The Apiary Harleston
Data Protection Policy
We take seriously our duties, and the duties of our employees, under the Data Protection Act 1998 (the DPA). This policy sets out how we deal with employees’ personal data and employees’ obligations in relation to any personal data that they handle.
The Data Protection Manager is responsible for ensuring compliance with the Act and with this policy. That post is held by Mike Chappell. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Manager.
Frequently used terms in this policy
Personal data means data kept electronically or in a structured paper file and relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual or it can be an opinion or statement of intention in relation to the individual.
Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
Sensitive personal data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings.
Data protection compliance
We will process personal data to comply with the eight principles of good practice. These provide that personal data must be:
How we are likely to use your personal data
We need to keep information on file about you for normal employment purposes. The information we hold is for our management and administrative use only. We will keep and use this information to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, from the time you first apply for a job, whilst you are working for us, at the time when your employment ends and after you leave. This includes using information to enable us to comply with our contractual obligations and to protect our legal position in the event of claims against us. Much of the information we hold will have been provided by you, but some may come from other internal sources, such as your manager or, in some cases, external sources, such as referees.
The sort of information we hold about you
The sort of information we hold includes:
Of course, you will also inevitably be referred to in many company documents and records which are produced by you and your colleagues in the course of carrying out your duties and the business of the company.
Where necessary, we may keep information relating to your health. This information might include reasons for any absences and doctor’s reports and notes and will be used for the following:
A CCTV system monitors our buildings. Images are recorded and retained for a limited period of time. This is primarily for security purposes, although in rare cases we may use CCTV footage in investigations into allegations of misconduct by employees, for example if a fight or vandalism is alleged to have taken place outside the building.
We keep records of your hours of work by way of our clocking on and off system.
When we give information about you to third parties
We may disclose information about you to third parties, for example:
We will keep the personal data we hold about you accurate and up to date. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data. Please notify us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you.
We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.
Processing in line with your rights
We will process personal data in line with your rights, in particular your right to:
We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
We have put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a third party if it agrees to comply with those procedures and policies, or if it puts in place adequate measures itself.
We will maintain data security by protecting the confidentiality, integrity and availability (for authorised purposes) of the personal data.
Accessing your personal data
If you wish to access personal data we hold about you under the DPA’s subject access provisions, you should make a request in writing to Mike Chappell, enclosing a fee of £10.
Within 40 days of the employee’s Subject Access Request, we will:
Your obligations regarding personal data
Everyone has rights with regard to the way in which their personal data is handled. During the course of the company’s activities, we will collect, store and process personal data not only about our employees but also about our customers, suppliers and other third parties.
Employees are obliged to comply with data protection law and the data principles set out above when processing personal data on our behalf (including that of other employees). In particular, they are obliged to comply with the following provisions and/or any other guidelines produced by the company relating to personal data and/or any other management instructions.
If you are in any doubt about what to do with personal information, you should seek advice from Mike Chappell.
Any breach of these obligations may result in disciplinary action.
If you acquire any personal data in the course of your duties, you must ensure that the use of the information is for a relevant purpose and that it is not kept longer than necessary.
If you acquire any personal data in the course of your duties, you must ensure that the information is accurate and up to date, insofar as it is practicable to do so.
In particular, you should ensure that you:
Where information containing personal data is disposed of, you should ensure that this is done securely. This may involve:
If you receive personal information in error by whatever means, you must inform Mike Chappell immediately.
Status of this policy and new instructions
This policy does not give contractual rights to individual employees. The company reserves the right to alter any of its terms at any time, although we will notify you in writing of any changes.