UK Data Protection Policy

Introduction

Kadence International Ltd is fully committed to compliance with the requirements of the European Union General Data Protection Regulation (EU GDPR), which came into force on 25th May 2018.

We are required to maintain certain personal data about individuals for the purposes of satisfying our operational and legal obligations. We recognise the importance of correct and lawful treatment of personal data as it helps to maintain confidence in our organisation and to ensure efficient and successful outcomes when using this data.

The types of personal data that we may process include information about current, past and prospective employees; clients and customers; suppliers and other organizations with which we have dealings.

Personal data may consist of data kept on paper, computer or other electronic media; all of which is protected under the European Union General Data Protection Regulation.

Scope of this Policy

This policy applies to all employees and workers who handle personal data, whether this relates to their colleagues, clients or anyone else. A copy will also be given to any third parties to whom we outsource any data processing or storage.

Principles

We endorse and adhere to the seven principles of the European Union General Data Protection Regulation, which are summarised as follows:

  • Legality, Transparency and Fairness
    • Legality – Any Personal Data must be processed in accordance with the rules and guidelines of the GDPR
    • Transparency – Any kind of information that an organization passes to the individual about the way it processes their data must be disclosed clearly and thoroughly
    • Fairness – Data subjects have:
      • The right to be informed
      • The right of access
      • The right to rectification
      • The right to erasure
      • The right to restrict processing
      • The right to data portability
      • The right to object
      • Rights in relation to automated decision making and profiling
  • Purpose Limitation
    • Personal data should be collected for specified legitimate and explicit purposes and must not be further processed in a way which is incompatible with such purposes
  • Minimisation
    • Personal data must be relevant, adequate, and limited to what is necessary in relation to the purposes for which those data are processed
  • Accuracy
    • Personal data must always be up to date and actions should be taken to avoid storing old or redundant data
  • Storage Limitation
    • Personal data shall be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purpose for which the personal data is processed
  • Integrity and Confidentiality
    • Personal Data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures
  • Accountability
    • Both the Data Controller and the Data Processor have responsibility for, and must be able to prove compliance with all GDPR Principles
    • The GDPR requires businesses to show how they comply with the Principles
    • Supervisory Authorities can audit Businesses to check compliance with the accountability principle

These principles apply to obtaining, handling, processing, transportation and storage of personal data.

Employees and agents of Kadence International Ltd who obtain, handle, process, transport and store personal data for us must adhere to these principles at all times.

Types of data

The GDPR lays down conditions for the processing of any personal data, and makes a distinction between personal data and “sensitive” personal data.

Personal data is defined as data relating to a living individual who can be identified from that data; or from that data and other information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person in respect of the individual.

Sensitive personal data is defined as personal data consisting of information regarding an individual’s racial or ethnic origin; political opinion; religious or other beliefs; trade union membership; physical or mental health or condition; sexual life; or criminal proceedings or convictions.

Handling of personal/sensitive information

Kadence International Ltd will, through appropriate management and the use of strict criteria and controls:

  • observe fully the conditions concerning the fair collection and use of personal information
  • specify the purpose for which information is used
  • collect and process information only to the extent that it is needed to fulfill operational needs or legal requirements
  • endeavour always to ensure the quality of information used
  • not keep information for longer than required operationally or legally
  • always endeavour to safeguard personal information by physical and technical means (i.e. keeping paper files and other records or documents containing personal/sensitive data in a secure environment; protecting personal data held on computers and computer systems by the use of secure passwords, which, where possible, are changed periodically; and ensuring that individual passwords are not easily compromised)
  • ensure that personal information is not transferred abroad without suitable safeguards
  • ensure that the lawful rights of people about whom the information is held can be fully exercised.

In addition, Kadence International Ltd will ensure that:

  • there is someone with specific responsibility for data protection in the organisation (the designated Data Controller)
  • all staff managing and handling personal information understand that they are contractually responsible for following good data protection practice
  • all staff managing and handling personal information are appropriately trained to do so
  • all staff managing and handling personal information are appropriately supervised
  • a clear procedure is in place for anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, and that such enquiries are promptly and courteously dealt with
  • methods of handling personal information are regularly assessed and evaluated
  • data sharing is carried out under a written agreement, setting out the scope and limits of the sharing
  • any disclosure of personal data will be in compliance with approved procedures.

Note that, by law, Kadence International Ltd has to provide employee liability information to any organization that our employees are transferring to, in line with the Transfer of Undertakings Regulations.

Access to personal data

All individuals who are the subject of personal data held by us are entitled to:

  • ask what information we hold about them and why
  • ask how to gain access to it
  • be informed how to keep it up to date
  • have inaccurate personal data corrected or removed
  • prevent us from processing information or request that it is stopped if the processing of such data is likely to cause substantial, unwarranted damage or distress to the individual or anyone else
  • require us to ensure that no decision which significantly affects an individual is solely based on an automated process for the purposes of evaluating matters relating to him/her, such as conduct or performance
  • be informed what we are doing to comply with our obligations under the EU GDPR.

This right is subject to certain exemptions which are set out in the EU GDPR. Any person who wishes to exercise this right should make the request in writing to the Data Protection Officer (currently the Data Management Director).

If personal details are inaccurate, they will be amended upon request. If by providing this information we would have to disclose information relating to or identifying a third party, we will only do so provided the third party gives consent, otherwise we may edit the data to remove the identity of the third party.

