This section contains 3 policies that explain how I comply with GDPR
- My Data Protection Policy
What personal information do I collect?
It is not necessary for you to provide me with any personal information in order for you to access the general information sections of my website. However, if you wish to make contact with me via the online form, you will need to provide me with certain personal information such as your name and contact details, including your e-mail address.
How will I use your information?
I will use the information that you provide to me online for the purposes of:
- providing you with any service(s) that you have requested;
- dealing with your requests and/or enquiries;
- maintaining my records for administrative purposes;
- tracking activity on my website;
- protecting my website against unauthorised access.
Who do I disclose your information to?
Except where required by law or for the prevention of fraud, I will not share your personal information with any third parties.
My web page may track and catalogue the search terms that you enter in my Search function, but this tracking is never associated with individual users. I use tracking information to determine which areas of my site users like and don’t like based on traffic to those areas. I do not track what individual users read, but rather how well each page performs overall. This helps me continue to build a better service.
I use and operate standard secure data networks protected by industry standard firewall and password protection systems. Please note that whilst I endeavour to take all reasonable steps to protect your personal information, I cannot guarantee the security of any personal information and/or other data that you disclose to me online via the website. You accept the inherent risks of providing information and dealing online over the internet.
Please note that viruses and similar destructive programs are an inherent risk of communication via the Internet. Whilst I will use my reasonable endeavours to prevent contamination of any material accessed by you via the website, I do not accept any liability for any virus or similar destructive code which computer equipment and/or software used by you may suffer as a result of you accessing this website and/or as a result of any other communication via the Internet between you and me.
It is your sole responsibility to scan anything you choose to download from this website to ensure that it is free from viruses and other similar destructive code.
The copyright and all other intellectual property rights and all software compilations, coding, underlying source code and software belong to me unless otherwise acknowledged.
Whilst you may print or download extracts from the website for your personal use you may not otherwise download, copy, reproduce, redistribute, republish, transmit, adapt, alter, create derivative works from or otherwise extract or reutilise any material contained on this website for commercial purposes.
From this website, you may be able to access websites operated by others. I do not endorse such websites nor do I accept responsibility for any damage or loss you may suffer from accessing such websites or any material on them.
From time to time I may embed videos from YouTube. To find out more about YouTube and its privacy and usage terms, please visit its information page.
Website content disclaimer
The information contained in this website is provided on an “as is” basis. Nothing in this website is intended to be, nor should it be, construed as being an offer to enter into a contractual relationship.
The information on this website does not constitute legal advice and you should not rely on any information contained in this website as if it were legal or other professional advice.
I may at my sole discretion and at any time modify and/or remove any content posted onto my website.
Changes and Information
Should you wish to have your information updated, corrected or removed, or you wish to see what data I hold about you, then please contact me at Sylvia.firstname.lastname@example.org and I will update, correct or otherwise deal with your request as soon as possible.
I respect your privacy, understand that privacy is important to you and that you care about how information about you is used, so this privacy notice sets out details about data I collect and how I use it.
Unless stated otherwise, I collect data to enable the performance of the contract between us or for a legitimate aim, eg in anticipation of business between us.
Visitors to my website
- Google Analytics
When someone visits my website, www.hrthathelps.co.uk, I make use of the Google Analytics service to collect standard information about visitors to the site and their behaviour (e.g. what pages they viewed). The data provided by Google Analytics is anonymised and in no way enables me to identify individual visitors; however, Google Analytics will place a cookie on your device to enable the service. For more information about how Google Analytics cookies work on websites visit: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
- Other tracking devices
If you fill out one of my website forms, a notification email is sent to me. No copy of the data you submit is stored anywhere. As my site uses SSL (https), the data you submit using the contact form will be encrypted once you press the “Submit” button.
I use standard off-the-shelf security for my email and website provision. My website is also accessed via password by my marketing supplier.
