Data protection policy on the handling of employee and third party data

1. Introduction

Envira-Mech Services is committed to doing business with integrity, which includes taking good care of the personal information of our employees, customers and other people that we use as part of doing business.

The processing of personal information is integral to many of our operations. It ensures that we can meet the expectations of our customers and improve our service to them. Personal information is also essential in how we look after our employees. The people whose information we use trust us to safeguard that information.

If we fail to put in place the right controls to ensure that personal information is not abused, lost, passed to unauthorised parties or allowed to become out of date, then we lose the trust of those whose information we are looking after and we might also be breaking the law.

The General Data Protection Regulation 2016 (referred to as the “GDPR”) provides rules which apply to the collection, use, disclosure, interception, monitoring and transfer abroad of information about individuals which includes employee and customer personal data. The GDPR sets out the principles that Envira-Mech Services must follow when processing personal data about individuals and also gives individuals certain rights in relation to personal data that is held about them.
Related legislation, the e-Privacy Regulation, sets out rules about use of personal data for marketing by email, SMS and telephone. Compliance with this policy will also address the requirements of the e-Privacy Regulation.

The aims of this policy are:

• To assist Envira-Mech Services in meeting its obligations under the GDPR;

• To regulate Envira-Mech Services' use and collection of information relating to employees and others who work for Envira-Mech Services (e.g. contractors or agents); and

• To ensure that employees and others working for Envira-Mech Services are aware of both their rights in relation to the personal data that Envira-Mech Services holds about them, and their responsibilities as regards personal data they may process about customers and other individuals as part of their job.
For ease of reference, this policy refers to “employees”, but it applies equally to others working for Envira-Mech Services.

2. Data Protection Principles

The GDPR is framed around clear data protection principles. Envira-Mech Services and its employees must observe these data protection principles and be able to show that appropriate steps have been taken to ensure compliance with the principles. In summary these state that personal data must:

• Be obtained and processed fairly;

• Be used and disclosed for specified, explicit and legitimate purposes and not in any manner incompatible with those purposes;

• Be adequate, relevant and not excessive;

• Be accurate, complete and up-to-date;

• Not be kept for longer than is necessary for the purpose(s) for which it was obtained;

• Be processed in line with the rights given to individuals under the GDPR;

• Be kept safe and secure.
Importantly, Envira-Mech Services must be able to demonstrate to the relevant authority that we have taken appropriate measures to ensure that we are complying with these principles.

All employees have an obligation to comply with these principles where appropriate.

What is Personal Data?
Personal data is data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. The data protection principles apply to any sort of personal data which is either electronically processed (e.g. on a database) or which is held or intended to be held in a structured filing system (e.g. a set of personnel files).

Certain personal data is classified as “sensitive personal data”. This is personal data relating to a person’s racial or ethnic origin, biometric or genetic data, political opinions, religious or philosophical beliefs, membership of a trade union, physical or mental health, sexual life or any criminal offence or related proceedings. For example, Envira-Mech Services may, where necessary in connection with employment, collect and process sensitive personal data in respect of your health.

3. What We Have To Tell People When We Collect Their Information

When Envira-Mech Services obtains information about an individual, we need to be transparent about who we are and how we will use the information. We always need to provide:

• Company contact details and details of the person responsible for data protection in Envira-Mech Services.

• The purposes of the processing for which the information is being obtained as well as the legal basis for the processing (e.g. legitimate interests of Envira-Mech Services);

• Who outside Envira-Mech Services will receive the information (any such transfer to a third party needs to follow the rules in this Policy);

• Where applicable, the fact that Envira-Mech Services intends to transfer the information to a company based in a country outside the European Economic Area;

• Any additional information necessary to be fair and transparent in our use of the information;

• The period for which the information will be stored, or if that is not possible, how we determine that period;

• The existence of the right to request from Envira-Mech Services access to and rectification or erasure of the information, or restriction of our use of the information concerning them, or to object to our use of the information, as well as the right to ask us to transfer the information to someone else;

• The existence of the right to withdraw consent at any time (if the use of information is based on consent);

• The right to lodge a complaint with the relevant regulating authority;

• Whether the provision of the information is a statutory (i.e. legal) or contractual requirement; and

• The existence of any automated decision-making (e.g. by a computer programme), and meaningful information about the process involved, the significance of, and the envisaged consequences of such use.

