All personal data has to be managed in accordance with the principles of the Data Protection Act 1998 and the General Data Protection Regulations 2018. It is the policy of Lara Nichols to comply with the Act and the Regulations. This policy is a guide for all employees.
This policy and guide must be read in conjunction with any Confidentiality policy or Bring your own device to work policy. You must also follow the Data Protection Rules contained within this handbook. Failure to follow the rules will render you liable to disciplinary action including, in serious cases, dismissal.
What is personal data?
Personal data is any data that identifies a living person, an individual’s email address for example. Such data is protected under the General Data Protection Regulations (or equivalent legislation in Europe). Where such information is held on our information systems you must have a legitimate, work-related reason for recording or accessing it. It must be used only for the reason for which it was obtained. In other circumstances you must have explicit consent from the individual to record or use such data. For example, if you wish to contact a colleague for a non-work-related purpose then you must have that colleague’s explicit consent (in an email, for example) to do so. Breaching this policy is a disciplinary offence and could lead to dismissal.
Special category personal data
Some data is especially sensitive and this includes physical and mental health, disabilities, racial or ethnic origin and religious belief. Where you are aware of such information it must not be disclosed, or even recorded, without the explicit permission of the person concerned (there are a few very specific exceptions).
What are my responsibilities?
You must not, except in the proper course of your duties, use, communicate or disclose, directly or indirectly, to any person or organisation any personal data that you come into contact with during the course of your work. This applies both during your employment and after it ends. You must use your best endeavours to prevent any unauthorised communications or disclosures. In particular, you must:
- be sure all personal data has been fairly and lawfully obtained and is so used. Do not, for example, keep information on the political beliefs of customers
- use data only for the purposes specified by Lara Nichols
- make sure that whatever personal data you keep on behalf of Lara Nichols is adequate, relevant and not excessive in relation to that purpose or purposes
- keep such data accurate and up to date
- not keep such data longer than necessary for the purpose in question
- respect the rights of individuals in using the data (the right to privacy, for example)
- keep such data secure and not remove it from the company premises without written permission. You are required to return on request any information that is held at your home, for example. Having returned such information, you must delete it from your own data store(s)
- consult the Managing Director before transferring such data outside the European Economic Area unless in line with explicit instructions authorised by the Managing Director.
In areas of uncertainty, contact the Finance Manager in the first instance. Casual ‘gossip’ about customers, for example, is a breach of this policy and is a disciplinary offence. Any serious breach, such as discussing customers’ health problems with other customers, may be regarded as gross misconduct.
No employee may give a reference on behalf of Lara Nichols without the explicit authority of the Managing Director. An unauthorised reference is a disciplinary offence and if it exposes Lara Nichols to a claim for damages it will be regarded as gross misconduct.