This Policy sets out the obligations of Acorn Builders, a company registered in England under number 44443519, whose registered office is at 1B Buckhurst Road, Bexhill-on-sea, East Sussex, TN40 1QF (“the Company”) regarding data protection and the rights of clients, staff and policy holders (“data subjects”) in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable human being (a “data subject”).
This Policy sets out the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, subcontractors, contractors, or other parties working on behalf of the Company.
The Data Protection Principles
This Policy aims to ensure compliance with the GDPR. The GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:
- Processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, e.g. work/warranty/guarantee records.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
The Rights of Data Subjects
The GDPR sets out the following rights applicable to data subjects:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (also known as the ‘right to be forgotten’)
- The right to restrict processing
- The right to data portability
- The right to object
Specified, Explicit and Legitimate Purposes including the right to erasure
- The company collects and processes the personal data of staff/employees, policy holders and subcontractors/tradesmen. This includes:
- Personal data collected directly from data subjects
- Personal data obtained via third parties (insurance companies and subcontracted business)
- The company only collects, processes and holds personal data for specific purposes or for other purposes expressly permitted by the GDPR.
- Data subjects are kept informed at all times of the purpose or purposes for which the company uses their personal data.
- Data subjects reserve the right to view the personal data held by the company at any time.
- Data subjects reserve the right to request erasure (right to be forgotten) at any time.
Accuracy of the data and keeping data up to date
- The company shall ensure that all personal data collected, processed and held is kept accurate and up to date. This includes but is not limited to rectification of personal data at the request of a data subject.
- The accuracy of personal data will be checked at the time of collection and at regular intervals thereafter.
- If any personal data is found to be inaccurate or out of date, reasonable steps will be taken to amend or erase the data as appropriate.
- The company shall not keep personal data for longer than is necessary.
- The company will not retain personal data that is no longer relevant or required for the purpose for which it was originally intended.
- Policy holder data is retained for the duration of the warranty period and then archived.
- When personal data is no longer required, reasonable steps are taken to erase it or dispose of it using the cross shredder in the main office.
- The company shall ensure that all personal data held and processed is kept securely and protected against unauthorised or unlawful third party processing and against accidental loss, destruction or damage.
All data processing staff:
- Have taken the GDPR Awareness course – Pass certificates available on request
- Have read and signed the company’s relevant GDPR compliance (confidentiality/non-disclosure) documents.
Accountability and Record Keeping
- The company’s Responsible Data Protection Person is Jamie Smart – 07979593008.
- The Responsible Data Protection Person is responsible for overseeing the implementation of this policy and monitoring compliance.
Personal data collected, held and processed by the company includes but is not limited to:
- Personal Phone numbers
- Postal Addresses
- Personal and Work Emails
- Property Details, postal address, details pertaining to access to properties.
- National Insurance Numbers
- Next of Kin
Data Transfer and Storage Security
The company shall ensure that the following measures are taken with respect to all transfers of any personal data.
- All emails containing personal data are transferred via encrypted, password-protected systems with anti-spyware and firewall protection.
- All emails containing personal data are to be marked as CONFIDENTIAL.
- Where personal data is transferred in hard copy form, it will be passed directly to the recipient in a suitable container marked CONFIDENTIAL.
When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of using the cross shredder in the main office.
Security and Use of Personal Data
The Company shall ensure that the following measures are taken with respect to the use of personal data:
- No personal data may be shared informally, and if an employee, agent, subcontractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from Jamie Smart.
- No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of Jamie Smart.
- Personal data must be handled with care at all times and must not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time.
- If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it, as per the Employee Compliance Regulations.
- It is expressly forbidden to transfer any personal data to USB, CD or other portable device.
Data Security / IT Security
- All passwords used to protect personal data must be changed every 40 days.
- Employees must ensure that all devices are password protected via either a strong password (consisting of at least 8 characters, a combination of letters, numbers and symbols, in upper and lower case) or a fingerprint recognition device. You must never use the same password twice.
- Separate passwords for different systems are mandatory.
- Employees must ensure that all data is backed up securely via Live Drive.
- Staff must never share company passwords with any other member of staff. Each member of staff has a different level of access.
- All software (including but not limited to applications, operating systems, firewalls and anti-spyware software) shall be kept up to date.
- The company office manager shall be responsible for installing any and all security-related updates, including setting up automatic updates as soon as possible. These will also be reviewed manually.
- No software may be installed on any company device or computer without the prior approval of Jamie Smart.
Data Breach Notification
(Please see the Data Breach Procedure for further information about the company’s procedures; this is available upon request.)
- All personal data breaches must be reported immediately to Jamie Smart.
- If a personal data breach occurs and is likely to pose a risk to the rights and freedoms of the data subject, Jamie Smart must ensure that the ICO (Information Commissioner’s Office) is informed without delay and in any event within 72 hours of being notified.
Data breach notification shall include the following information:
- Categories and approximate number of data subjects concerned
- Categories and approximate number of data records concerned
- The name and contact details of the company’s Responsible Data Protection Person
- The likely consequences of the breach
- Details of the measures taken by the company to address the breach, including, where appropriate, measures to mitigate its possible adverse effects; this can be done by undertaking a GDPR risk assessment.
Implementation of Policy
- This policy shall be deemed effective as of May 2018; a full revision was completed in January 2019.
- No part of this policy shall have retroactive effect, and it shall thus apply only to matters occurring on or after this date.