This policy, together with other documents such as Consent Forms, HR forms and new business Order Forms, describes how we will protect personal information in order to safeguard the individual and comply with the law. This privacy standard applies to all personal data that we process, regardless of how that data is stored and whether it relates to past, present or potential staff, customers, suppliers, website users or any other data subject.
Steve Vick International Ltd is the data controller for the personal information we collect such as our employee information and business contact information. We are registered with the ICO, and we are responsible for protecting this information in accordance with this policy. Our ICO registration number is ZA283008.
Steve Vick International Ltd is the data processor for personal information provided to us in order to deliver the contracted service, promote our goods, maintain our accounts and records, and support and manage our staff. We also process personal information using a CCTV system to maintain the security of the premises and to prevent and investigate crime. We are responsible for protecting this information in accordance with the relevant contracts and written instructions.
The data subjects are the individuals whose personal information we deal with such as clients, our customers’ employees, potential customers, individuals captured by CCTV images, suppliers and staff members.
Personal information means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, from the information. Such information includes name, address, date of birth, email address, telephone number, national insurance number and so on. Personal information also includes information associated with that individual, such as telephone bills, call recordings, staff development records, staff reviews and pay rates. Personal information can include opinions about an individual and any intention that we may have towards that individual; we must therefore be careful about what we record in personnel records.
We also process sensitive classes of information. Sensitive information, such as health, racial or ethnic origin, religion, sexual orientation, political opinions or trade union membership, is special category data that requires particular care in handling.
Processing means any action performed on personal information, including collection, recording, organising, storing, sharing and transmitting. This covers electronic and paper documents containing personal information as well as CCTV images. Many of the activities within Steve Vick International Ltd involve processing personal information, and therefore we must comply with the law.
Steve Vick International Ltd must comply with the Data Protection Act (DPA) 2018 and the EU General Data Protection Regulation (GDPR).
Roles and Responsibilities
Everyone associated with Steve Vick International Ltd has a responsibility to protect the personal information we hold, to comply with this policy and to attend any relevant training on its requirements.
The IT Manager has day-to-day responsibility for data privacy and is the main point of contact for any questions about data privacy, including any personal data breach that occurs.
All staff are responsible for complying with this policy.
The Financial Director will produce a quarterly report on data privacy for the board of directors.
If you know or suspect that a personal data breach has occurred, do not attempt to investigate the matter yourself. Contact the IT Manager immediately and preserve all evidence relating to the potential breach.
Data Protection Impact Assessment (DPIA)
When we are considering processing information in a new way, using a new technology or processing sensitive information, the IT Manager will decide whether a Data Protection Impact Assessment (DPIA) is required.
The IT Manager will maintain the Steve Vick International Ltd Processing Register and Privacy Risk Register. These registers will be reviewed annually by the board of directors.
We should collect the minimum personal information we need to complete a task. We should not collect information just in case. If someone is making an enquiry about our services we should collect only initial contact details; there is no need to collect further information at that stage, as it can be added later. In all cases, the personal data that we collect should be relevant to the intended purpose and collected only for the legitimate business interests of Steve Vick International Ltd.
Personal data must be accurate and, where necessary, kept up to date; inaccurate data must be corrected or deleted without delay.
Sensitive Personal Data
Information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, biometric or genetic data and personal data relating to criminal offences and convictions is considered sensitive personal data. We must protect personal data of this nature and only share it with trained and authorised personnel.
Sharing Personal Data
Generally we are not allowed to share data subject information with third parties unless certain safeguards and contractual arrangements have been put in place. Where such information must be disclosed to another employee, to a supplier or to any other third party within the Steve Vick International Group, you must ensure that it is shared with the recipient on a job-related, need-to-know basis and that the transfer complies with the GDPR. If applicable, the data subject's consent must also be obtained before their information is shared.
When we are planning to process information, we need to consider the legal basis for processing and whether we need the individual's consent. Much of our processing is for legitimate business reasons in running our business and delivering our contracted services to customers: we need to pay staff, monitor and report on services, and invoice fees, and for these activities we do not require consent.
However, some activities may not be considered necessary to deliver the contracted services, such as marketing or CCTV monitoring. Where we market to business customers we do so as a legitimate business interest and do not need their consent, but we must offer them the right to opt out of further communications. A data subject's objection to direct marketing must be acted on immediately, whenever that customer chooses to opt out. Where a business customer opts out we must record this and ensure we do not market to that customer again.
