1 The data protection principles
There are eight data protection principles that are central to the Act. The Company and all employees must comply with these principles at all times in their information-handling practices. In brief, the principles say that personal data must be:
1. Processed fairly and lawfully and must not be processed unless certain conditions are met in relation to personal data and additional conditions are met in relation to sensitive personal data. The conditions are either that the employee has given his consent to the processing, or the processing is necessary for the various purposes set out in the Act. Sensitive personal data may only be processed with the explicit consent of the employee and consists of information relating to:
· Race or ethnic origin.
· Political opinions and trade union membership.
· Religious or other beliefs.
· Physical or mental health or condition.
· Sexual life.
· Criminal offences, both committed and alleged.
2. Obtained only for one or more specified and lawful purposes, and must not be processed in any manner incompatible with those purposes.
3. Adequate, relevant and not excessive in relation to the purposes for which it is processed. The Company will review employees’ personnel files on a regular basis to ensure they do not contain a backlog of out-of-date or irrelevant information and to check there is a sound business reason requiring information to continue to be held.
4. Accurate and, where necessary, kept up-to-date. If your personal information changes, for example you change address or you get married and change your surname, you must inform your line manager as soon as practicable so that the Company’s records can be updated. The Company cannot be responsible for any such errors unless the employee has notified the Company of the relevant change.
5. Not kept for longer than is necessary. The Company will keep personnel files for no longer than six years after an employee has left the Company’s employment. Different categories of data will be retained for different periods of time, depending on legal, operational and financial requirements. Any data which the Company decides it does not need to hold for a particular period of time will be destroyed after approximately one year. Data relating to unsuccessful job applicants will only be retained for a period of one year.
6. Processed in accordance with the rights of employees under the Act.
7. Secure. Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, data. Personnel files are confidential and are stored as such in locked filing cabinets. Only authorised employees have access to these files. For a list of authorised employees, please contact (name), the Company’s Data Protection Officer. Files will not be removed from their normal place of storage without good reason. Data stored on memory sticks, discs, portable hard drives or other removable storage media is kept in locked filing cabinets. Data held on computer is also stored confidentially by means of password protection, encryption or coding and again only the above employees have access to that data. The Company has network back-up procedures to ensure that data on computer cannot be accidentally lost or destroyed.
8. Not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection in relation to the processing of personal data.
2 Employees’ rights to access personal information
Under the Act, employees have the right on request to receive a copy of the personal data that the Company holds about them, including personal data held on personnel files that form part of a relevant filing system, and to demand that any inaccurate data held be corrected or removed. They also have the right to seek compensation where damage and distress have been caused to them as a result of any breach of the Act by the Company.
Employees have the right, on request:
· To be told by the Company whether and for what purpose personal data about them is being processed.
· To be given a description of the personal data concerned and the recipients to whom it is or may be disclosed.
· To have communicated in an intelligible form the personal data concerned, and any information available to the Company as to the source of the data.
· To be informed in certain circumstances of the logic involved in computerised decision-making.
Upon request, the Company will provide you with a statement regarding the personal data held about you. This will state all the types of personal data the Company holds and processes about you and the reasons for which they are processed.
If you wish to access a copy of any personal data being held about you, you must make a written request for this and the Company reserves the right to charge you a fee of £10.00 for the supply of the information requested. If you wish to make a request, please complete a Personal Data Request Form, which can be obtained from the Data Protection Officer. Once completed, it should be returned to the Data Protection Officer. The Company will respond promptly and in any case within 40 calendar days of receiving the request. Note that the Company will always check the identity of the employee making the request before processing it.
If you wish to make a complaint that this policy has not been followed in respect of personal data the Company holds about you, you should raise the matter with the Data Protection Officer. If the matter is not resolved, it should be raised as a formal grievance under the Company’s grievance procedure.
There are a number of exemptions from the data protection regime set out in the Act, for example:
· Confidential references that are given, but not those received by the Company from third parties. Only designated line managers can give Company references. Confidential references will not be provided unless the Company is sure this is the employee’s wish.
· Management forecasts and management planning (including documents setting out management plans for an employee’s future development and progress).
· Data which is required by law to be publicly available.
· Documents subject to legal professional privilege.
4 Secure storage, handling, use, retention and disposal of Disclosure and Barring Service (DBS) certificates and certificate information.
As an organisation using the Disclosure and Barring Service (DBS) checking service to help assess the suitability of applicants for positions of trust, the Company complies fully with the code of practice regarding the correct handling, use, storage, retention and disposal of certificates and certificate information.
It also complies fully with its obligations under the Data Protection Act 1998 and other relevant legislation pertaining to the safe handling, use, storage, retention and disposal of certificate information and has a written policy on these matters, which is available to those who wish to see it on request.
4.1 Storage and access
Certificate information should be kept securely, in lockable, non-portable, storage containers with access strictly controlled and limited to those who are entitled to see it as part of their duties.
In accordance with section 124 of the Police Act 1997, certificate information is only passed to those who are authorised to receive it in the course of their duties. We maintain a record of all those to whom certificates or certificate information has been revealed and it is a criminal offence to pass this information to anyone who is not entitled to receive it.
Note: those registered care homes which are inspected by the Care Quality Commission (CQC), those organisations which are inspected by Ofsted and those establishments which are inspected by the Care and Social Services Inspectorate for Wales (CSSIW) may retain the certificate until the next inspection.
Once the inspection has taken place the certificate should be destroyed in accordance with the code of practice.
Certificate information is only used for the specific purpose for which it was requested and for which the applicant’s full consent has been given.
Certificates shall be retained by the Company for the purpose of demonstration to schools, should this be required. A copy of a DBS certificate shall be passed on only with the express written consent of the individual concerned. The individual is required to carry a copy of their DBS certificate at all times when visiting a school.
Throughout this time, the usual conditions regarding the safe storage and strictly controlled access will prevail.
Once the retention period has elapsed, we will ensure that any DBS certificate information is immediately destroyed by secure means, for example by shredding, pulping or burning. While awaiting destruction, certificate information will not be kept in any insecure receptacle (e.g. waste bin or confidential waste sack).
We will not keep any photocopy or other image of the certificate or any copy or representation of the contents of a certificate. Notwithstanding the above, we may keep a record of the date of issue of a certificate, the name of the subject, the type of certificate requested, the position for which the certificate was requested, the unique reference number of the certificate and the details of the recruitment decision taken.
4.6 Acting as an umbrella body
Before acting as an umbrella body (an umbrella body being a registered body which countersigns applications and receives certificate information on behalf of other employers or recruiting organisations), we will take all reasonable steps to satisfy ourselves that the employers or recruiting organisations on whose behalf we act will handle, use, store, retain and dispose of certificate information in full compliance with the code of practice and in full accordance with this policy.
We will also ensure that any body or individual, at whose request applications for DBS certificates are countersigned, has such a written policy and, if necessary, will provide a model policy for that body or individual to use or adapt for this purpose.
4.7 DBS logo
The DBS logo is protected by Crown copyright; copying or use of the DBS logo is not permitted without the prior approval of the DBS.
5 GDPR compliance
MTM takes all necessary steps to comply with the General Data Protection Regulation (GDPR), which has applied since 25 May 2018. The GDPR updates the principles set out in the Data Protection Act 1998. The purpose of this update is to protect individuals against infringements of their privacy that may cause harm.
The GDPR introduces a new transparency requirement, a more robust data minimisation principle, an allowance for data to be stored for longer for archiving, research and statistical purposes, and a controller accountability principle.
The seven core elements of this are:
Lawfulness, fairness & transparency
Personal data must be processed lawfully, fairly and in a transparent manner.
Purpose limitation
Personal data must be collected only for specified, explicit and legitimate purposes.
Data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the intended purpose.
Accuracy
Personal data must be accurate and, where necessary, kept up to date.
Storage limitation
Personal data must not be kept in a form which permits identification for any longer than necessary for the given purpose.
