APS Group (“the Group”) recognises the need to comply with the various laws regulating the processing of personal data relating to individuals, including the General Data Protection Regulation (GDPR). The Group requires that members of staff recognise the risks involved when dealing with such information and fully understand the steps that must be taken in order to minimise such risks.
It is the Group’s policy to educate and inform staff about the dangers of inappropriate and illegal use of personal data which they may have access to.
The Information Security and Data Protection Officer can be reached using the email address email@example.com
This policy forms a part of the Information Security Management System (ISMS) operated by APS Group.
Scope of this policy
This policy applies to personal data stored and processed by the Group.
This data might relate to employees, contractors and agency staff working for the Group.
This policy also covers data relating to individuals not working for the Group who have provided their personal information, for example, job applicants, visitors, users of websites operated by the Group, customers, and suppliers.
This policy also covers personal data about individuals identified in data supplied to the Group by our customers.
Personal data is any data that can identify an individual, such as a name, National Insurance number, employee number or customer reference number. All personal data will fall within the Data Protection Act 1998 (“the Act”), including the personal data of customers, previous employees and job applicants. Sensitive Personal Data includes medical records and data on an individual’s religious beliefs or sexual orientation. For the purposes of this policy personal data will be taken to include sensitive personal data unless otherwise stated.
The term “processing” includes obtaining, recording and holding personal information as well as changing it, disclosing it, making it available to others and destroying it.
Roles and responsibilities
The Information Security and Data Protection Officer is responsible for data protection and data security. This person can be reached using the email address firstname.lastname@example.org
The directors of the Group are accountable for data protection and data security.
Lawfulness, fairness and transparency – Article 5, 1 (a)
The Group shall only collect and use personal data if it has legitimate grounds to do so, and shall be transparent about how the data is used when collecting data from individuals.
The Group shall ensure that data collected is not used in any way that is unlawful or will have unjustified adverse effects on the individuals concerned.
Purpose limitation – Article 5, 1 (b)
The Group shall ensure that when personal data is collected:
- this is for purposes which are explicitly specified and appropriate;
- the individual is clearly informed of the purposes and appropriate privacy (fair processing) notices are issued; and that
- this data is not processed further in a manner incompatible with the purpose for which it was collected.
Whenever members of staff are involved in processing any personal data they must ensure that the personal data stored is only used where required to properly perform their role and it is not processed unless it is necessary to do so. They must be aware that unlawful processing of personal data may constitute a criminal offence.
Data minimisation – Article 5, 1 (c)
The Group shall practise “data minimisation” – storing sufficient personal information for the purpose for which it is needed, but no more.
When determining what data to store, the following factors shall be considered:
- The purpose for which the data is being stored;
- Applicability of the purpose to the individual or group of individuals whose data is to be stored;
- Whether the data is actually sufficient for the purpose. Insufficient data shall not be stored.
Special consideration shall be given where the data is a record of an opinion to ensure that it can be interpreted correctly.
Accuracy – Article 5, 1 (d)
The Group shall take reasonable steps to ensure that personal data stored is accurate and kept up-to-date. The source of personal data shall be clear and consideration shall be given as to whether it is necessary to update the information.
Any challenges to the accuracy of information stored shall be carefully considered and (if appropriate) recorded.
Storage limitation – Article 5, 1 (e)
The Group shall dispose of personal data when it is no longer needed, so as to reduce the risk of the data becoming inaccurate, out of date or irrelevant.
In practice, the Group shall periodically:
- Review the length of time for which personal data is kept;
- Consider the purposes for which information is held; and
- Securely delete data which is no longer needed.
Confidentiality and integrity – Article 5, 1 (f)
Personal data will be held on a confidential basis and will only be disclosed to third parties with the individual’s consent or in accordance with a legal obligation.
The Group will take appropriate security measures to protect personal data that it holds, using a risk-based approach.
Security shall be designed and organised around the nature of the personal data held and potential harm resulting from a breach. Responsibility for security shall be made clear. Response to any security breach shall be timely and effective.
