Prestige Safety Services is committed to collecting information as a consequence of being an employer, use it lawfully and keep it safe in accordance with the General Data Protection Regulations 2018 (GDPR).
This policy provides clarity on the key principles as well as identifying roles and responsibilities within Prestige Safety Services regarding the protection of personal information we use for our day-to-day activities. This policy applies to any information we hold related to a person that can be used to directly or indirectly to identify them. This policy includes employees, associates, third party subcontractors and clients of the business.
Key GDPR 2018 Principles
From the 25th May 2018 the Data Protection Act 1998 will be enhanced by the GDPR which brings in line legislation which is fit for purpose in a modern technological age and takes into consideration how data is obtained, processed and destroyed. The key overarching principles for data security are:
Data must be:
- Processed lawfully, fairly and in a transparent manner.
- Collected for specified, explicit and legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and where necessary kept up to date.
- Only be retained for as long as is necessary to complete the function for which it was obtained.
- Processed in an appropriate manner to maintain security.
Rights for Data Subjects Under GDPR 2018
Data subjects have the following rights under the new legislation:
- Right to be informed
- Right of access to data
- Right to rectification of data
- Right to be forgotten or erased
- Right to restrict processing
- Right for data to be transferred
- Right to object
- Right not to be subjected to Automated processing / profiling
Roles and Responsibilities
It is the Directors ultimate responsibility to ensure that the company complies with the new legislation. Directors will handle any requests regarding Freedom of Information, complaints relating to the use of personal data, data subjects right to have their personal data erased, notifying the Information Commissioner (ICO) of a security breach as well as being the person to investigate potential breaches of data security.
Unless there is a lawful exemption within the GDPR we will carry out the following to comply with the governing principles:
- Explain why we are collecting information and how it will be used at the point we first collect it.
- Only share information to third parties when it is lawful to do so and with the explicit consent of the data subject.
- Take extra care in our processing of sensitive personal data which includes information about physical, mental, learning difficulties, race, religion and criminal convictions and proceedings.
- Avoid using personal information for any new or substantially changed purposes which were not explained at the point the information was first collected.
- Check the quality and the accuracy of the personal information we hold and act quickly to correct details that are found to be inaccurate.
- Ensure we do not hold information for longer that is necessary.
- Ensure that data is disposed of, which is no longer required, in a secure manner.
- Ensure that there are both technological and procedural safeguards in place to protect personal information from loss, unauthorised access, unauthorised disclosure, unplanned destruction, damage or theft.
- Ensure we have effective procedures to deal with requests from anyone who asks for a copy of the information we hold about them.
- Ensure our staff understand the policies and procedures that relate to data protection and have received appropriate training accordingly.
- Confirm the identity and validity of persons who contact us before there is disclosure of any personal information to them.
- Use appropriate methods to transport and send information to third parties in a secure and safe manner.
- Investigate any known or suspected breaches of data security and take appropriate steps to address any risks identified.
- Obtain assurances for our suppliers and contractors on their data protection and information security standards before allowing them to access personal information we hold.
It is the responsibility of all those accessing personal data to ensure that security is treated seriously. Those involved must be aware of the risks to data security and comply with the relevant control measures.
In the event of a data breach:
In the unlikely event of a security breach of a data subjects’ personal data the Director is to be notified as soon as it been identified. The Director will notify any data breaches to the ICO within 72 hours (3 calendar days; NOT business days) so if a data breach was identified on a Friday afternoon, the ICO would have to be notified no later than Monday afternoon).
Signed Date 19.04.23