Introduction
Douglas Hill needs to gather and use certain information about individuals. These can include (current and former) customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the firm’s data protection standards – and to comply with the law.
Why this policy exists
This data protection policy ensures Douglas Hill:
• Complies with data protection law and follows good practice.
• Protects the rights of employees, customers and partners.
• Is open about how it stores and processes individuals’ data.
• Protects itself from the risks of a data breach.
Data Protection Law
The Data Protection Act 1998 and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) describe how organisations – including Douglas Hill – must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act 1998 and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) are underpinned by eight important principles. These say that personal data must:
1. Be processed fairly and lawfully
2. Be obtained only for specific, lawful purposes
3. Be adequate, relevant and not excessive
4. Be accurate and kept up to date
5. Not be held for any longer than necessary
6. Be processed in accordance with the rights of data subjects
7. Be protected in appropriate ways
8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
People, Risks and Responsibilities
Policy Scope
This policy applies to:
• The head office of Douglas Hill
• All branches of Douglas Hill
• All employees and Directors of Douglas Hill
• All contractors, suppliers and other people working on behalf of Douglas Hill
It applies to all data that the firm holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998 and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This can include:
• Names of individuals
• Postal addresses
• Email addresses
• Telephone numbers
• Any other information relating to individuals
Data Protection Risks
This policy helps to protect Douglas Hill from some very real data security risks, including:
• Breaches of confidentiality. For instance, information being given out inappropriately.
• Failing to offer choice. For instance, all individuals should be free to choose how the firm uses data relating to them.
• Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
Responsibilities
Everyone who works for or with Douglas Hill has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. However, these people have key areas of responsibility:
The Directors are ultimately responsible for ensuring that Douglas Hill meets its legal obligations.
The Data Protection Officer is responsible for:
• Keeping the Directors updated about data protection responsibilities, risks and issues.
• Reviewing all data protection procedures and related policies, in line with an agreed procedure.
• Arranging data protection training and advice for the people covered by this policy.
• Handling data protection questions from employees and anyone else covered by this policy.
• Dealing with requests from individuals to see the data Douglas Hill holds about them (also called ‘subject access requests’).
• Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
• Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
• Performing regular checks and scans to ensure security hardware and software is functioning properly.
• Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.
• Approving data protection statements attached to communications such as emails and letters.
• Addressing any data protection queries from journalists or media outlets like
• Where necessary, working with other employees to ensure marketing initiatives abide by data protection principles.
General Staff Guidelines
• The only people able to access data covered by this policy should be those who need it for their work.
• Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
• Douglas Hill will provide training to all employees to help them understand their responsibilities when handling data.
• Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
• In particular, strong passwords must be used and they should never be shared.
• Personal data should not be disclosed to unauthorised people, either within the firm or externally.
• Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
• Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.
Data Storage
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT Manager / Data Controller.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason and to original copies of documents:
• When not required, the paper or file should be kept in a locked drawer or filing cabinet.
• Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
• Data printouts should be shredded and disposed of securely when no longer required.
• Paper documents, especially originals of official purpose such as certificates or similar, must be sent using tracked delivery services which obtain a signature upon delivery.
• Documents sent outside the UK should always be sent by a reputable international courier using tracked delivery services which obtain a signature upon delivery.
• When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts.
• All computers should have encrypted local disk drives.
• Data should be protected by strong passwords that are changed regularly and never shared between employees.
• Data stored on USB drives, CDs or DVDs is not permitted. Any data sent to us in these formats should be given to IT for transfer to the correct secure storage location and the media should then be properly destroyed.
• Data should only be stored on designated drives and servers and should only be uploaded to an approved cloud computing service.
• Servers containing personal data should be sited in a secure location, away from general office space.
• Data should be backed up frequently. Those backups should be tested regularly, in line with the firm’s standard backup procedures.
• Data should never be saved directly to laptops or other mobile devices like tablets or smartphones.
• All servers and computers containing data should be protected by approved security software and a firewall.
Data Use
Personal data is of no value to Douglas Hill unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
• When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
• Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
• Data must be encrypted before being transferred electronically. The IT Manager can explain how to send data to authorised external contacts.
• Personal data should never be transferred outside of the European Economic Area.
• Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
Data Accuracy
The law requires Douglas Hill to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort Douglas Hill should put into ensuring its accuracy. It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
• Data will be held in as few places as necessary. Staff should not create any unnecessary data sets.
• Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
• Douglas Hill will make it easy for data subjects to update the information it holds about them; for example, via regular contact and review of data.
• Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
• It is the marketing manager’s responsibility to ensure marketing databases are checked against industry suppression files every six months.
