SIG Data Protection Policy

Introduction

SIG is fully committed to compliance with the requirements of the Data Protection Act 1998 (“the Act”). SIG’s UK-based businesses will therefore follow procedures that aim to ensure that all employees, contractors, agents, consultants or other servants of SIG who have access to any personal data held by or on behalf of SIG are fully aware of, and abide by, their duties and responsibilities under the Act.

Statement of policy

In order to operate efficiently, SIG has to collect and use personal data about people with whom it works. These may include members of the public; current, past and prospective employees; clients and customers; and suppliers. This personal information must be handled and dealt with properly, regardless of how it is collected, recorded and used, and whether it is held on paper, in computer records or recorded by any other means, and there are safeguards within the Act to ensure this.

SIG regards the lawful and correct treatment of personal data as very important to its successful operations and to maintaining confidence between SIG and those with whom it carries out business. SIG will ensure that it treats personal data lawfully and correctly.

To this end SIG endorses and adheres to the Principles of Data Protection as set out in the Data Protection Act 1998.

Handling of personal data

SIG will, through appropriate management and the use of strict criteria and controls:

• Fully observe the conditions regarding the fair collection and use of personal data;

• Only obtain and process personal data by lawful and fair means;

• Use non-identifiable information where possible, and limit the collection of personal data to that necessary to accomplish a legitimate business purpose;

• Collect and process appropriate personal data and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;

• Ensure the quality of personal data used;

• Develop and publish a retention policy detailing the length of time personal data is held;

• Take appropriate technical and organisational security measures to safeguard personal data;

• Ensure that cross-border transfers of personal data are not conducted without suitable safeguards;

• Ensure that the rights of people about whom the personal data is held can be fully exercised under the Act.

These rights include:

• The right to be informed that processing is being undertaken;

• The right to receive a copy of their own personal data within the statutory 40 days; the following fees will be charged for subject access requests:

Certain Education Records - £50.00

Certain Health Records - £50.00

All Other Records - £10.00

The statutory 40-day period will not begin until the fee has been paid and sufficient information to enable compliance with the subject access request has been supplied.

• The right to prevent processing in certain circumstances;

• The right to have personal data that is inaccurate corrected, rectified, blocked or erased.

The principles of data protection

The Act stipulates that anyone processing personal data must comply with eight Principles of good practice. These Principles are legally enforceable.

The Principles require that personal data is:

• Fairly and lawfully processed;

• Processed for limited purposes;

• Adequate, relevant and not excessive;

• Accurate and up to date;

• Not kept for longer than necessary;

• Processed in line with the individual’s rights;

• Secure;

• Not transferred to other countries without adequate protection.

The Act provides conditions for the processing of any personal data.

Personal data is defined as data relating to a living individual who can be identified from that data, or from that data together with other information which is in the possession of, or is likely to come into the possession of, the data controller. It includes any expression of opinion about the individual and any indication of the intentions of the data controller, or of any other person, in respect of the individual.

Roles and Accountabilities

All Employees

Employees are responsible for:

• Checking that any personal data provided in connection with their employment is accurate and up to date;

• Notifying SIG in writing if this data changes (for example, a change of address or name), so that the personal data held remains accurate and up to date;

• Ensuring they are familiar with and follow this policy and the eight data protection principles at all times.

Data Security

Employees are also responsible for ensuring that any personal data, whether in electronic or paper format, is held and processed securely including:

• Appropriate password/screen-saver protection is in place before leaving a workstation for any length of time, including at the end of the working day;

• Not disclosing passwords to anyone;

• A suitable secure environment is in place for the storage of personal data on portable disks/manual records;

• Personal data is not disclosed either verbally or in writing, accidentally or otherwise, to any unidentified or unauthorised third party.

If an employee is in any doubt about what they may or may not do under data protection legislation, they must seek advice from their Manager. If they are in doubt and cannot get in touch with them, they must not disclose any personal data. 

Failure on the part of any employee to comply with any of the requirements set out in this policy and associated guidance is a disciplinary offence and may result in disciplinary action. In some cases this could result in dismissal and also in criminal prosecution.

All Managers

In addition to the above, all Managers are responsible for ensuring:

• Their direct reports are aware of the employee’s obligations under the Act, this policy and any local security protocols/requirements for the holding and processing of personal data (including any other users of SIG’s information systems that they are responsible for);

• Any personal data they hold for day to day operational management purposes (for example, notes that may be needed in relation to formal proceedings) is kept to a minimum, processed for a specific purpose and held confidentially in accordance with the eight data protection principles;

• Paper files and other records or documents containing personal/sensitive data are kept in a secure environment;

• Personal data held on computers and computer systems is protected by the use of secure passwords which, where the system supports it, are subject to periodic forced changes;

• Individual passwords are not easily guessed or otherwise compromised.


All Human Resources Personnel

In addition to the above, all employees who work in Human Resources Departments and handle personal data are responsible for:

• Ensuring all employment records are kept up to date and accurate;

• Limiting internal access to HR records to authorised users only, on the need-to-know principle: confidential personal data is restricted to those who need access in order to carry out their duties/role effectively, and other designated employees with a legitimate need (including Audit, Investigation and Legal Services) are granted access as appropriate;

• Obtaining written requests from management representatives prior to providing employee personal data;

• Verifying employee identification prior to facilitating personal data requests;

• Holding all manual HR records confidentially and securely in lockable storage, which is only left unlocked during normal office hours;

• Ensuring files leaving an area are booked in and out by an authorised HR employee.