Personal information will only be released to the individual to whom it relates. The disclosure of such information to anyone else without their consent may be a criminal offence. Any employee who is in doubt regarding a subject access request should check with the Data Protection Officer. Information must under no circumstances be sent outside of the UK without the prior permission of the Data Protection Officer. We aim to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 30 days of receipt of a written request unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.

Employee responsibilities

All employees must ensure that, in carrying out their duties, Kadence International Ltd is able to comply with its obligations under the EU GDPR. In addition, each employee is responsible for:

  • checking that any personal data that he/she provides to us is accurate and up to date
  • informing us of any changes to information previously provided, e.g. change of address
  • checking any information that we may send out from time to time, giving details of information that is being kept and processed
  • if, as part of their responsibilities, employees collect information about other people or about other employees they must comply with this policy. This includes ensuring the information is processed in accordance with the EU GDPR, is only processed for the purposes for which it is held, is kept secure, and is not kept any longer than is necessary.

Employees are reminded that the EU GDPR does not just apply to records held relating to our employees, but also to any client files/records. Information stored on clients should be reviewed regularly to ensure it is accurate and up to date. All documents, whether handwritten or stored in emails (current or deleted), are potentially disclosable in the event of a request from an employee or client.

Employee records

We hold personal information about all employees as part of our general employee records. This includes address and contact details, age, date of birth, marital status or civil partnership, educational background, employment application, employment history with Kadence International Ltd, areas of expertise, details of salary and benefits, bank details, performance appraisals and salary reviews, records relating to holiday, sickness and other leave, working time records and other management records. We may receive and/or retain this information in various forms (whether in writing, electronically, or verbally or otherwise).

This information is used for a variety of administration and management purposes, including payroll administration, benefits administration, facilitating the management of work and employees, performance and salary reviews, complying with record keeping and other legal obligations.

We also process information relating to employees’ health, some of which may fall under the definition of ‘sensitive personal data’. This includes pre-employment health questionnaires, records of sickness absence and medical certificates (including self-certification of absence forms) and any other medical reports. This information is used to administer contractual and Statutory Sick Pay, monitor and manage sickness absence and comply with our obligations under health and safety legislation and the Working Time Regulations.

From time to time we may ask employees to review and update the personal information we hold about them. This will normally be done on an annual basis. Employees should check this information carefully and inform us of any inaccuracies. However, we ask that employees do not wait until asked to update this information, but inform us immediately of any significant change(s).

Data security

The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted.

Managers have access to the personnel records of the employees that report to them, but not to the files of other employees. Managers are required not to retain their own copies of personal data, but to use the central storage system.

Data that is retained on laptops, smartphones and any other electronic equipment that is removed from our offices must be password protected.

All staff are responsible for ensuring that any personal data which they hold is kept securely and that personal information is not disclosed either orally or in writing or otherwise to any unauthorised third party.

Any employee who discovers personal or sensitive data in an inappropriate place (for example unknowingly sent to the wrong printer) should immediately pass this to the HR Manager, ensuring that its contents are not revealed to anyone else.

Publication of information

Information that is already in the public domain is exempt from the EU GDPR. This would include, for example, information on staff contained within externally circulated publications such as brochures and other sales and marketing aids.

Any individual who has good reason for wishing details in such publications to remain confidential should contact the Data Protection Officer.

Subject consent

Our contracts of employment require the consent of employees to the processing of personal data for the purposes of administering, managing and employing our staff. This includes: payroll, benefits, medical records, absence records, sick leave/pay information, performance reviews, disciplinary and grievance matters, pension provision, recruitment, family policies (maternity, paternity, adoption etc) and equal opportunities monitoring.

In some cases, if the data is sensitive, for example information about health, race or gender, express consent to process the data will be obtained. Such processing may be necessary to comply with some of our policies, such as health and safety and equal opportunities.

Information about an individual will only be kept for the purpose for which it was originally given. Employees and managers must not collect data that is simply “nice to have” or which is to be used for another purpose.

Retention and disposal of data

Information will be kept in line with our document retention guidelines. All employees are responsible for ensuring that information is not kept for longer than necessary.

Documents containing any personal information will be disposed of securely, and paper copies will be shredded.

Information stored on obsolete electronic equipment (desktops, laptops and other devices) will be erased prior to the equipment being sold, disposed of or reallocated to other employees.

Registration

Kadence International Ltd is registered in the Information Commissioner’s public register of data controllers (Reg No. Z7327136).

The EU GDPR requires every data controller/data processor who is processing personal data to notify, and renew their notification, on an annual basis. Failure to do so is a criminal offence. The Data Protection Officer is responsible for notifying and updating the Information Commissioner of our processing of personal data. Any changes made to the information stored and processed must be brought to the attention of the Data Protection Officer immediately.

Review and breach of this policy

Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with the Data Protection Officer, who is responsible for ensuring compliance with the EU GDPR and implementation of this policy.

This policy will be reviewed at least annually to see if it, or any supporting documentation, needs to be updated and to ensure compliance with statutory requirements.

This policy is not contractual but indicates how Kadence International Ltd intends to meet its legal responsibilities for Data Protection. Any breach will be taken seriously and may result in formal disciplinary action. Any employee who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with his/her line manager or the Data Protection Officer.