FIRE DEFENCE SERVICING LIMITED (“FDS”)
- SECTION 1 – WHO WE ARE
- SECTION 2 – WHAT THIS POLICY IS FOR
- SECTION 3 – RESPONSIBILITY FOR DATA PROTECTION
- SECTION 4 – WHY FDS NEEDS TO PROCESS PERSONAL DATA
- SECTION 5 – TYPES OF PERSONAL DATA PROCESSED BY FDS
- SECTION 6 – HOW FDS COLLECTS DATA
- SECTION 7 – WHO HAS ACCESS TO PERSONAL DATA AND WHO FDS SHARES IT WITH
- SECTION 8 – HOW LONG FDS WILL KEEP PERSONAL DATA
- SECTION 9 – YOUR RIGHTS
- SECTION 10 – CONSENT
- SECTION 11 – WHOSE RIGHTS
- SECTION 12 – DATA ACCURACY AND SECURITY
- SECTION 13 – THIS POLICY
- SECTION 14 – QUERIES AND COMPLAINTS
- ANNEX A – Template Letter for Complaining to FDS about Data Protection
- ANNEX B – GDPR GUIDANCE FOR EMPLOYEES OF, OR THOSE APPLYING TO JOIN, FDS
On 25th May 2018, the new General Data Protection Regulations (GDPR) take effect in the UK and across the EU. GDPR will entirely replace our current Data Protection Act 1998. Basically, the same structure of Data Protection Law will remain, but the compliance burden will increase significantly. One of the major requirements of GDPR is to provide information to individuals (data subjects) whose data is held by an organisation by what is known as a ‘Privacy Notice’. The Privacy Notice is more detailed and specific than that required under the Data Protection Act and places an emphasis on being understandable and accessible.
This is the Privacy Notice for Fire Defence Servicing Limited.
Glossary of Terms
“Data controllers” means organisations that determine how people’s personal data is processed and for what purpose.
“Data Subjects” means any living individuals whose data the Data Controller processes.
“Processing” means any action in relation to that personal data, including filing and communication.
“Personal Data” includes everything from which a Data Subject can be identified. It ranges from simple contact details via personnel, customers and subcontractors, and encompasses opinions, file notes or minutes, a record of anyone’s intentions towards that person, and communications (such as emails) with or about them.
“Special Category Data”: some categories of Personal Data are “special category data” under the GDPR (broadly equivalent to “sensitive” personal data under the old law, but with criminal data treated separately). These comprise data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; data concerning health or data concerning a natural person’s sex life or sexual orientation; and (new to GDPR) biometric data. Extra safeguards are provided by law for processing of such data.
Legal and Regulatory Framework
Various laws underpin this Privacy Notice:
- The Data Protection Act 1998 and related statutory instruments (until 25 May 2018)
- The General Data Protection Regulation (from 25 May 2018)
- The Data Protection Act 2018 and related legislation (from 25 May 2018)
- The Privacy and Electronic Communications Regulations 2011 (PECR) (to continue after 25 May 2018 until replaced by the e-Privacy Regulation – form and date TBC)
- The Protection of Freedoms Act 2012 (biometrics and CCTV)
SECTION 1 – WHO WE ARE
This Privacy Notice covers the data processed by Fire Defence Servicing Limited (company number 036259723) (“FDS”) which is based in North Devon.
SECTION 2 – WHAT THIS POLICY IS FOR
2. This policy is intended to provide information about how FDS will use (or “process”) personal data about customers, sub contractors, service providers and other individuals including its staff.
2.1. This information is provided in accordance with the rights of individuals under Data Protection Law to understand how their data is used. Staff, our customers, sub contractors and service providers and any other individuals with a relationship to FDS are all encouraged to read this Privacy Notice.
2.3. This Privacy Notice applies alongside any other information FDS may provide about a particular use of personal data, for example when collecting data via an online or paper form.
2.4. This Privacy Notice also applies in addition to FDS’s other relevant terms and conditions and policies.
2.5. Anyone who works for, or acts on behalf of FDS (including staff and service providers) should also be aware of and comply with this Privacy Notice, which also provides further information about how personal data about those individuals will be used.
SECTION 3 – RESPONSIBILITY FOR DATA PROTECTION
3. FDS has appointed a Director (John William Johns) as the GDPR Privacy and Compliance Officer (GDPR P&CO), who will deal with any enquiries concerning FDS’s uses of your personal data (see section on Your Rights below) and endeavour to ensure that all personal data is processed in compliance with this policy and Data Protection Law.
3.1. The GDPR P&CO contact details are as follows:
- Email: firstname.lastname@example.org
- Telephone: 01769 574 070.
- Address: Crown Yealm House, Pathfields Business Park, South Molton, Devon EX36 3LH.
3.2. FDS has appointed the Company Secretary as the Data Protection Officer (DPO) who will deal with any data access requests.
