Who we are
Our website address is: https://www.ecologysurveysinnorfolk.co.uk.
PHILIP PARKER ASSOCIATES LTD
DATA PROTECTION POLICY
1.0 STATEMENT OF POLICY
1.1 Philip Parker Associates Ltd is committed to all aspects of data protection and takes
seriously its duties, and the duties of its employees, under the Data Protection Act 1998
(incorporating the EU’s GDPR standards). This policy sets out how the organisation deals
with personal data, including personnel files and data subject access requests, and
employees’ obligations in relation to personal data.
2.0 DATA PROTECTION OFFICER
2.1 Lisa Gabriel is the organisation’s data protection officer and is responsible for the
implementation of this policy. If employees have any questions about data protection in
general, this policy or their obligations under it, they should direct them to Lisa Gabriel.
3.0 DATA PROTECTION PRINCIPLES
3.1 The Data Protection Act 2018 requires that eight data protection principles be followed in
the handling of personal data. These principles require that personal data:
- shall be processed fairly and lawfully and according to conditions;
- shall be obtained only for one or more specified and lawful purposes, and shall not be
further processed in any manner incompatible with that purpose or those purposes;
- shall be adequate, relevant and not excessive in relation to the purpose or purposes
for which they are processed;
- shall be accurate and, where necessary, kept up to date;
- shall not be kept for longer than is necessary for that purpose or those purposes;
- shall be processed in accordance with the rights of data subjects;
- shall be subject to appropriate technical and organisational measures being taken
against unauthorised or unlawful processing of personal data and against accidental
loss or destruction of, or damage to, personal data;
- shall not be transferred to a country or territory outside the European Economic Area
unless that country or territory ensures an adequate level of protection for the rights
and freedoms of data subjects in relation to the processing of personal data.
3.2 Personal data
The Data Protection Act 2018 applies only to information that constitutes
“personal data”. Information is “personal data” if it:
- Identifies a person, whether by itself, or together with other information in the
organisation’s possession, or is likely to come into its possession; and
- Is about a living person and affects that person’s privacy (whether in his/her
personal or family life, business or professional capacity) in the sense that the
information has the person as its focus or is otherwise biographical in nature.
3.3 Consequently, automated and computerised personal information about employees held by
employers is covered by the Act. Personal information stored physically (for example, on
paper) and held in any “relevant filing system” is also covered. In addition, information recorded with the intention that it will be stored in a relevant filing system or held on
computer is covered.
3.4 A “relevant filing system” means a well-structured manual system that amounts to more
than a bundle of documents about each employee filed in date order, i.e. a system to guide
a searcher to where specific information about a named employee can be located easily.
3.5 The use of personal information
The Data Protection Act 2018 applies to personal information that is “processed”. This
includes obtaining personal information, retaining and using it, allowing it to be accessed,
disclosing it and, finally, disposing of it.
3.6 Sensitive personal data
Sensitive personal data is information about an individual’s:
- Racial or ethnic origin;
- Political opinions;
- Religious beliefs or other beliefs of a similar nature;
- Trade union membership (within the meaning of the Trade Union and Labour
Relations (Consolidation) Act 1992);
- Genetics;
- Biometrics (where used for identification);
- Health;
- Sex life or orientation.
3.7 The organisation will not retain sensitive personal data without the express consent of the
employee in question.
3.8 The organisation will process sensitive personal data, including sickness and injury records
and references, in accordance with the eight data protection principles. If the organisation
enters into discussions about a merger or acquisition with a third party, the organisation will
seek to protect employees’ data in accordance with the data protection principles.
4.0 PERSONNEL FILES
4.1 An employee’s personnel file is likely to contain information about his/her work history with
the organisation and may, for example, include information about any disciplinary or
grievance procedures, warnings, absence records, appraisal or performance information
and personal information about the employee including address details and national
insurance number.
4.2 There may also be other information about the employee located within the organisation, for
example in his/her line manager’s inbox or desktop; with payroll; or within documents stored
in a relevant filing system.
4.3 The organisation may collect relevant sensitive personal information from employees for
equal opportunities monitoring purposes. Where such information is collected, the
organisation will anonymise it unless the purpose to which the information is put requires
the full use of the individual’s personal information. If the information is to be used, the
organisation will inform employees on any monitoring questionnaire of the use to which
the data will be put, the individuals or posts within the organisation who will have access to
that information and the security measures that the organisation will put in place to ensure
that there is no unauthorised access to it.
4.4 The organisation will ensure that personal information about an employee, including
information in personnel files, is securely retained. The organisation will keep hard copies of
information in a locked filing cabinet. Information stored electronically will be subject to
access controls and passwords and encryption software will be used where necessary.
4.5 The organisation provides [compulsory] training on data protection issues to all employees
who handle personal information in the course of their duties at work. The organisation will
continue to provide such employees with refresher training on a regular basis. Such
employees are also required to have confidentiality clauses in their contracts of
employment.
4.6 Where laptops are taken off site, employees must follow the organisation’s relevant policies
relating to the security of information and the use of computers for working at home/bringing
your own device to work.
5.0 DATA SUBJECT ACCESS REQUESTS
5.1 Philip Parker Associates Ltd will inform each employee of:
- The types of information that it keeps about him/her;
- The purpose for which it is used; and
- The types of organisation that it may be passed to, unless this is self-evident (for
example, it may be self-evident that an employee’s national insurance number is
given to HM Revenue & Customs).
5.2 An employee has the right to access information kept about him/her by the organisation,
including personnel files, sickness records, disciplinary or training records, appraisal or
performance review notes, emails in which the employee is the focus of the email and
documents that are about the employee.
