Everyone has rights with regard to how their personal information is handled. During the course of our business activities, it is necessary for us to collect, store and process personal information about our staff, customers, suppliers and other third parties. The correct and lawful treatment of this data is an essential part of maintaining trustworthy business relationships, being an attractive employer and, ultimately, providing for successful business operations.
This policy details individual rights and obligations in relation to information about current, past and prospective suppliers, clients and employees as well as other third parties we hold relationships with. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Data Protection Legislation.
This policy does not form part of any employee’s contract of employment and may be amended at any time.
Anybody with access to the personal, special categories or criminal records data of employees or of third parties must comply with this Policy.
The Company processes personal data in accordance with the following data protection principles:
Where we collect personal data directly from data subjects, we will inform them about the purpose(s) for which we intend to process the personal data.
If we receive personal data about a data subject from other sources, we will provide the data subject with this information as soon as possible thereafter, but always within one month of having collected the personal data.
The Company processes data only on the grounds permitted in data protection legislation.
The Company will process special categories and criminal records data primarily where it is necessary to enable the Company to meet its legal obligations and in particular to ensure adherence to health and safety legislation or for equal opportunities monitoring purposes.
If the company intends to process sensitive personal data, further details will be issued.
If, at any time during delivery of the contract, the Company chooses to appoint a sub-contractor, it ensures that the sub-contractor is able to fulfil its data protection responsibilities to the same or a higher standard than the terms outlined in this policy.
The sub-contractor’s right to process personal data terminates automatically, for whatever reason, on expiry or termination of this Agreement or the sub-contract, whichever is earlier.
We do not disclose personal data to a third party (including a sub-contractor) in any circumstances unless:
For third party requests, the Company shall use reasonable endeavours to advise the Client in advance of such disclosure, unless it is prohibited by law or regulation from notifying the Client of that disclosure, in which case it shall do so as soon as practicable thereafter (where permitted by law or regulation).
We shall not make (nor instruct or permit a third party to make) a data transfer unless the European Commission has recognised that the legal framework in place in that country, territory, sector or international organisation provides adequate protection for individuals’ rights and freedoms for their personal data.
We shall not retain Personal Data for longer than is necessary to perform the contract, fulfil a legal obligation, or protect other legitimate companies’ interests;
Data protection legislation prescribes the way in which the Company may collect, retain and handle personal data. It outlines that each data subject has the following rights:
The Company will comply with the requirements of data protection legislation and all employees, contractors and other third parties who handle personal data in the course of their work must also comply with it.
Data subjects have the right to make a subject access request. The request must be made formally, state what information is being requested, and be addressed to the Company’s nominated data officer.
Any requests sent to an employee will be immediately forwarded to the nominated data officer.
There is no fee for the information request. However, where a request is unfounded or excessive (including repetitive requests), a reasonable fee (based on the administrative cost) may be charged.
The Company will respond to a request within one month from the date we receive it. In some cases, such as where the Company processes large amounts of the individual’s data, the response time may be extended to three months from the date the request is received. In that instance, the individual will be informed about the extension within one month of receiving the original request.
The Company may refuse to provide certain personal data in response to a request from an individual where the relevant legislation provides an exemption. There are very few exemptions for non-disclosure and the application of these exemptions requires careful consideration.
We will process the personal data we hold in accordance with the objectives of the Information Security Policy.
We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if they agree to comply with those procedures or policies, or if they put in place adequate measures which are of the same or a higher standard.
The company employs the following security procedures:
Each employee is responsible for helping the Company keep personal data accurate and up to date. This includes their own personal data provided to the Company as well as the information processed on behalf of the business.
An employee who has access to the personal data of other individuals or of our clients in the course of their employment, contract, internship or apprenticeship is classed as a data processor and is relied on to help the Company meet its data protection obligations.
Any data processor is required to maintain data security by protecting the confidentiality, integrity and access of personal data, defined as follows:
The Company will review personal data regularly to ensure that it is accurate, relevant and up to date.
To ensure the Company’s files are accurate and up to date, and so that the Company is able to contact you or, in the case of an emergency, another designated person, you must notify the Company as soon as possible of any change in your personal details (e.g., change of name, address, telephone number, loss of driving licence where relevant, next of kin details, etc).
The Company will ensure that personal data is not processed unlawfully, lost or damaged. If you have access to personal data during the course of your employment, you must also comply with this obligation. If you believe you have lost any personal data in the course of your work, you must report it to your manager immediately. Failure to do so may result in disciplinary action up to and including dismissal without notice.
The Company will record all data breaches regardless of their effect.
A breach of personal data that poses a risk to the rights and freedoms of individuals will be reported to the Information Commissioner within 72 hours of discovery.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, affected individuals will be informed about a breach, its likely consequences and the mitigation measures which have been taken.
If you have concerns about an organisation’s information rights practices, contact Commercial Director Duncan Beach, who is acting as a Data Protection Officer:
By email: duncan.beach@walterlilly.co.uk
By telephone: 020 8730 6238
If you feel that your concerns are not recognised or are dealt with in an inappropriate manner, the Information Commissioner’s Office website is there for further support and advice.