Data Protection Policy
Data Protection Policy
1. Policy Introduction
1.1. Introduction
1.1.1. This policy deals with the roles and responsibilities of The Employment Services Partnership Limited, ESP Solicitors Limited and ESP Safeguard Limited (“ESP”) and its staff with regard to the processing of personal data.
1.1.2. References to “we”, “us” or “our” refer to ESP itself.
1.1.3. We process personal data about a range of data subjects, such as employees, clients, employees of clients and suppliers. We process personal data for a number of purposes such as the provision of legal services to our clients as well as employee administration and the management of the business. It is critical to ESP that we are able to use personal data in this way. In order to continue to be able to do so, we must comply with the General Data Protection Regulation and Data Protection Act 2018 (the “Data Protection laws”).
1.2. Policy on Personal Data
1.2.1. We endeavour to ensure that personal data is processed in accordance with the Data Protection Laws and in particular the seven Data Protection Principles.
1.2.2. We have put in place systems of work and procedures to ensure that we comply with the Data Protection Laws. We aim to provide all employees with sufficient information, instruction and training as is necessary in order to identify personal data and process it appropriately.
1.2.3. Our directors have agreed this policy.
1.2.4. This policy will be reviewed at regular intervals and revised where it is considered appropriate to do so having regard to legislative change, codes of practice, guidance from the Information Commissioner’s Office (“ICO”), good data protection practice and case law.
1.2.5. Any breach of this policy will be taken seriously and may result in disciplinary action.
1.2.6. All employees and contractors of ESP have a duty to ensure that they are fully aware of this policy and that they comply with its directions.
1.2.7. If you have any questions or queries in relation to this policy, you must contact the Operations Team Leader at ESP.
2. Definition of Data Protection Terms
The following terms are used throughout this policy. It is important that you understand their meaning. Many of the terms are set out in the Data Protection Laws.
2.1. “Data” is information which is stored electronically, on a computer, or in certain paper-based filing systems. The Act is not restricted to information held on computers. Electronic data includes data kept on computer and other digital devices such as laptops, tablets, smart phones, mobile phones and digital cameras. Well ordered paper based filing systems such as an HR filing cabinet with employees listed alphabetically will be covered by the Data Protection Laws.
2.2. “Data subjects” for the purpose of this policy include all living individuals about whom we hold personal data. A data subject does not need to be a UK national or resident. All data subjects have legal rights in relation to their personal data.
2.3. “Personal data” is any information relating to an identified or identifiable living individual.
2.4. “Data controllers” are the people who, or organisations which, determine the purposes for which, and the manner in which, personal data is processed. They have a responsibility to establish practices and policies in line with the Data Protection Laws.
2.5. “Data processors” include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data behalf of ESP.
2.6. “Processing” is any activity that involves use of the data. We will process personal data when we obtain, record or hold the data, or carry out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
2.7. “Special category personal data” includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, genetic data, biometric data, physical or mental health or condition or sexual life. Special category personal data can only be processed under strict conditions and will usually require the express consent of the person concerned.
3. Legal obligations on Processing
3.1. If we process personal data we must do so in accordance with the six Data Protection Principles. These state that personal data must be:
3.1.1. Processed lawfully, fairly and transparently;
3.1.2. obtained for a specified and lawful purpose and processed compatibly with that purpose;
3.1.3. adequate, relevant and necessary for the purpose for which it is processed;
3.1.4. accurate and up to date;
3.1.5. kept in a form that identifies the Data Subjects for no longer than necessary; and
3.1.6. processed in a manner that ensures its appropriate security.
4. Notification
4.1. Unless an organisation is exempt, it must notify the ICO if it processes personal data. ESP, and all relevant group companies, are currently registered as Data Controllers with the ICO.
4.2. We are obliged to keep the notification up to date at all times. Should any of the details provided as part of the notification change, these must be notified to the ICO. ESP’s Operations Manager is the person tasked with keeping the notification up to date and any queries or concerns regarding this should be addressed to her.
4.3. It is important that we make sure the notification is accurate and up to date. Failure to notify the ICO could result in a criminal offence being committed by us or a person who has a duty to notify changes to the ICO.