People who receive my newsletters or other marketing material
These people will have signed up via Mail Chimp and given their ‘consent’ to say that they are happy to receive marketing information from me.
People who call my office
They will be received by central reception and will enter their details in the visitor book for health and safety reasons.
People who contact me via email
My emails are hosted via Falcoda, already mentioned at 2.4. I also use Microsoft Office. I can access them on my phone, laptop and remotely using any internet appliance. Access is password-protected. I keep my emails in folders, and I have a policy of clearing them out twice a year in line with my paper files, usually in December and mid summer. I have a spam/junk folder as well as folders in the inbox.
My use of social media
I use Twitter, Facebook and LinkedIn. I use their standard security options and can access them on my laptop and phone. These are password-protected and are also accessed by my marketing supplier.
People who are my clients
Terms with Clients – These will ensure that clients have agreed with their employees and other interested parties that data can be shared and that they have given a reason for legally processing it. This may be via consent [maybe for health data] or to operate the contract. This personal data may be sick notes and personal details of employees, e.g. age, address, etc.
I will be clear to clients that I will hold data on their behalf and how I will look after it [copy of policy available if required].
Systems used – given under sections 2 and 5 of this policy
Retention details – given under section 10 of this policy
I have no employees but do have access to client employee data. Usually this will arrive by email and be part of the systems used, already mentioned in this policy. I treat this in the same way as all client data. I check that the client has sufficient data protocols in place to allow me to have access to their employee details. For example, this may need consent for matters of health or absence.
Recruitment and Privacy Notice for candidates
I process personal data relating to those who apply for job vacancies with my clients or send speculative job applications to me. I do this for employment purposes, to assist myself and my client in the selection for employment and to assist in the running of their business. The personal data collected may include identifiers such as:
- date of birth
- personal characteristics such as gender
- previous employment history
I will not share any identifiable information about you with third parties [other than the client] without your consent, unless the law allows or requires me to do so.
The personal data provided during an application process will be retained for a period of 6 months or, if required by law or a legitimate business reason, as long as is required.
This privacy notice does not form part of an employment offer or contract between us. If an employment offer is made to you, you will receive further information about the handling of your personal data in an employment context.
Unless stated elsewhere in this document or in my terms of services I only store the data necessary to provide the services I provide to you. I will keep this data for as long as it is lawful for me to do so (this may be for as long as you are a customer or because of a legal obligation to retain the information, whichever is the longest).
I go through my paper files twice a year, in December and mid summer. I have a professional shredding company come to take away what I no longer consider I need, and I get a certificate of destruction from them. I have to make a judgement call on what I need to keep or not. I ask clients whether a tribunal hearing is likely and tend to keep other matters for a year after I have dealt with them. This is especially true of ongoing day-to-day clients. Ad hoc clients and one-off projects I may keep only for the 6-month period.
I also go through my emails and client files twice a year [email logs can get full] and dispose of all finished matters, aside from those going to tribunal or ongoing day-to-day matters.
Third party processors and suppliers
I use a number of third-party cloud-based services for the purposes of effectively running my business and providing my services to you. I also use a number of third-party organisations, e.g. accountants, occupational health advisors, etc.
In all cases where I am using a third-party service or company, I will only provide the minimal amount of information for the purposes of delivering the service to me and to meet my requirements.
Where I hold information about these third parties [e.g. a supplier phone number or email address], I will only keep it for my own use and for the purpose of performing the contract between us.
I always carry out due diligence against all my third-party suppliers for the purposes of ensuring their compliance with data protection, maintaining adequate security of your data and ensuring they apply adequate data protection principles to the processing of the data I supply.
Under current data protection legislation in the UK, you have rights as an individual which you can exercise in relation to the data I store and process about you. You can find more information about your rights on the Information Commissioner’s website: https://ico.org.uk/for-the-public/
If you want to make a complaint about the way I am processing your data, you can contact me using the contact details below. You also have the right to complain to the Information Commissioner’s Office: https://ico.org.uk/concerns/
How to withdraw consent and object to processing
Where I am processing your data and needed to ask your permission to do so, you are able to withdraw your consent at any time. If you wish to stop receiving my marketing emails you can do so by clicking on the “unsubscribe” link at the bottom of the email. Otherwise, you can contact me using the contact details below.
