Data Protection Policy for Financial Year 2021/2022
At instaENG we recognise the increasing importance of data protection for all of us in the modern world. That is why we are dedicated to the rigorous protection of data for our employees, clients, and those with whom we conduct business. It is one of the key pillars of building a trusted and exceptional modern organisation.
We are fully compliant with the Data Protection Act 1998 ("DPA"), which gives rights to employees as well as other individuals about whom information or "data" is obtained or processed, whether manually or automatically. The DPA places obligations on institutions which hold and/or process data about any such individuals, and we are firmly resolved to fulfil them.
This document sets out the policy and procedures we have in place to comply with our duties. In the interest of transparency, this policy is made immediately available upon request to all employees and external agencies who have a legitimate interest. Additional guidelines are available for our staff, and this policy is not incorporated into employment contracts.
1. Processing of Data
1.1 Data processing, in the case of this policy, means the obtaining, recording or holding of information or data or the carrying out of any operation using that information or data such as altering or deleting it, consulting it or disclosing it.
1.2 We appoint at least one Data Control Officer as the party responsible for supervising data control, and for assisting those processing data in policy compliance. This officer is also responsible for notifying the Information Commissioner of the registrable particulars and ensuring that the notification is kept up to date and is amended or reviewed as appropriate. The name or names of the Data Control Officer(s) are recorded in Appendix One. Any person who has access to and processes personal data (the ‘data processor’) complies fully with this policy, and moreover with the registrable particulars notified to the Information Commissioner as required under the DPA.
1.3 Where our employees process personal data as a legitimate part of their role, they can rely upon the notification to the Information Commissioner provided by the Company (see: http://www.dataprotection.gov.uk/dprhome.htm).
1.4 We make it the responsibility of each individual data processor to ensure their familiarity with our policy, and the registrable particulars to ensure compliance with instaENG’s requirements. Further information and guidance on any aspect of this policy, or details of the registrable particulars, may be obtained from the Data Control Officer.
1.5 Employees should not use instaENG’s facilities to process personal data for domestic or personal purposes. We do not cover such processing under our notification.
2. Purpose and Method of Data Collection
2.1 The purpose of our data collection is to facilitate the processing of data on instaENG’s employees, organisation structure, and other individuals with a relationship to instaENG. It is designed specifically to provide:
2.1.1 Information, whenever required, for planning and managing instaENG activities;
2.1.2 Information, whenever required, for planning, delivering, and monitoring our portfolio of services;
2.1.3 Individual information for managing the employment, deployment, and welfare of individual employees;
2.1.4 Individual information for managing the attendance, performance, and welfare of individual employees;
2.1.5 Information, whenever required, for responding to legitimate external enquiries about instaENG employees;
2.1.6 Assistance with personnel and salary administration procedures.
2.2 Our Data Control Officer conducts an annual review on the nature of information being collated or held. This is to ensure that we do not hold information without sound business justification, and is a key feature of developing a data policy our team and clients can trust.
2.3 We need our employees and potential employees to feel secure in the collection and use of their personal data. That is why, wherever possible, they are advised of what personal information/data is obtained or retained, its source, and the purposes for which the data may be used or disclosed. We seek their consent in all cases. This is mainly done by way of general consent given when the information is collected; in the case of sensitive personal data, however, the individual is asked for explicit consent to its processing. Sensitive personal data here includes information relating to an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual orientation or the commission or alleged commission of offences. In the latter case, this may include any proceedings for any offence committed or alleged to have been committed by the individual, the disposal of such proceedings, or the sentence of any court.
2.4 Initial personal data is ordinarily obtained from job applications, and following that is collected principally from employees themselves. We clearly outline, in a statement at the end of our job application forms, that the information collected will be used only for legitimate purposes. A similar statement is also shown on the CDR forms, and in this latter case it is expressly stated that the information collected is potentially used or referred to for any of the purposes outlined at 2.1 above. A copy of this policy is included in the Staff Handbook and on the Intranet, so that any queries can be readily answered and any guidance readily given.
We are firm about the need for ethical guidelines on data solicitation. We make it clear that employees of instaENG will never be induced to provide information, nor will they be made to believe that a failure to supply information might unjustifiably disadvantage them.
3. Disclosure of Data
3.1 Our policy is careful to ensure compliance with the DPA. Moreover, in the interests of privacy, employee confidence, and good employee relations, we place strict restrictions on the disclosure and usage of data we hold. As such:
3.1.1 Data will only be used for one or more of the purposes specified in the notification and, in the case of documents generated by instaENG, will only be used in accordance with the statement within that document clearly outlining its intended use.
