GDPR Policy 2018
JNC Safety Services Limited needs to gather and use certain information about individuals in order to process your requests in relation to services and/or training. These can include delegates, clients, suppliers, business contacts, employees and other people the Company has a relationship with or may need to contact. This policy describes how this personal data is collected, handled and stored to meet the Company’s Data Protection standards and to comply with the law.
Data is stored both electronically and in hard copy format. Data is stored on our internal systems.
Only those employed by JNC Safety Services Limited will have access to this information. No information shall be passed to any third party unless requested by a Statutory Enforcing Authority, insurance company or such information is subject to court proceedings.
In order to issue certificates, grants and funding, information regarding services and/or training data may be passed on to third parties such as the CITB, LSC, NEBOSH, CIEH, IOSH, UKATA etc. This information is solely for the purpose of processing certificates, grants and funding. This information may relate to you, your company or personal details of your employees. Third parties other than the aforementioned may request such information, but your permission shall be sought prior to this being carried out.
JNC Safety Services Limited may use your information to provide you with health and safety updates and training courses that are appertaining to you and/or your Company. Your information will not be passed on to third parties for this purpose.
Why this policy exists:
This data protection policy ensures JNC Safety Services Limited:
· Complies with data protection law and follows good practice.
· Is open about how it stores and processes individuals' data.
· Protects itself from the risks of a data breach.
· Protects the rights of employees, clients and delegates.
General Data Protection Regulation:
The General Data Protection Regulation (GDPR) describes how organisations, including JNC Safety Services Limited, must collect, handle, use and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
There are eight important principles. These say that personal data must:
1. Be processed fairly and lawfully.
2. Be obtained only for specific, lawful purposes.
3. Be adequate, relevant and not excessive.
4. Be accurate and kept up to date.
5. Not be held for any longer than necessary.
6. Be processed in accordance with the rights of data subjects.
7. Be protected in appropriate ways.
8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.
This policy applies to:
· All employees of JNC Safety Services Limited.
· All delegates, individuals, clients, contractors, suppliers and other people working on behalf of JNC Safety Services Limited.
· It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of The General Data Protection Regulation (GDPR). This can include: Names of individuals / postal addresses / email addresses / telephone numbers / any other information relating to individuals.
This policy helps to protect JNC Safety Services Limited from some very real data security risks, including:
· Breaches of confidentiality. For instance, information being given out inappropriately.
· Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
· Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
Everyone who works for or with JNC Safety Services Limited has some responsibility for ensuring data is collected, stored and handled appropriately.
Everyone that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
· The Company Directors are ultimately responsible for ensuring that JNC Safety Services Limited meets its legal obligations.
The Data Protection Controller is responsible for:
· Reviewing all data protection procedures and related policies.
· Handling data protection questions from employees and anyone else covered by this policy.
· Dealing with requests from individuals to see the data JNC Safety Services Limited holds about them (also called 'subject access requests').
· Checking and approving any contracts or agreements with third parties that may handle the Company's sensitive data.
· Approving any data protection statements attached to communications such as emails and letters.
· Addressing any data protection queries from journalists or media outlets like newspapers.
The Data Protection Processor is responsible for:
· Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
· Performing regular checks and scans to ensure security hardware and software is functioning properly.
· Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.
The only people able to access data covered by this policy should be those who need it for their work. Data should not be shared informally. When access to confidential information is required, employees can request it from the Company Directors. JNC Safety Services Limited will provide training to all employees if required to help them understand their responsibilities when handling data.
Employees should keep all data secure, by taking sensible precautions and following the guidelines below:
· Strong passwords must be used and they should never be shared.
· Personal data should not be disclosed to unauthorised people, either within the Company or externally.
· Data should be regularly reviewed and updated if it is found to be out of date; if no longer required, it should be deleted and disposed of in the correct manner.
· Employees should request help from the Company Director/s if they are unsure about any aspect of data protection.
