Data Protection Policy
AIMS OF THIS POLICY
The Data Protection Act 1998 (“DPA”) gives rights to all individuals. The rights relate to how information about them is obtained, used and processed. This policy describes how JSR Management & HR Consultancy Services Ltd aim to meet our obligations under the DPA. Our aim is to look after information about you in your best interests and in compliance with the DPA, whilst ensuring that we can use it for the legitimate purposes of our business.
JSR Management & HR Consultancy Services Ltd take data protection seriously and have appointed a Data Protection Officer. Their contact details are given at the end of this policy.
WHAT INFORMATION IS COVERED BY THE DPA?
Any information relating to a living individual who can be identified from that information falls under the remit of the DPA. Such information is called “Personal Data”, and covers information held manually or electronically. Some examples of Personal Data which may be used by us in our day-to-day business include names, addresses, telephone numbers, bank and financial details.
The DPA defines a special category of Personal Data which it calls “Sensitive Personal Data”. This includes information relating to health, religion and criminal records. Financial information is not included in this category.
Organisations and businesses are legally obliged to comply with the DPA if they use Personal Data in almost any way whatsoever. The DPA sets out a series of principles to be met for compliance, and we set out below how we aim to comply with these principles.
Principle 1: Use of Personal Data must be fair and lawful
JSR Management & HR Consultancy Services Ltd aim to ensure that wherever possible individuals are advised of the Personal Data which has been obtained or retained, its source and the purposes for which such Personal Data may be used or disclosed. If we give this information to the individual at the time the Personal Data is collected, in the main we will conclude that the individual has given consent when providing that Personal Data. For example, where you provide us with your bank account details or National Insurance Number, etc.
If the Personal Data is not received directly from the individual concerned, then we will try to ensure that we have authority to use this information, and that we will let the individual know that we are holding and using that additional information as soon as possible. If the reasons for using Personal Data change, then we aim to notify the individual at that point.
If we are using Sensitive Personal Data, consent cannot be deemed, and we aim to obtain explicit consent. If there is no explicit consent and the information has not been received directly from the individual, we will not process this information unless we are lawfully entitled to do so or we obtain the relevant consents.
Occasionally, another specific part of the DPA can justify processing of Personal Data without consent where it is necessary for a particular reason set out in the DPA, and we may use this in certain circumstances, e.g. for crime prevention.
Principle 2: Personal Data must only be used for specified lawful purposes.
JSR Management & HR Consultancy Services Ltd only use Personal Data for a lawful purpose, and where it is covered by our notification to the Information Commissioner.
We are required to notify the Information Commissioner (formerly known as the Data Protection Commissioner) about our use and processing of Personal Data.
We will review and co-ordinate the processing of Personal Data in accordance with the DPA and recommended good practice. We will try only to process Personal Data within the remit of the relevant notifications.
Principle 3: Personal Data to be adequate, relevant and not excessive
The Personal Data held and used by JSR Management & HR Consultancy Services Ltd will be adequate, relevant and not excessive for the reasons for which we are holding it.
Whilst this is a question of fact in each case, we will try to ensure that the Personal Data we collect is specific and relevant to the particular reason for which we need it. Whilst we may use all Personal Data necessary on which to base any decision that is to be taken for those reasons, we will not collect Personal Data that is simply useful rather than necessary.
Principle 4: Personal Data to be accurate
The best way to ensure that Personal Data is accurate is for us to check this with the individual at the time it is collected. But Personal Data can change from time to time. Examples of this include address and contact details, bank accounts and financial arrangements. Use of inaccurate or out-of-date information may conceivably cause some harm to the individual. We will try to keep Personal Data up to date. We may periodically, but at least once a year, ask individuals to tell us about any changes to the Personal Data they provide, and to confirm that the Personal Data we hold is correct.
If Personal Data is held or used for long periods of time and there is the possibility that some or all of the Personal Data held may become inaccurate, we will carry out regular reviews of the Personal Data by the most cost effective method to update this Personal Data.
Principle 5: Personal Data not to be kept for longer than is necessary
JSR Management & HR Consultancy Services Ltd endeavour to not keep Personal Data for longer than is necessary for the reasons for which we need it. This includes as long as may be necessary for the purpose of defending any legal proceedings brought against us in relation to the use of the Personal Data or as required by law, any regulatory body or recommended by any relevant code of practice.
We will review the nature of information being collected or held regularly to ensure there is a sound business reason requiring the information to be held.
Principle 6: Personal Data must be processed in accordance with individuals’ rights
Individuals have rights in relation to Personal Data processed about them. These include the right to have copies made available on request in most circumstances. This is called the right of subject access. We will deal with requests for copies of Personal Data in accordance with the provisions of the DPA. Generally, if such a request is made, we will:
- advise the individual whether we are using Personal Data about them;
- if so, give the individual a description of that Personal Data, the purposes for which it is being processed and to whom it is or may be disclosed;
- provide the individual with copies (unless the costs of such permanent format would be disproportionate) of the Personal Data.
All subject access requests should be dealt with by us within 40 days of receipt of the request from the individual in writing, together with a £20 fee. Any such requests should be made to the Data Protection Officer.
If compliance with a subject access request requires the disclosure of information relating to an identifiable third party, then we will not disclose the Personal Data unless either the third party has consented; or it is otherwise reasonable to comply with the request without such third party consent; or the Personal Data has been edited prior to disclosure so that the identity of third parties is not discernible.
Individuals have other rights under the DPA including:-
- no use to be made of Personal Data which will or is likely to cause substantial and unwarranted damage or distress to the individual;
- the right to be notified of any decisions made solely on the basis of automatic processing, such as creditworthiness, together with the logic for that decision making;
- the right to have any decision based solely on automatic processing reviewed upon written request.
JSR Management & HR Consultancy Services Ltd will not direct market any individuals (including business partnerships) unless we are entitled to do so under the DPA. We will comply with any request by an individual not to receive direct marketing information.
We will comply with any emailed elections to us requesting not to receive marketing or contact by telephone or mail.
Principle 7: Appropriate security must be applied to all Personal Data
The DPA provides that appropriate technical and organisational measures must be taken to prevent unauthorised or unlawful processing, accidental loss of, or destruction of, or damage to, Personal Data. Special security measures may be required to be put in place in the case of Sensitive Personal Data.
JSR Management & HR Consultancy Services Ltd have internal procedures to meet these requirements, and take very seriously the security of Personal Data. Our procedures include:-
- computer security, including the use of firewalls, passwords, virus updates, back-up procedures;
- controlling access to Personal Data, including checking the authenticity of persons to whom Personal Data is disclosed, limiting personnel access to Personal Data, procedures for disposing of Personal Data;
- steps to reduce the chances of the destruction of Personal Data, including taking appropriate precautions against burglary, fire and natural disaster;
- detecting and dealing with security breaches.
To ensure that any third party who is processing Personal Data maintains the same standards in relation to security as us, we ask them to sign our data processing agreement.
Our aim in this Data Protection policy is to show how we aim to meet the legal rights of individuals. If you have any queries about the policy, our Data Protection officer will be pleased to advise you. Their contact details are as follows:
Mr John Robertson, Managing Director
JSR Management & HR Consultancy Services Ltd
6 Paignton Road, Southampton, SO16 4NP