Data Protection Policy Couloir Partners and Associated Divisions
DATA PROTECTION POLICY
1.1.1 This policy is addressed to all staff members. It is valid in any circumstances where it can reasonably be applied.
1.1.2 We also have strict legal obligations to meet in the way we handle data, most particularly sensitive personal data.
1.1.3 This policy is not flexible. If you work for us or with us, you must comply. This policy is part of the contract of employment of every one of our employees.
1.1.4 If you come across any breach of this policy you should immediately report it, preferably in writing to a manager or director.
Aim of our data protection principles
1.1.1 The protection of data is of extreme importance. It is important for us as a business, for our customers and suppliers, for you and particularly for every individual, whether or not that person comes into one of those categories.
1.1.2 The aim of this policy is to ensure that everyone handling Personal Data is fully aware of the requirements and acts in accordance with these procedures.
1.1.3 As an employee of Couloir Partners (Ground floor flat, 33 Wymond Street, Putney London SW15 1DY) or (14-16 Great Pulteney Street), you should be aware of the importance of complying fully with all policies of the company.
1.1.4 The data protection policy exists to:
1.1.5 comply with the law;
1.1.6 protect your data;
1.1.7 protect the data of other staff members;
1.1.8 protect and manage the data of every third party with whom we deal, in accordance with the law;
1.1.9 protect the data of the company.
1.1.10 Please remember that data protection is the responsibility of all staff members at all times. It is very easy to disclose information about a colleague to a customer or friend, or about a customer to your spouse or relative. If you do so, you are in breach of this policy and of your contract of employment. To avoid this, you should avoid discussing any aspect of your work outside of the workplace, and discuss issues about which you have strong feelings only with the appropriate person at work.
1.1.11 We are extremely concerned to protect your privacy and confidentiality. We understand that all employees, and also customers, suppliers and others with whom we come into contact in our working day, are quite rightly concerned to know that their data will not be used for any purpose they did not intend, and will not fall into the hands of a third party. Our policy is both specific and strict. If you come across any instance of a failure of our policy, please do let us know.
1.1.12 Information may be unlawfully accessed by computer hackers and other unauthorised persons. We will take reasonable precautions against such events, but we take no responsibility for any unlawful act of any person.
1.1.13 Except as set out below, we do not share, or sell, or disclose to a third party, any personally identifiable information we collect.
1.1.14 To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
Definitions used in this policy
"Personal Data"
means any fact or opinion about a human individual, processed or recorded electronically, whether or not automatically, whether or not intentionally, and accessible by any one or more human or corporate persons.
"Data Protection Officer"
means a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any Personal Data are, or are to be, processed.
Data security
3.1.1 James Latham is the Data Protection Officer in the Company.
3.1.2 Because Personal Data is or may be held on many computers within the office, please use the password system laid down. Do not change any password or insert password access where previously there was none.
3.1.3 The company has a backup procedure for all data. Those involved in any element of it are reminded of the crucial importance of timely compliance with the procedures.
3.1.4 The organisation will take steps to ensure that Personal Data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:
3.1.5 No data to be stored directly on any individual laptops or desktops;
3.1.6 All data to be stored securely on the MS cloud, and/or using the Invenias database for all candidate and client data;
3.1.7 All hard copies of personal data, candidate or client, to be shredded and recycled;
3.1.8 All PCs to have the latest software updates for IT security.
3.2. Any unauthorised disclosure of Personal Data to a third party by an employee may result in dismissal from the company.
Data Protection Principles: the Law
Personal Data must be:
4.1. processed fairly and lawfully, meaning that the individual must give consent to the processing of it (for sensitive Personal Data, the individual must give explicit consent);
4.2. obtained only for specified and lawful purposes;
4.3. adequate, relevant and no more than is necessary;
4.4. accurate and up to date;
4.5. not kept for any longer than is necessary;
4.6. processed in keeping with the rights of the individual;
4.7. protected against unauthorised or unlawful processing, loss, destruction or damage.
Sensitive Personal Data
The Act defines eight categories of sensitive Personal Data. These are:
5.1.1 the racial or ethnic origin of data subjects;
5.1.2 their political opinions;
5.1.3 their religious beliefs or other beliefs of a similar nature;
5.1.4 whether they are a member of a trade union;
5.1.5 their physical or mental health or condition;
5.1.6 their sexual life;
5.1.7 the commission or alleged commission by them of any offence;
5.1.8 any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
5.2. We do hold data in one or more of the above categories. We do obtain the consent of the individual to hold such data. That consent is implicit in the individual giving the information to us to publish / act upon.
5.3. Here is a list of the information we collect. This is necessary to discuss the candidate with prospective clients and agree a suitable employment package:
5.3.1 Name
5.3.2 Age
5.3.3 Location
5.3.4 Email address
5.3.5 Phone number
5.3.6 Compensation data
Training
Training and awareness about the Data Protection Act and how it is followed in this organisation will take the following forms:
6.1. On induction: candidates to be made aware where and how data must be stored.
6.2. General training/ awareness program: candidates to be provided clear guidelines on how to adhere to the correct processes and policies, and advised of the risks of any failure to do so.
Employee information
This information is used:
7.1. to maintain proper employment records for our own use;
7.2. to maintain salary records and to pay staff in accordance with our obligations;
7.3. to comply with our legal obligations relating to tax and money;
7.4. to comply with legal obligations relating to employment.
