1. Purpose and objectives
This Statement forms part of H.A. McIlrath & Sons Ltd's commitment to safeguarding the personal data it processes. (Processing has a very broad definition, and includes activities such as creating, storing, consulting, amending, disclosing and destroying data.) Its objectives are:
• To help employees and customers recognise personal data
• To help them understand their rights and obligations with respect to personal data.
H.A. McIlrath & Sons Ltd processes the personal data of its employees and customers. This processing is regulated by the General Data Protection Regulation (GDPR), effective from 25th May 2018.
It is the duty of data controllers such as H.A. McIlrath and Sons Ltd to comply with the data protection principles in respect of personal data. This policy describes how HA McIlrath and Sons Ltd will discharge those duties in order to ensure continuing compliance with the GDPR in general, and with the data protection principles and the rights of data subjects in particular.
“Personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.” Personal data can include your contact information, marital status, payroll records, training records and CCTV images.
Sensitive personal data
Sensitive personal data is information about:
• the racial or ethnic origin of data subjects
• their political opinions
• their religious beliefs or other beliefs of a similar nature
• whether they are members of a trade union
• their physical or mental health or condition
• the commission or alleged commission by them of any offence, and any proceedings for such offences.
Although the DPA does not define ‘health’, the term should be understood broadly, to include preventative medicine, medical diagnosis, DNA sequences, medical research, provision of care and treatment and the management of healthcare services.
Personal demographic data, such as personal addresses and financial data (including salaries) are not sensitive personal data, but should be treated with similar care.
Manual Personal Data
Personal data recorded as part of a relevant filing system in paper or other non-electronic format.
Processing
Obtaining, recording or holding personal data, or carrying out any operation on it. This includes organisation, adaptation or alteration; retrieval, consultation or use; disclosure; and alignment, combination, blocking, erasure or destruction.
Relevant Filing System
Manual personal data structured by reference to individuals in such a way that information relating to a particular individual is readily accessible.
A collection of one or more data sets or files that are being processed for permitted purposes under the direction of a clearly identified member of HA McIlrath and Sons Ltd staff - the Data Owner.
Data Controller
As the organisation which determines the purposes and means of the processing, HA McIlrath and Sons Ltd is the Data Controller for the personal data that it manages.
Data Protection Officer
The HA McIlrath and Sons Ltd member of staff with lead responsibility for compliance with the GDPR.
Data Subject
A living individual who is the subject of personal data.
Data Processor
Any third party (other than H.A. McIlrath and Sons Ltd employees) who processes personal data on behalf of, and on the instructions of, the Data Controller.
4. Purposes for which We Will Use Your Personal Data
We may use your personal data to:
• Register you as a new customer
• Process and deliver your order, including managing payments, fees and charges, and collecting and recovering money owed to us
• Administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
• Deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
• Make suggestions and recommendations to you about goods or services that may be of interest to you
5. How We Use Your Personal Data
We use, and share your data where:
• you have agreed or explicitly consented to the use of your data in a specific way (you may withdraw your consent at any time)
• use is necessary in relation to a service or a contract you have entered into or because you have asked for something to be done
• use is necessary because we have to comply with a legal obligation
• use is necessary to protect your “vital interests” in exceptional circumstances
• use is necessary for our legitimate interests (which you may object to), such as managing our business, including credit risk management, training and strategic planning.
6. Who We Share Your Information With:
When providing our services to you, we may share your information with:
• your authorised representatives
• third parties with whom (i) we need to share your information in order to facilitate transactions you have requested, or (ii) you have asked us to share your information
• service providers who provide us with support services and services in connection with our business
• statutory and regulatory bodies
• trade associations and professional bodies
• business or other partners.
