Computer and Device Usage, Data Protection and Social Networking Policy

Part one – Computer Usage Policy

This policy applies to all computer users working within the Group, which means anyone who is authorised to use and/or access our computers, computer software, information and data.

Access

  1. All computer users are permitted to access only those parts of the computer system that they need in order to carry out their normal duties. Any other access will be regarded as unauthorised. Should a computer user believe that they need access to other parts of the computer system, they must first seek clearance from their immediate Manager. You must not access, or attempt to access, IT systems that are not available to you or are not required for your daily duties.

Network security and computer viruses

  1. A computer virus is malicious software. Viruses work in different ways; many are designed to copy themselves from computer to computer without any action by the user. Once loaded onto a computer, a virus can destroy data and programs on that computer or on the network, can give untrusted external parties access to the computer and, in extreme cases, can damage the computer itself. Sources of infection include internet websites, USB memory sticks, e-mail attachments, “click here” links in e-mails (even clicking on some pictures in an e-mail or web page can be enough), and software or files (e.g. Word or Excel documents) introduced by any route other than through the IT Team.

What you must do to protect against viruses:

  • Only portable media received from a trusted source should be accessed from a company device. Show the same care with unsolicited e-mails: be suspicious of URL links, of requests for personal information such as bank account details or passwords, and of requests to ‘log on’ to a site to ‘confirm your details’.
  • Be vigilant and assist the IT Team both generally and when spot checks are carried out as part of the security procedures in place to protect our data.
  • Comply with any rules issued by the IT Team covering remote access to the computer network.

What you must not do:

  • Run or load private software on PCs (including laptops or any other equipment provided to you by the Group that can run or load software), including software downloaded from the internet. This also extends to media files such as mp3, AVI, mp4, CDs, DVDs and any other type of file that, in the sole opinion of the Group, is deemed inappropriate.
  • Accept copies of software from others. If you have a legitimate need for software you are being offered, arrange for the IT Team to purchase it and/or install it for you.
  • Access unauthorised areas, applications, data or websites.
  • Install, replace, bypass or modify any security feature in a way that would leave our information insecure or prevent us from monitoring the use of our systems.
  • Copy or distribute company software or data to any third party.
  • Insert computer disks, USB memory sticks or other portable media into company computers or laptops, or use third-party cloud storage. If you have a requirement for removable or cloud storage, contact IT for confirmation of what is acceptable.

Antivirus software is in use on our computers and laptops, but it is not a complete defence: viruses can hide in seemingly trusted files and documents, and the best protection is not to introduce these external threats in the first place.

If you think you have a virus you must contact the IT team immediately. 

Responsibility for Accounts

  1. Computer users may only use the computing facilities under the account name and password allocated to them.
  2. All users are directly responsible for their own accounts; actions are the responsibility of the account holder.
  3. Users are expected to take all reasonable precautions to prevent unauthorised use of their account by another person. This includes but is not limited to safeguarding their username and password, ensuring that they correctly log off their account and lock their screen when away from their computer or desk. Speak to IT if you have any queries or need help with this.
  4. Each computer user will be provided with a password. This is confidential and must not be disclosed to anyone, whether or not that person works for us. The password must be changed whenever prompted by the system, and immediately if you suspect it has been disclosed.
  5. Computer users must also comply with any rules or reasonable requests covering network security issued by the IT Team.

E-mail Style

  1. All communications by e-mail are to be treated as if they are permanent written communications and appropriate language and style should therefore be used at all times.

Private use of e-mail

  1. Whilst it is accepted that computer users may send and receive limited personal communications by e-mail, these should be minimal and the privilege not abused, just as in the case of personal telephone calls. All computer users must ensure that any private use does not interfere with the performance of their duties and should preferably be conducted:
  • Before your normal work time commences
  • During your break, or
  • After your normal finish time

Please note that technical support from the IT Team will only be provided for work-based e-mail accounts, and not for any personal mail accounts such as Hotmail, Yahoo etc.