If you wish to raise concerns about the way I am processing your data or would like to raise an objection, then please email me via Sylvia.email@example.com with your concerns.
Keeping your data up to date
It is important that any of your data that I process is kept up to date. I will from time to time ask you to verify your contact details but if you wish to update any information I hold about you, please contact me using the contact details below.
Erasure of your data (the “right to be forgotten”)
Under some circumstances you may request me to delete your data from my systems. Where this is possible (e.g. I don’t have any legal purpose for continuing to process your data) I will erase it from my systems.
If you wish to exercise your right to be forgotten, please contact me via the contact details below.
Your right to portability allows you to request a machine-readable copy of the data you supplied to me and associated service logs (where I store them). Please contact me, using the contact details below, if you wish to receive this.
Access to your data
You have the right to ask me what data I hold about you and how I process it, and to receive a copy of that information, free of charge and within one month of your request.
To make a request for any personal information I hold and process about you, I would prefer it if you could put it in writing or in an email to the addresses below. I will need to verify your identity before providing the information and where necessary may contact you further to ensure I understand what data you are requesting.
- Disclosure of information
I do not share any personal data with any third parties unless it is lawful for me to do so, I am required by law to do so, or you provide me with permission to do so.
For more information about your data rights and privacy or data protection in general visit the Information Commissioner’s Office website: https://ico.org.uk
- How to contact me
If you have any questions about how I collect and use your information not covered in this privacy notice, or if you wish to speak to me about my approach to data protection and privacy, please contact: Sylvia.firstname.lastname@example.org
Changes to my privacy notice
I may change or update elements of this privacy notice from time to time or as required by law.
Data Protection Policy – May 2018
I collect personal data about the people I deal with during the course of carrying out my business and delivering my services. Such people include my clients, their employees, other business contacts and prospective clients.
This policy document sets out the approach I take towards managing this personal data to ensure I meet the data protection requirements set out in the General Data Protection Regulation (“GDPR”), any UK specific implementation of aspects of the Regulation into UK law and any guidance the Information Commissioner’s Office or the Article 29 Working Party provide.
I take data protection seriously and place a high importance on the correct and lawful processing of all personal data as well as respecting the rights and privacy of my clients and their employees. As such, this policy sets out the company procedures that I follow when dealing with personal data across the business.
The GDPR is a European regulation which was ratified on 27th April 2016 and is enforced across the whole of the European Union, including the UK, from 25th May 2018. The Regulation replaces existing member state laws that implemented the previous EU data protection Directive and, despite the UK leaving the European Union, the Regulation will also replace the UK’s Data Protection Act 1998.
- “Personal data” relates to information that enables the identification directly or indirectly of a living individual, this includes the identification of an employee within a business, but does not include generic business data
- “Special categories of personal data” relates to more sensitive personal data including racial or ethnic origin, religious beliefs and health related information
- “Processing” means any activity carried out on the personal data including storage, collection, organisation and general use
- A “Data Subject” is the person whose data it is that is being collected or processed by the Data Controller and/or the Data Processor
- A “Data Controller” is an organisation who determines the purposes of processing of data – typically this is the organisation that has collected the data in the first place and wishes to process it
- A “Data Processor” is a person or organisation who processes data on behalf of the Data Controller (usually a third party).
Data protection principles
Controls around the use of data are governed by a set of principles, which state that data must be:
- Processed lawfully, fairly and transparently
- Collected only for specified or legitimate purposes and not further processed outside the original purpose for collection
- Relevant and necessary for the purposes for which they have been collected (i.e. I should not collect any data that I don’t need)
- Accurate and kept up to date
- Only kept for as long as the data is required. Where data is no longer required it must be deleted or anonymised
- Kept and processed securely
It is up to the Data Controller or Processor to be able to demonstrate compliance with these principles (this is the principle of “accountability”).
