Our Data Protection Policy

DATA PROTECTION POLICY

Sussex Payroll Services Ltd is fully committed to compliance with the requirements of the General Data Protection Regulations 2018 (“GDPR”), which came into force on the 25th May 2018. The Company will therefore follow procedures that aim to ensure that all employees, contractors, agents, consultants, partners or other servants of the Company who have access to any personal data held by or on behalf of the Company are fully aware of, and abide by, their duties and responsibilities under GDPR.

1 STATEMENT POLICY

a. In order to operate efficiently, the Company has to collect and use information about people with whom it works. These may include members of the public; current, past and prospective employees; clients and customers; and suppliers. In addition, it may be required by law to collect and use information in order to comply with the requirements of central government. This personal information will be handled and dealt with properly however it is collected, recorded and used, and whether it is held on paper, in computer records or by any other means; there are safeguards within GDPR to ensure this.
b. The Company regards the lawful and correct treatment of personal information as very important to its successful operations and to maintaining confidence between the Company and those with whom it carries out business. The Company will ensure that it treats personal information lawfully, correctly and securely.
c. To this end the Company fully endorses and adheres to the Principles of Data Protection as set out in the General Data Protection Regulations 2018.

2 THE PRINCIPLES OF DATA PROTECTION

GDPR stipulates that anyone processing personal data must comply with Eight Principles of good practice. These Principles are legally enforceable.

a. The right to be informed – organisations are obliged to provide “fair processing information”, typically through a privacy notice, and to be transparent over how they use personal data.
b. The right of access – organisations are obliged to provide individuals with confirmation that their data is being processed, access to the data held about them and any other supplementary information.
c. The right to rectification – organisations are obliged to rectify any inaccurate or incomplete personal data and, where appropriate, inform any third parties to whom the data has been disclosed.
d. The right to erasure – organisations are obliged to provide individuals with “the right to be forgotten”, such that all personal data is either deleted or removed.
e. The right to restrict – organisations are obliged to provide individuals with the ability to “block” or suppress processing of personal data held, in certain circumstances.
f. The right to portability – organisations are obliged to allow individuals to obtain and reuse their personal data for their own purposes, and this data must be in a form that is open and accessible.
g. The right to object – organisations are obliged to inform individuals of this right and provide the ability to object to the processing of their data on grounds relating to their particular situation.
h. The right not to be subject to automated decision-making – organisations are obliged to provide safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.

GDPR provides conditions for the processing of any personal data. It also makes a distinction between personal data and ‘sensitive’ personal data.

The GDPR states that the personal information it is concerned with is:

Any information relating to an identified or an identifiable natural person (Data Subject); an identifiable person is one who can be identified, either directly or indirectly, in particular by reference to an identifier such as a name or an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive personal data is defined as personal data consisting of information as to:

a. Racial or ethnic origin
b. Political opinion
c. Religious or other beliefs
d. Trade union membership
e. Physical or mental health
f. Sexual orientation
g. Genetic data
h. Biometric data

3 HANDLING OF PERSONAL/SENSITIVE INFORMATION

The Company will, through appropriate management and the use of strict criteria and controls:

a. Fully observe the conditions regarding the fair collection and use of personal information.
b. Meet its legal obligations to specify the purposes for which information is collected and used.
c. Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.
d. Ensure that the information used is accurate and up to date.
e. Not keep personal data processed for any purpose or purposes for longer than is necessary for that purpose or those purposes.
f. Take appropriate technical and organisational security measures to safeguard personal information.
g. Ensure that personal information is not transferred abroad without suitable safeguards.
h. Ensure that the rights of the people about whom the information is held can be fully exercised under GDPR.

These include:

a. The right to be informed that processing is being undertaken.
b. The right of access to one’s personal information within the statutory 30 days.
c. The right to prevent processing in certain circumstances.
d. The right to correct, rectify, block or erase information regarded as wrong.

In addition, The Company will ensure that:

a. There is someone with specific responsibility for data protection in the organisation.
b. Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice.
c. Everyone managing and handling personal information is appropriately trained to do so.
d. Everyone managing and handling personal information is appropriately supervised.
e. Anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, knows what to do.
f. Queries about handling personal information are promptly and courteously dealt with.
g. Methods of handling personal information are regularly assessed and evaluated.
h. Performance with handling personal information is regularly assessed and evaluated.
i. Data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures.

All employees are to be made fully aware of this policy and of their duties and responsibilities under GDPR.

All managers and staff within the Company’s directorates will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:

a. Paper files and other records or documents containing personal/sensitive data are kept in a secure environment.
b. Personal data held on computers and computer systems is protected by the use of encryption and secure passwords which, where possible, are subject to forced periodic changes.
c. Individual passwords should be such that they are not easily compromised.

All contractors, consultants, partners or other servants or agents of the Company must:

a. Ensure that they, and all of their staff who have access to personal data held or processed for or on behalf of the Company, are aware of this policy and are fully trained in, and aware of, their duties and responsibilities under GDPR.
b. Accept that any breach of any provision of GDPR will be deemed a breach of any contract between the Company and that individual, company, partner or firm.
c. Allow data protection audits by the Company of data held on its behalf (if requested).
d. Indemnify the Company against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.

All contractors who are users of personal information supplied by the Company will be required to confirm that they will abide by the requirements of GDPR with regard to information supplied by the Company.

4 IMPLEMENTATION

The Company has appointed a Compliance Officer, who is responsible for ensuring that this Policy is implemented. Implementation will be led and monitored by the Compliance Officer, who will also have overall responsibility for:

1) General data protection training for staff and anyone working within the Company.
2) The development of best practice guidelines.
3) Carrying out compliance checks to ensure adherence to the GDPR throughout the business.

5 BREACH OF DATA PROTECTION

Any person working for or on behalf of the Company who knowingly breaches the General Data Protection Regulations may be subject to disciplinary action up to and including termination of employment with immediate effect.

6 VARIATION OF POLICY

The Company reserves the right to amend this policy in line with legislation and business needs as these dictate.