Unacceptable use of e-mail

  1. There are certain types of communication which could give rise to liability both for yourself and potentially for us. For this reason, computer users must not send or (where preventable) receive any personal or business e-mail that:
    • contains pornographic, obscene, defamatory or insulting material, whether or not you are offended personally by it;
    • contains information that is confidential, personal, commercially or client sensitive, or may have contractual or other legal implications for us, except as part of your duties;
    • may be deemed as ‘junk mail’, such as jokes, stories or chain letters;
    • may damage our reputation or that of any person or organisation with which we deal;
    • includes derogatory remarks about other people or organisations (even if only sent internally);
    • makes representations or expresses opinions purporting to be ours, except where authorised;
    • may constitute any form of discrimination including sex, race, age, disability, religion or sexual orientation;
    • may be deemed bullying and/or harassment.
  2. Computer users are expressly warned that e-mail messages can be recreated even after deletion and may be used in legal proceedings.
  3. You should note that internet e-mail is not secure and that delivery is not guaranteed; both are outside our control. Do not rely on e-mail for time-sensitive or confidential material: treat it as “best effort” rather than guaranteed delivery. The same applies to incoming e-mail. For sensitive material such as personal details, use a more secure method of delivery.

Internet Access

  1. As in the case of e-mail, we recognise that certain team members will have a legitimate business need to access the internet, and also that a reasonable and minimal amount of access for personal purposes is acceptable.
  2. Internet use to support activity connected with our business, including client, and / or customer communication, research, administration and the development of professional knowledge is not restricted.
  3. Internet use for personal banking, ordering goods, searching for information about holidays and personal administration is allowed provided it is minimal, reasonable and does not interfere with the performance of your duties and should preferably be conducted:
  • Before your normal work time commences
  • During your break, or
  • After your normal finish time

Please note that technical support from the IT Team will only be provided for websites that are specifically connected with our business. The IT Team will not provide support for, or accept any liability for, external websites accessed for personal use, such as websites that require you to enter credit card or other personal details. We strongly advise you against accessing such sites.

Please note further that technical support for equipment that is not company property or has not been recommended by the Group will not be provided and should not in any event be used.

Prohibited and Unsuitable Websites

  1. Using our internet connection to access, view, download or distribute pornographic, indecent, sexually explicit or obscene material, violent material, or material likely to cause offence is prohibited. This applies whether or not the conduct would constitute a criminal offence, whether or not it takes place during working hours, and whether or not you personally find the material insulting or distasteful.
  2. Playing computer games, online gaming, misuse of video files, private advertising and use of the internet for personal financial gain are also not allowed.
  3. You may inadvertently access inappropriate material because of misleading site descriptions or innocent searches. If this happens you should exit the site immediately. Failure to do so promptly may lead us to conclude that you deliberately viewed the material.
  4. A number of restrictions have been put in place to help block unsuitable websites; however, others may still be accessible and you must still adhere to these guidelines. We reserve the right to change and amend these restrictions without notice at any time if we consider it to be in our best interest.

Guidance on handling personal data in the computer system and disclosure of documents in legal proceedings

  1. We all need to be mindful of our legal obligations when creating, storing or circulating information about individuals. Information relating to any identifiable individual that is created on our computer systems (e.g. a Word document or an e-mail) counts as “personal data” for the purposes of the General Data Protection Regulation (“GDPR”), which came into force in May 2018.
  2. Once we hold personal data about an individual, we have obligations relating to that data. We must ensure that the data is accurate and not excessive or irrelevant, and we may “process” the data only if strict conditions are satisfied. In brief, most data can be processed for legitimate business reasons, but there are additional limitations on the processing of sensitive information (e.g. about an individual’s health). Circulating, retaining and even deleting information all count as processing.
  3. Individuals have a right, subject to certain exceptions, to see personal data that is held about them on our computer system. We may also have to disclose documents, including e-mails, in the context of legal proceedings (whether or not they count as personal data). If you wish to make a subject access request under data protection legislation, send your written request to HR.
  4. We may require you to confirm your identity to ensure that we are releasing your private information only to you. This may require you to meet a representative of the Group in person to verify your identity. Any information we release to you under our data protection obligations is for your personal use only and must not be published, reproduced, broadcast or distributed in any way without our prior written permission.