Subject Access Requests
All individuals who are the subject of personal data held by Douglas Hill are entitled to:
• Ask what information the firm holds about them and why.
• Ask how to gain access to it.
• Be informed how to keep it up to date.
• Be informed how the company is meeting its data protection obligations.
If an individual contacts the firm requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email, addressed to the data controller paul@ecodecsolutions.co.uk. The data controller can supply a standard request form, although individuals do not have to use this.
Individuals may be charged £10 per subject access request. The data controller will aim to provide the relevant data within 30 days.
The data controller will always verify the identity of anyone making a subject access request before handing over any information.
Disclosing Data for other Reasons
In certain circumstances, the Data Protection Act and the General Data Protection Regulation allow personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Douglas Hill will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the Directors and from the firm’s legal advisers where necessary.
Providing Information
Douglas Hill aims to ensure that individuals are aware that their data is being processed, and that they understand:
• How the data is being used.
• How to exercise their rights.
To these ends, the firm has a general privacy statement setting out how data relating to individuals is used by the firm.
Privacy Notice
Douglas Hill conducts work for clients in a range of areas and must collect data for this purpose. This privacy notice explains how we use any personal information we collect about you.
What information do we collect about you?
We collect information about you when you engage us for advice or services. This information will relate to your personal and financial circumstances. It may also include special categories of personal data such as data about your health, if this is necessary for the provision of our services.
We may also collect information when you voluntarily complete client surveys or provide feedback to us.
Why do we need to collect and use your personal data?
The primary legal basis that we intend to use for the processing of your data is for the performance of our contract with you. The information that we collect about you is essential for us to be able to carry out the services that you require from us effectively. Without collecting your personal data we’d also be unable to fulfil our legal and regulatory obligations.
Where special category data is required we’ll obtain your explicit consent in order to collect and process this information.
How will we use the information about you?
We collect information about you in order to provide you with the services for which you engage us.
Who might we share your information with?
If you agree, we may email you about other products or services that we think may be of interest to you.
If you agree, we’ll pass on your contact information to our group of companies so that they may offer you their products and services.
We won’t share your information for marketing purposes with any third party.
In order to deliver our services to you effectively we may send your details to third parties such as those that we engage for professional compliance, accountancy or legal services or other credentialed specialist advisers.
Where third parties are involved in processing your data we’ll have a contract in place with them to ensure that the nature and purpose of the processing is clear, that they are subject to a duty of confidence in processing your data and that they’ll only act in accordance with our written instructions.
Where it’s necessary for your personal data to be forwarded to a third party we’ll use appropriate security measures to protect your personal data in transit.
To fulfil our obligations in respect of prevention of money-laundering and other financial crime we may send your details to third party agencies for identity verification purposes and this search will be recorded as an identity check. It will not affect your ability to obtain credit.
How long do we keep hold of your information?
In principle, your personal data shouldn’t be held for longer than is required under the terms of our contract for services with you. However, we’re subject to regulatory requirements to retain data for specified minimum periods, usually between 7 and 10 years. We also reserve the right to retain data for longer than this in order to be able to provide you with long term analyses, trends and reports or other business data and to allow us to assist you should you be subject to an HMRC enquiry or investigation.
You have the right to request deletion of your personal data. We’ll comply with this request, subject to the restrictions of our regulatory obligations and legitimate interests as noted above.
How can I access the information you hold about me?
You have the right to request a copy of the information that we hold about you. If you’d like a copy of some or all of your personal information, please email or write to us using the contact details noted below.
When your personal data is processed by automated means you have the right to ask us to move your personal data to another organisation for their use.
We have an obligation to ensure that your personal information is accurate and up to date. Please ask us to correct or remove any information that you think is incorrect.
Marketing
We’d like to send you information about our products and services which may be of interest to you. If you agree to receive marketing information, you may opt out at a later date.
You have a right at any time to stop us from contacting you for marketing purposes or giving your information to other members of the group. If you no longer wish to be contacted for marketing purposes, please contact us by email or post.
What can you do if you are unhappy with how your personal data is processed?
You also have a right to lodge a complaint with the supervisory authority for data protection. In the UK this is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
0303 123 1113 (local rate)
Changes to our privacy policy
We keep our privacy policy under regular review. This privacy policy was last updated on 27th March 2019.
How to contact us
Please contact us if you have any questions about our privacy policy or information we hold about you: by email to info@douglas-hill.co.uk
Or write to us at:
Data Controller
Pattens Farm,
Church Rd,
West Hanningfield,
Chelmsford
CM2 8UN