The General Data Protection Regulation (GDPR) regulates the processing of data relating to individuals. This includes the obtaining, holding, using or disclosing of such data and covers computerised records as well as manual filing systems and card indexes.
Ipswich Central (ICM) shall hold the minimum personal data necessary to enable it to perform its functions. All such data is confidential and needs to be treated with care in order to comply with the law.
We recognise that the lawful and correct treatment of personal data is very important to successful operations and to maintaining customers’ and employees’ confidence in ourselves.
Any personal data which we collect, record or use in any way, whether it is held on paper, on computer or on other media, shall have appropriate safeguards applied to it to ensure that we comply with the GDPR.
This policy will cover the rules and also the implementation of best practice around data acquisition, usage, storage and protection.
1.2 Data Protection Principles
The Company is fully committed to adhering to the Principles of Data Protection, as set out in the GDPR.
In summary, the Principles state that personal data shall:
• Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
• Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
• Be obtained for legitimate interests, which cover the following: Company contact details (local manager, head office contact and any other relevant contact) used to communicate during the BID term; personal/company contact details of the Advisory Group and Board (and any other group of people or businesses relevant to the work of the BID); and data collection for the Annual Survey and Mid Term Review.
• Be adequate, relevant and not excessive for that purpose.
• Be accurate and kept up to date annually.
• Not be kept for longer than is necessary for that purpose.
• Be processed in accordance with the data subject’s rights.
• Be kept safe from unauthorised access, accidental loss or destruction.
• Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
To comply with the law, information shall be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
Compliance and accountability
It is the responsibility of Ipswich Central to:
• Assess the understanding of the obligations of Ipswich Central under the GDPR
• Identify and monitor problem areas and risks and recommend solutions
• Promote clear and effective procedures and offer guidance to staff on Data Protection issues
• Review business changes and determine whether registration under the GDPR is required
Any staff members purchasing, renting or otherwise acquiring data are responsible for the following:
• Suppliers must verify that any purchased or rented data has been acquired in a compliant manner.
• Any data acquired for marketing purposes (email lists, phone numbers, addresses etc.) must be acquired through legal methods or from reputable suppliers. Individuals must have opted in to receive marketing messages.
• If the supplier cannot or will not supply an adequate Proof of Provenance, we cannot use their services.
• If possible, data should be acquired from the source rather than a supplier further down the chain.
Any data acquired – either by the Company or by a third-party supplier – to which individuals have not explicitly opted in cannot be used, and using it could put the Company at risk of sanctions from the ICO.
Staff members who regularly deal with personal data and store and transfer it are responsible for assessing the importance and sensitivity of the data and classifying it accordingly. This ensures that any recipients are aware of the precautions that they need to take when they are handling it.
Low: A dataset that does not contain any information which is directly personally identifiable. It has either been completely anonymised or pseudonymised, or does not contain any personal information such as contact details, email addresses, postal addresses etc., or any vital client information. An example would be a self-generated testing dataset used to create an analytical model, as this is worthless to anyone outside the organisation. That said, care should still be taken around its storage, use and transfer.
High: Any dataset which contains confidential information, either personal data such as email lists, CRM outputs, address targets and so on, or information which is vital to a client, such as transaction details. If you are unsure of the classification, err on the side of caution and assume it should be classified as High. This data should be stored for no longer than is needed, should be password protected and encrypted and would ideally only be transferred by secure means.
If you are unsure of the classification a piece of data should receive, discuss it with your manager who will be able to point you in the right direction.
When transferring sensitive data between yourself and other individuals, either within Ipswich Central or externally to members, partners and/or stakeholders, you must ensure the following:
• The recipient is authorised to receive this data. You must not share confidential information with unauthorised persons either deliberately or through negligence. Doing so may lead to disciplinary action being taken or even a criminal prosecution.
• All reasonable steps to ensure a safe transfer have been taken.
• Data should not, unless absolutely required, be transferred outside the European Union. If it must be, sign-off from a Company director must be obtained.
• If you must transfer the information via email, the following steps should be taken:
    – If possible, depersonalise the information. This will not be possible with some pieces of data, but if it can be depersonalised, do so before transfer.
    – The file(s) must be encrypted and protected with a strong password.
    – The password must be sent separately from the dataset, i.e. by text message or in another email.
    – The email should be deleted from the inbox/sent items folder and from the deleted items folder as soon as the dataset has been exported.
