J A Stott (Carpentry) Ltd collects and processes information about people with whom it communicates. This personal information must be dealt with properly and securely however it is collected, recorded and used – whether on paper, in a computer, or recorded on other material – and there are safeguards to endeavour to ensure this, as covered under the General Data Protection Regulation.
J A Stott (Carpentry) Ltd regards the lawful and correct treatment of personal information as very important to the successful and efficient performance of its functions, and to maintain confidence between those with whom it deals. To this end J A Stott (Carpentry) Ltd fully endorses and adheres to the Principles of Data Protection, as set out in the General Data Protection Regulation.
The purpose of this policy is to endeavour to ensure that the employees, subcontractors and stakeholders are clear about the purpose and principles of Data Protection and to endeavour to ensure that it has guidelines and procedures in place which are consistently followed. Failure to adhere to the General Data Protection Regulation is unlawful and could result in legal action being taken against J A Stott (Carpentry) Ltd or its employees and subcontractors.
The General Data Protection Regulation regulates the processing of information relating to living and identifiable individuals. This includes the obtaining, holding, using or disclosing of such information, and covers computerised records as well as manual filing systems. Data users must comply with the data protection principles of good practice which underpin the Regulation. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
To do this J A Stott (Carpentry) Ltd follows the seven Data Protection Principles outlined in the General Data Protection Regulation, which are summarised below:
1. Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to individuals
2. Data shall only be collected and processed for specified, explicit, and legitimate purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall not be considered to be incompatible with the initial purposes.
3. Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
4. Data will be accurate and up to date
5. Personal data that can be used to identify any individual will not be held any longer than necessary
6. Data will be kept secure, including from unauthorised access or unlawful processing, accidental loss or damage, using appropriate technical and organisational measures
7. J A Stott (Carpentry) Ltd. shall be responsible for, and able to demonstrate compliance with the above principles.
The principles apply to “personal data”, which is information about individuals held on computer or in manual filing systems from which those individuals are identifiable. J A Stott Carpentry employees, subcontractors and stakeholders who process or use any personal information in the course of their duties will endeavour to ensure that these principles are followed at all times.
The General Data Protection Regulation requires the organisation to establish a lawful basis for the collection and use of personal data before processing any such information. In most cases the processing of personal data must be demonstrably necessary for a specific purpose.
Depending on the purpose and type of data collected, J A Stott (Carpentry) Ltd has identified the following lawful bases for its collecting and processing of personal data:
• Consent of the individual to process personal data for, and limited to, a specific purpose.
• Processing of the data is necessary for a contract.
• To fulfil a legal obligation.
• Processing of data is necessary to protect an individual’s vital interests.
• Processing of data is necessary to achieve a specific legitimate interest, be it personal, commercial, or societal, and be it the interest of JA Stott Carpentry or that of a third party
The General Data Protection Regulation provides the following rights for individuals in relation to their personal data:
1. The right to be informed about the collection and use of their personal data, including why and for how long it is being kept. This applies regardless of how the data was obtained.
2. The right to access their own personal data.
3. The right to have inaccurate personal data rectified, or completed if it is incomplete.
4. The right to have personal data held by the organisation erased, if there is no longer any lawful basis for keeping it.
5. The right to request that use of their personal data be restricted or suppressed.
6. The right to obtain the personal data they have provided, in a structured, commonly used, and machine-readable format, so that these data can be reused for their own purposes.
7. The right to object to the processing of their personal data.
8. Rights related to automated (i.e. no human involvement) decision-making including profiling.
These rights are not always absolute, and will depend on the lawful basis for which the data has been collected and processed. Requests relating to these rights may be made verbally or in writing, and must typically be answered within one calendar month. J A Stott Carpentry will endeavour to ensure that these rights are respected at all times.
The following procedures have been developed in order to endeavour to ensure that J A Stott (Carpentry) Ltd meets its responsibilities in terms of Data Protection. For the purposes of these procedures data collected, stored and used by J A Stott (Carpentry) Ltd falls into 2 broad categories:
1. J A Stott (Carpentry) Ltd’s internal data records; employees and subcontractors
2. J A Stott (Carpentry) Ltd’s external data records; clients.
J A Stott (Carpentry) Ltd is a DATA CONTROLLER under the Regulation, and the Directors are ultimately responsible for the policy’s implementation.
INTERNAL DATA RECORDS
J A Stott (Carpentry) Ltd obtains personal data (names, addresses, phone numbers, email addresses), application forms, and references and in some cases other documents from employees and subcontractors. This data is stored and processed for the following purposes:
• External applications e.g. for working on prisons, schools and M.O.D. etc.
