The European Union (EU) General Data Protection Regulation (GDPR) came into force in May 2018. This applies to all member states, enabling harmonisation of data privacy laws across the EU, affording individuals stronger and consistent rights to access and control their personal information. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). The Data Protection Act 2018 controls how your personal information is used by organisations. Everyone has the right to the protection of personal data concerning him or her, as well as access to data which has been collected concerning him or her, and the right to have it rectified.
Under the Data Protection Act 2018, you have the right to find out what information GTT Wireless Ltd stores about you. Your rights include the right to:
- be informed about how your data is being used
- access personal data
- have incorrect data updated
- have data erased
- stop or restrict the processing of your data
- data portability (allowing you to get and reuse your data for different services)
- object to how your data is processed in certain circumstances
You also have rights when an organisation is using your personal data for:
- automated decision-making processes (without human involvement)
- profiling, for example to predict your behaviour or interests
GTT Wireless Limited only keeps necessary information about its employees, customers, suppliers and partners to carry out its day-to-day operations, to meet its objectives and to comply with legal obligations.
GTT Wireless is committed to ensuring any personal data will be dealt with in line with GDPR and the Data Protection Act 2018. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. Please note this policy covers all employed staff and contractors.
This document also highlights key data protection procedures within the organisation.
In line with the principles of the Data Protection Act 2018, GTT Wireless will ensure that personal data will:
- Be obtained fairly, lawfully and transparently
- Be obtained for a specific, explicit and lawful purpose
- Be adequate, relevant, but not excessive and limited to only what is necessary
- Be accurate and where necessary kept up to date
- Not be held longer than necessary
- Be handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper-based personal data as well as that kept on computer.
The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.
• Accountability: Those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
• Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
• Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
• Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
• Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.
Type of information processed
GTT Wireless Ltd processes the following personal information:
• Information on applicants for posts, including references
• Employee information – contact details, bank account number, payroll information, supervision and appraisal notes
• Customers – contact details
• Suppliers – contact details
Personal information is kept in the following forms:
• Paper-based systems
• Password protected computer-based systems
Groups of people within the organisation who will process personal information are:
Under the Data Protection Guardianship Code, overall responsibility for personal data in an organisation rests with senior management. In the case of GTT Wireless Ltd, this is the management board.
The management board delegates tasks to the Information Officer. The Information Officer is responsible for:
- understanding and communicating obligations under the Act
- identifying potential problem areas or risks
- producing clear and effective procedures
All employees and contractors who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.
Breach of this policy will result in disciplinary proceedings.
To meet our responsibilities, employees will:
• Ensure any personal data is collected in a fair and lawful way
• Explain why it is needed at the start
• Ensure that only the minimum amount of information needed is collected and used
• Ensure the information used is up to date and accurate
• Review the length of time information is held
• Ensure it is kept safely
• Ensure the rights people have in relation to their personal data can be exercised
We will ensure that:
• Everyone managing and handling personal information is trained to do so
• Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do
• Any disclosure of personal data will be in line with our procedures
• Queries about handling personal information will be dealt with swiftly and politely
Training and awareness raising about the Data Protection Act 2018 and how it is followed in this organisation will take the following forms:
• On induction, review of the data protection policy document
The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure.
The following measures will be taken:
• Using lockable cupboards (restricted access to keys)
• Password protection on personal information files
• Setting up computer systems to allow restricted access to certain areas
• If personal data can be taken off site, in which forms (paper, memory stick, laptop) and what instruction do you give to people about keeping it safe?
• Backup of data on computers (onto a separate hard drive / onto tapes kept off site)
• Password protected attachments for sensitive personal information sent by email
Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary proceedings.
All information that:- a) is or has been acquired by you during, or in the course of your employment, or has otherwise been acquired by you in confidence; b) relates particularly to our business, or that of other persons or bodies with whom we have dealings of any sort; and c) has not been made public by, or with our authority; shall be confidential, and (save in the course of our business or as required by law) you shall not at any time, whether before or after the termination of your employment, disclose such information to any person without our prior written consent. You are to exercise reasonable care to keep safe all documentary or other material containing confidential information and shall at the time of termination of your employment.
GTT Wireless Ltd only processes your information in compliance with the UK Data Protection Act 2018 and in accordance with the relevant data protection laws of the EU. If, however, you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we may have handled your information, please write to: Andy Bird, GTT Wireless Ltd, The King Centre, Barleythorpe, Oakham, Rutland, LE15 7WD, United Kingdom. Or email: firstname.lastname@example.org or Tel: +44 (0)1572 338011.
Review of this Policy
This policy will be reviewed annually to ensure it remains up to date and compliant with the law. This Policy was last updated in September 2018.