Air Monitors Ltd is required to comply with the law governing the management and storage of personal data, which is outlined in the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018.
Data protection and GDPR compliance are overseen by the UK supervisory authority, which is the Information Commissioner’s Office (ICO).
Air Monitors Ltd is accountable to the ICO for all of its data protection compliance. Protection of personal data and respect for individual privacy and the rights of data subjects are fundamental to the day-to-day operations of Air Monitors Ltd.
Purpose of this policy
This policy is applicable to everyone working for and with Air Monitors Ltd and aims to protect and promote the data protection rights of every individual whose data we process. The policy informs everyone working for and with Air Monitors Ltd of their data protection obligations and of the procedures that everyone must follow in order to ensure compliance with the GDPR.
Scope of the policy
This policy applies to all members, staff, consultants and any third party to whom this policy has been communicated. It covers all personal data and special categories of personal data, whether processed on computers in whatever format (including mobile IT) or stored in paper files.
Karen Pavey (Director of Finance) has been appointed as the lead within the company for ensuring all aspects of data compliance. Karen Pavey is also responsible for ensuring GDPR requirements for the business and should be the first point of contact for any concerns or queries anyone in the organisation has in respect of processing personal data.
However, everyone working for and with the organisation is also responsible for compliance with this policy. Failure to do so may result in disciplinary action; where appropriate, this may be treated as gross misconduct.
Specific responsibilities for data lead in the company
• Developing and ensuring compliance with Data protection policies and procedures
• Making staff and others aware of their responsibilities in respect of data protection
• Being a point of contact for staff and others about any data queries
• Being the point of contact for the ICO
• Undertaking any work in respect of subject access requests and any other queries from data subjects
• Monitoring compliance with Data protection policy and procedure
• Dealing with any breach issue and maintaining a record of any incidents
Company number 03975947.
Registered Office: C1 The Courtyard, Tewkesbury Business Park, Tewkesbury, Gloucestershire. GL20 8GD
FAILURE TO FOLLOW RULES AND EXPECTATIONS ON DATA SECURITY, PROTECTION AND PRIVACY MAY BE DEALT WITH VIA AIR MONITORS LTD’S DISCIPLINARY PROCEDURE.
The GDPR is designed to protect individuals and the personal data which is held and processed about them. It also gives them rights over the data that is processed. There are some key definitions and themes that are of significance for everyone to understand.
Data You Control And Process
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In simple terms, a controller is a person or business that uses data (ie information that identifies someone, such as a customer) and decides the way in which that data is used (also known as “processed”). So, in reality, this means any business. The business is the data controller and employees act on behalf of the business (they are not data controllers or processors in their own right).
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In simple terms this is everything that can be done with information, eg storing it on a hard drive or server, or keeping paper records in a filing system (ie in any structured way, such as client files or HR files).
Personal Data is information relating to an identified or identifiable natural person (‘data subject’ or person); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, eg: a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; In simple terms this means: any information that identifies a living person.
Below is a broad (but not exhaustive) list of the ordinary data any business might typically hold, and the groups a business might hold it under (eg a membership list): contact details of customers, clients, employees and contractors (name, address, telephone number(s), email address), emails, IP addresses, bank details, notes kept of meetings, HR/employee records, photos, CCTV, ID cards, financial information, membership lists and subscriber lists.
Special Category Data
This is information which might previously have been thought of as sensitive information. Article 9 of the GDPR defines this information as:
“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”.
In terms of Air Monitors Ltd this information may well be processed in HR records. Any processing of special category data must be undertaken only with permission from, and under the direction of, Karen Pavey.
Data Protection Principles
The GDPR is based around a set of principles which are the starting point to ensure compliance with the Regulation.
Everybody working for and with Air Monitors Ltd must adhere to these principles in performing their day-to-day duties.
The principles require Air Monitors Ltd to ensure that all personal data and sensitive personal data are:
- Processed lawfully, fairly and in a transparent manner in relation to the subject (‘lawfulness, fairness and transparency’)
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed (‘storage limitation’)
- Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures (‘integrity and confidentiality’)
Fairness And Lawfulness
The purpose of the GDPR and UK data protection laws is not to prevent the processing of data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject. The data subject must be told who the data controller is (in this case Air Monitors Ltd), who the data controller’s representative is (in this case Felicity Sharp, Managing Director; for day-to-day support and management of any data issues, Karen Pavey, Finance Director, has been appointed as the data lead), the purpose for which the data is to be processed by us and the legal basis for doing so, and the identities of anyone to whom the data may be disclosed or transferred.
The GDPR allows processing of data for specific purposes, namely where it is needed:
• for the performance of a contract, such as an employment contract
• to comply with a legal obligation
• in order to pursue our legitimate interests (or those of a third party) and where the interests and fundamental rights of the data subject do not override those interests
• to protect the data subject’s vital interests
• in the public interest, or
• in situations where the data subject has given explicit consent.
We, as data controller, will only process data on the basis of one or more of the lawful bases set out above. Where consent is required, it is only effective if freely given, specific, informed and unambiguous. The data subject must be able to withdraw consent easily at any time and any withdrawal will be promptly honoured.
Special categories of data and criminal convictions data will only be processed with explicit consent of the data subject, unless the data controller can rely on one or more of the other lawful bases set out above, and any additional legal bases for processing specific to these types of data. Air Monitors Ltd also processes this type of data for reasons related to employment of staff.
We will provide all required, detailed and specific information to data subjects about the use of their data through appropriate Privacy Notices which will be concise, transparent, intelligible, easily accessible and in clear and plain language.
