General Data Protection Regulation (“GDPR”) Policy
TECS Group ('TECS' or the 'Company')
1. Purpose of this policy
This policy explains how and why TECS and its subsidiary companies collect, process and share special category personal data about you in order to carry out our functions, in accordance with the data protection principles set out in the General Data Protection Regulation 2016 (GDPR). Special category personal data can only be processed lawfully if it is carried out in accordance with this policy. All of our employees, workers, self-employed contractors or other third parties working on our behalf and instruction must therefore have regard to this policy when carrying out processing of special category personal data on behalf of the Company.
2. Our approach to data protection
TECS Group is committed to an information assurance and data governance framework that is clear and accessible and which ensures that the collection and processing of personal data is carried out in accordance with the GDPR and the Data Protection Act 2018 (DPA).
We value openness and transparency, and we have committed to and published a number of policies and processes to assist data subjects and to explain how we handle personal data.
We have built a network of Information Asset Owners who are responsible for ensuring that the information their department collects is necessary for the purposes required and is not kept in a manner that can identify the individual any longer than necessary. They are collectively responsible for ensuring that the Company's Information Asset Register is kept up to date and accurately reflects the information the Company holds and the lawful basis for holding it. This network is supported by every member of staff undertaking mandatory data protection training each year and agreeing via a signed declaration that they will abide by the relevant legislation, that they understand the processes and policies the Company has in place to ensure that it is compliant, and that they understand how data protection fits into their job.
3. The data protection principles
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
The Company will:
ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful;
only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing;
ensure that data subjects receive full privacy information through the relevant privacy notice so that any processing of personal data is transparent.
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
The Company will:
only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in our privacy notice;
not use personal data for purposes that are incompatible with the purposes for which it was collected. If we do use personal data for a new purpose, we will inform the data subject first.
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
The Company will only collect the minimum personal data that we need for the purpose for which it is collected. We will ensure that the data we collect is adequate and relevant.
Personal data shall be accurate and, where necessary, kept up to date.
The Company will ensure that personal data is accurate, and kept up to date where necessary. We will take particular care to do this where our use of the personal data has a significant impact on individuals. We will adhere to all requests for personal data to be amended or updated within a reasonable timeframe.
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
The Company will only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data it shall be deleted or rendered permanently anonymous.
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Company will ensure that there are appropriate organisational and technical measures in place to protect personal data that we process.
As controller of such personal data, the Company shall be responsible for, and be able to demonstrate compliance with these principles. The Directors are responsible for ensuring that the Company is compliant with these principles.
The Company will:
ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request;
carry out a Data Protection Impact Assessment for any high-risk personal data processing, and consult the Information Commissioner if appropriate;
have in place internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law.
4. Special category data
Special category data
Personal data refers to any information by which a living individual can be identified. Individual identification can be by information alone or in conjunction with other information. Certain categories of personal data have additional legal protections when being processed. These categories are referred to in the legislation as “special category data” and are data concerning:
racial or ethnic origin
religious or philosophical beliefs
trade union membership
We will collect your special category data from you through health questionnaires when you commence employment with us.
We obtain and process this data for other statutory and legal obligations including, but not limited to:
responding to data subject requests under data protection legislation
responding to Freedom of Information Act requests
in connection with our duties under the Equality Act 2010
We may also process your special category data if you are not directly involved in a particular purpose of processing, but we come into contact with you for any other reason that is related to our functions, as set out above.
The lawful basis for processing your special category data
Consent – The consent of a data subject to the processing of his/her personal data.
Legitimate Interest – there is a weighed and balanced legitimate interest where processing is needed and the interest is not overridden by others.
The additional condition relied on for processing your special category data
The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject.
Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
Who we share your personal data with
We are required to share your data with third parties where we have a legal obligation to do so.
We also share information with other third parties where we have a lawful basis for doing so and, for special category personal data, where we have relied on an additional condition; this will be outlined in the relevant privacy notices.
The categories of persons we share your special category data with are listed in the table below, along with the lawful basis for us doing so and the additional condition relied upon:
Type of Personal Data: Health, racial, ethnic, political, religious, philosophical, trade union, sexual orientation
Purpose: This information is shared / disclosed only when necessary for the purposes of seeking advice on HR / Employment Law / Health & Safety Law
Third Party: Wirehouse Employer Services
Lawful Basis: Legitimate interests
Additional Information: Necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment law
5. Data controller’s policies as regards retention and erasure of special category personal data
We will ensure, where special category personal data is processed, that:
there is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data;
where we no longer require special category or criminal convictions personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous and this will be in line with our policy on data erasure;
data subjects receive full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored.