Data Protection and data security policy
Statement and purpose of policy
A. Lucinda Dumpling LTD (the Employer) is committed to ensuring that all personal data handled by us will be processed according to legally compliant standards of data protection and data security.
B. We confirm for the purposes of the data protection laws, that the Employer is a data controller of the personal data in connection with your employment. This means that we determine the purposes for which, and the manner in which, your personal data is processed.
C. The purpose of this policy is to help us achieve our data protection and data security aims by:
D. This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, in our absolute discretion.
E. For the purposes of this policy:
Data protection principles
Staff whose work involves using personal data relating to Staff or others must comply with this policy and with the following data protection principles which require that personal information is:
Who is responsible for data protection and data security?
What personal data and activities are covered by this policy?
This policy covers personal data:
What personal data do we process about Staff?
We collect personal data about you which:
The types of personal data that we may collect, store and use about you include records relating to your:
Sensitive personal data
We may from time to time need to process sensitive personal information (sometimes referred to as ‘special categories of personal data’).
We will only process sensitive personal information if:
Before processing any sensitive personal information, Staff must notify the Data Protection Officer of the proposed processing, in order for the Data Protection Officer to assess whether the processing complies with the criteria noted above.
Sensitive personal information will not be processed until the assessment above has taken place and the individual has been properly informed of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.
Our privacy notice sets out the type of sensitive personal information that we process, what it is used for and the lawful basis for the processing.
Criminal records information
Criminal records information will be processed in accordance with our Criminal Records Information Policy.
How we use your personal data
We will tell you the reasons for processing your personal data, how we use such information and the legal basis for
processing in our privacy notice. We will not process Staff personal information for any other reason.
In general we will use information to carry out our business, to administer your employment or engagement and to
deal with any problems or concerns you may have, including, but not limited to:
Sickness records: to maintain a record of your sickness absence and copies of any doctor’s notes or other documents supplied to us in connection with your health, to inform your colleagues and others that you are absent through sickness, as reasonably necessary to manage your absence, to deal with unacceptably high or suspicious sickness absence, to inform reviewers for appraisal purposes of your sickness absence level, to publish internally aggregated, anonymous details of sickness absence levels.
Monitoring IT systems: to monitor your use of e-mails, internet, telephone and fax, computer or other communications or IT resources.
Accuracy and relevance
If you consider that any information held about you is inaccurate or out of date, then you should tell the Data Protection Officer. If they agree that the information is inaccurate or out of date, then they will correct it promptly. If they do not agree with the correction, then they will note your comments.
Storage and retention
Personal data (and sensitive personal information) will be kept securely in accordance with our Information Security
The periods for which we hold personal data are contained in our privacy notices.
You have the following rights in relation to your personal data.
Subject access requests:
You have the right to make a subject access request. If you make a subject access request, we will tell you:
You have a number of other rights in relation to your personal data. You can require us to:
rectify inaccurate data;
We will use appropriate technical and organisational measures to keep personal data secure, and in particular to protect
against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Maintaining data security means making sure that:
By law, we must use procedures and technology to secure personal information throughout the period that we hold or
control it, from obtaining to destroying the information.
Personal information must not be transferred to any person to process (eg while performing services for us or on our behalf), unless that person has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist.
Security procedures include:
Telephone Precautions. Particular care must be taken by Staff who deal with telephone enquiries to avoid inappropriate disclosures. In particular:
Methods of disposal. Copies of personal information, whether on paper or on any physical storage device, must be
physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks
or similar must be rendered permanently unreadable.
Data protection impact assessments
Some of the processing that the Employer carries out may result in risks to privacy.
Where processing would result in a high risk to Staff rights and freedoms, the Employer will carry out a data protection impact assessment to determine the necessity and proportionality of the processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
If we discover that there has been a breach of Staff personal data that poses a risk to the rights and freedoms of individuals, we will report it to the Information Commissioner within 72 hours of discovery.
We will record all data breaches regardless of their effect in accordance with our Breach response policy.
If the breach is likely to result in a high risk to your rights and freedoms, we will tell affected individuals that there has
been a breach and provide them with more information about its likely consequences and the mitigation measures it has
International data transfers
In the course of carrying out our business, we may need to transfer your personal information to a country outside the European Economic Area (EEA) including to any group company or to another person with whom we have a business relationship.
Your personal data will only be transferred to a country outside of the EEA if there are adequate protections in place. To ensure that your personal data receives an adequate level of protection, we have put in place appropriate procedures with the third parties we share your personal data with to ensure your personal data is treated by those third parties in a way that is consistent with and which respects the law on data protection.
If you wish to know more about international transfers of your personal data, you may contact the Data Protection Officer.
Staff are responsible for helping the Employer keep their personal data up to date.
Staff should let the Employer know if personal data provided to the Employer changes, eg if you move house or
change your bank details.
You may have access to the personal data of other Staff members and of our customers in the course of your
employment. Where this is the case, the Employer relies on Staff members to help meet its data protection obligations
to Staff and to customers.
Individuals who have access to personal data are required:
We will provide training to all individuals about their data protection responsibilities as part of the induction process
and at regular intervals thereafter.
Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or
responding to subject access requests under this policy will receive additional training to help them understand their
duties and how to comply with them.