- Protecting personal data
- Protecting personal data is very important. Whether it belongs to you or individuals we work with we take our responsibilities very seriously.
- Not only do we need to ensure that we protect your personal data but you also need to help us to protect other personal data that we hold.
- We have appointed a Personal Data Manager (Daisy) If you have any questions or concerns about this policy or the processing of personal data please speak with them first.
- When dealing with personal data there are eight principles that you and we need to follow. The personal data needs to be:
- Processed fairly and lawfully;
- Relevant and not excessive;
- Processed for limited purposes and in an appropriate way;
- Accurate;
- Not kept longer than necessary;
- Processed in accordance with the laws dealing with personal data;
- Kept secure;
- Not transferred to people or organisations in countries without adequate protection.
There is a lot to understand in respect of these principles. This policy should help you to ensure that your and our treatment of personal data is appropriate and lawful. If you have any questions please direct them to Daisy.
A lawful purpose for processing your personal data
- We process personal data fairly and lawfully. Grounds for processing personal data include: with your consent, to comply with a legal obligation, in your vital interests, in the performance of a contract with you or in our legitimate interests (or a third party processing your personal data). If the personal data is sensitive additional conditions will be met.
- At the end of this policy we identify the categories of personal data that we collect and the reasons for processing it along with a privacy notice explaining more about what we do with your personal data.
- Where we process the following data we will secure your consent before doing so:
- personal data about your health to:
- monitor sick leave; and
- take decisions as to your fitness for work;
- processing personal data to meet with our legal obligations to third parties including pensions and insurance providers;
- processing personal data to measure and manage equal opportunities;
- transferring your personal data to a county outside of the European Economic Area provided that we are satisfied with the protections that they have in place to protect your data (unless it’s a one off transfer of data);
- sharing your personal data with a company within our group (where applicable) or with any person or business that intends to buy us or take over control;
- sharing your personal data with the Fit For Work Service, your doctor, consultant and/or occupational health specialist.
Requests to see your personal data
- If you want us to show you personal data that we hold on you then you need to make a request in writing to Daisy. We might ask you for more details about the request or give you a template letter to help with your request. Where the request isn’t made in person we will always ask for two forms of identity to confirm that it is you making the request.
- We’ll always try and acknowledge your request when we receive it. We have between 30 days and three months to respond in full to your request.
- We may ask you to contribute towards the administration fee in processing your request.
- If you are asked to disclose personal data you should notify Daisy immediately and follow their instructions.
Your rights to deletion, freezing data processing and corrections
- You can ask us to delete your personal data where:
- Processing it is no longer necessary bearing in mind the reason it was collected;
- It is being processed unlawfully;
- You object to us processing your personal data (unless we have an over-riding legitimate interest
for continuing to process it in which case we may continue to do so). - Where information we hold on you is inaccurate or incomplete you can ask us to rectify the data.
- You can ask us to stop processing your data where:
- Processing is unlawful;
- You say that the information that we hold is inaccurate;
- You don’t consider we have a ‘legitimate interest’ for processing the data (unless we have an over-riding legitimate interest for continuing to process it in which case we will continue to do so).
- If we think that you’re abusing these rights and making unfounded or excessive requests we may refuse your request or may charge a reasonable administration fee for processing the request.
Limitations and obligations
- We have processes in place to ensure that the accuracy of the personal data that we hold is up to date. Obviously, if personal data that we hold on you is out of date or inaccurate please update the information yourself, and if you are unable to, notify Daisy. We will talk to you at least once a year and at the point that you leave our employment about the personal data that we hold on you, whether it is still necessary to hold that data and whether any of it is inaccurate or out of date.
- Wherever possible you should always encrypt personal data so that it is not easily accessible to others. Equally, you and we should not capture more personal data than is needed for the purpose identified. Where you are able to anonymise personal data you are encouraged to do so.
- We will retain your personal data in accordance with our ‘policy on retaining your personal data’. We have processes in place to ensure that personal data isn’t kept for longer than necessary. Once it’s no longer necessary for processing purposes we will delete it.
- We have put appropriate security measures in place to stop accidental loss of, or damage to personal data. Where we have shared with you those measures you must comply with them. Where we ask third parties to process your personal data we will ensure that they have appropriate security measures in place too and that they comply with data protection legislation.
- Bear in mind that desks and equipment hold personal data. You should keep locked away or password protected any personal data and such data should be kept out of view of others at all times. You should adhere to the security guidelines in the staff handbook.
- A data breach is a breach of data security that leads to accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data. It includes sending emails to the wrong person, carelessness with passwords and leaving personal data on desks. If you become aware of a data breach you should immediately notify Daisy.
- Usually, we will only process or share your personal data for the purpose it was collected. So, if it was gathered as part of a discussion about a medical condition that you have then generally we will not use the information for any other reason. Sometimes, in processing personal data we become aware of information that we cannot ignore, even if it means using it for a purpose beyond the reason it was collected.
- If you become aware that personal data has become lost, stolen or otherwise transferred outside of Human Made accidentally or without authorisation, you need to report this immediately to Daisy.
- If you breach this policy it will be dealt with under our disciplinary policy.
- This policy may be changed from time to time. We will notify you of any changes.
Information about your data
Type of Data | Privacy Notice | What we do with the information | Reason for processing | Who processes the data | Where the data came from | Any recipients of the data |