Whenever members of staff are involved in processing any personal data they must ensure that their computer equipment is maintained and that the personal data stored is secure.
Rights of the data subject
The Group shall observe and uphold all rights of individuals in respect of personal data that it holds about them, including:
- right to be informed – through issuing ‘fair processing’ notices as appropriate;
- right of access;
- right to rectification;
- right to erasure;
- right to restrict processing;
- right to data portability;
- right to object; and
- rights related to automated decision making including profiling.
The Group shall respond promptly to all data subject requests, noting that for any requests received in respect of data where the Group is Data Processor, the responsibility for complying with a request lies with the Data Controller.
The Group will generally only pass personal data to companies or organisations in other jurisdictions which provide an equivalent level of regulatory data protection standards to those conferred in the European Union. In situations where this aim cannot be met, the Group will try to ensure, as far as possible, that the data is processed fairly – for example through contractual protections.
Email and internet use
The transmission of information via email (particularly outside Europe) may amount to unauthorised disclosure and expose the Group to an action or complaints under the Data Protection Act. If in doubt, checks should be made with the Compliance or Human Resources teams.
The Group has given notification under the Act and holds computerised and manual records containing personal details of all members of staff. The Group undertakes to ensure, as far as practicable, that personal data relating to members of staff will be processed in accordance with the Act and the Information Commissioner’s Code of Practice on the Use of Personal Data in Employer/Employee Relationships.
The Group processes data about its employees as necessary to fulfil legitimate interests as an employer. Some examples of the use of personnel information are:
- processing personal data for administrative purposes such as paying wages;
- equal opportunities monitoring;
- statistical data in the context of commercial bidding;
- staff turnover statistics; and
- recording and monitoring of staff absence and sickness.
Members of staff will be informed of the purposes for which their personal data will be processed and also the manner in which it will be processed. The Group may pass personal data to another company or organisation which undertakes tasks on behalf of the Group.
Staff should notify Human Resources of any changes in their details, for example, change of address, telephone number or next of kin. From time to time members of staff will be asked to update their personal information to ensure the personnel database remains current. If a worker believes data held about them is inaccurate they should inform the Human Resources department. This will be recorded on their file.
Right of Access to Personal Data
Employees have the right to access any of their personal data held and/or processed by the Group. You should make a request in writing to the Human Resources department. The Group will provide access within a month of receiving your request, unless the request is particularly complex or the Group is lawfully authorised to deny access; for example, the Data Protection Act provides that employees do not have the right to access a reference written about them by the Group. Employees will be entitled to receive a copy of data held on their file in an intelligible form.
Right to Complain
If members of staff have any concerns, questions or complaints regarding the processing or use of personal data they should contact the Human Resources department as soon as possible. If there is any doubt about whether personal data may be disclosed, the Human Resources department should immediately stop providing the information in question. Employees may invoke the grievance procedure if they are not satisfied by the response of the Human Resources department to any complaint.
All members of staff have the right to make a complaint to the Information Commissioner’s Office if they feel that the Group has not dealt correctly with their complaint.
Websites operated by APS Group
Personal information stored in relation to websites
- Where you use a website operated by the Group, we will only collect, store and use your personal information for defined purposes. These purposes include:
  - to provide services to you as requested;
  - to provide information to you about our products and services, or as requested;
  - to manage our relationship with you; and
  - to manage and maintain our website.
- User consent is the legal basis for our processing of personal data.
- We do not sell your personal information.
- We may share your personal data across APS Group or outside APS Group, including to countries outside the EEA where the level of legal protection for data may be less than within the EEA.
- We will retain personal data as long as required to fulfil the purposes stated.
- You may contact APS Group at any time with any privacy questions or concerns you may have. Please use this email address: email@example.com.
- You may ask at any time to see the personal data you have given us and request correction or deletion.
- We strive to protect the security of your personal data by use of appropriate measures and processes.