Data Protection Policy
This document sets out the policy within which Logistics UK’s security compliance requirements are met, and how these conform to current codes of practice. The statement applies to all areas ‘in scope’, to ensure that data security measures, both technical and procedural, are consistent with the current standard ISO/IEC 27001:2013.
Document Control
| Item | Detail |
|---|---|
| Reference | A.18.1.4 |
| Author and Directorate | Nigel Smart, Development & IT Department |
| Policy Application | Organisation wide |
| Approval By | Project Director |
| Confidentiality Level | Company Confidential |
Responsibility for implementation
It is the responsibility of all employees, associates, and agents to ensure that they are working to the most up-to-date and relevant policies and procedures. By so doing, the quality of services offered will be maintained and the chances of employees making erroneous decisions, affecting customer, employee, or visitor safety, will be reduced.
A controlled copy of this document is stored on the ISMS SharePoint Site and access is controlled via SP file permissions set according to the confidentiality of this document. Only approved individuals or groups will be able to access this copy.
Hardcopy documents are marked as “uncontrolled when printed” to highlight their separation from the version control system online.
Review, update, approval, and re-versioning of this document will be carried out in accordance with the Document Control Policy held within the ISMS SharePoint site.
Executive Directors, Department Heads and Managers are to ensure their employees and associates are made fully aware of the document and its implication.
Introduction
Logistics UK (“the Company”) needs to process personal information (electronic or paper based) about customers, employees, and workers (associates and contractors) to support its operation. It is also necessary to process personal information about our staff and others who we come into contact with during the course of our operations. In doing so, we recognise that the correct and lawful treatment of personal information is critical to maintaining the trust and confidence of those connected to us.
This policy, and any other documents referred to in it, sets out our approach to ensuring that we comply with data protection laws. It has been prepared and updated to take account of changes in the law introduced by the UK General Data Protection Regulation (the retained EU law version of the General Data Protection Regulation (EU) 2016/679) (“GDPR”) and the Data Protection Act 2018 (“DPA”). In particular, a key change introduced is the principle of ‘accountability’ which requires us to demonstrate how we comply with data protection laws.
All employees must comply with our policies and procedures relating to data protection. This Policy does not form part of any employee’s contract of employment and may be amended at any time.
Data Protection Principles
We are committed to processing personal data in accordance with the 6 key data protection principles outlined in the GDPR:
1. Lawfulness, fairness, and transparency
- Transparency: We will tell data subjects how we will use their personal information.
- Fairness: We will ensure that we process personal information fairly; only using that information for the purposes set out in our privacy information or in a way which is compatible with those purposes.
- Lawfulness: We will ensure that we have identified a lawful basis for processing personal information.
2. Purpose limitation
Personal data will only be obtained for “specified, explicit and legitimate purposes”. Personal Data will only be used for a specific processing purpose that the data subject has been made aware of.
3. Data minimisation
Personal data collected about a data subject will be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
4. Accuracy
We will develop processes and protocols that support data being “accurate and where necessary kept up to date”.
5. Storage limitation
Personal data will be “kept in a form which permits identification of data subjects for no longer than necessary”.
6. Integrity and confidentiality
We are committed to handling data “in a manner ensuring appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage”.
Data Protection Officer
We have appointed a ‘Data Protection Officer’ (“DPO”). The DPO must have expert knowledge in data protection law and practices. Our appointed DPO, who fulfils these requirements, is HY Solicitors, 1 Reed House, Hunters Lane, Rochdale, OL16 1YL, who can be contacted by telephone on 0161 804 1144 or by email at DPO@wearehy.com.
Responsibilities
Everybody has a responsibility to ensure compliance with the GDPR and DPA. As part of our commitment to ensuring that we comply with our data protection obligations, particularly the principle of accountability, the Company has established where responsibilities are assigned:
The Board
- ensure that a suitably qualified DPO is appointed.
- include budget and resources needed to ensure compliance at all levels.
- comply with all reasonable directions from the DPO to promote effective data protection practices.
- ensure that staff receive appropriate training at reasonable intervals in relation to data protection.
- ensure that the appropriate policies and procedures are implemented which demonstrate how the Company complies with its data protection obligations.
- ensure that Privacy Notices are readily available.
- ensure that an Article 30 register is held and kept up to date.
- ensure that data protection impact assessments are undertaken when required.
The DPO
- support the board to comply with its responsibilities.
- update and maintain data protection policies and procedures.
- provide advice in respect of data protection impact assessments.
- update privacy notices.
- investigate and report on data breaches.
- liaise with the ICO in relation to all compliance matters.
- provide advice and support across the Company on all matters which impact on individual rights.
- provide training where requested to do so.
Staff
- observe data protection policies, procedures and guidance implemented by the Company.
- understand the purposes for which the Company uses personal information.
- collect and process appropriate information in accordance with the purposes for which it is to be used.
- ensure that information is correctly input into systems.
- ensure that information is destroyed (in accordance with our retention procedures) when it is no longer required.
- on receipt of a request from an individual or organisation for information held about them or another data subject, immediately notify the DPO in accordance with the subject access procedure.
- attend training when required to do so.
- understand that breaches of this Policy Statement may result in disciplinary action, including dismissal.