Integrity & confidentiality
Personal data must be processed in a manner which ensures its appropriate security.
Accountability
The data controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.
Personal information, including DBS certificates, descriptions of skills (bios), résumés/CVs and photographs of employees and subcontractors, is used on our website and supplied directly to clients where requested. Clients may ask for additional information and, where the Company deems that reasonable, we shall comply.
As a policy, we do not hold data on specific individuals except where absolutely necessary for the continued success of the business (in accordance with Article 6 of the GDPR). All employees are encouraged to have a working knowledge of Regulation (EU) 2016/679 (General Data Protection Regulation).
5.1 Handling Data that is Collected During Client Exercises
Client data shall not be sold or transferred to third parties acting on their own behalf. Customer’s data is customer’s data and is treated as such.
5.1.1 Physical Items
Physical items, such as prospectuses, school collateral and parent gifts shall be disposed of at the close of the exercise or within 1 year of collection, whichever is sooner.
5.1.2 Paper records
Paper records, such as post-its and documents generated during client events, shall be captured electronically and disposed of within 2 months or by the end of the exercise, whichever is sooner.
5.1.3 Electronic Records – inside the project
Electronic records such as focus group and telephone recordings and emails shall be held for a period of 3 years, in order to compare and contrast where changes have occurred. Where examples are created or identified from the materials, they shall be treated as reports. Should the Client require either the early destruction of data or its storage for a longer period, this can be carried out at the Client’s request at any point prior to the destruction of the data.
– Survey and Research Tool Data
Whether the survey or research tool is completed by a parent, prospective parent, MTM-trained researcher or anyone else, the data collected by the tool is stored remotely for the MTM office team to access. Some portion of the data may be stored temporarily, in cookies and the like, or on the mobile phone app while it awaits an appropriate internet connection. No access to the ‘back end’ data is provided to users unless expressly granted by MTM.
Surveys shall be provided by means of a secure link.
Research tool data is accessed by a secure link and password (or equivalent).
– Emails – dedicated email addresses created within a client project
Researchers only have access to the email accounts for the email addresses that they are personally responsible for monitoring. The passwords for these email accounts are centrally controlled, so researchers cannot add them to email clients such as those installed on an iPhone or Android device, which would save some portion of the email content to the device. Emails are stored on MTM’s secure mail server, which is accessible only by MTM-approved staff and developers. PDF copies are created, to be stored on the MTM centrally controlled OneDrive (or equivalent) and supplied to the Client SharePoint (or equivalent).
– Recorded materials
System recorded materials, including telephone recordings, are transferred directly to the research tool, where they can be reviewed by the researchers.
Researcher recorded materials are uploaded to the research tool and then removed from the portable device. Where requested, these can be edited to anonymise part or all of the content.
Recording copies are created, to be stored on the MTM centrally controlled OneDrive (or equivalent) and supplied to the Client SharePoint (or equivalent).
5.2 Handling Data Relevant to the General Running of the Business
5.2.1 Paper records
Paper records shall be captured electronically, and the originals disposed of after a period of 1 year. Electronic copies may be kept indefinitely.
5.2.2 Electronic Records – as part of the description, control, monitoring and modification of the project
Electronic records between clients and MTM, including emails, recordings and data included as attachments or otherwise, shall be kept indefinitely.
5.2.3 Data collection
MTM collects data from a wide variety of sources, including third parties, MTM aggregated data sets and other data sources. Data processed for the purpose of customer reports shall be retained indefinitely. In the unlikely event that names other than those of MTM staff, researchers and focus group attendees are captured, they should be removed from the record after a period of 2 years where practicable.
– Paper records
Paper records shall be stored in a lockable cabinet in a lockable office. Efforts should be taken to avoid the need for printing documents and for paper records. No sensitive data should remain on employees’ desks overnight or outside of working hours. Sensitive documents shall be disposed of by shredding.
– Windows File Structure Files
Files such as Word, Excel and Alteryx files shall be stored on a centrally controlled OneDrive (or equivalent) secure remote storage system. Access shall be restricted to named user accounts (identified by email address) or by another appropriate authentication process. Dated backups of these files shall be encrypted and stored in a safe, or in a room with at least locking bolts.