5. Data Protection Best Practice
5.1. We must process personal data in accordance with the Data Protection Laws. We are responsible for:
5.1.1. Explaining to all relevant staff the importance of data protection;
5.1.2. providing staff with adequate training (where necessary), information, instruction and supervision to ensure personal data is processed in accordance with the Data Protection Laws;
5.1.3. assuming overall responsibility for compliance with the Data Protection Laws;
5.1.4.selecting someone to be responsible for ensuring compliance with the Data Protection Laws and making this person known to staff. This person is the Operations Team Leader.
5.1.5. maintaining a record of how personal data is kept and processed and notifying the ICO in accordance with the Data Protection Laws;
5.1.6. maintaining a record of any breaches of our obligations under the Data Protection Laws and, where necessary, notifying the ICO and, on some occasions, the data subjects of any such breaches.
5.2. We must:
5.2.1. Be aware of the issues regarding data protection;
5.2.2. consider the rights of data subjects who may be affected by our data processing actions;
5.2.3. process personal data in accordance with this policy;
5.2.4.report any data subject access requests or other questions regarding data protection to the Operations Team Leader; and
5.2.5. report any actual or suspected breach of this policy to the Operations Team Leader immediately.
6. Processing Personal Data
6.1. All personal data should be processed in accordance with the Data Protection Laws, ESP’s Privacy Policy and this policy.
6.2. Personal data is data relating to an individual. It includes employee data, supplier data, customer data and prospect data. It will not include data relating to a company or organisation, although any data relating to individuals within companies or organisations will be covered.
6.3. Examples of personal data are employee details including employment records, any third party data, for example information relating to a supplier and any information processed by us in relation to the employees of our clients to whom our trusted third party legal advisors provide legal advice. Recorded telephone conversations, notes of legal advice given by our trusted third party legal advisors relating to a specific individual as well as photographs taken of staff or CCTV images are also personal data.
6.4. We will process personal data when we obtain, record or hold the information or data or carry out any operation with the personal data.
6.5. We must assume that whatever we do with personal data will be considered to involve processing it in accordance with the Data Protection Laws and we must therefore only process data if:
6.5.1. We have consent to do so. If we are relying on consent to process the data we must make sure that the consent covers us for the precise reason we want to process the personal data. Any consent relied on must be clear, specific as to the use intended and unambiguous;
6.5.2. it is necessary to fulfil a contractual or legal obligation or as part of the employer/employee relationship (for example processing the payroll); or
6.5.3. there is another legitimate reason to process the data, and the data subject’s rights are unduly impacted by the processing (for example, reviewing personnel records for a business being acquired); or
6.5.4. doing so is necessary to protect someone’s life (for example, passing on medical information in the case of a medical emergency).
6.6.If paragraph 6.5 is not satisfied, we must contact the Operations Team Leader before processing the personal data to ensure that ESP can legally carry out the proposed activity.
7. Information, Instruction and Supervision
7.1. Data protection advice for ESP employees is available from the Operations Team Leader who will arrange for advice from external advisers if necessary.
7.2. We will ensure that all new staff, particularly those with access to personal data, are trained on our data protection policy as soon as possible after they are recruited. The level of training for each individual employee will depend on the level of access and responsibility for processing personal data. Please also see section 8 (Competency for Tasks and Training).
7.3. If any member of staff feels that they need additional training, they should contact the Operations Team Leader who will arrange for additional training to be provided.
7.4. If any member of staff considers that any task or work they have been asked to undertake involves the processing of personal data and are unsure whether or not the task or work would be in breach of the Data Protection Laws, this should be discussed with the Operations Team Leader who will be able to provide guidance and advice as to what to do.
8. Competency for Tasks and Training
8.1. We recognise that our employees are a key factor in supporting our effective and efficient operation and helping us to comply with data protection laws and good practice. We are committed to ensuring they receive training and development to help fulfil our legal and good practice obligations regarding the processing of personal data.
8.2. In the first instance, all new employees will receive an appropriate “on the job” induction into ESP. The induction will cover data protection. The level of training will be dependent on the employee’s position.
8.3. In addition, all new employees will undertake a probationary period under the supervision of an experienced employee until they achieve the appropriate standards and efficiency required for our employees. Additional training on data protection issues may be provided as appropriate.
8.4. Employees should only process personal data where they have received adequate training to do so. This applies equally to full time, part time and temporary employees.