3.1.2 Aggregate or statistical information will be used to respond to any legitimate requests for data if and only if individual identities are not disclosed.
3.1.3 Personal data will not be disclosed, either within or outside instaENG, to any recipient who is not authorised in the terms of the Data Protection Act, or for any purpose which is not authorised by our notification.
3.1.4 Where data processors harbour any doubts about a data request of any kind, they can count on careful and qualified guidance from the Data Control Officer.
NB. External requests for information are only accepted in writing, and our data processors must be satisfied about the legitimacy of requests for information. They are meticulous, and will seek valid documentary evidence where appropriate.
3.2 We do, however, account for the presence of exceptional circumstances. Consent of the data subject is not required for authorised external requests if:
3.2.1 The request is made for the purpose of law enforcement. Disclosure is only allowed where failure to make disclosure would be likely to prejudice one of those purposes. In all cases, written evidence is obtained from the Police, Inland Revenue, Customs and Excise and the Child Support Agency (as appropriate) about the purpose of the request.
3.2.2 The request is made in relation to compulsory legal processes. Again, to preserve the integrity of our system, appropriate written evidence is obtained beforehand.
3.2.3 The request is urgently required for the prevention of injury and damage to health. If needed to protect the vital interests of one of our employees, disclosure may be made without prior consent. Otherwise, the written consent of the employee is obtained beforehand.
3.2.4 The request is made by pension administrators, in order to administer instaENG’s participation in various external pension schemes.
3.3 Authorised requests for data by external recipients, which do require the consent of the data subject, are:
3.3.1 Requests from agents authorised by the employee who is the subject of the data, e.g. mortgage requests, employment references. We seek confirmation from the employee that the information is to be released and, if possible, we obtain it in writing.
3.3.2 Requests required by authorised officials or representatives of recognised trade unions. Again, confirmation is sought from the employee that the information is to be released - in writing where possible.
NB: All our data processors endeavour to meet disclosure requests from outside of instaENG as infrequently as possible, unless required by law. This is crucial in maintaining our position as a trusted guardian of personal data. Our processors follow, at all times, the instaENG security requirements detailed in paragraph 7.
4. Accuracy of Data
4.1 We are careful to ensure that data is accurate at the time of collation. This means that updating is required only "where necessary," and that our data collection process is minimally invasive.
4.2 Our employees understand it is important to notify instaENG about any relevant change in personal circumstances. We want to make this as simple and non-invasive as possible, so our employees take an active role in helping us maintain rigorous and accurate records. That is why we have standard forms for updating change of address, telephone number, and those to contact in an emergency.
4.3 We issue standard printouts of personal records to employees on an annual basis so they can help us confirm that data is up to date and accurate. Employees are entitled to correct any details, and we expect documentation where necessary to ensure our records are rigorous and accurate.
5. Employee’s Rights
5.1 Our employees can access the personal data we hold on them upon written request - unless it is excluded data (see paragraph 5.9 below); this may incur a small fee. Our employees are also entitled to information about the purpose for which the data is or is intended to be used, and the likely recipient.
5.2 Our employees are, in addition, entitled to access their own training and appraisal results. Supplying this data is normally a matter of routine, as it is an important part of setting and meeting performance goals.
5.3 Examiners' comments, in whatever form they come, fall under these provisions too. Where they are not immediately or readily available, our staff record these comments for an employee in a meaningful form.
5.4 Our employees have access to minutes, where available, of meetings in which they were involved, or which contain discussion about them if candidates are named or otherwise identified - unless that data cannot be disclosed without additionally disclosing personal data about a third party.
5.5 Test and appraisal results are not, as a matter of course, disclosed to third parties on notice boards or other public places.
5.6 Test and appraisal results are not given over the phone.
5.7 Employees are not, however, permitted access to personal data consisting of information recorded by candidates during an academic, professional or other examination.
5.8 We keep our requests policy clear and efficient. Once an employee requests in writing confirmation that data is held, or to see it, our Personnel Department/Division office will refer them to the Data Control Officer to respond promptly on behalf of instaENG. This response will come, at the very latest, within 40 days of the request being received (subject to paragraph 5.2 above). This is conditional upon the Data Control Officer being provided with sufficient information to identify the relevant employee and to locate the information sought. We may charge a fee of up to £10 for providing this information, for each request - although in the case of current employees instaENG may waive this charge. Access to records such as an enrolment form or assessment results does not incur a fee.
