Ashby working together for a brighter future

A white background with a few lines on it

Data Protection Policy

Purpose

The Company is committed to being transparent about how it collects and uses the personal data of staff, and to meeting our data protection obligations. This policy sets out the Company's commitment to data protection, and your rights and obligations in relation to personal data in line with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).


This policy applies to the personal data of current and former job applicants, employees, workers, contractors, and former employees, referred to as HR-related personal data. This policy does not apply to the personal data relating to members of the public or other personal data processed for Company business.


Definitions

"Personal data" is any information that relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information. It includes both automated personal data and manual filing systems where personal data are accessible according to specific criteria. It does not include anonymised data.


“Processing” is any use that is made of data, including collecting, recording, organising, consulting, storing, amending, disclosing or destroying it.


"Special categories of personal data" means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic or biometric data as well as criminal convictions and offences.


"Criminal records data" means information about an individual's criminal convictions and offences, and information relating to criminal allegations and proceedings.


Data protection principles

The Company processes HR-related personal data in accordance with the following data protection principles. The Company:

  • processes personal data lawfully, fairly and in a transparent manner
  • collects personal data only for specified, explicit and legitimate purposes
  • processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing
  • keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay
  • keeps personal data only for the period necessary for processing
  • adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage


The Company will tell you of the personal data it processes, the reasons for processing your personal data, how we use such data, how long we retain the data, and the legal basis for processing in our privacy notices.


The Company will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it. The Company will not process your personal data if it does not have a legal basis for processing.

The Company keeps a record of our processing activities in respect of HR-related personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).


Processing 

Personal data

The Company will process your personal data (that is not classed as special categories of personal data) for one or more of the following reasons:

  • it is necessary for the performance of a contract, e.g., your contract of employment (or services); and/or
  • it is necessary to comply with any legal obligation; and/or
  • it is necessary for the Company’s legitimate interests (or for the legitimate interests of a third party), unless there is a good reason to protect your personal data which overrides those legitimate interests; and/or
  • it is necessary to protect the vital interests of a data subject or another person; and/or
  • it is necessary for the performance if a task carried out in the public interest or in the exercise of official authority vested in the controller.

If the Company processes your personal data (excluding special categories of personal data) in line with one of the above bases, it does not require your consent. Otherwise, the Company is required to gain your consent to process your personal data. If the Company asks for your consent to process personal data, then we will explain the reason for the request. You do not need to consent or can withdraw consent later.


The Company will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.


Personal data gathered during the employment is held in your personnel file in hard copy and electronic format on HR and IT systems and servers. The periods for which the Company holds your HR-related personal data are contained in our privacy notices to individuals.


Sometimes the Company will share your personal data with contractors and agents to carry out our obligations under a contract with the individual or for our legitimate interests. We require those individuals or companies to keep your personal data confidential and secure and to protect it in accordance with Data Protection law and our policies. They are only permitted to process that data for the lawful purpose for which it has been shared and in accordance with our instructions.


The Company will update HR-related personal data promptly if you advise that your information has changed or is inaccurate. You may be required to provide documentary evidence in some circumstances.


The Company keeps a record of our processing activities in respect of HR-related personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).


Special categories of data

The Company will only process special categories of your personal data (see above) on the following basis in accordance with legislation:

  • where it is necessary for carrying out rights and obligations under employment law or a collective agreement;
  • where it is necessary to protect your vital interests or those of another person where you are physically or legally incapable of giving consent;
  • where you have made the data public;
  • where it is necessary for the establishment, exercise or defence of legal claims;
  • where it is necessary for the purposes of occupational medicine or for the assessment of your working capacity;
  • where it is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates to only members or former members provided there is no disclosure to a third party without consent;
  • where it is necessary for reasons for substantial public interest on the basis of law which is proportionate to the aim pursued and which contains appropriate safeguards;
  • where is it necessary for reasons of public interest in the area of public health; and
  • where is it necessary for archiving purposes in the public interest or scientific and historical research purposes.

If the Company processes special categories of your personal data in line with one of the above bases, it does not require your consent. In other cases, the Company is required to gain your consent to process your special categories of personal data. If the Company asks for your consent to process a special category of personal data, then we will explain the reason for the request. You do not have to consent or can withdraw consent later.


Individual rights

As a data subject, you have a number of rights in relation to your personal data.