Here is some practical guidance on handling information about individuals held on computer:

  • Beware what you say in e-mail messages. If sending an e-mail about an individual, remember that this is likely to be processing personal data.  This means that the individual may seek access to it and we have data protection obligations in respect of it.  Consider whether a telephone call would be a more appropriate means of communicating the information.  Remember that describing an individual by their initials (“ABC”) or indirectly (“you know who”) will often still count as processing data about the individual.
  • Never ask for or send information about someone’s health or other sensitive details unless they have specifically agreed to this or you know that you are acting within the limits of the GDPR.
  • Never make “throw-away” remarks about individuals in e-mails, assuming that they won’t see them. Subject access requests are becoming more common and this sort of remark can lead to legal liability.  Remember that e-mails are not a secure method of communication and can be forwarded very easily to individuals other than the intended recipients both deliberately and by mistake.

Monitoring of internet and e-mail use

  1. All internet usage is logged automatically by our systems for security purposes. The user, website, date and other information are recorded and held centrally by IT. We periodically review the list of sites accessed by users to identify any inappropriate sites that may have been visited.
  2. All e-mail is content-filtered both coming into and going out of our server. This is carried out automatically and continuously. Any e-mail that fails the checks is placed in the junk mail or spam folder. Occasionally genuine e-mails will be filtered into these folders, so you are advised to check them periodically. If the subject of an e-mail arriving on our server, or the content of an attachment checked by the IT Team, alerts the IT Department to a breach of this policy or other inappropriate behaviour, they will notify the HR Team or a senior Manager accordingly.
  3. We may also monitor your e-mails and internet usage:
    • where a breach of this policy, a breach of another policy, or other inappropriate behaviour is suspected;
    • to check for viruses;
    • to check facts or control quality;
    • if a member of the team is absent and e-mails need to be checked for work-related reasons.
  4. In order to monitor where a breach of a policy or other inappropriate behaviour is suspected, or where facts or quality are being checked, we may open e-mails sent or received by you, including stored or deleted ones.
  5. Monitoring and checking of internet usage and e-mail will be conducted only by the IT Team, HR or an appropriate senior Manager, and must be authorised by a senior member of the IT Team, HR or an appropriate senior Manager. Before authorising monitoring, the relevant Manager will consider whether a less intrusive method of achieving the employer’s objective could be used instead.
  6. All computer users should note that marking e-mails as ‘personal’ does not mean that we will never see their content or attachments. If you do not wish us to read private e-mails, you should make alternative arrangements that do not involve our property. If you wish to communicate confidential information that you would not want monitored, for example information about your own or another person’s health, consider other means such as post or handing over the information in person.
  7. We may override any passwords, or require computer users to disclose their passwords, in order to access any e-mail message for a reason set out above.

Consequences of breach of this policy

  1. Failure to comply with any aspect of this policy without good reason could result in the removal of privileges to use the computer system for personal purposes and/or:
    • in the case of team members, in disciplinary action being taken (including dismissal); and
    • in the case of non-employees, termination of the contract/relationship and/or legal action.
  2. The following will be regarded as gross misconduct and may lead to immediate dismissal of team members or, in the case of non-team members, immediate termination of the contract/relationship:
    • serious breach of our virus policy;
    • sending an e-mail which may materially damage our reputation or that of any person or organisation with which we deal;
    • sending an e-mail which constitutes sexual, racial or other harassment (whether or not it would be unlawful) or a breach of our harassment and bullying policy;
    • deliberately using our equipment to access internet facilities to view, download, print or distribute pornographic, indecent, sexually explicit or obscene material or material likely to cause offence;
    • introducing a virus to the computer network through unauthorised means, including computer disks or USB sticks.
  3. Computer users are specifically warned that there are a number of criminal offences that may arise from the misuse of our computer systems and that we reserve the right to inform the police if it is believed that such an offence may have been committed.

Incident Reporting

  1. Any team member who identifies a breach of this policy should refer immediately to their Manager or the IT Team.

Status of this policy

  1. This policy is not part of your contract of employment and does not create contractual rights or obligations. It may be amended by us at any time.

If you are uncertain about any of the issues covered by this policy you should speak to the IT or HR Team.

December 2022

Part two – Mobile Phones and Electronic Devices

The following policy applies to all employees who are issued with a Group mobile phone, tablet, iPad or other mobile electronic device.

