This policy relates to Link365 Ltd, we will comply with the Data Protection Legislation by following a number of important principles regarding the privacy and disclosure of information. The purpose of this policy is to ensure that Link365 staff are aware of their obligations when handling personal information which identifies a natural living person and that individuals internally and externally are aware of their rights.
In the United Kingdom and the European Economic Area (EEA), "Data Protection Legislation" means all applicable data protection and privacy legislation or regulations including The Privacy and Electronic Communications (EC Directive) Regulations 2003 (also known as PECR) and any guidance or codes of practice issued by the European Data Protection Board or the Information Commissioner, together with:
- prior to 25 May 2018, the UK Data Protection Act 1998; and
- from 25 May 2018 onwards Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "Data Protection Legislation”), as amended by the UK Data Protection Bill and/or relevant acts of parliament
- Outside of the EEA, "Data Protection Legislation” means local, territorial data protection and privacy legislation that governs the processing of Personal Data
This policy has been drafted and approved in agreement with the Link365 Data Protection office. It establishes a policy that:
- is appropriate and fit for purpose for the provision within Link365
- provides a framework for effective data protection within Link356
- endeavours to balance the need for effective governance with agile process
- ensures Executive Directors are accountable for business processes/operations
- ensures Directors and Heads of Department are responsible for defining processes/operations
- empowers LINK365staff to work within the parameters of defined processes/operations.
The data protection policy shall:
- be communicated within the organisation and externally
- be managed and maintained effectively in accordance with company process
- be available to interested parties, as appropriate.
When does this policy apply?
The Data Protection Legislation and therefore this policy applies to any situation where personal data for a natural living person can be identified. The protection of personal privacy is very important to Link365 and any personal data collected and used MUST be treated in accordance with current Data Protection Legislation.
What is covered by this policy
The capture, storage, processing, management, distribution and secure destruction of any personal data for natural living persons connected with Link365.
The Link365 Committee is committed to applying the Data Protection Legislation throughout our organisation.
To operate efficiently, Link365 needs to collect and use personal information relating to current, past and prospective suppliers, clients, customers and others who we communicate with.
To enable Link365 to meet our data protection commitments, whilst protecting our reputation, we must adopt appropriate and relevant data protection and privacy standards, guidelines and requirements for legal, regulatory or legitimate organisational purposes. When dealing with personal data Link365are committed to:
- processing personal information only where this is strictly necessary in a fair, transparent and lawful way, ensuring it is relevant and adequate
- keeping the information we hold to a minimum and only while we have a purpose to retain it in line with company policy
- carrying out data protection impact assessments, as appropriate, where personal data is being processed
- having in place written contracts with organisations who process personal data on our behalf in support of delivering our business
- maintaining full records of personal information processed by ourselves including the categories and purposes for each category
- keeping accurate personal information, updating as appropriate, storing securely and not holding for any longer than necessary, ensuring that we dispose of it appropriately
- taking a ‘data protection by design and default’ approach, adopting and implementing the appropriate technical and organisational security measures throughout the entire lifecycle of our processing operations, including maintaining effective data protection policies to safeguard personal information
- adhering to relevant codes of conduct and signing up to certification schemes where appropriate and necessary
- only transferring personal information outside the UK in circumstances where it can be adequately protected
- providing a strategy for dealing with regulators across the EU (EEA) where services are offered to individuals who are resident in other EU (EEA) countries
- ensuring that people know about their rights to see the personal information we hold about them and that we respond appropriately, taking into account the exemptions allowed by Data Protection Legislation, should a request for access, rectification or erasure (the right to be forgotten) be received.
- we clearly describe the ways in which personal information is treated with a commitment to continuous improvement and will communicate to train and support internal departments and external organisations as appropriate
- staff handling personal information understand that they are responsible for following good practice, they will receive appropriate training and are properly supervised.
- anybody wanting to make enquiries about handling personal information knows what to do
- in the event of a data or privacy breach, we take swift and appropriate steps to minimise any reputational damage to Link365 and any affected third parties and endeavour to minimise any associated business disruption
Individuals have the right to the following, subject to Data Protection guidelines:
- To be informed as to the purpose of the processing and the lawful basis for this processing
- To access their personal data and to request rectification or erasure if it is inaccurate or incomplete
- To restrict and/or object to the processing of their data
- To data portability, allowing them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way
- Where we use automated individual decision-making including profiling, we ensure this is necessary as part of a contract, is lawful and/or based on the individual’s consent.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
If a data breach occurs, the Data Protection office must be informed by telephone to the appropriate person immediately. We will investigate, record and take any steps required to minimise the risk of further unlawful disclosure.
What is excluded from this policy
This policy is not required to cover information held for deceased individuals. However, it should be noted that it is best practice to apply the same principles.
Failure to comply with this policy
Failure to comply with this policy may result in an increased risk to Link365. Data processing arrangements that are not in line with DATA PROTECTION LEGISLATION create unnecessary risk and Link365 would have minimal legal protection in the event of a challenge being made. Staff who do not comply with this policy may be subject to disciplinary action.