We value openness and transparency, and we have committed to and published a number of policies and processes to assist data subjects and to explain how we handle personal data.

We have built a network of Information Asset Owners who are responsible for ensuring that the information their department collects is necessary for the purposes required and is not kept in a manner that can identify the individual any longer than necessary. They are collectively responsible for ensuring that the Company’s Information Asset Register is kept up to date and accurately reflects the information the Company holds and the lawful basis for holding it. This network is supported by every member of staff undertaking mandatory data protection training each year and agreeing via a signed declaration that they will abide by the relevant legislation, that they understand the processes and policies the Company has in place to ensure that it is compliant, and that they understand how data protection fits into their job.

3. The data protection principles

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

The Company will:

• ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful;
• only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing;
• ensure that data subjects receive full privacy information through the relevant privacy notice so that any processing of personal data is transparent.

Principle 2

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

The Company will:

• only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in its privacy notice;
• not use personal data for purposes that are incompatible with the purposes for which it was collected. If we do use personal data for a new purpose, we will inform the data subject first

Principle 3

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

The Company will only collect the minimum personal data that we need for the purpose for which it is collected. We will ensure that the data we collect is adequate and relevant.

Principle 4

Personal data shall be accurate and, where necessary, kept up to date.

The Company will ensure that personal data is accurate, and kept up to date where necessary. We will take particular care to do this where our use of the personal data has a significant impact on individuals. We will adhere to all requests for personal data to be amended or updated in a reasonable timeframe.

Principle 5

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

The Company will only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data it shall be deleted or rendered permanently anonymous.

Principle 6

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Company will ensure that there appropriate organisational and technical measures in place to protect personal data that we process.

Principle 7

Accountability.

As controller of such personal data, the Company shall be responsible for, and be able to demonstrate compliance with these principles. The Directors are responsible for ensuring that the Company is compliant with these principles.

The Company will:

• ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request;
• carry out a Data Protection Impact Assessment for any high-risk personal data processing, and consult the Information Commissioner if appropriate;
• have in place internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law.

4. Special category data

Special category data

Personal data refers to any information by which a living individual can be identified. Individual identification can be by information alone or in conjunction with other information. Certain categories of personal data have additional legal protections when being processed. These categories are referred to in the legislation as “special category data” and are data concerning:

• health
• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic data
• biometric data
• sexual orientation

We will collect your special category data from yourself when you commence employment with us through health questionnaires.

We obtain and process this data for other statutory and legal obligations including, but not limited to:

• responding to data subject requests under data protection legislation
• responding to Freedom of Information Act requests
• in connection with our duties under the Equality Act 2010

We may also process your special category data if you are not directly involved in a particular purpose of processing, but we come into contact with you for any other reason that is related to our functions, as set out above.

The lawful basis for processing your special category data

Consent – The consent of a data subject to the processing of his/ her personal data.

Legitimate Interest – there is a weighed and balanced legitimate interest where processing is needed and the interest is not overridden by others.

The additional condition relied on for processing your special category data

The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject.

Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.

Who we share your personal data with

We are required to share your data with third parties where we have a legal obligation to do so.

We also share information with other third parties where we have a lawful basis for doing so, and for special category personal data, where we have relied on an additional condition and this will be outlined in the relevant privacy notices.

The categories of persons we share your special category data with are listed in the below table along with the lawful basis for us doing so and the additional condition relied upon;

Type of Personal Data: Health, racial, ethnic, political, religious, philosophical, trade union, sexual orientation
Purpose: This information is shared / disclosed only when necessary for the purposes of seeking advice for the purposes of HR / Employment Law / Health & Safety Law
Third Party: Wirehouse Employer Services
Lawful Basis: Legitimate interests
Additional Information: Necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment law.

5. Data controller’s policies as regards retention and erasure of special category personal data

We will ensure, where special category personal data is processed, that:

• there is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data;
• where we no longer require special category or criminal convictions personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous and this will be in line with our policy on data erasure;
• data subjects receive full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored.