On 25th May 2018 new legislation came into force: the General Data Protection Regulations 2018, or GDPR for short. GDPR introduced major changes as to how personal information is requested, used and stored by any organisation. These regulations also provide you, as an individual, with the right to see what personal information is held and request that any factual errors are corrected. Any information requested and held must be relevant and must not be passed to any third party without the subject’s express permission.
In the case of MD Govier Electrical Engineering Ltd, we only ask for basic contact details and sometimes banking details for the purpose of payment. As a client of MD Govier you are agreeing to us using your contact details to allow us to send you messages and information regarding future works planning/commencing works/previous completed works, as well as contact you in an emergency. You also have the right to withdraw your consent or request a transfer of your personal data at any time using a subject access request.
Subject access requests can be made in writing, electronically or verbally. If a member of staff is in doubt as to whether a certain situation has given rise to a SAR, they are to contact the Data Protection Officer. The subject/requester may be asked to produce valid proof of identity, such as a current UK passport or UK driving licence. A requirement of the UK GDPR laws is to respond to any SAR within 30 days. Any employee who receives a request from the Data Protection Officer to locate and supply information relating to a SAR must make a full, exhaustive search of the records which they own or are responsible for. This may include but is not limited to emails (including archived emails and those that have been deleted but are still recoverable). Any SAR that naturally involves the data of another subject must be filtered to ensure that other data subjects’ information has been protected and they have the opportunity to consent to the supply of their data as part of the SAR before any information is released. All the information that has been requested must be provided unless an exemption can be applied. The Data Protection Officer will seek external advice and refer to the ICO for more complex SARs.
We do not pass clients’ personal information to any third party, and it is used solely to allow us to operate as a business. All personal information of clients is held and managed by the Directors. The Director fulfils the role of Information Officer and will be responsible for the security of all personal information held by the Company. Other members of staff may have access to a client’s personal information if they are part of the Company’s administration team or if they are designated the role of Project Manager for work being conducted on behalf of a client.
MD Govier Electrical Engineering Ltd believes that our current procedures for information management are compliant with GDPR.
In the course of your work with our Company you are likely to collect, use, transfer or store personal information about our employees, clients, customers and suppliers, for example their names and home addresses. The UK’s data protection legislation, including the UK General Data Protection Regulations (UK GDPR), contains strict principles and legal conditions which must be followed before and during any processing of any personal information.
The purpose of this policy is to ensure that you are aware that everyone has a responsibility to comply with the principles and legal conditions provided by the data protection legislation, including the UK GDPR, and that failure to meet those responsibilities is likely to lead to serious consequences. Firstly, a serious breach of data protection is likely to be a disciplinary offence and will be dealt with under the Company’s disciplinary procedure. If you access another employee’s personnel records or any sensitive personal information without authority, this will constitute a gross misconduct offence and could lead to your summary dismissal. Additionally, if you knowingly or recklessly disclose personal data in breach of the data protection legislation, including the UK GDPR, you may be held personally criminally accountable for any such breach.
Breach of the data protection legislation, including the UK GDPR rules, can cause distress to the individuals affected by the breach and is likely to leave the Company at risk of serious financial consequences.
If you are in any doubt about what you can or cannot disclose and to whom, do not disclose the personal information until you have sought further advice from the Company’s Data Protection Officer – Kelly Govier. This can be via office email (ke***@go***************************.uk) or in person.
It is of paramount importance that personal data is kept confidential and secure and is only processed by authorised personnel. Personal data must be held securely, either in a locked filing cabinet or, if computerised, in password-protected files. This is to ensure that it is protected from unintended destruction or change and is not seen by unauthorised persons. Employees must not access another employee’s records without authority, as this will be treated as gross misconduct, and it is also a criminal offence. Personal information should also not be removed from the workplace with the intention of processing it elsewhere unless this is necessary to enable you to carry out your job duties and has been authorised by your line manager. Any hard copy personal information should be disposed of securely, i.e. cross-shredded.
Transfer of personal data to countries or organisations outside of the UK should only take place if appropriate safeguarding measures are in place to protect the security of that data.
This policy does not form part of a contract of employment. However, it is mandatory that all employees, workers or contractors must read, understand and comply with the content of this policy and you must attend associated training relating to its content and operation. Failure to adhere to this policy is likely to be regarded as a serious disciplinary matter and will be dealt with under the Company’s disciplinary rules and procedures.
As a company that employs fewer than 250 employees, we only need to document processing activities that are not occasional, could result in a risk to the rights and freedoms of individuals, or involve the processing of special categories of data or criminal conviction and offence data.
Kelly Govier
Data Protection Officer
23rd May 2024