Data may only be processed for the specific purposes notified to the data subject via the Privacy Notice. This means that data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed of the new purpose via a new or amended Privacy Notice before any processing occurs.
Data should only be collected to the extent that it is required for the specific purposes notified to the data subject in the Privacy Notice. Any data which is not necessary for those purposes should not be collected in the first place.
Data must be accurate, complete and kept up-to-date. Information which is incorrect is not accurate and steps should therefore be taken to check the accuracy of any data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data should be amended or destroyed.
Data should not be kept longer than is necessary to carry out the specified purposes. This means that data should be destroyed or erased from our systems when it is no longer required, and in accordance with our data retention principles. Air Monitors products have a long life cycle; it is therefore company policy to retain information relevant to the sale of the goods for in excess of 20 years. Financial information is retained for 6 years after the relevant accounting period and in line with HMRC rules. Employee data is retained in line with statutory provisions.
Security, Integrity And Confidentiality
We will ensure that appropriate technical and organisational security measures are taken against unlawful or unauthorised processing of data, and against the accidental loss of, or damage to, data. Data subjects may apply to the courts for compensation if they have suffered damage from such a loss. We will put in place procedural and technological safeguards appropriate to our size, scope and business, our available resources and the amount of data we hold, to maintain the security of all data from the point of collection to the point of destruction. For example: (a) Air Monitors Ltd systems are password protected; (b) firewalls and anti-virus software are kept up to date; (c) McAfee is installed on remote equipment. Moreover, Air Monitors Ltd is Cyber Essentials accredited, confirming that all IT is fully secure and compliant with regulations. Paperwork is kept in files in cabinets. Payroll information that was held on paper before it was transferred onto electronic format is held in a locked cabinet in the accounts office, which is also locked. The premises are fitted with a monitored burglar alarm and there are keypads for secure access on the access doors.
We will consider and use, where appropriate, the safeguards of encryption, anonymisation and pseudonymisation (replacing identifying information with artificial information so that the data subject cannot be identified without the use of additional information which is kept separately and secure). We will regularly evaluate and test the effectiveness of these safeguards. Employees have a responsibility to comply with any safeguards we put in place.
Maintaining data security means guaranteeing the confidentiality, integrity and availability of the data, defined as follows:
• Confidentiality, in respect of internal systems, means that only people who are authorised to use the data can access it.
• Integrity means that data should be accurate and suitable for the purpose for which it is processed.
• Availability means that authorised users should be able to access the data if they need it for authorised purposes. In this connection, Air Monitors Ltd also expects employees to comply with its Communication and Representation Policy and Computer Use Policy, which can be found in the policy section of our handbook.
We will not routinely transfer data to any recipients outside the European Economic Area (EEA). However, from time to time we may pass personal data such as your name and email address to other services that we use to send out newsletters and other communications (both electronic and print). Your personal data will remain in the EU or in countries considered by the EU to have equivalent policies, such as Jersey, Guernsey, Switzerland, New Zealand and Canada. Companies based in the USA that have certified with the EU-US Privacy Shield programme are also considered to be permitted destinations by the EU (this includes popular US products like Office 365, DropBox and MailChimp).
Rights of the data subject
The GDPR gives rights to individuals in respect of the personal data that any organisations hold about them. Everybody working for Air Monitors Ltd must be familiar with these rights and adhere to Air Monitors Ltd procedures to uphold these rights. These rights include:
• Right of information and access, to confirm details about the personal data that is being processed about them and to obtain a copy;
• Right to rectification of any inaccurate personal data;
• Right to erasure of personal data held about them (in certain circumstances);
• Right to restriction on the use of personal data held about them (in certain circumstances);
• Right to portability: the right to receive data processed by automated means and have it transferred to another data controller;
• Right to object to the processing of their personal data.
If anybody is aware of a request from a data subject for information about them, they must inform the data lead in the organisation immediately, as there is only one month to respond to these requests.
A data protection breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Everyone working for and with Air Monitors Ltd has a duty to report any breach or suspected breach without delay to the data lead, who will determine what steps to take. It may be that the ICO or the data subjects whose data has been breached need to be informed. If so, this must be done within 72 hours of anyone in the company becoming aware of the breach or suspected breach. The data lead will also keep a record of each and every breach and suspected breach. Final authority and responsibility for any data breach rests with Felicity Sharp, Managing Director, who will also be the first point of contact for the ICO in this connection.
Confidentiality and data sharing
Air Monitors Ltd must ensure that it shares personal information with other individuals or organisations only where it is permitted to do so in accordance with data protection law. Wherever possible, you should ensure that you have the data subject’s consent before sharing their personal data, although it is accepted that this will not be possible in all circumstances, for example if the disclosure is required by law. Any further questions around data sharing should be directed to the lead for data protection.
Complaints relating to breaches of the GDPR and/or complaints that an individual’s personal data is not being processed in line with the data protection principles should be referred to Karen Pavey without delay.
It is important that everybody working for Air Monitors Ltd understands the implications for Air Monitors Ltd if we fail to meet our data protection obligations. Failure to comply could result in:
• Criminal and civil action;
• Fines and damages;
• Personal accountability and liability;
• Suspension/withdrawal of the right to process personal data by the ICO and imposition of different processing methods;
• Loss of confidence in the integrity of the business’s systems and procedures;
• Adverse publicity for the business;
• Irreparable damage to the business’s reputation.
Name: Felicity Sharp
Title: Managing Director
Date: 3rd December 2020