Lawfulness of processing
For processing to be lawful, data can only be processed when one of the following conditions applies:
- The Data Subject has given consent
- Processing is required for the performance of a contract or delivering a service
- Processing is required to comply with a legal obligation
- Processing is necessary to protect the vital interests of the Data Subject
- Processing is carried out in the public interest
- Processing is carried out in the legitimate interests of the Data Controller, but without detriment to the Data Subject
Data subject rights
Under the GDPR, Data Subjects have the following rights:
- The right to be informed (including when the data was not obtained directly from them) about who has their data, what it is used for, who will have access to it, and their rights to object, withdraw consent, etc.
- The right to request whether data is being processed by the Data Controller and if so what data and how (this is a subject access request)
- The right to have their data updated and kept up to date
- The right to erasure of their data when the data is no longer needed, when consent has been withdrawn or if it has been unlawfully processed
- The right to restrict, in certain circumstances, the processing of their data
- The right to data portability allowing a Data Subject to request copies of their data in a format compatible with another system for their own use or to import into a third-party system
- The right to object to the processing under legitimate interests, for direct marketing purposes, for profiling or research
- The right to object to automated decision making
What data is covered by data protection?
Personal data is defined as any information which identifies a living individual. Generally, this will include data such as name, address, email addresses and telephone numbers, but specifically for me it would also include:
- Client employee details of:
  - Disciplinary and grievance records and details
This policy document applies to HR that Helps and any sub-contractors that I may use.
- Roles and responsibilities
I have responsibility for the data I collect
Director – Sylvia
Is ultimately responsible for ensuring adequate data protection controls are in place across the business.
Data Protection Officer – Sylvia
The Data Protection Officer is responsible for:
- Keeping up to date about data protection responsibilities, risks and issues across the business
- Overall data protection compliance for the business
- Reviewing (annually) all data protection resources made available to the business, including this policy, guidance and support information
- Ensuring adequate training is in place if needed
- Dealing with data protection and privacy related questions from any part of the business
- Dealing with subject access requests from Data Subjects (clients or client employees)
- Dealing with any requests to access data (clients or client employees) from external third parties, for example law enforcement and government offices
- Carrying out due diligence and ensuring appropriate contractual terms are in place for any third parties I use to share or store personal data
The Data Protection Officer is:
Sylvia Goddard [07765 863923]
IT Manager – Director – Sylvia
The IT Manager is responsible for:
- Ensuring all IT systems and use of technology is compliant and in line with this policy
- Maintaining IT security across the business and ensuring the security of systems is kept up to date
- Assisting the Data Protection Officer with assessing the security aspects of any third party systems that may be used to handle the company’s data
Marketing Manager – Director – Sylvia
The Marketing Manager is responsible for:
- Ensuring all marketing is compliant with the GDPR rules relating to consent and the marketing rules as set out in the Privacy and Electronic Communications Regulations (“PECR”)
- Everyone will familiarise themselves with this policy and any associated policies, relating to the processing of personal data and ensure their processing of personal data is within the rules set out within these policy documents. Specifically, ensuring:
- All personal data accessed, used or processed during their duties is kept and processed securely
- No personal data should be disclosed verbally, in writing or by any other means to any third party, without consent from the company’s Data Protection Officer
- No company systems should be accessed for any reason other than for the purposes of carrying out their duties as an employee
- They contact the Data Protection Officer if they are aware of an issue or are uncertain about any aspect of processing data
- Collection of personal data
- Whenever I collect data, I will only ask for data that is needed for the services I provide or for recruitment
- Where I need consent for the purposes of processing I will:
- Be open and transparent about why I am collecting the data and what is being consented to
- Provide an option for the Data Subject to provide their consent
- I will not provide any pre-ticked options or use any wording that could be missed or misconstrued by the Data Subject to “trick” them into consenting
- I will record the place, time and situation by which that consent was given
- In all circumstances, when collecting data, I will provide the following information:
- Details of who I am, why I am collecting the data, what it will be used for and how long I will use and keep the data, and the legal basis for processing
- Details of how I can be contacted
- Details of the Data Subject’s rights:
- Data Subject access requests
- Have their data corrected if details change
- Have their data deleted when it is no longer needed
- Object to processing
- Right to complain to the Information Commissioner’s Office
- Details of how to withdraw consent (when consent is the lawful basis of processing)
- Where I make use of data supplied by a third party, in addition to the items listed in 4.3, I will also provide details of where the data came from. The information will be given to the Data Subject at the first opportunity (but not more than one calendar month from receiving the data).