The following guidelines should be adhered to:

  1. Group mobile phones are provided so that you can fulfil your duties professionally and efficiently. The mobile phone provided does not belong to you and is to be used for business purposes.
  2. We reserve the right to monitor internet use on the mobile phone to ensure compliance with our policy, and any personal use may be recharged to you. Group policy on inappropriate internet use also applies to internet use on our mobile phones. For your information, we actively monitor mobile phone usage such as late-night texts, premium-rate numbers, international dialling and excessive call and internet usage.
  3. We reserve the right to monitor all use of Group mobile phones and all communication made by any means, including text message, e-mail or any application added to the phone. Communicating in this way via a Group mobile phone is therefore done in the knowledge that those communications may be read by those in the Group responsible for monitoring mobile phone use. Monitoring your usage will involve processing your personal data.
  4. When using a Group phone you are an ambassador of the Group, so you should deal with all calls courteously and professionally.
  5. If you are issued with a Group mobile phone you are responsible for its safe keeping, for ensuring that its battery is charged and for keeping it switched on at all times when on duty. There are some circumstances where it may be necessary to set the phone to silent or divert it to voicemail, for example when attending a meeting.
  6. It is illegal to use a hand-held mobile phone whilst driving. The Group does not require you to use any mobile phone whilst driving. Please refer to the Driving on Company Business Policy issued to relevant drivers.
  7. If your Group mobile phone is lost or stolen, you must report this immediately to the IT Helpdesk so that the SIM card can be cancelled before an unauthorised user can make calls. You must also report it to your Manager and, in the event of a theft, to the local police station, and obtain a crime reference number.
  8. On termination of employment, your Group mobile phone and accessories must be handed in to HR on your last day of employment.
  9. The phone number assigned to your Group mobile phone is the property of the Group and will not be transferred out, nor will the Group accept the transfer in of any personal number.
  10. If your mobile phone becomes damaged, take it to an Apple Store or another well-known high street mobile phone retailer for a repair quotation. Once you have the quotation, seek approval from your Manager for the repairs and submit the cost through the expenses process; please refer to the Expenses Policy. Where the cost of repair is excessive relative to the cost of the phone, inform your line manager and request approval for a replacement. The request for the new phone (including your manager’s approval) should be submitted to the IT Helpdesk along with details of where the new phone should be delivered.
  11. We reserve the right to require employees to cover the cost of repairs or of a new phone if the damage was caused by a lack of due care or attention.

 

Part three – Data Protection Policy

  1. Introduction

During the course of our activities, the Group (“we”, “our”, “us”) will process personal data (which may be held on paper, electronically, or otherwise) and we recognise the need to treat it in an appropriate and lawful manner, in accordance with the General Data Protection Regulation (“GDPR”).

We recognise that the correct and lawful treatment of Personal Data will maintain confidence in the organisation and support successful business operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. We are exposed to potentially significant fines, depending on the breach, for failure to comply with the provisions of the GDPR. Furthermore, individuals may incur personal criminal liability and fines if they fail to comply with data protection legislation.

All individual business areas, departments and supervisors are responsible for ensuring all employees (“you”, “your”) comply with this policy and need to implement appropriate practices, processes, controls and training to ensure such compliance.

This Policy sets out how we handle the Personal Data of our customers, suppliers, employees, workers and other third parties.

This Policy applies to all Personal Data we process regardless of the media on which that data is stored or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users or any other Data Subject.

This Policy applies to all employees. You must read, understand and comply with this Policy when processing Personal Data on our behalf and if necessary attend training on its requirements. This Policy sets out what we expect from you in order for the Group to comply with applicable law. Your compliance with this Policy is mandatory. Related policies and guidelines are available to help you interpret and act in accordance with this Policy. You must also comply with all such related policies and guidelines. Any breach of this Policy may result in disciplinary action, which could result in dismissal.

This Policy (together with Related Policies and Privacy Guidelines) is an internal document and cannot be shared with third parties, clients or regulators without our prior authorisation.

This Policy does not form part of any contract of employment and we may amend it at any time.

