APS Group (“the Group”) recognises the need to comply with the various laws regulating the processing of personal data relating to individuals, including the General Data Protection Regulation (GDPR). The Group requires that members of staff recognise the risks involved when dealing with such information and fully understand the steps that must be taken in order to minimise such risks.
It is the Group’s policy to educate and inform staff about the dangers of inappropriate and illegal use of personal data which they may have access to.
The Information Security and Data Protection Officer can be reached using the email address email@example.com
This policy forms a part of the Information Security Management System (ISMS) operated by APS Group.
This policy applies to personal data stored and processed by the Group.
This data might relate to employees, contractors and agency staff working for the Group.
This policy also covers data relating to individuals not working for the Group who have provided their personal information, for example, job applicants, visitors, users of websites operated by the Group, customers, and suppliers.
This policy also covers personal data about individuals identified in data supplied to the Group by our customers.
Personal data is any data that can identify an individual, such as a name, National Insurance number, employee number or customer reference number. All personal data will fall within the Data Protection Act 1998 (“the Act”), including the personal data of customers, previous employees and job applicants. Sensitive Personal Data includes medical records and data on an individual’s religious beliefs or sexual orientation. For the purposes of this policy personal data will be taken to include sensitive personal data unless otherwise stated.
The term “processing” includes obtaining, recording and holding personal information as well as changing it, disclosing it, making it available to others and destroying it.
The Information Security and Data Protection Officer is responsible for data protection and data security. This person can be reached using the email address firstname.lastname@example.org
The directors of the Group are accountable for data protection and data security.
The Group shall only collect and use personal data if it has legitimate grounds to do so, and shall be transparent about how the data is used when collecting data from individuals.
The Group shall ensure that data collected is not used in any way that is unlawful or will have unjustified adverse effects on the individuals concerned.
The Group shall ensure that when personal data is collected:
Whenever members of staff are involved in processing any personal data they must ensure that the personal data stored is only used where required to properly perform their role and it is not processed unless it is necessary to do so. They must be aware that unlawful processing of personal data may constitute a criminal offence.
The Group shall practise “data minimisation” – storing sufficient personal information for the purpose for which it is needed, but no more.
When determining what data to store, the following factors shall be considered:
Special consideration shall be given where the data is a record of an opinion to ensure that it can be interpreted correctly.
The Group shall take reasonable steps to ensure that personal data stored is accurate and kept up-to-date. The source of personal data shall be clear and consideration shall be given as to whether it is necessary to update the information.
Any challenges to the accuracy of information stored shall be carefully considered and (if appropriate) recorded.
The Group shall dispose of personal data when it is no longer needed, so as to reduce the risk of the data becoming inaccurate, out of date or irrelevant.
In practice, the Group shall periodically:
Personal data will be held on a confidential basis and will only be disclosed to third parties with the individual’s consent or in accordance with a legal obligation.
The Group will take appropriate security measures to protect personal data that it holds, using a risk-based approach.
Security shall be designed and organised around the nature of the personal data held and potential harm resulting from a breach. Responsibility for security shall be made clear. Response to any security breach shall be timely and effective.
Whenever members of staff are involved in processing any personal data they must ensure that their computer equipment is maintained and that the personal data stored is secure.
The Group shall observe and uphold all rights of individuals in respect of personal data that it holds about them, including:
The Group shall respond promptly to all data subject requests, noting that for any requests received in respect of data where the Group is Data Processor, the responsibility for complying with a request lies with the Data Controller.
The Group will generally only pass personal data to companies or organisations in other jurisdictions which provide an equivalent level of regulatory data protection standards to those conferred in the European Union. In situations where this aim cannot be met, the Group will try to ensure, as far as possible, that the data is processed fairly – for example through contractual protections.
The transmission of information via email (particularly outside Europe) may amount to unauthorised disclosure and expose the Group to an action or complaints under the Data Protection Act. If in doubt, checks should be made with the Compliance or Human Resources teams.
The Group has given notification under the Act and holds computerised and manual records containing personal details of all members of staff. The Group undertakes to ensure, as far as practicable, that personal data relating to members of staff will be processed in accordance with the Act and the Information Commissioner’s Code of Practice on the Use of Personal Data in Employer/Employee Relationships.
The Group processes data about its employees as necessary to fulfil legitimate interests as an employer. Some examples of the use of personnel information are:
Members of staff will be informed of the purposes for which their personal data will be processed and also the manner in which it will be processed. The Group may pass personal data to another company or organisation which undertakes tasks on behalf of the Group.
Staff should notify Human Resources of any changes in their details, for example, change of address, telephone number or next of kin. From time to time members of staff will be asked to update their personal information to ensure the personnel database remains current. If a worker believes data held about them is inaccurate they should inform the Human Resources department. This will be recorded on their file.
Employees have the right to access any of their personal data held and/or processed by the Group. You should make a request in writing to the Human Resources department. The Group will provide access within a month of receiving your request, unless the request is particularly complex or the Group is lawfully authorised to deny access; for example, the Data Protection Act provides that employees do not have the right to access a reference written about them by the Group. Employees will be entitled to receive a copy of data held on their file in an intelligible form.
If members of staff have any concerns, questions or complaints regarding the processing or use of personal data they should contact the Human Resources department as soon as possible. Where there is any doubt about whether a disclosure is lawful, the Human Resources department should immediately stop providing the information. Employees may invoke the grievance procedure if they are not satisfied by the response of the Human Resources department to any complaint.
All members of staff have the right to make a complaint to the Office of the Information Commissioner if they feel that the Group has not dealt correctly with their complaint.