- Use of personal data
- I will only process personal data supplied to me for its original purpose. I will not reuse the data for any other purpose unless it is lawful for me to do so (e.g. I have consent from the Data Subject).
- Where “legitimate interest” is the lawful basis for processing, it must be possible to demonstrate that such processing is not harmful to the Data Subject’s rights, and the reason for relying on legitimate interest will be documented
- Where personal data is held by my business for marketing purposes, it is my responsibility to ensure that, each time before the data is used, it is cleansed against the relevant marketing preference databases (e.g. Telephone Preference Service, Mail Preference Service and Corporate Mail Preference Service) to ensure that the Data Subjects have not opted out of marketing.
- Storing data
- The sharing of data within the business must only be done through secure means
- Data should only be shared by email when no other secure means are available. If data is shared via email it should be locked with a password. Email should always be collected and sent via a secure connection
- Any devices (PCs, laptops, tablets, mobiles, etc.) that enable access to the company’s data should be locked with appropriate password controls or thumb print controls.
- Data will not be downloaded to local devices (PCs, laptops, tablets, mobiles, memory sticks, etc.) or to network storage devices unless authorised by me. If data is downloaded to a local device then it must only be stored for the minimal time necessary on that device and deleted once it is no longer needed on that device
- Data will not be printed out, unless authorised by me. If data is printed out, then the printed copy of the data will be destroyed once it is no longer needed and the print out should be stored securely (e.g. in a locked filing cabinet) when it is not being used
- Any devices (PCs, laptops, tablets, mobiles, etc.) that can be used to access personal data should be locked down.
- Where personal data is being viewed on a device, the screen or device lock must be activated if the device is to be left unattended for any period of time
- I will be alert to the risk that an unauthorised third party could view personal data while I am viewing it on a device (e.g. whilst travelling on public transport, etc.) and take steps to prevent unauthorised viewing of personal data.
- Where personal data is, with permission, downloaded, copied or printed the storage of that data should be secure at all times
- Where third-party systems are used (and have been authorised by me), access controls will be put in place to ensure access is secure and limited to only those who have a need to access the data
- All company systems which are used for storing or processing of personal data should be adequately and regularly backed up. All backups should be encrypted and stored securely
- Accuracy of data and keeping it up to date
- If I am told by a client or client employee that the data I hold on them is out of date or incorrect I shall make sure the incorrect data is either deleted or updated
- If I am updating information about a client I must do so immediately to ensure the old data is not processed in the meantime
- If I have shared the data with any third party, I will immediately inform the third parties to ensure their copies of the data are updated
Retention of data
- I will only process (including store) data for as long as I have a business reason to do so. I can retain data where there is a legal duty for me to keep data (e.g. to meet the requirements set out by HMRC) but any data not required must not be retained, once it is no longer needed
- Where data is no longer required and I am unable to justify a legal reason for keeping it, I will either delete the data or anonymise it within 6 months
- Twice a year [June and December] all shredding is removed from the premises by an authorised company and its destruction confirmed
- Data and records will only be kept for more than 6 months if there is still an ongoing case or it is reasonable to assume that the case may go to an Employment Tribunal. This includes electronic data [documents and emails] as well as paper records.