8.5. Records of training undertaken by employees are kept by ESP’s HR department.
9. Monitoring the Use of Personal Data
9.1. We are committed to ensuring this policy is put into practice and that appropriate working practices are being followed. To this end, the following steps will be taken:
9.1.1. All employees who deal with personal data will be made aware of data protection issues and encouraged to work towards continuous improvement in the way we process personal data;
9.1.2. employees who handle personal data on a regular basis or who process sensitive or other confidential personal data will be monitored;
9.1.3. spot checks may be carried out by managers; and
9.1.4. The Operations Team Leader shall submit to the directors a report on, amongst other things, the level of compliance with or variance from good data protection practices. The directors will consider what steps, if any, are necessary in order to improve data protection performance.
9.2. Complaints on our data protection practices may be received from:
9.2.1. Employees;
9.2.2. suppliers;
9.2.3. our clients;
9.2.4. employees of our clients; or
9.2.5. others whose personal data we handle.
9.3. The Operations Team Leader will be responsible for investigating any complaints about our data protection practices in order to deal with any data protection breaches and to see what improvements can be made to prevent recurrences of such breaches. The results of such investigations will be reported to the directors who will be responsible for arranging for any improvements to be carried out.
9.4. Where we engage in a new way of processing personal data, we shall review that new method and ensure that any personal data so processed is done in accordance with the law and good practice.
10. Handling and Storing Personal Data and Data Security
10.1. We shall:
10.1.1. Take appropriate technical and organisational measures to guard against unauthorised or unlawful processing of personal data. The Act requires procedures and technologies to be implemented to maintain the security of all personal data from the point of collection to the point of destruction. Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
10.1.1.1. “Confidentiality” means that only people who are authorised to use the data can access it;
10.1.1.2. “Integrity” means that personal data should be accurate and suitable for the purpose of which it is processed; and
10.1.1.3. “Availability” means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore only be saved on our central computer system instead of individual PCs, laptops, smart phones and other employee owned devices;
10.1.2. ensure that staff who handle personal data are adequately trained and monitored;
10.1.3. ensure that passwords and physical security measures are in place to guard against unauthorised disclosures; and
10.1.4. where employees are allowed to work from home or use their own device for work, employees must ensure they comply with ESP’s policies and procedures in respect of such activities.
10.2. Paper Records
10.2.1. Manual data refers to paper and other non-digital personal data, records (such as copies of photographs or plans) which are recorded as part of a relevant filing system or with the intention that it should form part of such a system.
10.2.2. A relevant filing system is any set of information relating to individuals which is structured either by reference to individuals or by reference to criteria relating to individuals in such a way that specific information relating to a particular individual is readily accessible. To be covered by the Data Protection Laws, manual files have to have the same ready accessibility as a computerised file. For example, this could include employment records. However, it is good practice to treat all personal data, however stored or held, in accordance with the principles set out in the Data Protection Laws.
10.2.3. We shall ensure that all written records containing personal data shall be reviewed in accordance with paragraph 10.2.4 and a record shall be kept of all such reviews.
10.2.4. ESP also strives to minimise its use of paper records and operates a ‘clean desk’ policy to minimise the amount of paper that is being used and stored.
10.2.5. Manual records containing personal data must be reviewed in order to ensure that the data contained within them is accurate, not excessive, up to date and adequate for their purpose. All files shall be reviewed on a bi-annual basis for this purpose and in any event we must review manual records as and when they are periodically reviewed or retrieved for whatever purpose.
10.2.6. Any documents containing personal data or special category personal data should not be left on a desk on view when the desk is unattended.
10.3. Special category personal data
10.3.1. We must:
10.3.1.1. Take particular care of special category personal data and, where we have access to such information, we must make sure we process it properly and in accordance with the Data Protection Laws;
10.3.1.2. unless data is being processed in accordance with an employment contract or for medical purposes or in relation to a criminal investigation, we must make sure we obtain the explicit consent of an individual before processing sensitive data relating to them; and
10.3.1.3. store all sensitive data with adequate security measures to prevent unauthorised disclosure. Such measures will include lockable cabinets and password protection and encryption of automated data. We will also ensure that only those who need to access this information have access to it.
10.4. Technical Security measures
10.4.1. We will ensure that all computers have protection against malicious software/viruses and that software is not installed and information is not downloaded without first being checked for viruses and other malware. We will keep up to date with patches, fixes and new releases to ensure that our systems are protected against known security issues.