  2. Useful Definitions
  • Group Personnel: all employees, team members, workers, contractors, agency workers, consultants, directors, members and others.
  • Data Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. We are the Data Controller of all Personal Data relating to our Group Personnel and Personal Data used in our business for our own commercial purposes.
  • Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
  • Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour. Personal Data is subject to the legal safeguards specified in the GDPR.
  • Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
  • Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
  3. Scope

Please contact the Group Head of IT with any questions about the operation of this Policy or the GDPR or if you have any concerns that this Policy is not being or has not been followed. In particular, you must always contact the Group Head of IT in the following circumstances:

  • if you are unsure of the lawful basis which you are relying on to process Personal Data;
  • if you need to rely on consent;
  • if you are unsure about what security or other measures you need to implement to protect Personal Data;
  • if there has been a Personal Data Breach;
  • if you need any assistance dealing with any rights invoked by a Data Subject;
  • If you need help complying with applicable law when carrying out direct marketing activities; or
  • if you need help with any contracts or other areas in relation to sharing Personal Data with third parties.
  4. Personal Data protection principles
    • Lawfulness and fairness

Personal data must be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

You may only collect, Process and share Personal Data fairly and lawfully and for specified lawful purposes. The GDPR allows Processing for specific purposes, some of which are set out below:

  • the Data Subject has given his or her consent;
  • the Processing is necessary for the performance of a contract with the Data Subject;
  • the Processing is necessary to meet our legal compliance obligations;
  • the Processing is necessary to protect the Data Subject’s vital interests; or
  • the Processing is necessary to pursue our legitimate interests, provided those interests are not overridden by the interests or fundamental rights and freedoms of the Data Subjects. The purposes for which we process Personal Data on the basis of legitimate interests must be set out in the applicable Privacy notices or fair processing notices.

You must identify and document the legal ground being relied on for each Processing activity.

  • Consent

A Data Controller must only process Personal Data on the basis of one or more of the lawful bases set out in the GDPR, which include consent.

A Data Subject consents to Processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the Processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are unlikely to be sufficient.

Data Subjects must be easily able to withdraw consent to Processing at any time and withdrawal must be promptly honoured.

You will need to evidence consent captured and keep records of all consents so that the Group can demonstrate compliance with consent requirements.

  • Transparency (notifying data subjects)

The GDPR requires Data Controllers to provide detailed, specific information to Data Subjects through appropriate Privacy notices or fair processing notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them.

Whenever we collect Personal Data directly from Data Subjects, we must provide the Data Subject with all the information required by the GDPR including the identity of the Data Controller, how and why we will use, Process, disclose, protect and retain that Personal Data through a notice which must be presented when the Data Subject first provides the Personal Data.

When Personal Data is collected indirectly (for example, from a third party or publicly available source), you must provide the Data Subject with all the information required by the GDPR as soon as possible after collecting/receiving the data. You must also check that the Personal Data was collected by the third party in accordance with the GDPR.

  5. Purpose limitation

Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.

You cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained.

  6. Data minimisation

Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.

You may only Process Personal Data when performing your job duties requires it. You cannot Process Personal Data for any reason unrelated to your job duties.

You may only collect Personal Data that you require for your job duties: do not collect excessive data. Ensure any Personal Data collected is adequate and relevant for the intended purposes.

You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Group’s data retention guidelines. See 12.6 of this policy.

  7. Accuracy

Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

You will ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.

  8. Storage limitation

Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.

You must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.

You must comply with our retention policies and procedures to ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time.

You will take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require in accordance with all the Group’s applicable records retention and storage schedules and policies. This includes requiring third parties to delete such data where applicable.

You will ensure Data Subjects are informed of the period for which data is stored and how that period is determined in any applicable notice.

  9. Security, integrity and confidentiality
    • Protecting Personal Data

Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.

We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data. You are responsible for protecting the Personal Data we hold. You must implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data.

You must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. This will include but may not be limited to:

  • password protecting documents that contain personal data;
  • checking with a colleague before you email data to ensure accuracy and security;
  • keeping hard copies of information such as personal files in locked cabinets / storage;
  • disposing of hard copy documents containing personal data confidentially;
  • only recording personal data that is absolutely necessary for completing the task; do not take additional details.

You must maintain data security by ensuring that only people who have a need to know and are authorised to use the Personal Data can access it.

You must comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the GDPR and relevant standards to protect Personal Data.

  • Reporting a Personal Data Breach

If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact your line manager and the IT Helpdesk as the key point of contact for Personal Data Breaches. You should preserve all evidence relating to the potential Personal Data Breach.

  1. Transfer limitation

The GDPR restricts data transfers to countries outside the European Economic Area in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country.

You must comply with any Group guidelines on cross border data transfers.

