Privacy Notice & GDPR
HEIGHT TASKS LIMITED - PRIVACY NOTICE
What this Privacy Notice covers:
This Privacy Notice gives you information about how Height Tasks Limited ("Height Tasks") treats the personal information which we hold about you.
Please read the following sections carefully to understand how your personal information will be used and handled by Height Tasks.
Height Tasks collects and uses your data in accordance with current data protection law (which includes, from 25 May 2018, the General Data Protection Regulation (Regulation (EU) 2016/679)).
Who we are:
The data controller with control of your personal information is Height Tasks Limited. Our registered office is at:
Royal Mail House, Terminus Terrace, Southampton, SO14 3FD
Company No. 11244915.
Height Tasks' Data Protection Officer (or, as we call it, the Data and Compliance Manager) is Paul Calvert. He is the person appointed to lead data protection compliance for us. Paul can be contacted on Tel: +44 (0)2381 247 306 or by email to [email protected]
Our Website may, from time to time, contain links to and from the websites of third parties. Please note that those websites will have their own privacy policies and Height Tasks does not accept any responsibility or liability for such policies/websites. Please check these other policies before submitting personal information to those websites.
Information: Collection, Use and Grounds for Processing
Height Tasks collects and processes information about you from a variety of sources. These are summarised below:
i. Information you give to us
This includes information about yourself which you provide to us by email, letter, telephone, via our website or in person.
The information you give us may include (but is not limited to) your:
· home and/or business address as appropriate,
· email address,
· phone number,
· (if you are a customer, supplier or contractor of ours) bank details.
We process this information to:
(a) supply you with details of our services or other information where you have requested these from us;
(b) carry out services with you, where you are an employee, a sub-contractor or are otherwise working with us under another company's terms and conditions;
(c) supply you with the services you (or your employer) have purchased or requested from us (including taking pre-contractual steps such as providing you with a price quote). This includes us maintaining a database of customer contacts (including emergency contacts) as part of the service we provide;
(d) manage your (or your employer's) account with us where you are the named contact;
(e) comply with our record keeping and regulatory compliance obligations;
(f) where you have opted to receive the same, or where we have a legitimate interest to do so, send you marketing communications concerning our product and service offerings;
(g) account management;
(h) supporting network and system security;
(j) detecting and preventing fraud;
(k) complying with legal obligations;
(l) conducting web analytics; or
(m) otherwise engage with you where none of the above applies.
We process this information on the following grounds:
(i) because the processing is necessary for us to provide you (or your employer) with the information or services requested from us, including us carrying out any pre-contractual steps we have been instructed to take;
(ii) because, where you are our supplier or a contractor of ours, processing that information is necessary for us to administer the contract (including any pre-contractual steps) between us;
(iii) because, in certain cases, the processing is necessary for us to comply with our legal obligations, for example (but not limited to) where regulations oblige us to keep records of our customers' details and account information;
(iv) because we have a legitimate business interest in sending you news and information about our business and that interest is not overridden by your interests and fundamental rights and freedoms (for example because you can opt-out of such materials at any time);
(v) because we have a legitimate business interest in processing your personal data and that interest is not overridden by your interests and fundamental rights and freedoms; and
(vi) in the event of a dispute arising between us (or your employer and us) we have a legitimate interest in processing your personal information to resolve that dispute and we are satisfied that your interests and fundamental rights and freedoms do not override our interest in doing so.
ii. Information provided by third parties
This relates to circumstances where a third party sends us information about you, particularly, for example, where:
· we are taking references;
· we are carrying out credit references;
· you are a sub-contractor or agency worker and your employer or recruitment agency sends us your details. This will usually be the case where you are an employee and your employer sends us your details as a point of contact for the business.
The information about you which we receive from third parties may include (but is not limited to) your name, address, email address, phone number and (if you are a customer, supplier or contractor of ours) bank details; criminal convictions/driving offences, credit and employment references.
We process this information for the same reasons as we do for information provided by you above.
Our grounds for processing this information are also the same as our grounds for processing information provided by you directly. Please refer to the previous section, i. Information you give to us, for more information.
iii. Information we collect about you.
We process this information to ensure that content from our website is presented in the most effective manner for your device and to collect anonymous statistical data in order to improve our services.
How long we keep your information for:
We only keep your information for so long as is reasonably necessary. Please refer to our Data Retention Policy.
These periods may be extended if, for example, there is a legal dispute between us (or your employer and us) or where we reasonably believe a longer retention period is justified. We may also keep your information for longer if we are required by law to do so.
How we share your information:
Your personal information is not shared with any third parties except where we are required to do so to comply with the law, to protect our rights or to perform our contractual obligations to you.
To achieve this, your information will be shared with the following groups of people:
(a) If you are a customer or a customer contact then we may share your contact details with third parties that help with the fulfilment of your contract (such as sub-contractors, accountants, banks, etc.), credit reference agencies, our trusted third party providers and other third parties where we are contractually obliged to do so. We ensure that all of our third party providers are under strict obligations to keep your information secure and confidential.
(b) If you are an employee of a customer of ours then we may share your information with your employer. Similarly, if you are a sole trader or partner in a business partnership then we may share your information with your employees. This is only done to the extent necessary for us to properly provide our services. We may also share this information internally within Height Tasks and where a third party is carrying out services on our behalf.
(c) Our IT providers will sometimes be given access to our contact database in order to monitor, maintain and improve our IT systems. Our IT providers have a strict contractual obligation to handle your information in accordance with data protection law and to keep it confidential at all times.
(d) We may, on occasion, share your information with our professional advisers.
(e) We will share your information with third parties where we are legally required to do so - for example, the police in the event of an accident or claim, our insurance providers in the same instance, our bank for financial administration, and all government regulators which require us to do so.
