1. Purpose and objectives
This Statement forms part of H.A. McIlrath & Sons Ltd's commitment to
safeguarding the personal data it processes. (Processing has a very
broad definition, and includes activities such as creating, storing,
consulting, amending, disclosing and destroying data.) Its objectives
are:
• To help employees and customers recognise personal data
• To help them understand their rights and obligations with respect to personal data.
2. Introduction
H.A. McIlrath & Sons Ltd processes the personal data of its employees
and customers. This processing is regulated by the General Data
Protection Regulation (GDPR), effective from 25th May 2018.
It is the duty of data controllers such as H.A. McIlrath and Sons Ltd to
comply with the data protection principles with respect to personal
data. This policy describes how HA McIlrath and Sons Ltd will discharge
its duties in order to ensure continuing compliance with the GDPR in
general and the data protection principles and rights of data subjects
in particular.
3. Definitions
Personal Data[1]
“Personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of,
or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any
indication of the intentions of the data controller or any other person
in respect of the individual”. Personal data can include your contact
information, marital status, payroll records, training records, CCTV
images.
Sensitive personal data[2]
Information about:
• the racial or ethnic origin of data subjects
• their political opinions
• their religious beliefs or other beliefs of a similar nature
• whether they are members of a trade union
• their physical or mental health or condition
• the commission or alleged commission by them of any offence, and any proceedings for such offences.
Although the DPA does not define ‘health’, the term should be understood
broadly, to include preventative medicine, medical diagnosis, DNA
sequences, medical research, provision of care and treatment and the
management of healthcare services.
Personal demographic data, such as personal addresses and financial data
(including salaries) are not sensitive personal data, but should be
treated with similar care.
Manual Personal Data
Personal data recorded as part of a relevant filing system in paper or other non-electronic format.
Processing[3]
Obtaining, recording or holding personal data. This includes
organisation, adaptation or alteration; retrieval, consultation or use;
disclosure; and alignment, combination, blocking, erasure or
destruction.
Relevant Filing System[3]
Manual personal data structured by reference to individuals in such a
way that information relating to a particular individual is readily
accessible.
Data Holding
A collection of one or more data sets or files that are being processed
for permitted purposes under the direction of a clearly identified
member of HA McIlrath and Sons Ltd staff: the Data Owner.
Data Controller
As the organisation which determines the purposes of the processing, HA
McIlrath and Sons is the Data Controller for the personal data that it
manages.
Data Protection Officer
The HA McIlrath and Sons Ltd member of staff with lead responsibility for compliance with the GDPR.
Data Subject[4]
A living individual who is the subject of personal data
Data Processor[4]
Any third party (other than H.A. McIlrath and Sons Ltd employees) who
processes personal data on behalf of and on the instructions of the Data
Controller.
4. Purposes for which We Will Use Your Personal Data
We may use your personal data to:
• Register you as a new customer
• Process and deliver your order, including managing payments, fees and charges, and collecting and recovering money owed to us
• Manage our relationship with you, including notifying you about our terms or privacy policy
• Administer and protect our business and our website (including
troubleshooting, data analysis, testing, system maintenance, support,
reporting and hosting of data)
• Deliver relevant website content and advertisements to you and measure
or understand the effectiveness of the advertising we serve to you
• Make suggestions and recommendations to you about goods or services that may be of interest to you
5. How We Use Your Personal Data
We use and share your data where:
• you have agreed or explicitly consented to the use of your data in a specific way (you may withdraw your consent at any time)
• use is necessary in relation to a service or a contract you have
entered into or because you have asked for something to be done
• use is necessary because we have to comply with a legal obligation
• use is necessary to protect your “vital interests” in exceptional circumstances
• use is for our legitimate interests (which you may object to), such as
managing our business, including credit risk management, training and
strategic planning.
6. Who We Share Your Information With
When providing our services to you, we may share your information with:
• your authorised representatives
• third parties with whom (i) we need to share your information to
facilitate transactions you have requested, and (ii) you ask us to share
your information
• service providers who provide us with support services and services in connection with our business
• statutory and regulatory bodies
• trade associations and professional bodies
• business or other partners.