  1. Data Subject’s rights and requests

Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:

  • withdraw consent to Processing at any time;
  • receive certain information about the Data Controller’s Processing activities;
  • request access to their Personal Data that we hold;
  • prevent our use of their Personal Data for direct marketing purposes;
  • ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
  • challenge Processing which has been justified on the basis of our legitimate interests;
  • prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else; and
  • be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms.

You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Data without proper authorisation).

You must immediately forward any Data Subject request you receive to your supervisor.

  1. Accountability
    • The Data Controller must implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. The Data Controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.
    • Record keeping

The GDPR requires us to keep full and accurate records of all our data Processing activities.

You must keep and maintain accurate corporate records reflecting our Processing including records of Data Subjects’ consents and procedures for obtaining consents. These records should include, at a minimum, the name and contact details of the Data Controller, clear descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data’s retention period and a description of the security measures in place.

  • Training and audit

You must undergo all mandatory data privacy related training and ensure your team undergo similar mandatory training in accordance with the Group’s mandatory training guidelines.

You must regularly review all the systems and processes under your control to ensure they comply with this Policy and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.

  • Direct marketing

We are subject to certain rules and privacy laws when marketing to our customers.

For example, a Data Subject’s prior consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing customers known as “soft opt in” allows organisations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar products or services, and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.

The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information.

A Data Subject’s objection to direct marketing must be promptly honoured. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

You must comply with the Group’s guidelines on direct marketing to customers.

  • Sharing Personal Data

Generally, we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.

You may only share the Personal Data we hold with another employee, agent or representative of our Group (which includes our subsidiaries and our ultimate holding company along with its subsidiaries) if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.

You must comply with the Group’s guidelines on sharing data with third parties.

12.6 Data Retention

The DPA requires that we ensure that Personal Data processed by us is kept for “no longer than is necessary for the purposes for which the personal data are processed”. Employee data will be kept for a maximum of 7 years from the end of the applicable tax year in which termination of employment occurs. This is to ensure compliance with HMRC regulations.

  1. Changes to this Policy

We reserve the right to change this Policy at any time without notice to you so please check back regularly to obtain the latest copy of this Policy.


Part four: Social Networking Policy

There are lots of different social media sites and programmes that you might use to keep in contact with friends and family in your own time.

Our policy applies to all social media types; some of the most common ones at the moment are Facebook, WhatsApp, Instagram, Snapchat, LinkedIn, YouTube and Twitter. Other forms of social media include internet forums, interest Groups and blogs. In your own time and using your own mobile phone or computer you are absolutely free to use social media, including in your breaks.

In summary, we want to make sure that everyone is clear and confident about using social media in a way that will support ourselves, the Group and associated companies, our customers and our colleagues.

  1. We are only concerned about what you say online if it affects our business, reputation or our colleagues and customers. You should remember that anything you post online is permanent and public and cannot necessarily be easily removed, even after you have attempted to delete it. You should think carefully before posting anything and realise what would happen if your comments were read by people that you don’t know, team members, customers or even people who work in the media, like journalists. You should remember that YOU are personally responsible for anything you say online.
  2. This policy applies to all employees across every level of the Group and explains our 3 Social Media Policy principles of Representing, Responsibility and


Representing

  1. Most of the time, your use of social media to keep in touch with friends and family will probably not have anything to do with your work. But if you do talk about your place of work (or associated companies) or people from work then people reading your comments or posts might assume that you are talking on behalf of the Group which could be confusing or embarrassing for you or the Group. You should take note of the following policy requirements that you are expected to adhere to:
  • Never comment on or disclose any confidential Group information, such as financial information, present and future business performance and business plans.
  • Don’t post or comment on anything about Group issues or incidents that could reflect badly on us as a Group.
  • If you do post something that is related to the Group then make it clear that it’s your personal opinion and not that of the Group. You can say “This is my personal opinion and does not represent the opinion of the Group”.
  • Don’t give your opinion about something on behalf of the Group; we have people specialised to do this. If you are asked to comment on any matters connected to the Group, then you should direct them to your line manager and allow them to handle it.
  • If you are creating your own specific social site, Group or blog for your local business location then it is vitally important that you do not publish any sensitive or confidential material or data as we need to protect our business; and equally important, you need to protect yourself. If you are planning such activities, then you should take advice from IT and/or HR.
  • Don’t use any company logos or corporate images on personal or social media sites.
  • Don’t discuss or post anything confidential, or that might break data protection or copyright rules.
  • Be mindful of posting images or videos of yourself or team members on social media sites when at work as it may put the Group in a negative light if they are inappropriate. Please use your judgement!


