1. Introduction

  • The Company holds personal data about Staff, clients and other individuals for a variety of business purposes.
  • This policy sets out how the Company seeks to protect personal data and ensure Staff understand the rules governing their use of personal data to which they have access in the course of their work.
  • In particular, this policy requires Staff to ensure that the Managing Director (“Data Protection Lead”) is consulted before any significant new data processing activity is initiated, so that the relevant compliance steps are addressed.
  • Everyone at the Company is responsible for ensuring compliance with this policy.
  • The Data Protection Lead is responsible for the monitoring and implementation of this policy. If you have any questions about the content of this policy or other comments including concerns that the policy is not being followed you should contact the Data Protection Lead.

2. Scope

  • This policy applies to all Staff.
  • This policy does not form part of your contract of employment. The Company may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to Staff before being adopted.
  • The Company may ask any member of Staff to take part in training on data protection issues at any time and Staff must do so when requested.

3. Definitions

In this policy:

“business purposes” means the purposes for which personal data may be used by the Company, e.g. personnel, administrative, financial, regulatory, payroll and business development purposes;
“Company” means Belfast One Bid Limited, registered in Northern Ireland with number NI 637120, whose registered office is at Sinclair House 2nd Floor, 95-101 Royal Avenue, Belfast, BT1 1FE;
“personal data” means information relating to a living individual, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers and marketing contacts, who can be identified from that data or from that data and other information which the Company has or is likely to have. This can include name, address, email address, financial information, CCTV images, MAC and IP addresses, location data, aliases, preferences and profiles, amongst other things;
“processing data” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“sensitive personal data” / “special categories” means personal data about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetic data, biometric data for the purpose of uniquely identifying a person, data concerning physical or mental health or condition, sexual life, criminal offences, or related proceedings. Any use of sensitive personal data must be strictly controlled in accordance with this policy;
“Staff” means all directors, consultants, employees, interns, volunteers and temporary staff of the Company, including applicants, former applicants, employees (current and former), agency, casual workers and contract workers;
“Supervisory Authority” means the independent regulatory body responsible for monitoring the application of data protection law in its jurisdiction, namely the Information Commissioner’s Office (ICO) in the UK.

4. Collection of personal data

The Company collects the following personal data:

  • in relation to Staff:
    • before, during and after any application and/or interview process;
    • during any period of employment or arrangement, including absences, holidays, personal reviews, disciplinary action and back to work interviews;
    • in connection with payroll and benefits (e.g. pensions);
    • on dismissal, redundancy, resignation or retirement;
  • in relation to clients (levy paying businesses), through direct communication and through the Company’s website;
  • in relation to suppliers, in connection with the provision of goods and services, contact with such parties in the negotiation for goods and services and as part of managing such relationship;
  • in relation to the general public, we collect information through communications in connection with the provision of services such as competitions and events.

5. General principles

  • The Company’s policy is to process personal data in accordance with the applicable data protection laws and rights of individuals as set out below. All Staff have personal responsibility for the practical application of the Company’s data protection policy.
  • The Company will observe the principles set out in law in respect of the processing of personal data and will adhere to the following principles:
    • to process lawfully, fairly and transparently;
    • to obtain personal data for specific, explicit and legitimate purposes;
    • to be adequate, relevant and not excessive in relation to the purposes for which it is used;
    • to be kept accurate and up to date (and, where inaccurate, erased or rectified without delay);
    • not to be kept for longer than is necessary for the purposes for which it is used; and
    • to be kept secure to prevent unauthorised processing and accidental loss, damage or destruction, using appropriate technical or organisational measures.
  • Staff should generally not process personal data unless:
    • the individual whose details are being processed has consented to this;
    • the processing is necessary to perform the Company’s legal obligations or exercise legal rights;
    • the processing is otherwise in the Company’s legitimate interests and does not unduly prejudice the individual’s privacy; or
    • the processing is necessary to carry out a contract with the data subject.
  • When gathering personal data or establishing new data protection activities, Staff should ensure that individuals whose data is being processed receive appropriate data protection notices to inform them how the data will be used. There are limited exceptions to this notice requirement. In any case of uncertainty as to whether a notification should be given, Staff should contact the Data Protection Lead.
  • Transparency is key to data protection. Individuals should be told how, why and on what basis their personal data is being processed. Special categories of personal data are afforded a higher level of protection by law.

6. Accuracy, adequacy, relevance and proportionality

  • Staff should make sure data processed by them is accurate, adequate, relevant and proportionate for the purpose for which it was obtained. Personal data obtained for one purpose should generally not be used for unconnected purposes unless the individual has agreed to this or would otherwise reasonably expect the data to be used in this way.
  • Individuals may ask the Company to correct personal data relating to them which they consider to be inaccurate. If a member of Staff receives such a request and does not agree that the personal data held is inaccurate, they should nevertheless record the fact that it is disputed and inform the Data Protection Lead.
  • Staff must ensure that personal data held by the Company relating to them is accurate and updated as required. If personal details or circumstances change, Staff should inform the Data Protection Lead so the Company’s records can be updated.