10.4.2. We must always store personal data electronically on our central computer system, rather than on local drives, devices or at home.
10.4.3. All computers and documents containing personal data should be password protected and all passwords should be kept secret at all times. Employee passwords should include a mixture of letters and numbers and not be easy to guess or use common combinations – such as “1234”.
10.4.4. We must store devices containing personal data carefully if taken out of the work place. Laptops, tablets, smart phones and other mobile devices should be stored securely and not left unattended in cars or in public places or on top of desks or table tops at home left unattended overnight.
10.4.5. We must not use personal computers for work purposes unless this has first been cleared with our IT department.
10.4.6. We must ensure that individual monitors are positioned so they do not show confidential information to passers-by. This is particularly important if employee PC displays employee data or sensitive data. PCs should be logged off when left unattended.
10.5. Organisational Security Measures
10.5.1. Manual records
We must keep manual records secure by the use of locked cabinets. Access to such records should be restricted to those employees whose job requires access. Where a manual record is in constant use we must take appropriate security measures. These include operating a ‘clean desk’ policy, removing bins from the office space and replacing them with confidential paper disposal areas and requiring all computers to be locked when not in use.
10.5.2. Telephone enquiries
When we deal with telephone enquiries, we must be careful about disclosing any personal data held by us. In particular, we must:
10.5.2.1. Check the caller’s identity to make sure that information is only given to a person who is entitled to it;
10.5.2.2. suggest that the caller puts their request in writing, where we are not sure about the caller’s identity or where their identity cannot be checked; and
10.5.2.3. refer to the Operations Team Leader for assistance in difficult situations
10.5.3. Building access
Building access codes must be kept secret. Where security passes are in place we will take measures to ensure that all staff wear such passes in a prominent, visible position. Any stranger seen in entry-controlled areas should be reported immediately to the Operations Manager or the Administration Executive.
10.5.4. Deletion or destruction of data
Where personal data needs to be deleted or destroyed, adequate measures should be taken to ensure that such data is properly and securely disposed of and it must be destroyed in accordance with ESP’s Data Retention Policy. This will include the destruction of files and back up files and the physical destruction of manual files. The sale or destruction of IT equipment including PCs, laptops, smart phones and other mobile devices should be treated as a data processing activity.
10.6. General guidance
10.6.1. The measures outlined above should guard against accidental loss or destruction of or damage to personal data. The measures taken should be appropriate for the harm which will be caused by such accidental loss, destruction or damage.
10.6.2. Particular care should be taken of sensitive data and security measures should reflect the importance of keeping such sensitive data secure, see section 10.3 (Special Category Personal Data).
10.7. Policy update
We shall ensure all security policies and procedures are regularly monitored and reviewed to ensure that data is being kept securely. Policies and procedures shall be reviewed against good data protection practice including ICO guidance and case law. Where policies and procedures are found to be inadequate, prompt and appropriate action shall be taken in order to rectify such inadequacies. This shall include a review of the security sections and the consideration and implementation of replacement provisions to rectify such inadequacies.
11. Security Breach, Notification and Reporting
11.1. Introduction
We shall ensure that personal data is stored and used in accordance with this policy and the law. However, breaches may occur despite our best efforts. It is therefore essential that on discovering a breach has occurred, the breach is reported in accordance with ESP’s Data Breach Procedure to ensure that the impact of the breach on data subjects is minimised and our liability for the breach can be limited as much as possible. Reporting and thorough investigation of incidents also helps to ensure that potential risks and problems are identified early and appropriate changes are made to minimise the possibility of future data protection breaches occurring.
11.2. What is a data security breach?
11.2.1. The sixth data protection principle provides that personal data must be processed in a manner that ensures its appropriate security.
11.2.2. A data security breach is where the security or integrity of data is compromised and is likely to include loss, misuse or unauthorised use of personal data.
11.2.3. The key feature of a data security breach is the release (no matter how caused) of personal data to a third party who is not authorised to view, hold or otherwise process the information.
