Data Protection Policy (High Level)

The company is registered under the Data Protection Act (DPA) and the General Data Protection Regulations (GDPR) of 2018

General Statement of the Company’s Duties
The company is required to process relevant personal data regarding staff and others connected with the business as part of its operation and shall take all reasonable steps to do so in accordance with this Policy. Processing may include obtaining, recording, holding, disclosing, destroying or otherwise using data. In this Policy any reference to staff includes current past or prospective staff.

Data Protection Controller
The company has appointed the Financial Director as Data Protection Controller (DPC) who will endeavour to ensure that all personal data is processed in compliance with this Policy and the Principles of the Data Protection Act 1998and the GDPR of 2018

The Principles
The company shall so far as is reasonably practicable comply with the Data Protection Principles (“the Principles”) contained in the DPA and revised in GDPR to ensure all data is

  • fairly and lawfully processed
  • processed for lawful purpose
  • adequate, relevant and not excessive
  • accurate and up to date
  • not kept for longer than necessary
  • processed in accordance with the data subject’s rights secure.

Personal Data
Personal data covers both facts and opinions about an individual. The company may process a wide range of personal data of staff and staff applicants as part of its operation. This personal data may include (but is not limited to); names and addresses, bank details, records and references.
Individual names may be displayed on the company website and intranet from time to time, for example in news items or necessary lists of pupils representing the Company as a member of a team. However, names will not be associated with photographs or other identifying personal information without consent.

Processing of Personal Data
Consent may be required for the processing of personal data unless the processing is necessary for the company to undertake its obligations to staff and staff applicants. Any information which falls under the definition of personal data, and is not otherwise exempt, will remain confidential and will only be disclosed to third parties with the consent of the appropriate individual or under the terms of this Policy.

Sensitive Personal Data
The company may, from time to time, be required to process sensitive personal data regarding staff and staff applicants. Sensitive personal data includes medical information and data relating to religion, race, or criminal records and proceedings. Where sensitive personal data is processed by the company, the explicit consent of the appropriate individual will generally be required in writing.

Rights of Access
Individuals have a right of access to information about them held by the company. Any individual wishing to access their personal data should put their request in writing to the Financial Director. The company will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 40 days of access to records and 21 days to provide a reply to an access to information request. The company will charge an administration fee of up to £10.00 for providing this information.

The company will also treat as confidential any reference given by the company for the purpose of the training or employment, of staff and staff applicants. The company acknowledges that an individual may have the right to access a reference relating to them received by the company. However, such a reference will only be disclosed if such disclosure will not identify the source of the reference or where, notwithstanding this, the referee has given their consent or if disclosure is reasonable in all the circumstances.

Whose Rights
The rights under the DPA and GDPR are the individual’s to whom the data relates.

Certain data is exempted from the provisions of the DPA and GDPR which includes the following

  • the prevention or detection of crime
  • the assessment of any tax or duty

Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the company. This is not a comprehensive list of examples only of some of the exemptions under the legislation.

Disclosure of Information
The company may receive requests from third parties to disclose personal data it holds about staff or staff applicants. The company confirms that it will not generally disclose information unless the individual has given their consent or one of the specific exemptions under the legislation applies.
However, the company does intend to disclose such data as is necessary to third parties for the following purposes
to disclose details of a staff member’s medical condition where it is in the staff member’s interests to do so, for example for medical advice or for insurance purposes.
to give a confidential reference relating to a staff member or past staff member.
Where a company receives a disclosure request from a third party it will take reasonable steps to verify the identity of that third party before making any disclosure.

Use of Personal Information by the Company
The company will, from time to time, make use of personal data relating staff in the following ways. Should you wish to limit or object to any such use please notify the Financial Director in writing.

  • To make use of photographic images of staff in company publications and on the company website. However, the company will not publish photographs of individual staff with their names on the company website without the express agreement of the appropriate individual.
  • For marketing or promotional purposes and to maintain relationships with staff of the company, including transferring information to any association society or club set up for the purpose of establishing or maintaining contact with staff or for marketing or promotional purposes.

The company will endeavour to ensure that all personal data held in relation to an individual is accurate. Individuals must notify the Financial Director of any changes to information held about them. An individual has the right to request that inaccurate information about them is erased or corrected.

The company will take reasonable steps to ensure that members of staff will only have access to personal data relating to staff or staff applicants where it is necessary for them to do so. All staff will be made aware of this policy and their duties under the legislation. The company will ensure that all personal information is held securely (in lockable cabinets within secure areas of the company).and is not accessible to unauthorised persons.
Staff should not print or retain personal information off-site.
At the end of staff appointments, the Company’s IT department will check personal laptops and computers for any inappropriate or personal material.

If an individual believes that the company has not complied with this Policy or acted otherwise than in accordance with the legislation, they should utilise the company complaints procedure and should also notify the Financial Director.

Policy Number: 52

Contacts: HR Dept.
Financial Director