5.3 Lisa Gabriel is responsible for dealing with data subject access requests.
5.4 The organisation will not charge for allowing employees access to information about them.
The organisation will respond to any data subject access request within 10 working days.
5.5 The organisation will allow the employee access to hard copies of any personal information.
However, if this involves a disproportionate effort on the part of the organisation, the
employee shall be invited to view the information on-screen or inspect the original
documentation at a place and time to be agreed by the organisation.
5.6 The organisation may reserve its right to withhold the employee’s right to
access data where any statutory exemptions apply.
6.0 CORRECTION, UPDATING AND DELETION OF DATA
6.1 The organisation has a system in place that enables employees to check their personal
information on a regular basis so that they can correct, delete or update any data. If an
employee becomes aware that the organisation holds any inaccurate, irrelevant or out-ofdate
information about him/her, he/she must notify [name of individual/the data
protection officer/the HR department] immediately and provide any necessary corrections
and/or updates to the information.
6.2 Data that is likely to cause substantial damage or distress
If an employee believes that the processing of personal information about him/her is
causing, or is likely to cause, substantial and unwarranted damage or distress to him/her or
another person, he/she may notify the organisation in writing to [name of individual/the data
protection officer] to request the organisation to put a stop to the processing of that
information.
6.3 Within 21 days of receiving the employee’s notice, the organisation will reply to the
employee stating either:
- that it has complied with or intends to comply with the request; or
- the reasons why it regards the employee’s notice as unjustified to any extent and
the extent, if any, to which it has already complied or intends to comply with the
notice.
7.0 MONITORING
7.1 The organisation may monitor employees by various means including, but not limited to,
recording employees’ activities on CCTV, checking emails, listening to voicemails and
monitoring telephone conversations. If this is the case, the organisation will inform the
employee that monitoring is taking place, how data is being collected, how the data will be
securely processed and the purpose for which the data will be used. The employee will
usually be entitled to be given any data that has been collected about him/her. The
organisation will not retain such data for any longer than is absolutely necessary.
7.2 In exceptional circumstances, the organisation may use monitoring covertly. This may be
appropriate where there is, or could potentially be, damage caused to the organisation by
the activity being monitored and where the information cannot be obtained effectively by
any non-intrusive means (for example, where an employee is suspected of stealing
property belonging to the organisation). Covert monitoring will take place only with the
approval of Lisa Gabriel.
8.0 EMPLOYEES’ OBLIGATIONS REGARDING PERSONAL INFORMATION
8.1 If an employee acquires any personal information in the course of his/her duties, he/she
must ensure that:
- The information is accurate and up to date, insofar as it is practicable to do so;
- The use of the information is necessary for a relevant purpose and that it is not kept
longer than necessary; and
- The information is secure.
8.2 In particular, an employee should ensure that he/she:
- uses password-protected and encrypted software for the transmission and receipt
of emails;
- sends fax transmissions to a direct fax where possible and with a secure cover
sheet; and
- locks files in a secure cabinet.
8.2 Where information is disposed of, employees should ensure that it is destroyed. This may
involve the permanent removal of the information from the server, so that it does not remain
in an employee’s inbox or trash folder. Hard copies of information may need to be confidentially shredded. Employees should be careful to ensure that information is not
disposed of in a wastepaper basket/recycle bin.
8.3 If an employee acquires any personal information in error by whatever means, he/she shall
inform [name of individual/the data protection officer] immediately and, if it is not necessary
for him/her to retain that information, arrange for it to be handled by the appropriate
individual within the organisation.
8.4 Where an employee is required to disclose personal data to any other country, he/she must
ensure first that there are adequate safeguards for the protection of data in the host
country. For further guidance on the transfer of personal data outside the UK, please
contact Lisa Gabriel.
8.5 An employee must not take any personal information away from the organisation’s
premises [save in circumstances where he/she has obtained the prior consent of Lisa
Gabriel].
8.6 If an employee is in any doubt about what he/she may or may not do with personal
information, he/she should seek advice from [name of individual/line manager/the data
protection officer]. If he/she cannot get in touch with [name of individual/line
manager/the data protection officer], he/she should not disclose the information concerned.
8.7 Consequences of non-compliance
All employees are under an obligation to ensure that they have regard to the eight data
protection principles (see above) when accessing, using or disposing of personal
information. Failure to observe the data protection principles within this policy may result in
an employee incurring personal criminal liability. It may also result in disciplinary action up
to and including dismissal. For example, if an employee accesses another employee’s
employment records without the requisite authority, the organisation will treat this as gross
misconduct and instigate its disciplinary procedures. Such gross misconduct will also
constitute a criminal offence.
8.8 Taking employment records off site
An employee must not take employment records off site (whether in electronic or paper
format) without prior authorisation from Lisa Gabriel.
8.9 An employee may take only certain employment records off site. These are documents
relating to [disciplinary or grievance meetings that cannot be held on site/meetings with
occupational health/discussions surrounding the sale of the business or specific monitoring
purposes/seeking professional advice]. An employee may also take employment records off
site for any other valid reason given by Lisa Gabriel.
8.10 Any employee taking records off site must ensure that he/she does not leave his/her laptop,
other device or any hard copies of employment records on the train, in the car or any other
public place. He/she must also take care when observing the information in hard copy or
on-screen that such information is not viewed by anyone who is not legitimately privy to that
information.
9.0 REVIEW OF PROCEDURES AND TRAINING
9.1 The organisation will provide training to all employees on data protection matters on
induction and on a regular basis thereafter. If an employee considers that he/she would
benefit from refresher training, he/she should contact Lisa Gabriel.
9.2 The organisation will review and ensure compliance with this policy at regular intervals.
Philip Parker Associates Ltd will revise and review this policy regularly.