  We will advise if a delay is expected.

    6. If your request is manifestly unfounded or excessive we are not obliged to comply with it.

  • Other rights:

    1. You have a number of other rights in relation to your personal data.  You can require us to:

      1. Rectify inaccurate data;

      2. Stop processing or erase data that is no longer necessary for purposes of processing;

      3. Stop processing or erase data if your interests override our legitimate grounds for processing data (where we rely on our legitimate interests as a reason for processing data);

      4. Stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing the data.

      5. To request that we take any of these steps, please send the request to info@olwg.co.uk.

Data Security

  • We will use appropriate technical and organisational measures to keep personal data secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.

  • Maintaining data security means making sure that:

    1. Only people who are authorised to use the information can access it;

    2. Where possible, personal data is pseudonymised or encrypted;

    3. Information is accurate and suitable for the purpose for which it is processed; and

    4. Authorised persons can access information if they need it for authorised purposes.

  • By law we must use procedures and technology to secure personal information throughout the period that we hold or control it, from obtaining the information to destroying it.

  • Personal information must not be transferred to any person to process (e.g. while performing services for us or on our behalf), unless that person has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist.

  • Security procedures include:

    1. Any desk or cupboard containing confidential information must be kept locked;

    2. Computers should be locked with a strong password that is changed regularly or shut down when left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others;

    3. Data stored on CDs or memory sticks must be encrypted or password protected and locked away securely when not being used.

    4. The directors must approve any cloud service used to store data.

    5. Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.

    6. All servers containing sensitive personal data must be approved and protected by security software.

    7. Servers containing personal data must be kept in a secure location away from general office space.

    8. Data should be regularly backed up.

  • Telephone Precautions: particular care should be taken when dealing with telephone enquiries to avoid inappropriate disclosures.  In particular:

    1. The identity of the telephone caller must be verified before any personal data is disclosed;

    2. If the caller's identity cannot be verified satisfactorily then they should be asked to put their query in writing.

  • Methods of disposal.  Copies of personal information, whether on paper or any physical storage device must be physically destroyed when they are no longer needed.  Paper documents should be shredded and CDs or memory sticks must be rendered permanently unreadable.

Data Impact Assessments

  • Some of the processing we carry out may result in risks to privacy.

  • When processing would result in high risks to rights and freedoms we will carry out a data protection impact assessment to determine the necessity and proportionality of the processing.  This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

Data Breaches

  • If we discover that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals we will report it to the Information Commissioner within 72 hours of discovery.

  • We will record all data breaches regardless of their effect.

  • If the breach is likely to result in a high risk to your rights and freedoms we will tell affected individuals that there has been a breach and provide them with more information about its likely consequences and the mitigation measures we have taken.

Individual Responsibilities

  • Everyone is responsible for helping the company keep their personal data up to date.

  • You should let us know if personal data provided changes e.g. if you move house or change your bank details.

  • You may have access to the personal details of other employees and customers over the course of your employment.  Where this is the case, we rely on you to help us meet our data protection obligations to everyone.

  • Individuals who have access to personal data are required:

    1. To access only personal data that they have authority to access, and only for authorised purposes;

    2. Not to disclose personal data except to individuals (whether inside or outside of the company) who have appropriate authorisation;

    3. To keep personal data secure e.g. by complying with the rules on access to premises, computer access, including password protection, and secure file storage and destruction;

    4. Not to remove personal data or devices that can be used to access personal data from the company's premises without adopting appropriate security measures to secure the data and the device; and

    5. Not to store personal data on local drives or on personal devices that are used for work purposes.