4. Employee Data

“Processing” includes the obtaining, recording, keeping and disclosing of data. Generally, processing of employee personal data is undertaken by Envira-Mech Services for its legitimate interests, for example where the processing is necessary for compliance with a legal obligation or where the processing is necessary for the performance of the employer / employee contract.

Nature of Employee Information
Envira-Mech Services holds and processes certain information constituting personal data about you as part of its general employee records, which may include your address, contact details, payroll details, educational history, position, etc. Employee information is also held on HR and operational databases. In some cases, your manager might also hold employee information in his or her own files.

Sensitive personal data may include records of sickness absence, medical certificates and medical reports. The purpose of processing this type of information is generally to manage the application process, to administer benefit plans, to monitor and manage sickness absence and to comply with health and safety legislation. If sensitive personal data relating to you is being processed for reasons other than those set out above or otherwise permitted by law, your specific consent will be sought.

Purpose of Processing General Employee Information
Envira-Mech Services needs to collect and use personal data about employees for a variety of personnel, administration, work and general business management purposes. These include administration of the payroll system, pension scheme, life insurance, the administration of employee benefits (such as leave entitlements), facilitating the management of work and employees, carrying out appraisals, performance and salary reviews, operating and checking compliance with Envira-Mech Services employment rules and policies, operating Envira-Mech Services IT and communications systems, checking for unauthorised use of those systems, protection of its legitimate business interests and to comply with record keeping and other legal obligations. Envira-Mech Services considers this processing to be in its legitimate interest.

Keeping Employee Information
Envira-Mech Services will take steps to ensure that the employee information it holds is accurate and up-to-date. For example, you are asked to inform Envira-Mech Services of any changes which we need to make to update your employee information (such as a change of address). From time to time you will be asked to supply updated personal information as part of our annual review of personal data held to ensure that Envira-Mech Services meets its data protection obligations. Envira-Mech Services will also take steps to ensure that it does not keep any information about employees for longer than is necessary.

Transfer of Employee Information
The Company may make some information about you available to Envira-Mech Services advisers and/or data processors such as lawyers, accountants, payroll administrators, benefits providers (for example, pension scheme providers), to those providing products or services to Envira-Mech Services (such as IT and other outsourcing providers) and to government and/or regulatory authorities. These recipients may be located outside the European Economic Area. In such cases, Envira-Mech Services will ensure that the recipients of the information, both within and outside Envira-Mech Services, comply with the contents of this policy and relevant EU law. Information about an employee may also be transferred to another company within the Group solely for purposes connected with career development or the management of the business.

If you are involved in transferring any data for processing on behalf of Envira-Mech Services to a third party you must ensure that a Data Processing Agreement is signed by the third party (see schedule 3).

Your Rights under the Data Protection Rules
The GDPR gives you (and anyone else about whom personal data is held) specific rights in relation to the information that is held about you. Some of these rights are summarised below.

Under the GDPR you have the right to:

• know that information is being processed;

• access information that is being processed;

• rectification of information being processed;

• erasure of information held on you (commonly known as the right to be forgotten);

• restrict processing;

• be notified about what information has been rectified, erased and restricted;

• portability (that is, to request your data be handed over to someone else);

• object to the processing of your information.

It is important to note that this is not an absolute right to review all the information that is held about you, as there are various exceptions to this right contained in the GDPR. These include:

(a) where personal data is kept for the purpose of preventing, detecting or investigating offences and related matters; and

(b) where the data is given by another person in confidence.

5. Your Responsibilities under the Data Protection Rules

As well as having rights under the GDPR, all employees, when processing personal data, must comply with the data protection rules set out in this policy. Failure to comply with the rules and requirements in relation to data protection may result in disciplinary action being taken against you. In particular please note the following:

Your Personal Information
In order to assist Envira-Mech Services in ensuring that your personal information is kept up to date, you should inform ( of any changes in the following information:

• Address and other contact details;

• Emergency contact name (employees only);

• Bank account details; and

• Marital status (employees only).

Personal Information Relating to Others

• If, as part of your job, you hold any personal information about other employees of Envira-Mech Services or about anyone else then you also need to take steps to ensure that you are following the guidelines set out below. Please note that the following guidelines apply equally to documents containing personal information which are kept in files, as well as information which is kept electronically.

• You should not keep personal information about people which you no longer need or which is out of date or inaccurate. You should therefore review any personal information that you hold from time to time, bearing these principles in mind.

