Data Protection/Retention of Personal Data Policy
The Data Protection Policy explains our obligations in relation to personal data and how we keep it secure, as well as what we expect from you when you are handling personal data in the course of your work.
The Data Protection Act 1998 was introduced to regulate personal data held either on computer or within a manual filing system. As an employer it is our responsibility to ensure that the documentation held is relevant, accurate and where necessary, kept up to date. Any data held shall be processed fairly and lawfully and in accordance with the rights of data subjects under the Act. As an employee you will have the right, upon written request, to be told what personal data about you is being processed. You will also have the right to be informed of the source of the data and to whom it may be disclosed.
We are not obliged to supply this information unless you make a written request and for such requests, a fee may be payable.
Who does this policy apply to?
This policy applies to:
The Policy Details
General Use of Personal Data
The Cyan Group holds data on prospective, current and former staff, and on businesses interested in our services.
- The data is held securely as an electronic and/or a paper record.
- The processing of this data is subject to rules laid down under the Data Protection Act 1998.
- Personal data will only be used for the proper purposes of the employment business.
- The protection of your personal data will be governed by the provisions of the Data Protection Act 1998. Access to your data will be restricted to those personnel to whom it is necessary for proper purposes.
- Cyan Group will not sell your personal data to third parties. Your personal data will only be transferred to third parties where there is a proper purpose related to business matters and with your knowledge.
Data Protection Principles
In terms of the Data Protection Act 1998, we are the 'data controller', and as such determine the purposes for which, and the manner in which, any personal data are, or are to be, processed. We must:
- Process personal data fairly and lawfully. Cyan Group always puts its logo on all paperwork, states its intentions for processing the data, and states whether, and to whom, it intends to disclose the personal data.
- Obtain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner which is incompatible with the purpose or purposes for which it was obtained.
- Ensure that personal data is adequate, relevant, and not excessive for the purpose or purposes for which it is held.
- Ensure that personal data is accurate and, where necessary, kept up to date.
- Ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
- Process personal data in accordance with the rights of the individuals to whom the information relates.
- Ensure that personal data is kept secure.
- Ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which the information is to be sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.
Cyan Group is registered as a Data Controller under the Act and will adhere to these principles and the guidelines set out by the Information Commissioner. The Cyan Group uses secure and confidential means of destroying data after the relevant holding period.
You are entitled to have a copy of the information we hold about you. This right is the 'right to subject access' under the DPA. You are also entitled to be told where the information came from, what it is used for and if it is disclosed to anyone. There are some specific exceptions as set out in the Act; for example, we are allowed to refuse requests where releasing the information would prejudice the privacy rights of a third party.
You can contact us to request a copy of the information we hold. Requests should be made in writing, either by email to the Managing Director, Graeme.Smith@cyan-group.com, or by post to Cyan Group, Regal House, 70 London Rd, Twickenham TW1 3QS. We must be sure that we are releasing information to the right person, so you will be asked to supply information to prove your identity.
Our Policy and Procedures are intended to ensure that personal information is always difficult to steal and that only authorised people have access to it. We need to ensure that any personal customer information remains confidential and is used with care.
- This means keeping it secure
- Only sharing it when we need to
- Only allowing fit and proper people to see it
- And using it skilfully
Confidential customer information can be stolen in a matter of seconds.
We control access to customer information in several ways:
- Locking cabinets, rooms, and the building
- The installation of a burglar alarm to the premises and making sure it is regularly tested and serviced
- Using password-protected screensavers that activate automatically after ten minutes
- Restricting access to the building, ensuring any reception desk is always staffed, and operating a clear desk policy. This means keeping desks and other surfaces clear of customer information and of any records of logins and passwords; it limits the risk of customer information being seen by a visitor and reduces the possibility of opportunistic theft.
Vetting and keeping records of staff:
- References should also be obtained from previous employers in the last 12 months. These should not be provided by the staff member themselves.
- All these vetting procedures also apply to any third-party employees who might gain access to confidential information. IT support firms are an obvious example, but cleaning and maintenance staff and firms often have access to office areas in and out of working hours.
When a staff member leaves the firm, managers have a responsibility to:
- Make sure keys and swipe cards are surrendered
- Cancel all personal computer passwords and user accounts
- Ensure portable IT equipment that belongs to the business is returned, and that any Company software and customer data is removed from machines the leaver owns themselves
- Change any other passwords the leaver might know
There are solutions to the problem of IT security:
- The golden rule is THINK. Don't be casual about where you open your laptop. Treat portable devices as jewellery.
- All smartphones and tablets must be PIN protected as an absolute minimum and have the ability to remotely wipe their contents in the event of loss or theft.
- All computers must be equipped with anti-virus software that is kept up to date.
- Passwords should be checked and changed regularly.
- Maintain up-to-date and securely stored backups.
- Like any physical record, computers should also be securely disposed of when they come to the end of their useful life. Always remove information before you dispose of a computer, either by physically destroying the hard drive or storage medium, or by using specialist software to erase the disks.
You only have to look at some of the leaked emails that come out of the government to realise that email is never a secure means of communication.
- It’s happened to us all. Emails can be wrongly addressed
- Forwarded accidentally
- Forwarded to third parties against our wishes
- Intercepted by third parties maliciously or otherwise
- Or simply viewed on the recipient's computer screen.
So, it is simple. Never communicate personal information by email unless:
- You have got permission from the subject and can prove you have
- Or you have used adequate password or encryption protection
The same applies to fax communications:
- Only send a fax if it cannot be replaced by email
- Phone ahead to warn the recipient if the fax contains personal information
- And never send personal medical details by fax
Data Protection — Key Definitions
A Data Processor is anyone who processes information on behalf of a Data Controller but isn't an employee. In practice this usually means another company rather than an individual. However, responsibility for the use and security of information always remains with the Data Controller.
And a Third Party is any person other than the Data Subject, Controller or Processor.
The Act regulates and controls the processing of personal information. It gives everyone the right to know what information is held about them and sets rules to make sure this information is handled properly.
Information becomes personal as soon as it consists of more than just a person's name and address. However, the law draws a distinction between basic information, such as a name or an NI number, which only becomes personal if it is linked to other information affecting that person's privacy;
And Sensitive Personal Information, which relates to a living, identifiable individual's ethnic origin, political opinion, religion, trade union membership, sexual life, physical and mental health and any offences they have committed or are alleged to have committed. This includes ongoing legal proceedings.
In order to hold and process this information, you must formally explain to your customer why you are doing so, provide details about the information you hold and correct any errors. You should then notify your customer how the data will be processed and to whom it may be disclosed, and ensure they have given their explicit permission for this to happen, either by consenting to the action or by providing other written confirmation.