3.3. The DPO contact details are as follows:
- Telephone: 01769 574 070.
- Address: Crown Yealm House, Pathfields Business Park, South Molton, Devon EX36 3LH.
SECTION 4 – WHY FDS NEEDS TO PROCESS PERSONAL DATA
4. In order to carry out its ordinary business, FDS may process a wide range of personal data about individuals (including current, past and prospective staff, customers, sub contractors, service providers and other individuals) as part of its daily operations. Some of this activity FDS will need to carry out in order to fulfil its legal rights, duties or obligations – including those under a contract with its staff.
4.1. Other uses of personal data will be made in accordance with FDS’s legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on individuals, and provided it does not involve special or sensitive types of data.
4.2. FDS expects that the following uses may fall within that category of its “legitimate interests”:
- For the purposes of customer, sub contractor, service providers and staff selection.
- For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as diversity or gender pay gap analysis and taxation records).
- To enable relevant authorities to monitor FDS’s performance and to intervene or assist with incidents as appropriate.
- To give and receive information and references about past, current and prospective staff, customers, sub contractors, service providers and other individuals, including relating to outstanding invoices, claims or payment history, and to provide references to potential employers of past members of staff.
- To enable staff to take part in training examinations or other assessments.
- To safeguard staff’s welfare and provide appropriate care.
- To monitor (as appropriate) use of FDS’s IT and communications systems.
- To make use of photographic images of staff in FDS’s publications, on the FDS website and (where appropriate) on FDS’s social media channels.
- For security purposes, including CCTV.
- Where otherwise reasonably necessary for FDS’s purposes, including to obtain appropriate professional advice and insurance for FDS.
4.3. In addition, FDS may need to process special category personal data (concerning health, ethnicity, religion or sexual life) or criminal records information (such as when carrying out DBS, DVLA or other checks) in accordance with rights or duties imposed on it by law, including as regards employment, or from time to time, by explicit consent where required. These reasons may include:
- To take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual’s medical condition where it is in the individual’s interests to do so: for example for medical advice, social services, or insurance purposes.
- To provide training or educational services.
- In connection with employment of its staff, for example DBS, DVLA or other checks, welfare or pension plans.
- To run any of its systems that operate on biometric data, such as for security and other forms of identification (lockers, site access etc.).
- For legal and regulatory purposes (for example diversity monitoring and health and safety) and to comply with its legal obligations and duties of care.
SECTION 5 – TYPES OF PERSONAL DATA PROCESSED BY FDS
5. This will include by way of example:
- Names, addresses, telephone numbers, e-mail addresses and other contact details.
- Car details (about those who use our vehicles or parking facilities).
- Past, present and prospective staff academic, disciplinary, and attendance records (including information about any special needs), and training and examination scripts and marks.
- Where appropriate, information about individuals’ health, nationality, date of birth, bank account, and contact details for their next of kin.
- References given or received by FDS about staff, customers, sub contractors, service providers and other individuals, and information provided by previous employers or establishments and/or other professionals or organisations working in the industry.
- Images of staff (and occasionally other individuals) engaging in relevant business activities, and images captured by CCTV systems.
- Voice recording of incoming and outgoing spoken communications.
SECTION 6 – HOW FDS COLLECTS DATA
6. Generally, FDS receives personal data from individuals directly or from third parties. This may be via a form, or simply in the ordinary course of interaction or communication (such as email or written assessments, quotations, or from websites or social media).
6.1. In some cases personal data may be supplied by third parties (for example a main contractor, another industry contractor, or consultants and industry professionals working with that individual); or collected from publicly available resources.
SECTION 7 – WHO HAS ACCESS TO PERSONAL DATA AND WHO FDS SHARES IT WITH
7. Occasionally, FDS will need to share personal information with third parties, such as professional advisers (lawyers, insurers and accountants) or relevant authorities (e.g. Industry regulators, HMRC, HSE, police or the local authority).
7.1. For the most part, personal data collected by FDS will remain within FDS, and will be processed by appropriate individuals only in accordance with access protocols (i.e. on a ‘need to know’ basis). Particularly strict rules of access apply in the context of:
- Medical records.
- Employment records and appraisals.
7.2. Finally, in accordance with Data Protection Law, some of FDS’s processing activity is carried out on its behalf by third parties, such as IT systems, web developers or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with FDS’s specific directions.
SECTION 8 – HOW LONG FDS WILL KEEP PERSONAL DATA
8. FDS will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. Typically, the legal recommendation for how long to keep ordinary staff and other records is up to 7 years following the end of a relationship with FDS. However, project records and similar records and information will need to be kept much longer. If you have any specific queries about how this policy is applied, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact the DPO (See Section 3). However, please bear in mind that FDS may have lawful and necessary reasons to hold on to some data.