• The sender must log the date, time, recipient, format, method of transfer and classification of the data in the internal Ipswich Central log, which is kept centrally.
• The sender should ask recipients outside the Company to acknowledge receipt of the data and then log the time that receipt was acknowledged.
It is the employee’s responsibility to ensure that all received and otherwise acquired data is stored correctly, in line with the Ipswich Central Data Protection Policy. The Company will provide regular backups and archiving facilities for electronic data and lockable cabinets for hard copies. All machines and backup devices shall be encrypted and protected with strong passwords.
Employees shall ensure that any personal information which they have access to is:
• Stored in the secure cloud-based environment and only stored on their local machines for the duration they require to work on it (if appropriate).
• Protected with a strong password and encrypted.
• Removed from their local machine and any memory sticks, cloud storage platforms or other non-secure or Company-controlled areas as soon as it is no longer required.
• Removed from their secure data environment as soon as it is no longer required. This will require the performance of regular checks on their storage environment.
• All hard copies such as personnel information and financial statements must be kept in a locked cabinet or drawer and put away when not in use. Relevant members of the Operations Team and Senior Management shall be the only people with access to this.
• Any breach of this Data Protection Policy whether deliberate or through negligence may lead to disciplinary action being taken or even a criminal prosecution.
In the event of a breach (an incident where data is lost, either through the loss or theft of the laptop/memory stick/hard drive it is stored on, a breach in the security of the platform it is stored in, or the hard copies being lost or stolen), employees must inform the Data Protection Officer (DPO) immediately. Your DPO will then escalate this to the appropriate team members, including the Board of Directors.
The nominated team members will then assess the severity of the breach and work to ascertain the correct response.
In all instances, if clients have had their customer data compromised, either through actions or a breach on the employee’s part or on the part of a third party, clients shall be alerted to the fact by an Ipswich Central Director as soon as possible. This should take the form of a telephone call, but if this is not possible, an email. Follow-up calls with the individuals responsible for data storage and security may be arranged.
If it is found that the breach has occurred through negligence (loss of a device/documentation with data stored on it, poor password practices, storing data in a way which contravenes the Data Protection Policy), disciplinary or criminal action may be taken. If a complaint is raised against Ipswich Central due to a breach of procedure, this will be dealt with in accordance with the Company’s complaints procedure.
One of the rules under Data Protection gives you the right to see certain information held about you, which includes your personnel file. A fee of £10.00 will apply. Ipswich Central will respond within 5 working days.
Under the GDPR there could be some very rare situations where we would not disclose information in your file, for example if a document also contains personal information about someone else.
Under the GDPR you have a right to request that your data be removed from our database, with the exception of data we require for legal, statistical, compliance and legitimate purposes, i.e. Company information.
Keeping your information up to date
Please help us to keep your information up to date and let us know if there are any changes such as:
• your address
• your name
• your home telephone number
• next of kin, or who to notify in the event of an accident or emergency, and their contact details and
• anything (medical or otherwise) we need to know in an emergency
Please send these changes to datacontrollerIC@centralmanagementltd.com
Viewing your personnel record
Personal and salary records are confidential and access is restricted. Under the GDPR and employment law you are entitled to access certain records kept of personal information about you, and any request to view personal records should be made to the Manager or the Director who controls access to personnel information.
The procedure is that all employees should give a minimum of 10 working days’ notice of a request for access to their personal file and/or salary information.
• Files will be made available as soon as possible after the notice period and in any event within 21 days.
• Files may only be viewed within the Company Office.
• Files may not be copied or taken out of the Company Office.
Information that may NOT be viewed by employees
Employees may not view confidential employment references or personal data processed for the purposes of management forecasting and planning.
In addition, any data contained within personnel files that includes personal information on a third party who can be identified from that information may not be viewed. The only exceptions to this rule are:
• if the third party has consented to the disclosure of the information to the person making the request (this must be done in writing and logged)
• if the information is in a health record and the third party is a health professional who has compiled or contributed to that health record; and
• if it is reasonable in all the circumstances to comply with the request without the consent of the third party.
Staff files are maintained by the Company’s human resources team. Files are kept at the office, in a locked cabinet and within the HR system.
Personal data will be used in connection with any aspect of the individual’s employment and for no other purpose. It will be a disciplinary offence to disclose personal data to a third party without prior authorisation.