- Subject access requests
- A client or client employee has a right to request access to the data I process and to ask how I process that data (a so-called “Subject Access Request”). All subject access requests should be processed by me in line with the Subject Access Request policy
- Right to erasure
- All requests from a Data Subject for the deletion of their data should be dealt with, and I will ensure I do not delete data for which I have a lawful basis, or legal requirement, to continue processing
- Unless I can demonstrate otherwise, if a Data Subject requests the deletion of their data I will comply with the request within one month of the request and confirm to the Data Subject what data has been deleted
- Where the personal data in question has been disclosed to a third party, I will notify the third party of the need for them to also erase the data
- Right to data portability
- I will ensure that any system I use that meets the requirements for data portability has a data portability option available.
- Where this system is not accessible directly to the client or employee, all requests from a Data Subject for an export of data will be dealt with by me within one month of the original request
- The data will be made available at least in CSV format or in a format standard that has been established between suppliers of similar systems
- Objections to processing
- Any objections to the use of data for marketing (e.g. requests to stop receiving marketing information) should be passed to me and I will ensure that the details of the Data Subject are removed from any marketing lists
- Any other objections are to be dealt with by me, to establish whether the business still has a lawful basis for processing
- Third party due diligence
- Where a third party is used for the processing of personal data, due diligence checks will be carried out on the third party, in consultation with me, to ensure they are data protection compliant and will enable my own data protection compliance. Such checks will include asking about how they are GDPR compliant and asking them for a GDPR statement
- Contractual obligations will also be put in place with any third parties I use. Where I provide a contract to be agreed with the third party I shall ensure these contractual obligations are included in the contract either via a new contract or by an addendum to an existing contract; where I am taking a service from a third party who have their own terms of service, to which I have to agree, I must ensure that the contractual obligations are included within those terms
- I will not use any third party who is unable to provide evidence of their data protection compliance or willingness to agree to the appropriate contractual terms
- Data protection impact assessments
- When new technologies, systems or processes are introduced I will be involved and carry out a Data Protection Impact Assessment to ensure the new technologies are compliant with the data protection rules and protect, by default, the privacy and rights of the Data Subjects whose data will be processed by the new technology. Consideration should include:
- The purposes for which personal data is being processed and the kinds of processing carried out
- An assessment of the necessity and proportionality of the processing with respect to the purposes for which it is being processed
- An assessment of the risks to the Data Subjects from the processing
- Details of steps to be taken to minimise any risk to the Data Subjects from the processing
- Data breaches
- A data breach occurs when any personal data is processed or accessed unlawfully. This may be due to a breach in security but relates to the situation where data is accessed, destroyed or altered without the appropriate authority
- Everyone has a duty to report any suspected breaches of data protection to me
- Any data breaches will be handled by me in line with the Data Breach policy
Access by third parties
- Any requests to access client data from external parties such as the Police or a government department should be checked by me to ensure it is lawful for me to disclose the data requested
- Any complaints made to the business about the processing of personal data are to be passed, immediately, to me. This includes complaints from data subjects and information requests or correspondence from the Information Commissioner’s Office
- International transfer
- The company may, from time to time, transfer or process personal data outside the EU. Transfer or processing of data outside the EU will only take place when:
- The transfer is to a country that the European Commission has determined ensures an adequate level of protection for personal data
- The transfer is to a country or organisation which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the Regulation); contractual clauses agreed and authorised by the Information Commissioner’s Office; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the ICO
- The transfer is made with the informed consent of the relevant Data Subjects
- The transfer is necessary for the performance of a contract between the Data Subject and me (or for pre-contractual steps taken at the request of the Data Subject)
- When data is to be transferred, or processed outside the EU for the first time the transfer must be authorised by me.