7. Security

  • Information security is a key element of data protection and the Company must ensure that appropriate measures are taken to keep personal data secure from loss or unauthorised disclosure or damage.
  • All Staff must ensure they comply with the procedures below when using the Company’s IT systems and otherwise processing personal data.

Clear desk policy

All Staff must operate a clear desk policy. This means that:

  • there must be no confidential information available for casual viewing or inspecting;
  • all documents and equipment containing confidential information must be locked in a secure environment when the area is unattended; and
  • confidential information should only be printed out as necessary, and you should avoid making unnecessary copies.

Antivirus Software

You must:

  • ensure that you have up-to-date virus scanning software for the scanning and removal of suspected viruses, spyware and spam-related email;
  • report any viruses found on your Computer or Portable Device; and
  • never download files from unknown or suspicious sources. Spam emails should be blocked or deleted and unknown or suspicious attachments must not be opened.

Working remotely

If you use the Information Systems when working away from the Company’s premises, which includes working from home, you must:

  • position yourself so that your work cannot be overlooked;
  • never save attachments locally onto any personal, public or shared computer;
  • take reasonable precautions to safeguard the security of your Portable Device(s), any equipment or hard copy documentation and your passwords; this includes encrypting external media; and
  • ensure any hard copy documentation taken out of the office is kept safe and confidential at all times.

Telephone communications

When conducting a telephone conversation that includes commercially sensitive or personal in-confidence discussions, please ensure that you are not overheard in open plan or in public areas to keep the conversation private.

  • Where the Company uses external organisations to process personal data on its behalf additional security arrangements need to be implemented in contracts with those organisations to safeguard the security of personal data. There are also mandatory legal protections which must be included in any contract with such parties.
  • Staff should consult the Data Protection Lead to discuss the necessary steps to ensure compliance when setting up any new agreement or altering any existing agreement.

8. Data retention

  • Personal data should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances including the reasons why the personal data were obtained.
  • Personal data that is out of date or no longer required will be discarded.
  • In relation to a member of Staff’s personal data held by the Company, please refer to the retention periods set out in the Data Protection Privacy Notice (Employment).

9. International transfer

  • The transfer of personal data to any location outside the EEA (which includes the EU countries, Norway, Iceland and Liechtenstein), or outside of the UK once Brexit takes effect, is a breach of data protection law unless the personal data is adequately protected or an exemption applies.
  • Adequate protection can be provided if:
    • the data protection arrangements in the destination country have been approved by the EU Commission (there is a list of approved countries on the EU Commission website); or
    • the recipient is a signatory to an EU approved data protection regime; or
    • the recipient is bound by a contract that ensures that the personal data concerned will be adequately protected (for example, the EU has approved a standard form agreement for this purpose).
  • Therefore, before transferring personal data outside the UK/EEA, including posting it on a website or giving anyone outside of the UK/EEA access to it, you must contact the Data Protection Lead.

10. Rights of individuals

  • Individuals are entitled (subject to certain exceptions) to request access, rectification, deletion, restriction and portability in relation to information held about them. All such requests should be referred immediately to the Data Protection Lead. This is particularly important because the Company must respond to a valid request within the legally prescribed time limits.
  • Any member of Staff who would like to correct or request information that the Company holds relating to them should contact the Data Protection Lead. It should be noted that there are certain restrictions on the information to which individuals are entitled under applicable laws.
  • Staff should not send direct marketing material to someone electronically (e.g. by email) unless there is an existing business relationship with them in relation to the services being marketed. Staff should abide by any request from an individual not to use their personal data for direct marketing purposes and should notify the Data Protection Lead about any such request. Staff should also contact the Data Protection Lead for advice on direct marketing before starting any new direct marketing activity.

11. Reporting breaches

  • Staff have an obligation to report actual or potential data protection compliance failures to the Data Protection Lead immediately. This allows the Company to:
    • investigate the failure and take remedial steps if necessary; and
    • make any applicable notifications.
  • You may be requested as part of your duties to support the Company in any such investigation.

12. Consequences of failing to comply

  • The Company takes compliance with this policy very seriously. Failure to comply puts both Staff and the Company at risk.
  • It is a condition of employment that Staff abide by the rules and policies issued by the Company from time to time. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action, which may result in dismissal.
  • Negligent or deliberate breaches of this policy could result in criminal liability for Staff personally.
  • Staff with any questions or concerns about anything in this policy including any of its Schedules and Appendices should not hesitate to discuss these with the Data Protection Lead.