Subject access requests

You have the right to make a subject access request. If you make a subject access request, the Company will tell you:

  • whether or not your data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from yourself;
  • to whom your data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
  • for how long your personal data is stored (or how that period is decided);
  • your rights to rectification or erasure of data, or to restrict or object to processing;
  • your right to complain to the Information Commissioner if you think the Company has failed to comply with your data protection rights; and
  • whether or not the Company carries out automated decision-making and the logic involved in any such decision-making.

The Company will also provide you with a copy of your personal data undergoing processing. This will normally be in electronic form if you have made a request electronically, unless you agree otherwise.


If you want additional copies, the Company may charge a fee, which will be based on the administrative cost to the Company of providing the additional copies.


To make a subject access request, you should send the request to the BID Manager or BID Chair. In some cases, the Company may need to ask for proof of identification before the request can be processed. The Company will inform you if we need to verify your identity and the documents we require.


The Company will normally respond to a request within a period of one month from the date it is received. Where the Company processes large amounts of your data, this may not be possible within one month. The Company will write to you within one month of receiving the original request to tell you if this is the case.


If a subject access request is manifestly unfounded or excessive, the Company is not obliged to comply with it. Alternatively, the Company can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the Company has already responded. If you submit a request that is unfounded or excessive, the Company will notify you that this is the case and whether or not we will respond to it.


Other rights

You have a number of other rights in relation to your personal data. You can require the Company to:

  • rectify inaccurate data;
  • stop processing or erase data that is no longer necessary for the purposes of processing;
  • stop processing or erase data if your interests override the Company's legitimate grounds for processing data (where the Company relies on our legitimate interests as a reason for processing data);
  • stop processing or erase data if processing is unlawful; and
  • stop processing data for a period if data is inaccurate or if there is a dispute about whether or not your interests override the Company's legitimate grounds for processing data.
  • complain to the Information Commissioner. You can do this by contacting the Information Commissioner’s Office directly. Full contact details including a helpline number can be found on the Information Commissioner’s Office website (www.ico.org.uk).

To ask the Company to take any of these steps, you should send the request to the BID Manager or BID Chair.


Data security

The Company takes the security of HR-related personal data seriously. The Company has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.


Where the Company engages third parties to process personal data on our behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.


Data breaches

The Company has robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur the Company must take notes and keep evidence of that breach.


If you are aware of a data breach you must contact the BID Manager or BID Chair immediately and keep any evidence, you have in relation to the breach.


If the Company discovers that there has been a breach of HR-related personal data that poses a risk to the rights and freedoms of yourself, we will report it to the Information Commissioner within 72 hours of discovery. The Company will record all data breaches regardless of their effect.


If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will tell you that there has been a breach and provide you with information about its likely consequences and the mitigation measures we have taken.


International data transfers

The Company will not transfer HR-related personal data to countries outside the EEA.


Individual responsibilities

You are responsible for helping the Company keep your personal data up to date. You should let the Company know if data provided to the Company changes, for example if you move to a new house or change your bank details.


Everyone who works for, or on behalf of, the Company has some responsibility for ensuring data is collected, stored and handled appropriately, in line with the Company’s policies.


You may have access to the personal data of other individuals and of members of the public in the course of your work with the Company. Where this is the case, the Company relies on you to help meet our data protection obligations to staff and members of the public. Individuals who have access to personal data are required:

  • to access only data that you have authority to access and only for authorised purposes;
  • not to disclose data except to individuals (whether inside or outside the Company) who have appropriate authorisation;
  • to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, locking computer screens when away from desk, and secure file storage and destruction including locking drawers and cabinets, not leaving documents on desk whilst unattended);
  • not to remove personal data, or devices containing or that can be used to access personal data, from the Company's premises without prior authorisation and without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
  • not to store personal data on local drives or on personal devices that are used for work purposes.
  • to never transfer personal data outside the European Economic Area except in compliance with the law and with express authorisation from the BID Manager or BID Chair. 
  • to ask for help from the Company’s data protection lead if unsure about data protection or if you notice a potential breach or any areas of data protection or security that can be improved upon. 

Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the Company's disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing personal data without authorisation or a legitimate reason to do so or concealing or destroying personal data as part of a subject access request, may constitute gross misconduct and could lead to dismissal without notice.


This is a non-contractual policy and procedure which will be reviewed from time to time.


Date of policy: September 2024

Share by: