Privacy Policy

AIM

This policy outlines the rights that data subjects have, under the General Data Protection Regulation (GDPR), in relation to the data about them that we hold. Data subjects, for the purposes of this policy, include employees (current, prospective and former), workers and contractors.

THE RIGHT TO BE INFORMED

In order to keep you informed about how we use your data, we have a privacy notice for employees.  You can obtain a copy of the privacy notice from your manager.

The Company also has a separate privacy notice applicable to job applicants, available from your manager.

You will not be charged for receiving our privacy notices.

Our privacy notices set out:

  1. the types of data we hold and the reason for processing the data;
  2. our legitimate interest for processing it;
  3. details of who your data is disclosed to and why, including transfers to other countries. Where data is transferred to other countries, the safeguards used to keep your data secure are explained;
  4. how long we keep your data for, or how we determine how long to keep your data for;
  5. where your data comes from;
  6. your rights as a data subject;
  7. your absolute right to withdraw consent for processing data where consent has been provided and no other lawful reason for processing your data applies;
  8. your right to make a complaint to the Information Commissioner if you think your rights have been breached;
  9. whether we use automated decision making and if so, how the decisions are made, what this means for you and what could happen as a result of the process;
  10. the name and contact details of our data protection officer.

THE RIGHT OF ACCESS

You have the right to access your personal data which is held by us. You can find out more about how to request access to your data by reading our Subject Access Request policy.

THE RIGHT TO ‘CORRECTION’

If you discover that the data we hold about you is incorrect or incomplete, you have the right to have the data corrected. If you wish to have your data corrected, you should complete the Data Correction Form.

Usually, we will comply with a request to rectify data within one month, unless the request is particularly complex, in which case we may write to you to inform you that we require an extension to the normal timescale. The maximum extension period is two months.

You will be informed if we decide not to take any action as a result of the request. In these circumstances, you are able to complain to the Information Commissioner and have access to a judicial remedy.

Third parties to whom the data was disclosed will be informed of the rectification.

THE RIGHT OF ‘ERASURE’

In certain circumstances, we are required to delete the data we hold on you. Those circumstances are:

  1. where it is no longer necessary for us to keep the data;
  2. where we relied on your consent to process the data and you subsequently withdraw that consent. Where this happens, we will consider whether another legal basis applies to our continued use of your data;
  3. where you object to the processing (see below) and the Company has no overriding legitimate interest to continue the processing;
  4. where we have unlawfully processed your data;
  5. where we are required by law to erase the data.

If you wish to make a request for data deletion, you should complete the Data Erasure form.

We will consider each request individually, however, you must be aware that processing may continue under one of the permissible reasons. Where this happens, you will be informed of the continued use of your data and the reason for this.

Third parties to whom the data was disclosed will be informed of the erasure where possible, unless doing so would involve disproportionate effort on our part.

THE RIGHT OF ‘RESTRICTION’

You have the right to restrict the processing of your data in certain circumstances.

We will be required to restrict the processing of your personal data in the following circumstances:

  1. where you tell us that the data we hold on you is not accurate. Where this is the case, we will stop processing the data until we have taken steps to ensure that the data is accurate;
  2. where the data is processed for the performance of a public interest task or because of our legitimate interests and you have objected to the processing of data. In these circumstances, the processing may be restricted whilst we consider whether our legitimate interests mean it is appropriate to continue to process it;
  3. when the data has been processed unlawfully;
  4. where we no longer need to process the data but you need the data in relation to a legal claim.

If you wish to make a request for data restriction, you should complete the Data Restriction form.

Where data processing is restricted, we will continue to hold the data but will not process it unless you consent to the processing or processing is required in relation to a legal claim.

Where the data to be restricted has been shared with third parties, we will inform those third parties of the restriction where possible, unless doing so would involve disproportionate effort on our part.

You will be informed before any restriction is lifted.

THE RIGHT TO DATA ‘PORTABILITY’

You have the right to obtain the data that we process on you and transfer it to another party. Where our technology permits, we will transfer the data directly to the other party.

Data which may be transferred is data which:

  1. you have provided to us; and
  2. is processed because you have provided your consent or because it is needed to perform the employment contract between us; and
  3. is processed by automated means.

If you wish to exercise this right, please speak to your manager.

We will respond to a portability request without undue delay, and within one month at the latest, unless the request is complex or we receive a number of requests, in which case we may write to you to inform you that we require an extension and the reasons for this. The maximum extension period is two months.

We will not charge you for access to your data for this purpose.

You will be informed if we decide not to take any action as a result of the request, for example, because the data you wish to transfer does not meet the above criteria. In these circumstances, you are able to complain to the Information Commissioner and have access to a judicial remedy.

The right to data portability relates only to data defined as above. You should be aware that this differs from the data which is accessible via a Subject Access Request.

THE RIGHT TO ‘OBJECT’

You have a right to require us to stop processing your data; this is known as the right to object.

You may object to processing where it is carried out:

  1. in relation to the Company’s legitimate interests;
  2. for the performance of a task in the public interest;
  3. in the exercise of official authority; or
  4. for profiling purposes.

If you wish to object, you should do so by completing the Data Objection Form.

In some circumstances we will continue to process the data you have objected to. This may occur when:

  1. we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms; or
  2. the processing is required in relation to legal claims made by, or against, us.

If the response to your request is that we will take no action, you will be informed of the reasons.

RIGHT NOT TO HAVE AUTOMATED DECISIONS MADE ABOUT YOU

You have the right not to have decisions made about you solely on the basis of automated processing with no human intervention, where such decisions produce legal effects concerning you or similarly significantly affect you.

The Company does not currently make any decisions based on such processes.

If you wish to exercise this right, you should speak to your manager.