• All personal information must be kept securely and should remain confidential. You should be careful not to inadvertently disclose documents by sending data via email, reading sensitive documents in a public place or using laptops, smart phones etc on public transport or in a public place.

• Sensitive data should be treated even more carefully. For example, you should keep sensitive data locked in a filing cabinet with restricted access and stored only on encrypted devices.

• If you receive a request from someone to give them any personal data about an employee (or other individual) you should refer them to your Manager. Envira-Mech Services Ltd needs to verify the identity of the person making such a request and has to balance various considerations when deciding whether and how to respond to such request, including compliance with the GDPR.

• Accessing, disclosing or otherwise using employee records or other personal data without authority will be treated as a serious disciplinary offence and may result in disciplinary action being taken in accordance with Envira-Mech Services disciplinary procedure up to and including dismissal. If you breach this Policy as an individual then the relevant data protection regulator may take action directly against you.

• If you are sending data to a third party to do work for the company then remember to put in place a Data Processing Agreement (schedule 3) unless data protection is covered in the contract already.

If you are unsure about the application of these guidelines to the information you hold as part of your job, you should ask for advice from your manager. Envira-Mech Services will provide you with training to help you understand what you have to do.

Breach of this Policy will be a disciplinary matter and may result in sanctions being put in place under our disciplinary policy, up to and including dismissal.

6. Monitoring and Interception

You are entitled to know about any monitoring of electronic and telephone communications systems or CCTV surveillance that Envira-Mech Services may undertake. CCTV monitoring will be indicated by signage. From time to time Envira-Mech Services may have to undertake covert monitoring for purposes of security or otherwise to protect its legitimate business interests. All covert monitoring must be authorised by a Director using the Impact Assessment form at Schedule 1.

For some vehicles, Envira-Mech Services might use telematic or vehicle tracking systems for safety, security and business efficiency purposes.

7. Third Party Data (such as customer, suppliers, contractors etc)

Our Commitment To Protecting the Personal Information Of Customers and Other Third Parties

Privacy of customer, supplier and contractor data is important to Envira-Mech Services.

The Way Envira-Mech Services Uses Customer Information

Envira-Mech Services uses the information a customer provides when placing an order only to complete that order, maintain high levels of customer service and to contact them about buying more of those products for a limited time afterwards. We do not share this information with outside parties except to the extent necessary to complete that order. On occasions it may be necessary for us to communicate with the customer for administrative or operational reasons relating to the services provided.

We use return email addresses to answer the email we receive. Such addresses are not used for any other purpose, apart from and are not shared with outside parties.

When obtaining customer contact details, Envira-Mech Services will either rely on its legitimate interest to market its products to customers or will seek the customer’s permission about use of the customer’s data and contact preferences. Where there is a legitimate interest or the customer has consented, contact details may be used to supply information to the customer by telephone, SMS, email or post, about Envira-Mech Services and to send occasional promotional material, such as information about special offers which we think the customer might find valuable. We must always make clear that the customer may opt out from receiving future information at any time.

Envira-Mech Services could on occasion email or telephone Customers if they have provided their contact details to us as part of a transaction in which they bought goods from us, unless we receive notification from the Customer that they wish to opt out of receiving any future communication from us in regards to our products and services.

Our Commitment To Data Security
To prevent unauthorised access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect. Access to the information which is provided by customers will be limited to authorised employees as required for the purposes identified above as well as for IT security and maintenance.
Any personal information provided by a customer may be used to verify the customer’s identity and assist Envira-Mech Services in preventing or detecting fraud. As part of these checks customer information may be disclosed to credit reference agencies, who may keep a record of that information. This is not a credit check and the customer’s credit rating will be unaffected.

Customer / Third Party Access To Or Correction of Information Held About that Customer
A customer is able to withdraw his or her consent to processing or request access to all of his or her personal information that we collect online and maintain by writing to Envira-Mech Services (director responsible for data protection).

To protect privacy and security, we must take reasonable steps to verify the customer’s identity before granting access or making corrections.

The customer will need to confirm in writing (including by email) their full name, full address, date of birth and a description of the information required.

The GDPR allows Envira-Mech Services one month to provide the requested personal information. This starts from the date we receive the request containing enough information for us to identify the customer and locate the information requested and proof of identity (e.g. photocopy of driving licence). However, Envira-Mech Services will try to provide this information as soon as possible within this timescale.
A customer can correct factual errors in his or her personal information that we hold by sending us a request that credibly shows that there is an error in our records.

