Grosvenor Services needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, processed and stored to meet the company’s data protection standards and to comply with the law.
This data protection policy ensures that Grosvenor Services complies with GDPR and any national requirements of the countries in which we operate, and follows good practice.
Data protection law and the General Data Protection Regulation describe how we must collect, handle, process, protect and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. GDPR is underpinned by six important principles:
This policy will be reviewed on an annual basis or as changes in the law or our business dictate.
Group Managing Director
This policy applies to the head office of Grosvenor Services, all branches of Grosvenor Services, all staff and volunteers of Grosvenor Services, and all contractors, suppliers and other people working on behalf of Grosvenor Services.
It applies to all personal and sensitive personal information that the company holds relating to an identifiable natural person.
Definition under the DPA: personal data consisting of information as to:
(a) The racial or ethnic origin of the data subject;
(b) Political opinions;
(c) Religious beliefs or other beliefs of a similar nature;
(d) Trade union membership;
(e) Physical or mental health or condition;
(f) Sexual life;
(g) Commission or alleged commission of any offence; or
(h) Any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Personal data is any information relating to an identified or identifiable natural person. This can include:
1. Names of individuals
2. Postal addresses
3. Email addresses
4. Telephone numbers
5. Plus any other information relating to individuals.
This policy helps to protect the company from some very real data security risks including:
All employees who have access to data have responsibility for ensuring data is collected, stored, protected and processed appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. The board of directors is ultimately responsible for ensuring that we meet our legal obligations.
The company has appointed a data protection steering committee.
The steering committee is chaired by:
Pursuant to Article 37 of GDPR we note that there is a requirement for a controller and processor to designate a Data Protection Officer (DPO) in any case where:
(a) The data processing is carried out by a public authority;
(b) The core activities of the controller and processor require regular and systematic monitoring of data subjects on a large scale; or
(c) The core activities of the controller and processor consist of large scale processing of special categories of data and/or personal data relating to criminal convictions and offences.
Grosvenor Services has considered the requirements of GDPR, and in particular Article 37, in order to decide whether it is required to appoint a DPO. Grosvenor Services wishes to record that it has considered the matter in an appropriate manner and to record its decision.
In coming to a decision, Grosvenor Services has noted the following:
On the basis of the foregoing matters, Grosvenor Services has decided that it is not required to appoint a Data Protection Officer. The Data Protection function will be managed in Grosvenor by the appointment of a Data Protection Manager. This will be George Parish, Business Improvement Director.
The steering committee is responsible for:
Head of IT is responsible for:
Data Protection Manager is responsible for:
Each department has an appointed champion who is responsible for:
Where personal data is processed or held, the area in which it is held must be secure with restricted access. Any person involved in handling personal data MUST sign a non-disclosure form. Failure to comply with this requirement could result in disciplinary proceedings.
Where legitimate access to data is required, the paper files cannot be taken from the restricted area unless the original is required in a court of law, in which case this is done against a signature.
Grosvenor Services operates a clean desk policy.
All files containing personal or sensitive data must be secured in a locked cabinet or file when not in use.
These rules describe how and where data should be stored. Questions about storing data safely should be directed to a member of the steering committee.
When data is stored on paper it should be kept in a secure place where unauthorised people cannot access it.
These guidelines also apply to data that is usually stored electronically but that has been printed out for some reason.
All paper-based archives should be in boxes marked to show the content and the disposal date. The area or buildings in which the boxes are kept MUST be secure.
Every 3 months, the person responsible will dispose of the data either by shredding or via a third party confidential waste disposal company.
Only authorised persons (approved by the head of department) may access any stored data.
Personal data is of no value unless the business can make use of it. However, it is when personal data is accessed that it can be at the greatest risk of loss, corruption or theft:
All individuals who are the subject of personal data held by us are entitled to:
If an individual contacts the company requesting this information, this is called a subject access request.
Subject access requests from individuals can be received by email, or addressed to the HR Manager at 64c Heather Road, Sandyford, Dublin, Ireland, or The HR Manager, 10 Algitha Road, Skegness, Lincs, UK. The manager will supply standard request forms, although this is not necessary.
The HR manager will aim to provide the relevant data within 30 days.
The HR manager will always verify the identity of anyone making a subject access request before handing over the information.
In certain circumstances the law allows personal data to be disclosed to law-enforcement agencies without the consent of the data subject. Under these circumstances we will disclose requested data. However, the HR Manager will ensure the request is legitimate, seeking assistance from the Data Manager and from the company’s legal advisers when necessary.
We aim to ensure that individuals are aware that the data is being processed and that they understand:
– How the data is being used.
– How to exercise their rights.
To this end, the company has a privacy statement setting out how data relating to individuals is used by the company.
This is available on request. A version of the statement is also available on the company’s website.