Data protection and data security policy
Employees - All staff, consultants, contractors and temporary workers of RS Divers.
1.2. General Statement of Policy
RS Divers is committed to ensuring that all personal information handled by us will be processed according to legally compliant standards of data protection and security.
The purpose of this policy is to help us achieve our data protection and data security aims by:
A. Notifying employees about the types of personal information that we may hold about them and what we do with that information.
B. Ensuring employees understand our rules and legal standards for handling personal information relating to employees and others.
C. Clarifying the responsibilities and duties of employees in respect of data protection and data security.
2.1 Who is responsible for Data protection and Data Security?
Maintaining appropriate standards of data protection and data security is a collective task shared between everyone. This policy and the rules contained in it relate to all employees within RS Divers irrespective of seniority, tenure and working hours, including all employees and directors.
The Office Manager has overall responsibility for ensuring that all personal information is handled in compliance with the law. The Office Manager will act as the Data Protection Officer with day-to-day responsibility for data processing and data responsibility.
All employees have personal responsibility to ensure compliance with this policy, to handle all personal information consistently with the principles set out here and to ensure that measures are taken to protect data security.
2.2 What personal information and activities are covered by this policy?
This policy covers personal information
A. Which relates to a living individual who can be identified either from that information or by reading it together with information that we possess.
B. Is stored electronically or on paper in a filing system.
C. Is in the form of statements of opinion as well as facts.
D. Which relates to employees (past, present or future) or to any other individual whose personal information we may hold.
E. Which we obtain, hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.
2.3 What personal information do we hold and how do we handle it?
We collect information about you which:
A. You provide or we gather before or during your employment with us.
B. Is provided by third parties, such as references or information from suppliers or any other party that we do business with.
The types of information that we collect, store and use are:
A. A home address and contact details as well as contact details for your next of kin
B. Recruitment (including your application or CV, any references received and details of your qualifications).
C. Pay records and national insurance number.
D. Any sickness absence or medical information provided.
E. Performance, any disciplinary matters or grievances, complaints and concerns in which you are involved.
We confirm that for the purpose of the Data Protection Act 1998, RS Divers is a Data Controller of the personal information in connection with your employment. This means that we determine the purpose for which, and the manner in which your personal information is processed.
If you consider that any information held about you is inaccurate then you should tell your line manager or the Data Protection Officer. If we agree that the information is inaccurate then we will correct it. If we do not agree with the correction then we will note your comments.
We will take reasonable steps to ensure that your personal information is secure, as described later in this policy, and in general we will not disclose personal information outside of RS Divers. However, we may need to disclose personal information about staff:
A. For the administration of your employment.
B. To comply with our legal obligations, to assist in criminal investigations or to seek legal or professional advice in relation to employment issues, which may involve disclosure to our lawyers, accountants or auditors and to legal or regulatory authorities such as HM Revenue & Customs.
C. To other parties which provide service to us.
By providing your personal data to us, you consent to the use of your personal information in accordance with this policy.
2.4 Data Protection Principles
Employees whose work involves using personal data relating to any other employees or others must comply with this policy and with the eight legal data protection principles which require that personal information is:
A. Processed fairly and lawfully: We must always have a lawful basis to process information. In most cases the person to whom the information relates must have given consent. The subject must be told who controls the information, the purpose for which we are processing the information and to whom it may be disclosed.
B. Processed for limited purposes and in an appropriate way: Personal information must not be collected for one purpose and then used for another. If we want to change the way we use the personal information then we must tell the subject.
C. Adequate, relevant and not excessive for the purpose.
D. Accurate: Regular checks must be made to correct or destroy inaccurate information.
E. Not kept longer than necessary for the purpose: Information must be destroyed or deleted when no longer needed.
F. Processed in line with the subjects' rights: Subjects have a right to request access to their personal information.
G. Secure: See further information below.
Some personal information needs even more careful handling. This includes information about a person's racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health issues, sexual orientation and criminal offences. Strict processes apply to processing this sensitive data and the subject must normally have given specific and express consent to each way in which the information will be used.
2.5 Data Security
We must all protect personal information in our possession from being accessed, lost, deleted, damaged unlawfully or without proper organisation through the use of data security measures.
Maintaining data security means that:
A. Only people who are authorised to use this information can access it.
B. Information is accurate and suitable for the purpose for which it is being processed.
C. Authorised persons can access information if they need it for authorised purposes. Personal information should therefore not be stored on individual computers but on a central database.
By law we must use procedures and technology to secure personal information throughout the period that we hold it or control it, from obtaining to destroying the information. This is achieved using the Control of Records Procedure and the Control of Documents procedure.
Personal information must not be transferred to any person or process, unless that person has either agreed to comply with our data security procedures.
Security procedures include:
A. Physically securing information. Any desk or cupboard containing confidential information must be kept locked; computers should be locked with a password or shut down when they are left unattended.
B. Methods of disposal: Copies of personal information whether on paper or on any physical storage device must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.
2.6. Subject Access Requests
By law, any subject may make a formal request for information that we hold about them, provided that certain provisions are met. The request must be made in writing.
3. POLICY IMPLEMENTATION
This policy is to be implemented through the procedures established by RS Divers.
3.1 Breach of the Policy
Failure to comply with this policy could result in disciplinary action being taken against the employee, up to and including dismissal.
3.2 Review of this Policy
This Data Protection and Data Security Policy will be reviewed annually in consultation with the relevant employees. The date of each review will fall in March of each year.
3.3 Dissemination of Policy
This policy will be made available to each employee upon commencement of work and additional copies will be made on request.