Responsibility

  1. When engaging in any social media activities you must be mindful of your responsibilities, remembering that you are personally responsible for everything you say online. The following are policy guidelines that you should adhere to:
  • Think responsibly, if you wouldn’t say it directly at work then don’t say it in a social media context.
  • Be sure of your facts before you post anything.
  • Remember that copyright, fair use and financial disclosure laws apply to everything you say and do online.
  • Don’t give out or post information that might be a risk to our security or intellectual property; or your own safety for that matter.
  • Ensure you do not disclose other people’s personal information on social media sites.
  • Don’t post material that is obscene, defamatory, threatening, harassing, discriminatory or hateful to another person or entity, including the Group, its employees, contractors or suppliers, its competitors or customers and/or any other business-related individuals or organisations. We will take any breach of this rule very seriously and will deal with the matter under our disciplinary code without exception.
  • Do not feel that you have to join any Groups or support any opinions that you don’t want to, even if colleagues or other people associated with your job ask you to. If you do join any Groups or support any opinions that are considered to put the Group in a negative light then we may need to speak to you about them and investigate.
  • Do not post material that contains viruses, or any computer code that is intended to damage, interfere with or covertly intercept or steal any system data or information.
  • Be aware of social network website privacy policies and privacy settings, including that you can be “tagged” or associated with content that you did not create yourself, and that some information you share may be made available to a wider audience than a smaller closed Group of people it was intended for.


Respect

  1. Online, your personal and business personas are likely to overlap. The Group respects the free speech rights of all of its employees, but you must remember and respect that employees, contractors, suppliers, competitors, customers and/or any other business-related individuals or organisations may have access to the online content you post. Keep this in mind when publishing information online that can be seen by more than friends and family, and know that information originally intended just for friends and family can be forwarded on! The best advice is to approach online worlds in the same way we do the physical one: by using sound judgement and common sense. Please adhere to the following policy guidelines:
  • Be polite and respectful of other opinions, even in times of heated discussion or debate. Discussions and debate can be helpful but disputes can sometimes turn nasty online.
  • Respect copyright, privacy, financial disclosure, data protection and any other applicable laws when commenting or publishing on social media platforms.
  • If you are unsure about what you are about to write, then either don’t post it or take advice.
  • Don’t post anything about colleagues or work-related persons unless they have agreed to it. This includes posting images and/or videos.
  • Be mindful of your language and behaviour as you would if you were communicating verbally.
  • Be respectful of all individuals and communities with which you interact online.
  • Do not post anything that is obscene, defamatory, profane, libellous, threatening, harassing, discriminatory, abusive, hateful or embarrassing to any other person or entity, or violates the privacy rights of another.
  • Respect privacy; do not post or comment on any content related to any legal proceedings or litigation involving the Group. Consult HR if you have any questions.
  1. The Group is dedicated to treating all employees with fairness, dignity and respect. If you find comments or postings by colleagues that you think are untrue, unfair or inappropriate, or if you feel you are being bullied or harassed by someone you work with through social media, you can in the first instance talk to your Manager or contact HR.
  2. We do not accept this kind of behaviour in person or online and we will always investigate and take action where appropriate.

In general, what you do on your own time is your business. However, inappropriate activities in or outside of work that affect your job performance, the performance of others, or the Group’s (or associated Companies’) business interests will not be tolerated.

Remember that there are always consequences to what you publish. If you publish something that makes you even feel the slightest bit uncomfortable, review the advice and guidelines above and ask why that is. If you’re still unsure and it is related in any way to the Group or people or entities associated with us, feel free to discuss it with your Manager. Ultimately, however, you have sole responsibility for what you post to your blog or publish in any form of online social media.

Finally, don’t forget your job. You should make sure that any online activity, whether it is on your mobile phone, PC or any other device that can be used to gain online access, does not interfere with your job or work commitments, and if you have any queries or are unclear, ask IT or HR for guidance.


Have fun… but think before you post!

December 2022