• Equal Opportunities monitoring
• To distribute relevant organisational material e.g. meeting papers
The lawful bases for the processing of this information are:
• Contractual, for contact information (employment as a contract between the organisation and individuals)
• Legal obligation to establish right to work
• Vital interests for the collection of health data
The contact details of employees and subcontractors will only be made available to other authorised staff. Any other information supplied on application will be kept in a secure filing cabinet and electronically, and is only accessed by those authorised individuals involved in the delivery of the service. Contact details of non-supervisory personnel will not be passed on to anyone outside the organisation without their explicit consent. Contact details for supervisory personnel will be shared with site-specific client personnel per operational requirements. A copy of employee and subcontractor emergency contact details will be kept in the Emergency File for Health and Safety purposes to be used in emergency situations e.g. fire/bomb evacuations. Employees and subcontractors will be supplied with a copy of their personal data held by the organisation if a request is made. All confidential post must be opened by the addressee only.
January 2020 Uncontrolled when copied Page 2 of 4 IMS Reference 1.1.3
J A Stott (Carpentry) Ltd will take reasonable steps to keep personal data up to date and accurate. Personal data will be stored for 40 years after an employee or subcontractor has worked for the organisation. Information will not be destroyed within the 40-year period as information and data has to be saved for Health and Safety legal reasons. The Director has responsibility for destroying personnel files.
Personal data is kept in paper-based systems and on a password-protected computer system. Every effort is made to ensure that paper-based data are stored in organised and secure systems. J A Stott (Carpentry) Ltd operates a clear desk policy at all times.
Use of Photographs
Where practicable, J A Stott (Carpentry) Ltd will seek consent from individuals before displaying photographs in which they appear. If this is not possible (for example, a large group photo), the organisation will remove any photograph if a complaint is received. This policy also applies to photographs published on the organisation’s website or in the Newsletter.
EXTERNAL DATA RECORDS
J A Stott (Carpentry) Ltd obtains personal data (such as names, addresses, and phone numbers) from clients. This data is obtained, stored and processed solely to assist staff in the efficient running of services. Personal details supplied are only used to send material that is potentially useful. Most of this information is stored on the organisation’s database.
J A Stott (Carpentry) Ltd obtains personal data and information from clients in order to provide services. This data is stored and processed only for the purposes outlined in the agreement and service specification signed by the client.
Personal data is collected over the phone and using other methods such as e-mail. During this initial contact, the data owner is given an explanation of how this information will be used. Written consent is not requested as it is assumed that the consent has been granted when an individual freely gives their own details. Personal data will not be passed on to anyone outside the organisation without explicit consent from the data owner unless there is a legal duty of disclosure under other legislation, in which case the Director will discuss and agree disclosure with the employee. Contact details held on the organisation’s database may be made available to clients. Individuals are made aware of when their details are being collected for the database and their verbal or written consent is requested.
Only the organisation’s authorised staff will normally have access to personal data. All personnel are made aware of the Data Protection Policy and their obligation not to disclose personal data to anyone who is not authorised to have it. Information supplied is kept in a secure filing, paper and electronic system and is only accessed by those authorised individuals involved in the delivery of the service. Information will not be passed on to anyone outside the organisation without their explicit consent, excluding statutory bodies e.g. the Inland Revenue.
J A Stott (Carpentry) Ltd will take reasonable steps to keep personal data up to date and accurate. Personal data will be stored for 40 years. Information will not be destroyed within the 40-year period as information and data has to be saved for Health and Safety legal reasons. The Director has responsibility for destroying personnel files.
Use of Photographs
Where practicable, J A Stott (Carpentry) Ltd will seek consent of individuals before displaying photographs in which they appear. If this is not possible (for example, a large group photo), the organisation will remove any photograph if a complaint is received. This policy also applies to photographs published on the organisation’s website or in the Newsletter.
CRIMINAL RECORDS BUREAU
J A Stott (Carpentry) Ltd will act in accordance with the CRB’s Code of Practice. Copies of disclosures are kept for no longer than is required. In most cases this is no longer than 6 months. There may be circumstances where it is deemed appropriate to exceed this limit e.g. in the case of disputes.
RESPONSIBILITIES OF EMPLOYEES AND SUBCONTRACTORS
During the course of their duties with J A Stott (Carpentry) Ltd, employees and subcontractors will be dealing with information such as names/addresses/phone numbers/e-mail addresses of clients. They may be told or overhear sensitive information while working for J A Stott (Carpentry) Ltd. The Information Commissioner’s Office (www.ico.org.uk) gives specific guidance on how this information should be dealt with under the General Data Protection Regulation. In short, to comply with the law, personal information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. All personnel, whether paid or unpaid, must abide by this policy.
Name: John Kane
Position: Construction Director