We are subject to certain rules and privacy laws when marketing to existing and potential customers. Prior consent is required from data subjects when marketing electronically by email, text or automated calls. However, there is a limited exception to this rule for existing customers, known as the "soft opt-in". In this case, marketing by text or email can be undertaken if the contact details were obtained in the course of a sale to that individual, the marketing relates to our own similar goods or services, and the customer was given a simple opportunity to opt out of marketing when their details were first collected and is given the same opportunity in every message sent.
We must not send marketing material to an individual’s personal email address or home address without their consent.
We use CCTV to maintain the security of our property and premises, and to prevent and investigate crime. For these reasons the information processed may include visual images, personal appearance and behaviour. We should keep the images only for as long as necessary to meet the purpose of recording them, and we must let people know they are being recorded in this way. Using CCTV for any purpose beyond this should happen only in exceptional circumstances and to deal with very serious concerns. We must not use CCTV as a way to monitor staff while they are carrying out their work duties.
The IT Manager will maintain the Processing Register which will record the details of all processing activities and any enhanced security controls.
We must protect the personal information we use whether in electronic or paper format.
Documents containing personal information should be stored securely when not required.
Documents containing staff personal information should only be removed from business premises where necessary. Documents must be protected while offsite and should not be left unattended.
Electronic copies of personal information must be stored on Steve Vick International Ltd controlled devices or systems in accordance with the Company's Policy.
Electronic documents containing customer or another employee’s personal information should not be emailed to staff home computers or personal mobile devices.
Staff should not download electronic documents containing customer or staff information onto their own devices.
You are responsible for protecting the personal data we hold and must follow all procedures and technologies we put in place to maintain the security of that data. You must ensure there are reasonable and appropriate security measures against unlawful or unauthorised processing of personal data and against the accidental loss or damage to that data. You must also take particular care in protecting sensitive personal data from loss, unauthorised access, use or disclosure.
You must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purposes for which we originally collected it, including for the purpose of satisfying any legal, accounting or reporting requirements. Unless the law requires such data to be kept for a minimum time, you must comply with Steve Vick International Ltd’s guidelines on Data Retention. Annex A contains a list of how long we need to retain the types of information we process.
We have a duty of confidentiality to our customers and employees when processing their personal information. All Steve Vick International Ltd employees must sign a confidentiality agreement before starting work at Steve Vick International Ltd.
Subject Access Request
Individuals have the right to know whether we store and process their personal information; a request to exercise this right is known as a Subject Access Request. If the information we hold is inaccurate, they have the right to have it corrected. In certain circumstances, they have the right to have the information deleted or to be given a copy of it. We have to respond to any request within one month. The individual does not have to state that they are making a subject access request; it can be a simple email asking what information we hold. Therefore, any request by an individual regarding the information we hold about them must be forwarded to the IT Manager.
Steve Vick International Ltd is registered with the ICO as a data controller and data processor. The Financial Director is responsible for maintaining our registration.
We will have a privacy notice which will clearly inform individuals how we collect their information, what we do with their information and their rights. A copy of the privacy notice will be displayed prominently on our website and a copy will be sent to individuals when we are requesting information from them.
Where we are delivering a service as a data processor the relevant privacy notice will be included in the terms and conditions of the contract.
The privacy notice for staff will be given to staff on induction.
The IT Manager is responsible for maintaining the privacy notice.
Education and Awareness
All staff will receive annual data privacy training as part of their ongoing staff development. The IT Manager will periodically send emails to all staff highlighting key aspects of data privacy.
We have a legal responsibility to report certain data privacy incidents to the ICO within 72 hours of becoming aware of them, or face a financial penalty. It is essential that all staff follow the incident procedure. Examples of privacy breaches are:
Revealing a customer’s contact details to an unauthorised third party.
Emailing an employee’s sensitive personal information to another member of staff.
Losing a laptop containing the personal information of a large number of customers and staff.
Compromise of a third-party service resulting in the loss of customers’ contact information.
Not all of the examples above are reportable to the ICO; however, it is essential that staff report any incident or potential incident to the IT Manager. The Financial Director will then discuss the incident with the board of directors and decide whether the incident requires reporting to the ICO and what action is required to manage the risks arising from it.
Assurance and compliance
The Financial Director will carry out periodic checks to monitor staff compliance with this policy.
External Auditors, if applicable, will carry out annual checks on our compliance with this policy.