5.9 The following information is excluded from the above:
5.9.1 Confidential references given by instaENG when these relate to the education, training or employment of staff or employees.
5.9.2 Personal data processed for the purposes of management forecasting or management planning to the extent that disclosure would be likely to prejudice the conduct of that business or activity only.
5.9.3 Personal data which consists of records of the intentions of instaENG relating to any negotiations with the employee to the extent that disclosure would be likely to prejudice those negotiations only.
5.9.4 If, in order to comply with a disclosure request, instaENG would need to disclose information relating to an identifiable third party, then disclosure is not required - unless the third party consents or it is otherwise reasonable to comply with the request without such third party consent. If the information sought is a health record, and the third party concerned is a health professional who has compiled or contributed to that health record, then disclosure will be made.
5.10 We are careful to ensure that our policies align with the needs of our staff. This is why, in addition to seeking disclosure of information, our employees are also entitled to request that instaENG does not process data concerning them where this will cause or be likely to cause substantial and unwarranted damage or distress, either to the employee concerned or to a third party. Such a request will need to be submitted in writing and, where possible, will be agreed by instaENG. The employee will not be able to prevent processing, however, if the processing is necessary for compliance with any legal obligation (other than one imposed by contract), or if it is necessary to protect the vital interests of the employee, or if it is necessary for the performance of a contract to which the employee is a party. Upon receipt of a written request from an employee, one of our Data Control Officers will write to the employee within 21 days confirming that the request will be upheld, or giving reasons why it will not.
5.11 Currently, decisions are not made by instaENG solely by automatically processing data that we hold. Should, however, any decision that significantly affects an employee (or prospective employee) be taken on this basis in future, then a Data Control Officer will notify this employee that the decision was taken on that basis as soon as reasonably practicable, along with the reasons for that decision. Our employees are then entitled, within 21 days of receiving that notification, to submit a written request that that decision be reviewed. The Data Control Officer, upon receiving such a written request, will then have 21 days to respond. This right only applies where there has been no exercise whatsoever of human judgement.
5.12 We ask any employee who feels they have suffered, or is likely to suffer, damage as a result either of inaccuracy in the data held by us, or of unauthorised disclosure of information, to notify a member of the Personnel Department/Division office in writing immediately. Where appropriate under these circumstances, we correct or erase that information, or indicate that the information is contested by the employee.
5.13 In the event that this policy or the legal rights of an employee in respect of personal data are not complied with, we encourage our employees to use the various avenues of remedy open to them through the courts. In all cases however, we encourage our employees in the first instance to use the official Grievance Procedure, designed with the express purpose of exhaustively and efficiently accounting for any employee dissatisfaction.
5.15 In some cases, personal data is held by client organisations. We look upon these organisations as autonomous bodies, and as such we both expect and trust these partner organisations to be responsible for the registration of personal data.
6. Transfer of Data Outside the UK
6.1 We are committed to complying with all requirements of the DPA, including those prohibiting the transfer of data to any country or territory outside of the European Economic Area. We will not carry out such a transfer unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
6.2 For the avoidance of doubt, the European Economic Area currently includes Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Norway, Portugal, Spain, and Sweden. We do, however, allow our employees to consent to the transfer of data in circumstances where the transfer is necessary.
6.3 instaENG will seek the explicit consent of our employees if it becomes necessary to process and transfer data relating to that employee to a country or territory outside the European Economic Area.
7. Security of Data
The security of our employees is a constant and top priority - and now more than ever this applies equally to their data. We have designed this policy not just to fulfil statutory requirements, but also to prevent unauthorised disclosure of, or access to, personal data.
As part of our data privacy commitments, we have established the following security measures that cover the processing of any personal data:
7.1 Access to personal data about employees is restricted to those members of staff who have a legitimate need to access such data in accordance with instaENG’s notification to the Information Commissioner.
7.2 Members of staff authorised to access personal data under paragraph 7.1 above are allowed to do so only insofar as they have a legitimate need, and only for the purposes recorded in the notification.
7.3 All persons processing data and individuals requesting access to personal data in accordance with this policy must have familiarised themselves with this policy, and our Data Control Officers are charged with ensuring that all such personnel are thoroughly trained in its use. Our team is committed across the board to acting in line with our policy, and the ready availability both of this policy and guidance on it helps them to do so.