7. Roles and Responsibilities
Data Protection Officer
The Data Protection Officer has primary responsibility for HA McIlrath & Sons Ltd compliance with the GDPR. This comprises:
• maintaining H.A. McIlrath & Sons Ltd's notification with the Information Commissioner's Office
• handling subject access requests and requests from third parties for personal data
• promoting and maintaining awareness of the GDPR and related regulations, including through training
• investigating losses and unauthorised disclosures of personal data.
Directors are responsible for ensuring their staff understand the role of the data protection principles in their day-to-day work, through induction, training and performance monitoring, and for monitoring compliance within their own areas of responsibility.
Data Owners are responsible for:
• establishing and monitoring measures, in accordance with this policy and the information security policy, to protect any holdings of personal data for which they are responsible
• ensuring that any transfer of personal data to third parties is authorised, lawful and uses appropriate safe transport mechanisms such as encryption.
• authorising the downloading of electronic personal data on to portable devices or the removal of manual personal data from HA McIlrath and Sons Ltd premises
All employees are responsible for:
• ensuring that their processing of personal data, including research data, in all formats (e.g. electronic, paper, etc.) is compatible with the data protection principles
• raising any concerns in respect of the processing of personal data with the Data Protection Officer
• promptly passing on to the Data Protection Officer all subject access requests and requests from third parties for personal data
• reporting losses or unauthorised disclosures of personal data to the Data Protection Officer.
8. Security of personal data
All employees processing personal data should ensure that the data are secure: appropriate measures must be taken to prevent unauthorised access, disclosure and loss.
It is rarely necessary to store electronic personal data on portable devices such as laptops, USB flash drives, portable hard drives, CDs, DVDs, or any computer not owned by HA McIlrath and Sons Ltd. Similarly, manual personal data should not be regularly removed from HA McIlrath and Sons Ltd premises. In the case of electronic data, to minimise the risk of loss or disclosure, a secure remote connection to HA McIlrath and Sons Ltd systems should be used wherever possible instead of copying the data.
Downloading personal data on to portable devices or taking manual personal data off-site must be authorised in writing by the Data Owner, who must explain and justify the operational need in relation to the volume and sensitivity of the data. The data must be strongly encrypted. Users should only store the data necessary for their immediate needs and should remove the data as soon as possible. Because encrypted data cannot be recovered if the encryption software fails or the key is lost, the portable copy must never be the only copy: a copy of the data must be retained in HA McIlrath and Sons Ltd's secure environment.
Manual personal data and portable electronic devices should be stored in locked units, and they should not be left on desks overnight or in view of third parties.
Personal data should be securely destroyed when no longer required, with consideration for the format of the data.
Personal data must not be disclosed unlawfully to any third party. Transfers of personal data to third parties must be authorised in writing by the data owner and protected by adequate contractual provisions or data processor agreements, and must use safe transport mechanisms.
All losses of personal data must be reported to the Data Protection Officer. Negligent loss or unauthorised disclosure of personal data, or failure to report such events, may be treated as a disciplinary matter and could be considered gross misconduct.
9. Access to personal data
9.1 Subject access rights
Data subjects have a right of access to their personal data, including some unstructured manual personal data. Subject access requests must be made in writing and sent to the Data Protection Officer, and data subjects must prove their identity before any data are released.
Copies will be provided in permanent form promptly, and in any event within 30 days.
Some personal data may be exempt from the right of subject access.
10. How to Exercise Your Information Rights including the Right to Object
From 25 May 2018 you have several enhanced rights in relation to how we use your information, including the right, without undue delay, to:
• find out if we use your information, access your information and receive copies of your information
• have inaccurate/incomplete information corrected and updated
• object to particular use of your personal data for our legitimate business interests or direct marketing purposes
• in certain circumstances, to have your information deleted or our use of your data restricted
• in certain circumstances, a right not to be subject to solely automated decisions and where we make such automated decisions, a right to have a person review the decision
• exercise the right to data portability (i.e. obtain a transferable copy of your information we hold to transfer to another provider) and
• to withdraw consent at any time where processing is based on consent