7. Roles and Responsibilities
Data Protection Officer
The Data Protection Officer has primary responsibility for HA McIlrath & Sons Ltd's compliance with the GDPR. This comprises:
• maintaining H.A. McIlrath & Sons Ltd's notification with the Information Commissioner’s Office
• handling subject access requests and requests from third parties for personal data
• promoting and maintaining awareness of the GDPR and regulations, including training
• investigating losses and unauthorised disclosures of personal data.
Directors
Directors are responsible for ensuring their staff understand the role
of the data protection principles in their day-to-day work, through
induction, training and performance monitoring, and for monitoring
compliance within their own areas of responsibility.
Data Owner
Data Owners are responsible for:
• establishing and monitoring measures, in accordance with this policy
and the information security policy, to protect any holdings of personal
data for which they are responsible
• ensuring that any transfer of personal data to third parties is
authorised, lawful and uses appropriate safe transport mechanisms such
as encryption.
• authorising the downloading of electronic personal data on to portable
devices or the removal of manual personal data from HA McIlrath and
Sons Ltd premises
Employees
All employees are responsible for:
• ensuring that their processing of personal data, including research
data, in all formats (e.g. electronic, paper, etc.) is compatible with
the data protection principles
• raising any concerns in respect of the processing of personal data with the Data Protection Officer
• promptly passing on to the Data Protection Officer all subject access
requests and requests from third parties for personal data
• reporting losses or unauthorised disclosures of personal data to the Data Protection Officer.
8. Security of personal data
All employees processing personal data should ensure that the data are
secure: appropriate measures must be taken to prevent unauthorised
access, disclosure and loss.
It is rarely necessary to store electronic personal data on portable devices such as laptops, USB flash drives, portable hard drives, CDs, DVDs, or any computer not owned by HA McIlrath and Sons Ltd. Similarly, manual personal data should not be regularly removed from HA McIlrath and Sons Ltd premises. In the case of electronic data, to minimise the risk of loss or disclosure, a secure remote connection to HA McIlrath and Sons Ltd should be used wherever possible.
Downloading personal data on to portable devices or taking manual personal data off-site must be authorised in writing by the Data Owner, who must explain and justify the operational need in relation to the volume and sensitivity of the data. The data must be strongly encrypted. Users should only store the data necessary for their immediate needs and should remove the data as soon as possible. To avoid loss of encrypted data, or in case of failure of the encryption software, an unencrypted copy of the data must be held in a secure environment.
Manual personal data and portable electronic devices should be stored
in locked units, and they should not be left on desks overnight or in
view of third parties.
Personal data should be securely destroyed when no longer required, with consideration for the format of the data.
Personal data must not be disclosed unlawfully to any third party.
Transfers of personal data to third parties must be authorised in
writing by the data owner and protected by adequate contractual
provisions or data processor agreements, and must use safe transport
mechanisms.
All losses of personal data must be reported to the Data Protection Officer. Negligent loss or unauthorised disclosure of personal data, or failure to report such events, may be treated as a disciplinary matter and could be considered gross misconduct.
9. Access to personal data
9.1 Subject access rights
Data subjects have a right of access to their personal data, including
some unstructured manual personal data. Subject access requests must be
made in writing and sent to the Data Protection Officer. Data subjects
must prove their identity.
Copies will be provided in permanent form promptly and in any event within 30 days.
Some personal data may be exempt from the right of subject access.
10. How to Exercise Your Information Rights including the Right to Object
From 25 May 2018, you will have several enhanced rights in relation
to how we use your information, including the right, without undue delay,
to:
• find out if we use your information, access your information and receive copies of your information
• have inaccurate or incomplete information corrected and updated
• object to a particular use of your personal data for our legitimate business interests or direct marketing purposes
• in certain circumstances, have your information deleted or our use of your data restricted
• in certain circumstances, not be subject to solely automated decisions
and, where we make such automated decisions, have a person review the
decision
• exercise the right to data portability (i.e. obtain a transferable copy
of the information we hold to transfer to another provider), and
• withdraw consent at any time where processing is based on consent.