ARMA Connect Ltd will endeavour to ensure that all personal data is processed in compliance with this Policy, the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).
So far as is reasonably practicable we will comply with the Data Protection Principles contained in the Data Protection Act to ensure all data is:
– Fairly and lawfully processed
– Processed for a lawful purpose
– Adequate, relevant, and not excessive
– Accurate and up to date
– Not kept for longer than necessary
– Processed in accordance with the data subject’s rights
– Secure
– Not transferred to other parties without adequate protection
Data covers personal data, which may also include sensitive personal data as defined in the Act.
Consent may be required for the processing of personal data unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data and is not otherwise exempt will remain confidential and will only be disclosed to third parties with appropriate consent.
ARMA Connect Ltd may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings.
Data subjects have the right of access to information held by ARMA Connect Ltd, subject to the provisions of the Data Protection Act 2018 and the Freedom of Information Act 2000. Any data subject wishing to access their personal data should put their request in writing to the HR Director. ARMA Connect Ltd will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 40 days for access to records and 21 days to provide a reply to an access to information request. The information will be imparted to the data subject as soon as is reasonably possible after it has come to the HR Director's attention and in compliance with the relevant Acts.
Certain data is exempted from the provisions of the Data Protection Act, including the following:
– National security and the prevention or detection of crime
– The assessment of any tax or duty
– Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon ARMA Connect Ltd.
The above are examples only of some of the exemptions under the Act.
ARMA Connect Ltd will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify HR of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they apply.
If an individual believes that ARMA Connect Ltd has not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, the member of staff should utilise the ARMA Connect Ltd grievance procedure and should also notify the DPC.
ARMA Connect Ltd will take appropriate technical and organisational steps to ensure the security of personal data. Refer to Data Security Policy.
All staff will be made aware of this policy and their duties under the Act.
All staff are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data.
An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems and be encrypted when transported offsite.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, report the breach to the affected party.
ARMA Connect Ltd must ensure that external processors of its data, for example service providers, Cloud services including storage, web sites, shredding companies etc., are compliant with this policy and the relevant legislation. External processors will also include contractors and suppliers that may have access to company information.
When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction. All printed material containing potentially sensitive information must be securely shredded. Where this activity is completed, a record of the data type and date of destruction will be maintained by the office manager.
ARMA Connect Ltd may retain data for differing periods of time for different purposes as required by statute or best practices; individual departments incorporate these retention times into the processes and manuals. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data.
ARMA Connect Ltd may store some data such as registers, photographs, training records, indefinitely in its archive.
New starters and existing employees will be made aware of this policy and any resulting changes. Records of issue/briefing will be kept.
Our Data Protection Policy (POL-004, Version 2) was last reviewed on 15/10/2024 and is next due for review on 15/10/2025.