7.4 Access to computer-held data is subject to the same restrictions as above, save that all staff authorised to access personal data are required to have passwords in order to access the data. These passwords are changed at regular intervals to ensure security is maintained. These passwords are a key part of maintaining security, and as such we may bring formal disciplinary procedures against any employee found to have disclosed a password.
7.5 All personal data is stored in such a way that access is only permitted by authorised staff. This includes data stored in filing cabinets and other storage systems. Again, we treat this with the utmost seriousness, and acts or omissions by employees which lead to unauthorised access or disclosure may lead to a formal disciplinary investigation.
7.6 Personal data is transferred under conditions of security commensurate with the anticipated risks and appropriate to the type of data held.
7.7 Personal data held electronically is appropriately backed up and stored securely to avoid incurring liability to individuals who may suffer damage or distress as a result of the loss or destruction of their personal data.
7.8 We conduct any disposal of personal data in a secure way, normally by shredding or security waste. All computer equipment or media to be sold or scrapped has all personal data completely destroyed, by re-formatting, over-writing or degaussing.
7.9 In the case of unauthorised or unlawful processing of personal data, appropriate technical and organisational measures are undertaken.
7.10 In the case of accidental loss, damage or destruction of personal data, appropriate technical and organisational measures are employed.
7.11 We do not keep personal data for any longer than is strictly necessary for the specific purposes for which it was obtained. We do not use it for any other purposes that are incompatible with the original purpose for acquiring it.
8. Third Parties
8.1 Any personal data which instaENG receives and processes in relation to third parties is obtained lawfully and fairly, and managed in accordance with the principles and conditions of the Act.
8.2 We ensure our employees register the use to which the data is to be put in the Notification (see 1.4).
8.3 Our employees obtain explicit consent from third party data subjects to process such personal data for the purposes expressed in the Notification, and ensure that there is a mechanism for data subjects to gain access to data about themselves, to prevent the processing of such data for the purposes of direct marketing and to object to the disclosure of such data.
8.4 In cases in which it is necessary to transfer personal data relating to a third party to a country or territory outside the European Economic Area, our data processor will seek advice from our qualified Data Control Officer. The data subject is, however, able to consent to the transfer of data in circumstances where the transfer is necessary.
9. We do not permit student use of Personal Data held by us.
10. Contractors and Suppliers
10.1 In certain circumstances, we recognise that it may be necessary to allow contractors or suppliers access to personal data in the course of maintenance or repair work. We understand that specific allowances require specific measures to be put in place to uphold our broader commitment to privacy.
10.2 In such circumstances, we ensure that contractors are documented and wear some form of identification. They are not permitted unnecessary admittance to areas where personal data is held or processed, and we require them to sign nondisclosure agreements if access to personal data is unavoidable.
11. Staff Use of Personal Data Off-Site, On Home Computers, Or At Remote Sites
11.1 When our employees process personal data off-site, they are careful to take reasonable precautions to prevent the data from being accessed, disclosed or destroyed as a result of any act or omission on their part. They notify the Data Protection Officer immediately in the event of theft.
12. Use of Personal Data in Research
12.1 The 1998 Act provides certain exemptions for 'research purposes,' including statistical or historical purposes. This is an interesting area for any data protection policy to cover, and instaENG has accordingly put in place the following conditions.
12.2 Provided that the purpose of processing in this research is not to create measures or decisions targeted at particular individuals, and it does not cause substantial distress or damage to a data subject, then personal data may be:
i. Processed for purposes other than for which they were originally obtained;
ii. Held indefinitely;
iii. Exempt from the right of access by data subjects where the results do not identify individual data subjects.
12.3 Most of our Data Protection Principles still apply to personal data used for research purposes, and we demand that researchers always provide clear guidance to individuals whose personal data will be used in research as to why the data is being collected and the purposes for which it will be used.
13. Collection of Personal Data From Web Pages
13.1 We recognise that data collection nowadays runs a broad gamut, and that includes web visitors. As such, we are committed to providing the following information on any web pages designed to collect personal data:
i. The purpose for which the data is being collected
ii. The recipients or classes of recipients to whom the data may be disclosed
iii. An indication of the period for which the data will be kept
iv. Any other information to ensure that the processing is 'fair'.
13.2 instaENG will provide users with the opportunity to opt out of any parts of the collection of or use of the data that are not directly relevant to the intended transaction.
Approval for this Statement
This statement was approved by the Board of Directors on 27/10/2020 and signed by Frano Lubura, Quality Manager/General Manager.