Should the Company carry out automated decision making with no human intervention in future, it will do so only in the following circumstances:

  1. when it is needed for entering into or the carrying out of a contract with you;
  2. when the process is permitted by law;
  3. when you have given explicit consent.

Where such automated decision making involves special category data, for example, data about your health, sex life, sexual orientation, race, ethnic origin, political opinion, religion or trade union membership, the Company will ensure that one of the following applies to the processing:

  1. you have given your explicit consent to the processing; or
  2. the processing is necessary for reasons of substantial public interest.


SUBJECT ACCESS REQUEST POLICY

AIM

You have a right, under the General Data Protection Regulation, to access the personal data we hold on you. To do so, you should make a subject access request, and this policy sets out how you should make a request, and our actions upon receiving the request.

DEFINITIONS

“Personal data” is any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier, including your name.

“Special categories of personal data” include information relating to:

  1. race
  2. ethnic origin
  3. politics
  4. religion
  5. trade union membership
  6. genetics
  7. biometrics (where used for ID purposes)
  8. health
  9. sex life or
  10. sexual orientation. 

MAKING A REQUEST

Although subject access requests may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing. If you wish to make a request, please use the Subject Access Request form.

Requests that are made directly by you should be accompanied by evidence of your identity. If this is not provided, we may contact you to ask that such evidence be forwarded before we comply with the request.

Requests made in relation to your data from a third party should be accompanied by evidence that the third party is able to act on your behalf. If this is not provided, we may contact the third party to ask that such evidence be forwarded before we comply with the request.

TIMESCALES

Usually, we will comply with your request without delay and at the latest within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months.          

FEE

We will normally comply with your request at no cost. However, if the request is manifestly unfounded or excessive, or if it is repetitive, we may contact you requesting a fee. This fee must be paid in order for us to comply with the request. The fee will be determined at the relevant time and will be set at a level which is reasonable in the circumstances.

In addition, we may also charge a reasonable fee if you request further copies of the same information.

INFORMATION YOU WILL RECEIVE

When you make a subject access request, you will be informed of:

  1. whether or not your data is processed and the reasons for the processing of your data;
  2. the categories of personal data concerning you;
  3. where your data has been collected from if it was not collected from you;
  4. anyone who your personal data has been disclosed to or will be disclosed to, including anyone outside of the EEA and the safeguards utilised to ensure data security;
  5. how long your data is kept for (or how that period is decided);
  6. your rights in relation to data rectification, erasure, restriction of and objection to processing;
  7. your right to complain to the Information Commissioner if you are of the opinion that your rights have been infringed;
  8. the reasoning behind any automated decisions taken about you.

CIRCUMSTANCES IN WHICH YOUR REQUEST MAY BE REFUSED

We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.

We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with and an explanation of the reason will be provided.

DATA BREACH NOTIFICATION POLICY

AIM

We are aware of the obligations placed on us by the General Data Protection Regulation (GDPR) in relation to processing data lawfully and to ensure it is kept securely.

One such obligation is to report a breach of personal data in certain circumstances and this policy sets out our position on reporting data breaches.

PERSONAL DATA BREACH

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed.

The following are examples of data breaches:

  1. access by an unauthorised third party;
  2. deliberate or accidental action (or inaction) by a data controller or data processor;
  3. sending personal data to an incorrect recipient;
  4. computing devices containing personal data being lost or stolen;
  5. alteration of personal data without permission;
  6. loss of availability of personal data.

BREACH DETECTION MEASURES

We have implemented measures to assist us in detecting a personal data breach, including arrangements under which our partners inform us of any data breach involving our data.

INVESTIGATION INTO SUSPECTED BREACH

In the event that we become aware of a breach, or a potential breach, an investigation will be carried out. This investigation will be carried out by the Office Manager who will make a decision over whether the breach is required to be notified to the Information Commissioner. A decision will also be made over whether the breach is such that the individual(s) must also be notified. 

WHEN A BREACH WILL BE NOTIFIED TO THE INFORMATION COMMISSIONER

In accordance with the GDPR, we will undertake to notify the Information Commissioner of a breach which is likely to pose a risk to people’s rights and freedoms. A risk to people’s rights and freedoms can include physical, material or non-material damage such as discrimination, identity theft or fraud, financial loss and damage to reputation.

Notification to the Information Commissioner will be made without undue delay and at the latest within 72 hours of our becoming aware of the breach. If we are unable to report in full within this timescale, we will make an initial report to the Information Commissioner and then provide the remaining information in one or more further instalments as it becomes available.

The following information will be provided when a breach is notified:

  1. a description of the nature of the personal data breach including, where possible:
     1. the categories and approximate number of individuals concerned; and
     2. the categories and approximate number of personal data records concerned;
  2. the name and contact details of the appointed compliance officer where more information can be obtained;
  3. a description of the likely consequences of the personal data breach; and
  4. a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

WHEN A BREACH WILL BE NOTIFIED TO THE INDIVIDUAL

In accordance with the GDPR, we will undertake to notify the individual whose data is the subject of a breach if there is a high risk to people’s rights and freedoms. A high risk may be, for example, where there is an immediate threat of identity theft, or if special categories of data are disclosed online. 

This notification will be made without undue delay and may, dependent on the circumstances, be made before the supervisory authority is notified.

The following information will be provided when a breach is notified to the affected individuals:

  1. a description of the nature of the breach;
  2. the name and contact details of the appointed compliance officer where more information can be obtained;
  3. a description of the likely consequences of the personal data breach; and
  4. a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

RECORD OF BREACHES

The Company records all personal data breaches, regardless of whether they are notifiable or not, as part of its general accountability requirement under the GDPR. It records the facts relating to the breach, its effects and the remedial action taken.