Data protection rights exist in voice and video recordings. We must treat video and voice recordings in the same way we treat other personal data.

Processing of Information by Service Providers on Our Behalf

Envira-Mech Services will sometimes need to use a third party to provide services on its behalf which will involve the use of customer or employee information, for example a mailing house for marketing purposes, outsourced IT solutions or a payroll services provider for the HR team.
If you are involved in transferring any data for processing on behalf of Envira-Mech Services to a third party you must ensure that a Data Processing Agreement is signed by the third party (see schedule 3).

Requests For Information By Police Etc.

Requests from the police and government departments are not data subject access requests but classed as requests for disclosure by a third party. The GDPR expressly provides that such requests may be exempt from the data protection principle regarding restriction of access to personal data if the conditions set out in the relevant exemptions apply, namely that there is a statutory right for them to have access to that information.

Although these are not subject access requests Envira-Mech Services must maintain a good audit trail, good tracking system and ensure that all disclosures are properly recorded with reasons given for the disclosure.
All requests that have been received by Envira-Mech Services should be referred to the [director responsible for data protection] who will log the request and handle the response process.
Any such request from the police, tax authorities or other government department should be referred to the [director responsible for data protection]. Please note that private organisations are not authorised to investigate criminal activity so the exemption may not apply.

The [director responsible for data protection] will:

• Maintain a log of all requests;

• Ensure these written requests are signed off by someone in authority in the requesting organisation in a formal request;

• Maintain a copy of information sent in response;

• If redactions (i.e. black outs) are applied, maintain the reasons for the redaction;

• Ensure that sent documents are signed off by the relevant manager; and

• Ensure an appropriately secure mode of despatch, e.g. recorded delivery, encryption.

For every request for personal information received through a formal request, the [director responsible for data protection] will ask the following questions:

• Am I sure the person is who they say they are (only formal written requests are to be processed)?

• Is the person asking for this information doing so under a statutory power or under a court order? Obtain written confirmation.

• If I do not release the personal information, will this significantly harm any attempt by the requesting authority to prevent crime or catch a suspect?

• If I do decide to release personal information, what is the minimum I should release for them to do their job?

• What else (if anything) do I need to know to be sure that the exemption applies?

8. Privacy By Design: Recording Decisions Which Affect Data Protection

The GDPR introduces the concept of a data protection impact assessment (a “DPIA”), which is a requirement when the business processes personal data which is “likely to result in a high risk to the rights and freedoms” of the subject of the data.

We will use DPIAs as a compliance tool to describe, assess and mitigate the risks to an individual’s rights and freedoms from the processing of personal data and also to demonstrate the measures we will take to ensure compliance. More details are set out in our DPIA Policy.

The minimal requirements for a DPIA are that the assessment shall contain at least:

• a systematic description of the envisaged processing operations and the purposes of the processing;

• an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

• an assessment of the risks to the rights and freedoms of data subjects; and

• the measures envisaged to address the risks.

We will always carry out a DPIA prior to introducing any new data processing or where changes to an existing process will have an impact on personal data. The ultimate accountability for ensuring a DPIA is in place lies with the data controller. Failure to comply with DPIA requirements under the GDPR can result in very substantial fines.

A single DPIA may be used for a single processing operation or to address a set of similar processing operations that present similar high risks, as long as sufficient consideration is given to the nature, scope, context and purpose of the processing. Situations that may particularly indicate a high risk which will require a DPIA include where we undertake the following:

• evaluation or scoring, including profiling or predicting;

• automated decision making with legal or similar significant effect;

• systematic monitoring;

• processing of sensitive data;

• data processed on a large scale;

• datasets that have been matched or combined;

• data concerning vulnerable data subjects;

• innovative use or applying technological or organisational solutions;

• data transfer across borders outside the European Union; and

• where the processing itself prevents data subjects from exercising a right or using a service or contract.

The DPIA will be a record of our decision-making process where we are taking any steps that have an impact on personal data in our business. A record of all DPIAs will be retained centrally by the [director responsible for data protection].

9. Any Questions About Data Protection or this Policy

All questions from customers or third parties about Envira-Mech Services' data protection policy should be referred to the [director responsible for data protection].