All contractors, consultants, partners or other servants or agents of SIG must:

• Ensure that they and all of their staff who have access to personal data held or processed for or on behalf of SIG are aware of this policy and are fully trained in their duties and responsibilities under the Act. Any breach of any provision of the Act will be deemed a breach of any contract between SIG and that individual, company, partner or firm;

• Allow data protection audits by SIG of personal data held on its behalf (if requested);

• Indemnify SIG against any costs arising from prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.

All contractors who are users of personal data supplied by SIG will be required to confirm that they will abide by the requirements of the Act with regard to data supplied by SIG. 

Disclosure Requests From and to External Organisations

• Disclosure requests are requests made by third parties to SIG for information about employees that contains personal data.

• Personal data will not be disclosed to a third party without the consent of the employee, unless the disclosure is permitted by law under statute or is necessary for the prevention or detection of crime.

• Where a request by a third party for disclosure is made which requires the consent of the employee, the employee must be informed as soon as is practicable and their consent obtained, unless SIG is prevented by law from doing so or obtaining consent would prejudice a criminal or tax investigation. Where a disclosure request is received, the identity and the authority of the person/organisation making it will be verified before any disclosure is made.


Direct Marketing

Direct marketing is defined as contact with an individual regarding the activities/products/services of SIG which involves the processing of their personal data, e.g. their name, address or email address.

It is prohibited to send marketing emails and text messages without prior consent unless there is an existing relationship between SIG and the recipient.

• Email - In all direct email marketing, recipients must be given a clear, distinct and simple means of refusing (free of charge, except for the cost of transmitting the refusal) the use of their contact details for such direct marketing, on each occasion that direct marketing takes place.

• Text - The same rules as email marketing apply to the use of text messaging for direct marketing purposes.

• Telephone (whether by voice or fax) - It is prohibited to make unsolicited calls for direct marketing purposes where the number called is that of a subscriber who has previously notified SIG that such calls should not be made, or whose number has been entered on a specific register maintained for that purpose. In the UK the register of numbers is maintained by the Telephone Preference Service.

Information Technology (IT)

Monitoring – Incoming and outgoing email is electronically scanned for undesirable content. However, all mail is treated in the strictest confidence and is not routinely accessed by the company. In exceptional circumstances, for security reasons and to detect and deter unauthorised access, SIG reserves the right to view mail that it deems to be suspect. The results of monitoring will be maintained in the strictest confidence.

Security – All SIG employees with responsibilities for maintaining IT equipment, e.g. data servers, shall be required to comply with the company’s confidentiality agreements. It is therefore Company policy that any breach of any of the obligations set out in the agreements will be treated extremely seriously and will result, not only in disciplinary action, but also in certain cases in legal action against the employee.

Access – SIG reserves the right to gain access to personal password-protected IT equipment where it is deemed necessary in order to continue business operations. Access to this equipment may be granted to other employees for business use only.

Company E-Mail Addresses

SIG reserves the right to use e-mail addresses provided by the company for the distribution of information relating to the company or to any benefits, such as discount schemes with third parties, that have been negotiated by the company on employees’ behalf.

Use of Employee Photographs

SIG reserves the right to use photographs taken in the course of employment for the promotion of the company, except where an individual expressly requests that they not be used.

Use of CCTV Images

SIG reserves the right to use CCTV images recorded in the course of employment for the purposes of accident investigation, crime prevention and training.

Use of Telephone Recordings

SIG reserves the right to use telephone recordings made in the course of employment for the purposes of monitoring and training.

Additional Responsibilities

SIG will ensure that:

• There is someone with specific responsibility for data protection in the organisation;

• Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;

• Everyone managing and handling personal data is appropriately trained to do so;

• Everyone managing and handling personal data is appropriately supervised;

• Anyone wanting to make enquiries about handling personal data, whether a member of staff or a member of the public, knows what to do;

• Queries about handling personal data are promptly and courteously dealt with;

• Methods of handling personal data are regularly assessed and evaluated;

• Performance with handling personal data is regularly assessed and evaluated;

• Data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures.

Implementation

SIG has appointed a Data Protection Officer (Mark Smith). This officer and senior management will be responsible for initiating the implementation of this policy throughout the company. The Data Protection Officer and senior management will ensure that:

• Sufficient data protection training is provided, for staff within SIG;

• Best practice guidelines are developed;

• Compliance checks are conducted to ensure adherence, throughout the company, with the Data Protection Act.

Notification to the Information Commissioner

The Information Commissioner’s Office (ICO) maintains a public register of data controllers. SIG Plc and its subsidiary companies are registered as such.

The Data Protection Act 1998 requires most data controllers that process personal data to notify the Information Commissioner and to renew that notification annually. Failure to do so is a criminal offence. To this end the Data Protection Officer will be responsible for notifying and updating the Information Commissioner about the processing of personal data within the company.

The Data Protection Officer will review the Data Protection Registration annually, prior to notification to the Information Commissioner.

Any changes to the registration will be notified to the Information Commissioner, within 28 days.

To this end, any changes made between reviews must be brought to the attention of the Data Protection Officer immediately.

The Group Chief Executive has lead responsibility for policy implementation within the Group and this policy is signed by the CEO to demonstrate the Board’s commitment. A copy of this policy is also posted on the SIG plc web site www.sigplc.com.

C J Davies

Chief Executive


Issue No: 2

Issue Date: May 2011

Document Ref: SIG-DPP
