At Roscom we are committed to protecting the personal data of our employees, suppliers, customers and business contacts. As a company we need to gather and use personal data about individuals to perform contracts and as an employer, to comply with the law. This is a key element of the Data Protection Act 2018 (DPA) which is the UK’s implementation of the General Data Protection Regulation (GDPR).
The UK left the European Union on the 31st of January 2020. By our compliance with the Data Protection Act 2018 we consequently continue to meet GDPR requirements. We will follow guidance and advice from the Information Commissioners Office (ICO – The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.). Going forward, where required Roscom will setup standard contractual clauses on a case-by-case basis in accordance with the business contracts.
This policy will explain the standards by which we will collect, handle and store personal data to comply with the law and respect an individual’s rights.
We wish to achieve the following:
- To protect the rights of employees, customers and business associates
- To be transparent in explaining how an individuals’ personal data is stored and processed
- To reduce the risks of a data breach
- To be compliant with the DPA 2018
The GDPR describes how organisations must collect, handle and store personal information, whether that information be in electronic, paper or other forms.
We are to follow seven key principles in the handling of personal data. Personal data must:
- Be processed lawfully, fairly and in a transparent manner
- Be collected for specified, explicit and legitimate purposes
- Be adequate, relevant and limited to what is necessary
- Be accurate and where necessary kept up to date
- Be retained only for as long as necessary
- Be processed in an appropriate manner to maintain security
- Be measured and recorded to demonstrate the organisations accountability measures
This policy is applicable to:
- Roscom head office
- All staff and volunteers of Roscom
- All contractors, suppliers and others working on behalf of Roscom
The policy is applicable to all personal data held by us relating to identifiable individuals. Some common examples of this can include (but are not limited to):
- Addresses (email, IP or postal)
- Telephone numbers
We collect limited personal data about business contacts, our clients, potential clients, job applicants, current employees, and former employees.
The collection of that data is initiated by an appropriate member of our staff. It may be gathered from the individual, from third parties acting on the instructions of our clients and from other public sources of information such as company websites.
We maintain documentation of the company’s data flow and processing activities that occur. We will only process personal data if a lawful basis is present, such as:
- Consent has been freely given for the data to be processed. e.g. the data subject chose to Opt-in and has the option available to Opt-out if they wish. If the processing includes special categories of data, then explicit consent will be required.
- There is a Contractual Obligation for the data to be processed. e.g. a signed contract states that certain types of personal data must be processed in order to fulfil the contract.
- There is a Legal Obligation for the data to be processed. e.g. An employer needs to process personal data to comply with its legal obligation to disclose employee salary details to HMRC.
- To protect the Vital Interest of the data subject. e.g. emergency services require personal data to protect a data subject’s vital interests.
- As part of a Public Task or in the Public Interest. e.g. This covers public functions and powers that are set out in law, such as the police services.
- There is a Legitimate Interest of the data subject. e.g. The DPA 2018 specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list.
You can contact us at any time to ask why we are processing personal data, ask for it to be corrected, object to the processing, ask to restrict processing, or ask for it to be deleted. We will be as transparent as possible when working towards these requests, however we must also comply with our legal and contractual obligations.
The services offered to clients are designed to keep personal data private. The processing of employee data is limited to only what is necessary.
|Names, Email Addresses, Telephone Numbers||This ensures that we can contact new or existing clients, job applicants, or employees.|
|Bank account, National Insurance Number, Unique Tax Reference, Date of Birth||For employee Payroll & Taxation (HMRC)|
|Passport, Photo ID, Utility bills||To confirm an employee’s identity|
|Payroll information, Doctors notes, Maternity notes, Pension, Date of Birth||For our Payroll service to complete their lawful obligation.|
|CCTV, Visitor Book, Number plates||We want to protect our offices and ensure our car park is only used by visitors to Roscom and our staff.|
The categories of personal data collected are: contact, communications, financial, contractual and public data. We also store minimal special types of data: criminal, trade union membership, medical data (including gender), which are processed for fraud and money laundering prevention and our payroll service.
This policy endeavours to protect data from numerous security risks arising from day-to-day activities, such as:
- Confidentiality Breaches – Preventing confidential information from being given out inappropriately
- Consent – Ensuring individuals are free to choose, clearly informed of the specifics, and can easily withdraw consent from us processing a data subjects personal information
- Reputational Damage – Secure by reputation e.g. if sensitive data was obtained by hackers, this would cause us reputational damage
We have an Information Security Management System (ISMS) in place to mitigate security and organisational risk which includes an internal Data Protection Policy.
Where an area is observed to be at high risk, we will perform a Data Security Impact Assessment (DSIA) and apply risk mitigation measures to reduce the risk.
Those who have access to personal data will be made aware that data protection rules apply and that such data must be handled with respect. Personal data will not be made available to an indefinite number of staff.