Implementation
This policy will be implemented and supported through the development of a data protection framework comprising 2 elements:
Data Protection - Standards
The Standards set out the actions that will be taken to implement the data protection policy.
Procedures
Step by step instructions to achieve a given aspect of the standards.
Data Protection - standards
Purpose
The Standards outline the actions that will be taken to implement the data protection policy and cover the following areas of data protection:
S1: Lawfulness, fairness, and transparency
S2: Individual Rights
S3: Accountability and governance
S4: Information security
S5: Physical Security
S6: Computer and network security
S7: Personal data breach management
S8: Records management
S9: Access to records
S10: Communication using email
S11: Training and Awareness
S1: Lawfulness, fairness, and transparency
- We will conduct information audits at appropriate intervals and maintain a record of processing activities in compliance with Article 30 of the GDPR (“the Record”).
- The Record will document the personal data processes undertaken, their purpose, where the data comes from and who we share data with.
- We will identify the lawful bases for processing and document it in the Record.
- We will keep a record of consent.
- Where we rely on legitimate interests as the lawful basis for processing, we will apply the three-part test and demonstrate that we have considered and protected individuals’ rights and interests.
- We will register with the Information Commissioner’s Office (ICO).
S2: Individual Rights
- We will provide privacy information to individuals.
- We will communicate privacy information in a way that is clearly understood and accessible.
- We will have a process to recognise and respond to individual requests to access their personal data.
- We will have processes in place to ensure that the personal data we process remains accurate and up to date.
- We will have processes in place to securely dispose of personal data that is no longer required or where an individual has asked us to erase it.
- We will have procedures to respond to an individual’s request to restrict the processing of their personal data.
- We will have procedures to allow individuals (where applicable) to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.
- We will have procedures to handle an individual’s objection to the processing of their personal data.
S3: Accountability and governance
- We will have a data protection policy.
- The data protection policy will be supported by a framework which details how we will respond to subject access requests, handle data breaches, provide privacy information and how long we will retain personal data.
- We will provide data protection awareness training for all staff.
- We will have written contracts with any processors that we use.
- An Article 30 register will be maintained.
- We will use the principles of ‘Data protection by Design and Default’ and implement appropriate technical and organisational measures to integrate data protection into our processing activities.
- We will conduct Data Protection Impact Assessments (DPIAs).
- We will have a nominated Data Protection Officer (DPO).
- Decision makers and key people will demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the Company.
S4: Information security
- We will identify, assess, and manage information security risks.
- We will have established written agreements with third-party processors that ensure the personal data that they access and process on our behalf is protected and secure.
- We will ensure that we have an adequate level of protection for any personal data processed by others on our behalf that is transferred outside the European Economic Area.
S5: Physical Security
- We will have entry controls to restrict access to premises and equipment in order to prevent unauthorised physical access, damage and interference to personal data.
- We will have secure storage arrangements to protect records and equipment in order to prevent loss, damage or theft of personal data.
- We will have a process to securely dispose of records and equipment when no longer required and this will be done safely such that the data is irrecoverable.
S6: Computer and network security
- We will assign user accounts to authorised individuals and will manage user accounts effectively to provide the minimum access to information.
- We will have appropriate password security in place.
- We will establish effective anti-malware defences to protect computers from malware infection.
- We will routinely back-up electronic information to help restore information in the event of disaster.
- We will keep software up to date and apply the latest security updates in order to prevent the exploitation of technical vulnerabilities.
- We will have boundary firewalls to protect computers from external attack and exploitation and help prevent data breaches.
S7: Personal data breach management
- We will have an effective process to identify, report, record, manage and resolve any personal data breaches.
- We will have training in place to ensure staff know how to recognise a personal data breach and what to do if they detect one.
- We will have a procedure in place to report a breach to the ICO and to affected individuals, where necessary.
- We will have a procedure in place to effectively investigate the cause(s) of a breach and implement measures to mitigate future risks.
S8: Records management
- We will have a records management policy.
- We will implement processes to ensure that personal data is held in accordance with the records management policy.
S9: Access to records
- We will implement role-based access and check it regularly.
- We will have a process to assign and manage user accounts to authorised individuals and to remove them when no longer appropriate.
S10: Use of email
- Each e-mail user will be allocated their own personal account with a unique identifier and password.
- Industry recognised e-mail software will be installed and kept up to date.
- All emails that are used for official business will be sent from an official domain address.
- A standard disclaimer to protect the Company against any liability and the unauthorised disclosure of the contents of e-mails will be automatically appended to each e-mail.
- Sensitive personal information will only be sent via email if there is a method in place to ensure the information is secure. This includes either:
  - sending the information as a password-protected attachment, or
  - providing a link to a document in a secure shared area.
- The use of e-mail will be monitored to protect against misuse.
S11: Training and Awareness
- To ensure all staff are aware of their responsibilities under the GDPR and are aware of associated policies and procedures, appropriate training will be provided for all those involved in using our data and systems.
- All employees will receive notification regarding changes to policies, standards, and procedures on a timely basis.
Data Protection Procedures
We will maintain the following procedures to support the Data Protection Standards:
P1: Subject Access Requests (SARs)
P2: Data Breach Procedure
P3: Records Management Policy