– Database Data
SQL databases shall be hosted on a centrally controlled Azure SQL Database (or equivalent) and accessed through an appropriate secure access system. Access shall be restricted by user account (email address and password), by IP address, or by another appropriate access control. Dated backups of these databases shall be encrypted and stored in a safe, or in a room with at least locking bolts.
Reports, published or otherwise, shall be held indefinitely in order for MTM to provide the service our customers expect from us. They shall, however, only be shared with the party commissioning the report, unless the report is commissioned by MTM.
5.3 Data Governance transfer
MTM is also responsible for ensuring that the appropriate markings and notices are applied to the data prior to transfer. The data transfer is the responsibility of the Client. MTM is responsible for using the transfer mechanism requested by the Client. Once MTM transfers data to the Client, responsibility for its governance passes to the Client under the Client’s own data governance policy; however, the Client is not permitted to remove any notices, trademarks or copyright notices from the data.
MTM uses both laptops and mobile phones to access data. Storage of files on unencrypted devices should be minimised to prevent data being accessed in the event of theft.
All MTM devices shall be password protected and, where applicable, have up-to-date antivirus software installed. Files should be saved to and worked on from the cloud-based file structure, not saved directly on the computer. As such, the device, regardless of its physical location, operates as a terminal and is replaceable.
Holding minimal data directly on the device reduces both the risk of physical data loss and the risk of data being extracted from a device that is stolen or forcibly accessed.
5.5 Data Traceability
The mechanism by which data is brought into the business should be recorded, and each subsequent change or modification to the data should then be logged. All data should be fully auditable, such that the original data remains available together with an auditable record of the amendments leading to the current data set.
5.6 Backup control
Quarterly backups shall be carried out onto encrypted hard drives as part of disaster recovery planning. These drives shall be accessible only by a company director, and no information shall be deleted from them.
6 Employees’ obligations in relation to personal information
If, as part of your job duties and responsibilities, you collect personal information about employees or other people such as clients or customers, you must comply with this policy. This includes ensuring the information is processed in accordance with the Act, is only processed for the purposes for which it is held, is kept secure and is not kept for longer than necessary. You must also ensure you comply with the following guidelines at all times:
· Do not give out confidential personal information except to the data subject. In particular, it should not be given to someone, either accidentally or otherwise, from the same family or to any other unauthorised third party unless the data subject has given their explicit prior consent to this.
· Be aware that those seeking information sometimes use deception in order to gain access to it. Always verify the identity of the data subject and the legitimacy of the request, particularly before releasing personal information by telephone.
· Where the Company provides you with code words or passwords to be used before releasing personal information, for example by telephone, you must strictly follow the Company’s requirements in this regard.
· Only transmit personal information between locations by fax or e-mail where secure means are in place, for example a confidential fax machine, or encryption for e-mail.
· If you receive a request for personal information about another employee, you should forward this to the Data Protection Officer, who will be responsible for dealing with such requests.
· Ensure that any personal data which you hold is kept securely, either in a locked filing cabinet or, if it is computerised, it is password protected so that it is protected from unintended destruction or change and is not seen by unauthorised persons.
· Do not access another employee’s records without authority; this will be treated as gross misconduct and may also constitute a criminal offence.
· Do not write down (in electronic or hard copy form) opinions or facts concerning a data subject which it would be inappropriate to share with that data subject.
· Do not remove personal information from the workplace with the intention of processing it elsewhere unless this is necessary to enable you to carry out your job duties and has been authorised by your line manager.
· Ensure that, when working on personal information as part of your job duties when away from your workplace and with the authorisation of your line manager, you continue to observe the terms of this policy and the Act, in particular in matters of data security.
· Ensure that hard copy personal information is disposed of securely, for example by cross-cut shredding.
Compliance with the Act is the responsibility of all employees. Any questions or concerns about the interpretation of this policy should be raised with the Data Protection Officer.