Examples of breaches would be:
11.2.3.1. An employee leaving a piece of personal data about another employee or the employee of a client (such as their address, date of birth etc.) on a desk when the employee leaves the desk so that other employees who do not have permission to view the information can see it;
11.2.3.2. the sending of an e-mail containing personal data (for example a database) to a third party that is not entitled to see it, for example, by entering the wrong email address;
11.2.3.3. the loss of a folder of papers or an electronic device such as a memory stick containing personal data in a public place; and
11.2.3.4. the theft of a laptop, tablet, smart phone, mobile or digital device (such as a camera) containing personal data, such as a database or e-mails.
11.3. Who can report breaches?
11.3.1. Data security incidents can be reported by:
11.3.1.1. ESP;
11.3.1.2. an employee;
11.3.1.3. a client;
11.3.1.4. an employee of a client;
11.3.1.5. a supplier; or
11.3.1.6. a member of the public.
12. Dealing with Data Subject Access Requests
12.1. What is a Data Subject Access Request?
12.1.1. Data subjects have a right of access to a copy of their personal data.
12.1.2. A subject access request is any request from a data subject which indicates that the person wants to know what information is kept about him or her.
12.1.3. A subject access request can be made in any form, including verbally, so all ESP staff must be conscious of the risk of a subject access request being made and missed.
12.1.4. If a verbal request for information is received, we will ask the data subject to put the request in writing to ensure that ESP responds to it accurately and in a timely manner. This is not a requirement, however, and we will deal with any verbal requests in accordance with our obligations under the Data Protection Laws.
12.1.5. Internal data subject access requests will be treated as being of equal importance to external data subject access requests.
12.2. How ESP Responds to Data Subject Access Requests?
All Data Subject Access Requests will be dealt with in accordance with ESP’s Data Subject Access Request Policy.
13. Employee Personal Data
13.1. In the course of recruitment and employment we will collect, retain and process information consisting of personal data including special category personal data about employees.
13.2. All employment records, including application forms, interview notes, sickness notes, annual leave records, promotion and appraisal notes, training records, disciplinary and dismissal notes and reports, references (whether confidential or otherwise and whether given or received) and general personnel file notes must be processed in accordance with the Data Protection Laws.
13.3. Personnel records and all written information regarding an employee, including appraisal, career progression and discussions regarding salary should be set out in a manner which contemplates that it may be disclosable as personal data under the Data Protection Laws. All records should therefore be clear and fair and where opinions are expressed these should be shown to be such.
13.4. The information we hold for the above purposes will be retained for the duration of an employee’s employment. The purposes for which we hold any information about the employee after the end of employment are for use solely for any residual employment related matters including (but not limited to) the provision of job references, processing applications for re-employment, matters relating to retirement benefits and allowing us to fulfil contractual or statutory obligations.
13.5. Where employee records are maintained for organisational analysis, we will take care to ensure that only that personal data is kept which is necessary to satisfy the purpose for which it is kept. Where possible, such data should be anonymised.
13.6. All disciplinary actions, commentary, reports and any reports relating to a dismissal of an individual shall be written in a manner which is fair and accurate.
13.7. All employee records shall be regularly reviewed to ensure that they are accurate, not excessive, up to date and adequate for their purpose.
13.8. Use of personal data in recruitment
13.8.1. All recruitment advertisements must contain information which enables applicants to identify that they are applying to us.
13.8.2. The interview notes of all applications should be written in consideration that these will amount to personal data under the Data Protection Laws. All interview notes should therefore be a fair and accurate representation of the interview. Any opinions expressed should be included in a manner which contemplates that they may be disclosable at a later date.
13.8.3. Where an individual candidate is interviewed but we wish to offer the individual employment other than in the post which the individual has applied for, care must be taken to ensure that the individual has consented to his data being used for this purpose. Candidate details must not be shared with other organisations unless specific permission has been obtained from the candidate to so do.
13.8.4. Any decision to shortlist candidates, where such decision making is made in writing, should be done in a manner which is fair and lawful.
14. Client Data
14.1. Much of our clients’ data has the potential to be, and data that relates to the employees of our clients is most likely, personal data covered by the Data Protection Laws.
14.2. All client records which contain personal data, including (but not limited to) employment records, must be processed in accordance with the Data Protection Laws and this Policy.
14.3. We shall arrange for all client personal data records to be regularly reviewed to ensure that they are accurate, not excessive, up to date and adequate for their purposes.
14.4. We shall ensure that all client databases that contain personal data, are allocated to the Operations Manager who shall have control of the database. No processing should be carried out in respect of the database without the permission of the Operations Team Leader.