Our employees will treat all personal data as confidential and will not use or process it other than for reasons covered under articles 5-9 of the GDPR. The information must be kept accurate, up to date and not kept for longer than is necessary. Measures will also be taken to safeguard against unauthorised or unlawful processing and accidental loss, destruction or damage to the data.
The following people have key areas of responsibility:
- The board of directors are ultimately responsible for ensuring that Roscom meet the legal obligations.
- The data protection officer is responsible for:
- Monitoring compliance with the DPA 2018 and other data protection policies in order to report risks or issues to higher management
- Reviewing and updating data protection procedures and relevant policies. Including checking for updates provided by the ICO.
- Raising data protection awareness, delivering training and carrying out internal audits
- Performing Data Protection Impact Assessments (DPIA)
- Contact point for data protection queries received internally or externally (including the ICO)
- Handling Subject Access Requests
- Assessing contracts & agreements from third parties requiring a Roscom signature
- The IT manager is responsible for:
- Ensuring all our systems, services and equipment used for storing data meet acceptable security standards
- Performing appropriate regular checks and scans to ensure security hardware and software is functioning correctly
- Carrying out service assessments on third parties being considered for storing or processing data e.g. cloud services
- The marketing representative is responsible for:
- Ensuring the appropriate data protection statements are included in any marketing materials e.g. emails & letters
- Working with the data protection officer and other staff to ensure marketing initiatives abide by the relevant data protection principles
All our employees shall observe the following confidentially guidelines:
- Access to sensitive data will be limited and granted only according to what is needed to perform an employee’s duties
- Sensitive data will not be shared. Access to sensitive data is restricted and therefore must be requested via the appropriate line manager
- Training material will be provided in order to inform employees of their responsibility when handling data. Employees shall refer to the training material provided
- Strong passwords must be used and never shared
- Employees can request help from a line manager or the data protection officer if any area of data protection is unclear or of concern
- Employees are to lock their computers when leaving them unattended. Including when working from home.
- Personal data should never be transferred outside of the European Economic Area unless we are contracted to do so and the relevant protections have been put in place
- Never save copies of personal data to your own devices/computer – only ever access and update the central copy of the data
All our employees shall observe the following storage guidelines:
Paper / files / hardcopies
- When sensitive data is stored on paper, then is should be kept in a locked drawer or filing cabinet. It should not be left in areas where someone unauthorised may see it unattended e.g. left out on a printer, or on a desk at home.
- Paper copies should be disposed of in the office confidential waste bins provided when they are no longer required. It is not expected that people working from home will print out work-related materials, however if this is the case, then any paper copies should be disposed of in an appropriate manner e.g. put into a shredder of P-4 (DIN security level 4) or above.
Electronic / digital / soft copies
- Protect data with strong passwords which are changed regularly and never shared
- If data is stored on CD, DVD or some other form of removable media, then these should be kept locked away when not being used
- Data should only be stored on the drives, servers and cloud services that Roscom IT have advised
- Any servers containing personal data should be stored in a secure location
- Data must be backed up regularly in line with standard company practice
- Roscom data must never be saved to an unencrypted laptop, mobile device or tablet
- All servers and computers must be protected by approved antivirus software and appropriate firewalling
The DPA 2018 requires that organisations keep data accurate and limited to only what is necessary. Therefore, the following guidelines will be observed:
- Data will be stored in as few places as possible. Employees should not make needless copies of data, particularly if it contains sensitive data
- Where possible, employees will ensure that data is updated, particularly HR records
- We will ensure that any personal data held can be easily updated when notified by the data subject
- Data should be reviewed and checked for accuracy periodically. If out of date or no longer required then it should be deleted and disposed of. Personal data is not to be stored indefinitely
- The marketing team are only able to contact third parties if one of the six lawful processing principles apply. Typically, this will rely on either consent or legitimate interests of the data subject
There are cameras mounted within the building to identify people entering and leaving through reception. These cameras are both motion-activated and continuous, depending on requirement. Further cameras may record the movement of people within the building, to identify whether anyone having access has proceeded into an area forbidden to them. For example, a delivery driver passing beyond reception without an escort.
Additional cameras overlook the car park and main gateway to provide additional security for vehicles and records of vehicles entering and leaving our premises.
In accordance with the DPA 2018, an individual has the right to see a copy of the personal information that an organisation holds on them. We will make the following appropriate arrangements:
A) For an Employee:
As part of normal business practice, it is likely that we will be able to share the needed information without a formal SAR being required. If you would like to query this or ask for advice before raising a SAR, it is suggested that you contact either your line manager, the DPO email@example.com or Roscom HR firstname.lastname@example.org . If you wish to go ahead with a SAR then please refer to the 42571 Subject Access Request document for a form to help guide you in raising a SAR.