Customer and client information
This information is used:
8.1. to provide customers and clients with the services they have requested;
8.2. for billing and accounting purposes;
8.3. to enable us to answer their enquiries;
8.4. for verifying their identity for security purposes;
8.5. for marketing our services and products.
Information which does not identify any individual may be used in a general way by us or third parties, to provide class information, for example relating to demographics or usage of a particular page or service.
Domain names and email addresses
You are recognised by our servers and the pages visited are recorded. This information is used:
9.1. in a collective way not referable to any particular individual, for the purpose of quality control and improvement of our site;
9.2. to send out news about the services to which web site visitors have signed up;
9.3. to tell customers and clients about other of our services.
Financial information, including credit card details
This information is used to obtain payment for goods and services ordered from us. We do not use it for any other purpose. We do not store this information longer than is necessary to process a payment. We are not responsible for such data once it has passed to our merchant service provider / bank.
Business associates’ information
This is information given to us in the course of business. This information is used:
11.1. to maintain our accounts and business records;
11.2. to enable us to answer enquiries;
11.3. to verify identities.
Disclosure to Government and their agencies
12.1.1 We are subject to the law like everyone else. We may be required to give information to legal authorities if they so request or if they have the proper authorisation such as a search warrant or court order.
Cookies
13.1.1 The Privacy and Electronic Communications (EC Directive) Regulations 2003 cover the use of cookies and similar technologies for storing information, and accessing information stored. This website complies with that law.
Information request
14.1.1 At any time you may review or update the personally identifiable information that we hold about you, by contacting us at the address below. To better safeguard your information, we will also take reasonable steps to verify your identity before granting access or making corrections to your information.
Confidentiality before and after termination of the employment
15.1.1 Between us and each employee, the provisions of this agreement shall remain valid and binding not only for the employment period but for a period of ten years after that. Breach of this provision is a breach of the contract of employment.
Explanatory notes:
Data protection policy
General notes
1. Compliance with the Data Protection Act 1998 consists of registration and the setting up of appropriate security procedures, then following them. This document does not alone provide compliance.
2. Your data protection policy is a matter for your discretion. This model policy is built around:
2.1. protecting you from contravening the Data Protection Act;
2.2. placing contractual obligations on staff;
2.3. providing re-assurance to your staff;
For compliance, it is essential that you specify what data is collected and what you do with it. The image you present to your staff is of course a matter for your choice.
3. For compliance, do include all uses to which you might wish to put Personal Data.
Here is the official government guidance (Crown copyright acknowledged) from: https://ico.org.uk
Every data controller must take into account the privacy rights of an individual. That term covers both employees and external third parties who might come to your website. The following points should be considered by data controllers in planning their Internet strategies.
3.1. Personal data placed on the Internet is available world-wide. In many countries the use of Personal Data is not protected by legislation. Because of this it is always advisable and will often be essential to obtain consent from individuals before publishing their Personal Data on your website.
3.2. When collecting information via the Internet always inform the user of who you are, what Personal Data you are collecting, processing and storing and for what purpose. Do this before a user gives you any information, when they visit your site and wherever they are asked to provide information, for example via an on-line application form.
3.3. It is good practice to ask for consent for the collection of all data and it is usually essential to get consent if you want to process sensitive Personal Data.
3.4. Always let individuals know when you intend to use 'Cookies' or other covert software to collect information about them. Never collect or retain Personal Data unless it is strictly necessary for your purposes. For example, you should not require a person's name and full address to provide an on-line quotation. If extra information is required for marketing purposes, this should be made clear and the provision of the information should be optional. Design your systems in such a way as to avoid or minimise the use of Personal Data.
3.5. Upon a user's request you should correct, change or delete inaccurate details. If information is altered notify the third parties to whom the original information was communicated.
3.6. Regularly delete data which is out of date or no longer required. Stop processing data if the user objects to it because the processing is causing him damage or distress.
3.7. When you have collected Personal Data online, you should obtain the permission of the data subject before using it for marketing purposes. If a user asks you to stop using his or her data for marketing purposes, you must comply with that request. If the Personal Data is "sensitive Personal Data", you should use it only with the precise and express consent of the data subject.
3.8. Use the most up to date technologies to protect the Personal Data collected or stored on your site. Especially sensitive or valuable information, such as financial details should be protected by reliable encryption technologies.
4. Cookies
4.1. If you use cookies (as almost all websites do), you must obtain the consent of every computer user you communicate with via the Internet.
4.2. Consent can be either express consent or implied consent. It is a matter of fact for any occasion, as to whether consent is express or implied, or there is no consent.
4.3. Implied consent can be valid for the purposes of the Regulations. The most common instance of implied consent is when a computer user has consented on one occasion and returns to your site at some later time.
4.4. Express consent is most commonly given by the user taking some specific action to confirm agreement or acceptance. An example is ticking a box.
4.5. For informed consent, you should not rely on the fact that a user might have read a privacy policy that is perhaps hard to find or difficult to understand.
4.6. To comply with the law, you must obtain informed consent and provide clear and comprehensive information about any cookies you are using.
4.7. Although devices which process Personal Data give rise to greater privacy and security implications than those which process data from which the individual cannot be identified, the Regulations apply to all uses of such devices, not just those involving the processing of Personal Data.