SECTION 9 – YOUR RIGHTS
9. Individuals have various rights under Data Protection Law to access and understand personal data about them held by FDS, and in some cases ask for it to be erased or amended or for FDS to stop processing it, but subject to certain exemptions and limitations.
9.1. Any individual wishing to access or amend their personal data, or wishing it to be transferred to another person or organisation, or who has some other objection to how their personal data is used, should put their request in writing to the GDPR P&CO (See Section 3).
9.2. FDS will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month in the case of requests for access to information. FDS will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, then FDS may ask you to reconsider or charge a proportionate fee, but only where Data Protection Law allows it.
9.3. You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal professional privilege. FDS is also not required to disclose any confidential reference given by FDS for the purposes of the education, training or employment of any individual.
SECTION 10 – CONSENT
10. Where FDS is relying on consent as a means to process personal data, any person may withdraw this consent at any time. Please be aware, however, that FDS may have another lawful reason to process the personal data in question even without your consent.
10.1. That reason will usually have been asserted under this Privacy Notice, or may otherwise exist under some form of contract or agreement with the individual (e.g. an employment or other contract, or because a purchase of goods, services or membership of an organisation has been requested).
SECTION 11 – WHOSE RIGHTS
11. The rights under Data Protection Law belong to the individual to whom the data relates.
11.1. FDS’s staff are required to respect the personal data and privacy of others, and to comply with FDS’s policies and rules.
SECTION 12 – DATA ACCURACY AND SECURITY
12. FDS will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must please notify the relevant member of staff of any significant changes to important information, such as contact details, held about them.
12.1. An individual has the right to request that any out-of-date, irrelevant or inaccurate information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law): please see above for details of why FDS may need to process your data, and of who you may contact if you disagree.
12.2. FDS will take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to FDS systems. All staff will be made aware of this policy and their duties under Data Protection Law and receive relevant training.
SECTION 13 – THIS POLICY
13. FDS will update this Privacy Notice from time to time. Any substantial changes that affect your rights will be provided to you directly as far as is reasonably practicable.
SECTION 14 – QUERIES AND COMPLAINTS
14. Any comments or queries on this policy should be directed to the GDPR P&CO or DPO (see Section 3 above for contact details).
14.1. If an individual believes that FDS has not complied with this policy or acted otherwise than in accordance with Data Protection Law, they should notify the DPO. Individuals can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with FDS before involving the regulator.
ANNEX A – Template Letter for Complaining to FDS about Data Protection
[Your full address]
The Data Protection Officer
Fire Defence Servicing Limited
Crown Yealm House
Pathfields Business Park
Devon EX36 3LH
[Reference number (if provided within the initial response)]
Dear [Sir or Madam / name of the person you have been in contact with]
INFORMATION RIGHTS CONCERN
[Your full name and address and any other details such as account number to help identify you]
I am concerned that you have not handled my personal information properly.
[Give details of your concern, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]
I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.
If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.
You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.
Please send a full response within 28 calendar days. If you cannot respond within that timescale, please tell me when you will be able to respond.
If there is anything you would like to discuss, please contact me on the following number [telephone number].
ANNEX B – GDPR GUIDANCE FOR EMPLOYEES OF, OR THOSE APPLYING TO JOIN, FDS
- This Annex should be read in conjunction with the introductory paragraphs in the covering document.
- This privacy notice will be provided to you at the time your data is being obtained, if it is being obtained directly.
- Data will be processed for the purposes of responding to requests for information about joining FDS and FDS will therefore have a “legitimate interest” for processing basic personal data and sensitive personal data. The data FDS holds will be the minimum it requires to form and maintain the contract between you and FDS.
- FDS will share your data with the following companies or organisations who have contracts or relationships with FDS and who have equalled FDS’s precautions and systems for dealing with data. These are:
- FDS’s IT software providers.
- DBS Clearance provider.
- Training providers.
- Insurance brokers and Insurers of FDS.
- Health & Safety Executive.
- Industry regulators.
- It is not normally necessary for data to be shared with other countries. The exception to this will be international trips that FDS organises. Should this be envisaged for you, you will be contacted for your consent; the consent, if required, will be limited in time and content.
- The retention period for employee data will be as a minimum until you leave the employment of FDS and/or be modified by any other legal obligation FDS finds itself under.
- You have the right to withdraw your consent to data processing at any time; however, this will only apply to certain groups of data for which you have given particular consent.
- You can complain at any time about how FDS has handled your data. The Information Commissioner is available as follows:
- ICO helpline is 0303 123 1113.
- A template letter, should you need it, is at Appendix 1 to Annex A.
- We will obtain the data FDS requires from you. Should we need data from other sources we will contact you within a month.
- We see the provision of personal data as necessary to properly employ you at FDS and for FDS to fulfil its obligations under the contract once you are an employee here.
- There is no automated decision making or profiling involved in this data stream into and through FDS.