Requests made by individuals who are external are handled by our Data Protection Officer. If any of our other employees receive such a request in writing (letter, email, etc.) or verbally, then it will be passed to a Data Protection Officer. A SAR can be made by phone or verbally, however we recommend that the 42571 Subject Access Request document is used to guide you in raising a SAR (available on request).
We will provide access to personal data as quickly as possible but will ensure that it is provided within 30 days.
When a Subject Access Request is received from an external data subject, we require at least one registered form of photographic identification. This can include: Passport, Driving License, Official UK ID card etc. The ID proof required will be limited to the minimal possible.
We will not charge for the first SAR, however if the requests are repetitive, unfounded or vexatious, then we will charge a fee of £10 for the administration costs of complying with the request. This fee will apply if an individual requests additional copies of the same data following the original request.
For monitoring and compliance purposes, we will maintain a centralised record of all SARs, including: when the request was received; the details of the request; confirmation of ID; when the SAR was fulfilled; and any issues or concerns. We will retain the information provided and only share the information with those who are legally entitled to. The information will only be kept for as long as necessary and in accordance with our retention policy, and will be disposed of in a safe and secure manner.
The Data Protection Act 2018 specifies that a subject access request relates to the data held at the time the request was received. If possible, we will endeavour to supply current information held, even if this is different to that which was held when the request was first received.
Although highly unlikely due to the nature of the business, if we are required to provide information to a child, we will ensure particular importance is given to making the language used is plain and clear to understand.
We may need to extend the time to respond by a further two months if the request is complex. If this is the case, then we will inform the individual within one month of receiving their request and explain why the extension is necessary. A complex access request is considered as: Several requests from same individual, Multiple information sources, Release of contentious information, involves release of third-party information and finally data protection officer or legal adviser must be consulted.
At any time, you can contact us to ask why we are processing personal data, ask for it to be corrected, ask to restrict processing, or ask for it to be deleted. We will be as transparent as possible when working towards these requests, however we must also comply with our legal obligations and professional confidentiality requirements. If your request is subject to these requirements, we will explain that to you clearly on receipt of your request.
If you require that your personal data is ported to another data controller and the current lawful basis of processing is either (i) consent, (ii) for the performance of a contract or, (iii) the processing is carried out by automated means, then please contact email@example.com or firstname.lastname@example.org for assistance.
Unsolicited Personal Data
If personal data is received in an unsolicited manner (either intentionally or accidentally), our process is that the source of the information will be notified (unless the source of information appears suspicious according to our IT policies) and then the personal data received will be deleted without delay (within 30 days of receipt). A near-miss will also be documented internally by us for audit purposes, specifying the source and a brief description of the type of data received.
If data is anonymised in such a manner that the data subject is no longer identifiable, then the DPA 2018 does not concern the processing of such anonymous information.
Transfers of Data Outside the EU
We may not Transfer any Personal Data outside the European Economic Area (EEA) unless the Data Controller has given prior written authorisation and one of the following conditions is fulfilled:
- The country the Personal Data is transferred to is recognised by the European Commission as ensuring an adequate level of personal data protection; or
- Roscom and the company the Personal Data is transferred to have entered into a Standard Contractual Clause (SCC). An SCC is a valid mechanism for ensuring that a vendor provides the necessary data protection.
If you wish to withdraw from our news and product update marketing emails, please use the unsubscribe link provided. Alternatively email your request to email@example.com
If the personal data is being processed based upon consent or legitimate interest, then the process of withdrawing consent is straightforward. However, if the data is being processed based on our legal or contractual obligations, then this will require discussion with Roscom’s data protection officer or HR department. If you wish to withdraw consent from us processing your personal data then please email firstname.lastname@example.org.
Automated Decision Making
Our work is personal to our client’s needs and our employees own unique circumstances. We do not use any automated profiling or decision-making methods.
The Risk and Controls Hub
We provide an online portal for clients which allows access to a wealth of information about our Solutions and Services. This includes training, best practice, news and support.
On The Risk and Controls Domain, users can update their email address, display name and password. We generate monthly activity logging reports for observation and security. This log includes admin actions, search queries, IP address and failed login attempts (with email/IP addresses).
Roscom LMS – Online Training Hub
We utilise an online portal (provided by Talent LMS) for delivering training to our employees and clients. This includes training videos on best practice, tests and certificates for passing the courses.
Users can update their email address, display name and password. Activity logging is carried out for security, training and improvement purposes. It is also used for interview assessments. This log includes login information, training course activity, test results, documentation downloaded, videos watch, comments and assignments (shown by user).
Lodging a Complaint
If you feel you are unable to resolve any data related issue directly with us, you have the right to bring your concerns to the Independent Commissioner’s Office