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the Data Protection Officer and/or Processor.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
· When not required, the paper or files should be kept in a locked drawer or filing cabinet.
· Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
· Data printouts should be shredded and disposed of securely when no longer required.
· Any paperwork/documentation that contains personal data must be disposed of by shredding onsite and the waste securely disposed of, or collected and disposed of by a specialist business providing JNC Safety Services Limited with a certificate of destruction.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
· Data should be protected by strong passwords that are changed regularly and never shared between employees.
· Employees have unique user names, which are not to be shared between employees.
· If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
· Data should only be stored on designated drives, and should only be uploaded to approved cloud computing services.
· Data should be backed up frequently; those backups should be tested regularly.
· All computers, including laptops and mobile devices, containing data should be protected by approved security software and a firewall, with security updates installed quickly.
· When electronic records within a database, or any IT document such as Word or PDF, are removed, they must be deleted in full and removed from all systems in their entirety, including any ‘recycle bins’ that the data may be unknowingly backed up into.
JNC Safety Services Limited retains stored data for a minimum period of 4 years. Training records are maintained to allow any complaints/appeals/confirmation of achievement requests to be dealt with.
Personal data is of no value to JNC Safety Services Limited unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
· When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
· Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
· Data must be encrypted before being transferred electronically.
· Employees should not save copies of personal data to their own computers.
The law requires JNC Safety Services Limited to take reasonable steps to ensure data is kept accurate and up to date. The more important it is that the personal data is accurate, the greater the effort JNC Safety Services Limited should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
· Data will be held in as few places as necessary.
· Employees should not create any unnecessary additional data sets.
· Employees should take every opportunity to ensure data is updated. For instance, by confirming a client’s details when they call.
· Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
· It is the Company Director’s responsibility to ensure marketing databases are checked against industry suppression files every six months.
All individuals who are the subject of personal data held by JNC Safety Services Limited are entitled to:
· Ask what information the Company holds about them and why.
· Ask how to gain access to it.
· Be informed how to keep it up to date.
· Be informed how the Company is meeting its Data Protection obligations.
· The right to restrict processing.
· The right to object.
· If an individual contacts the Company requesting this information, this is called a subject access request.
JNC Safety Services Limited aims to ensure that individuals are aware that their data is being processed, and that they understand:
· How the data is being used.
· How to exercise their rights.
Subject Access Requests:
Subject access requests from individuals should be made by email, addressed to the Data Controller at email@example.com. The Data Controller will aim to provide the relevant data within 7 days. The Data Controller will always verify the identity of anyone making a subject access request before handing over any information.
Where subject access requests are manifestly unfounded or excessive, JNC Safety Services Limited has the right to refuse them or to charge the individual for handling their request/s. Should JNC Safety Services Limited refuse a subject access request, it will inform the individual without undue delay (within one month) as to why, and that they have the right to complain to the supervisory authority and to a judicial remedy.
In the case of a personal data breach, no matter how large or small, the Data Protection Controller shall without undue delay and, where feasible, no later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority (ICO).
Data breaches must be notified to the Data Protection Processor and Controller in the form of an email sent to firstname.lastname@example.org without undue delay after becoming aware of a personal data breach.
The notification should include, where known, the following information:
· A detailed description of the data breach, including the cause of the breach.
· An approximate number of the individuals and data records affected.
· A contact with whom to liaise regarding the breach and from whom more information can be obtained.
· A description of the likely consequences of the personal data breach.
· A description of the measures taken or proposed to be taken to deal with the data breach and measures to mitigate its possible adverse effects.
The Data Protection Controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable auditors to verify compliance.
The company aims to fully comply with the General Data Protection Regulation (GDPR). In the event that you are not happy with the way that your information has been dealt with, you may write to:
Mr James Slater, Director / Data Protection Processor at JNC Safety Services Limited, Woodbine Farm, Truro Business Park, Truro, Cornwall TR3 6BW.