Data Protection Policy

This content is controlled for compliance requirements. Please contact the owner (Joe Hoyle) if you need to make changes.

Protecting personal data is very important. We take this responsibility seriously and work to ensure that we protect the personal data of our employees, clients, and customers.

It’s the responsibility of all members of staff to help to protect personal data that we hold. 

If you have any questions about data protection you should contact our CTO, Joe Hoyle, who is our Data Protection Officer (DPO).

We have eight principles for processing personal data:

  • Processed fairly and lawfully
  • Relevant and not excessive
  • Processed for limited purposes and in an appropriate way
  • Accurate
  • Not kept longer than necessary
  • Processed in accordance with the laws dealing with personal data
  • Kept secure
  • Not transferred to people or organisations in countries without adequate protection.

A lawful purpose for processing your personal data

We process personal data fairly and lawfully. Grounds for processing personal data include: 

  • with your consent
  • to comply with a legal obligation
  • in your vital interests
  • in the performance of a contract with you 
  • in our legitimate interests (or those of a third party processing your personal data). If the personal data is sensitive, additional conditions will be met.

More details of the types of data we process, and why, are recorded in our privacy notice.

Where we process the following data we will secure your consent before doing so:

  • personal data about your health to:
    • monitor sick leave; and
    • take decisions as to your fitness for work;
  • processing personal data to meet our legal obligations to third parties including pensions and insurance providers;
  • processing personal data to measure and manage equal opportunities;
  • transferring your personal data to a country outside of the European Economic Area provided that we are satisfied with the protections that they have in place to protect your data (unless it’s a one-off transfer of data);
  • sharing your personal data with the Fit For Work Service, your doctor, consultant and/or occupational health specialist.

Requests to see your personal data

If you want us to show you personal data that we hold on you then you need to make a request to privacy@humanmade.com. We might ask you for more details about the request or give you a template letter to help with your request. Where the request isn’t made in person we will always ask for two forms of identity to confirm that it is you making the request.

We’ll always try to acknowledge your request when we receive it, and will respond within a maximum of one calendar month. If your request is complex or you make more than one request, we will respond in full within three months. If we need something from you to be able to deal with your request (eg ID documents), the time limit will begin once we have received this.

Your rights to deletion, freezing data processing and corrections

You can ask us to delete your personal data where:

  • Processing it is no longer necessary bearing in mind the reason it was collected;
  • It is being processed unlawfully;
  • You object to us processing your personal data (unless we have an over-riding legitimate interest for continuing to process it in which case we may continue to do so).

Where information we hold on you is inaccurate or incomplete, you can ask us to rectify the data.

You can ask us to stop processing your data where:

  • Processing is unlawful;
  • You say that the information that we hold is inaccurate;
  • You don’t consider we have a ‘legitimate interest’ for processing the data (unless we have an over-riding legitimate interest for continuing to process it in which case we will continue to do so).

If we think that you’re abusing these rights and making unfounded or excessive requests we may refuse your request or may charge a reasonable administration fee for processing the request.

Limitations and obligations

We have processes in place to ensure that the personal data that we hold is accurate and up to date. If personal data that we hold on you is out of date or inaccurate, please update the information yourself, and if you are unable to, notify privacy@humanmade.com.

  • You should always encrypt personal data so that it is not easily accessible to others. Equally, you and we should not capture more personal data than is needed for the purpose identified. Where you are able to anonymise personal data you are encouraged to do so.
  • We will retain your personal data in accordance with our ‘policy on retaining your personal data’. We have processes in place to ensure that personal data isn’t kept for longer than necessary. Once it’s no longer necessary for processing purposes we will delete it. The duration we hold your data for is recorded in our asset register under Data Inventory.
  • We have put appropriate security measures in place to stop accidental loss of, or damage to, personal data. All staff members are responsible for following our incident reporting procedure.
  • Where we ask third parties to process your personal data we will ensure that they have appropriate security measures in place too and that they comply with data protection legislation.
  • You must follow our security policy and procedures to ensure that data is kept secure. 
  • A data breach is a breach of data security that leads to accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data. It includes sending emails to the wrong person, carelessness with passwords and leaving personal data on desks. If you become aware of a data breach you should immediately notify Daisy.
  • Usually, we will only process or share your personal data for the purpose it was collected. So, if it was gathered as part of a discussion about a medical condition that you have, then generally we will not use the information for any other reason. Sometimes, in processing personal data, we become aware of information that we cannot ignore, even if it means using it for a purpose beyond the reason it was collected.
  • If you become aware that personal data has been lost, stolen or otherwise transferred outside of Human Made accidentally or without authorisation, you need to report this immediately to the CTO and email privacy@humanmade.com.
  • If you breach this policy it will be dealt with under our disciplinary policy.

This policy may be changed from time to time. We will notify you of any changes.


This page is reviewed every 1 year. It was last reviewed on December 21, 2024 and will expire on December 4, 2025.