(f) A potential seller or buyer, in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
(g) A third party that acquires Height Tasks or substantially all of its assets, in which case personal data held by Height Tasks about its customers will be one of the transferred assets.
We do not share your information with third parties for marketing purposes.
Automated decision making
Height Tasks does not carry out any automated decision making or profiling using your personal information.
Under data protection law you have the following rights which you can exercise by contacting us:
(a) the right to be told what we do with your information. This includes, but is not limited to, the right to know what information we gather, process and store, what we do with it, who we share it with and how long we keep it for. This information is set out in this Privacy Notice, as updated from time to time;
(b) where we are processing your information on the grounds of your consent, you have the right to withdraw that consent at any time. For the avoidance of doubt, Height Tasks does not currently process your information on the basis of consent;
(c) the right to access a copy of your information which we hold. This is called a 'subject access request'. Additional details on how to exercise this right are set out in the Access to Information section, below;
(d) in certain circumstances, the rights to request that we erase, rectify, cease processing and/or delete your information where the original purpose for which the data was collected has expired;
(e) in certain circumstances, the right to request copies of the information we hold about you in a machine readable format so that you can transfer it to other services;
(f) the right to object to processing of your information where it is likely to cause or is causing damage or distress;
(g) the right to prevent us processing your information for direct marketing purposes. We will usually inform you (before collecting your information) if we intend to use your information for marketing purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your information, clicking the unsubscribe link in marketing emails we send you or by contacting us using the details set out at the end of this
(h) the right to object to decisions being made about you by automated means. For the avoidance of doubt, Height Tasks does not use automated decision making at this time;
(i) the right, in certain circumstances, to have your information rectified, blocked, erased or destroyed if it is inaccurate; and
(j) the right, in certain circumstances, to claim compensation for damages caused by us breaching data protection law.
You also have the general right to complain to us (in the first instance) and to the Information Commissioner's Office (if you are not satisfied by our response) if you have any concerns about how we hold or process your information. Our contact details are set out at the end of this Privacy Notice.
The Information Commissioner's Office website is www.ico.org.uk.
For further information on your rights under data protection law and how to exercise them, you can contact the Citizens Advice Bureau (www.citizensadvice.org.uk) or the Information Commissioner's Office (www.ico.org.uk).
Access to information
Under data protection law you can exercise your right of access by making a written request to receive copies of some of the information we hold on you. If you make your request before 25 May 2018, you will need to pay a £10 fee.
You must send us proof of your identity, or proof of authority if making the request on behalf of someone else, before we can supply the information to you.
From 25 May 2018 you will:
(a) no longer have to pay a £10 fee, but we will be allowed to charge you for our reasonable administrative costs in collating and providing you with details of the information we hold about you if your request is clearly unfounded or excessive; and
(b) in certain circumstances, be entitled to receive the information in a structured, commonly used and machine readable form.
Unfortunately, the transmission of information via the internet is not completely secure. Although Height Tasks does its best to protect your personal information, we cannot guarantee the security of your data transmitted to our Website. Any transmission is at your own risk.
IP Addresses and Cookies
Height Tasks may collect information about your computer, including where available your IP address, operating system and browser type, for system administration and management. This is statistical data about users' browsing actions and patterns, and does not identify any individual.
For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer's hard drive. Cookies help us to improve our website and deliver a better and more personalised service; to allow us to estimate audience size and usage patterns; to store information about your preferences and so allow our website to be customised according to your individual interests; to speed up your searches; and to recognise you when you return to our website.
Changes to our Privacy Notice
Any changes made to this Privacy Notice in the future will be posted on the Website and, where appropriate, notified to you by email. It is recommended that you visit this page from time to time to review any changes. This Privacy Notice was last updated on 18 April 2018.
Questions, comments and requests regarding this Privacy Notice are welcomed and should be addressed to Paul Calvert, Director, Height Tasks Ltd, Royal Mail House, Terminus Terrace, Southampton, SO14 3FD [Tel: +44 (0)2381 247 306] or by email to [email protected]
Reasons for Policy
The business of Height Tasks Limited is based on customer leads generated from the purchase of third party data and a variety of browsers. It takes seriously its obligations with regard to personal data and is aware of the requirements of data protection legislation in the form of the Data Protection Act 2018 and the GDPR 2018.
Whilst the GDPR requires Height Tasks Limited to be mindful of its data minimisation obligations, other UK legislation requires Height Tasks Limited to retain certain records, usually for a specific amount of time. The accidental or intentional destruction of Personal Data (as defined under the GDPR) within these records during their specified retention periods could result in consequences for Height Tasks Limited and/or its employees or customers. This could include, but is not limited to:
· Fines and penalties.
· Disciplinary action.
· Serious disadvantages in litigation.
Height Tasks Limited must retain certain records because they contain information that:
· Serves as Height Tasks Limited's corporate memory.
· Has enduring business value (for example, it provides a record of a business transaction, evidences Height Tasks Limited's rights or obligations, protects Height Tasks Limited's legal interests or ensures operational continuity).
· Must be kept to satisfy legal, accounting, or other regulatory requirements.
Height Tasks Limited prohibits the inappropriate destruction of any records, files, documents, samples, and other forms of information. This policy is part of a company-wide system for the review, retention, and destruction of records Height Tasks Limited creates or receives in connection with the business it conducts.
Types of Documents
This policy explains the differences among records, disposable information, and confidential information belonging to others.
A record is any type of information created, received, or transmitted in the transaction of Height Tasks Limited's business, regardless of physical format. Examples of the various types of records include, but are not limited to:
· Electronic files.
· Letters and other correspondence (including SMS message).
· Recordings of telephone calls.
· CCTV footage.
Therefore, any paper records and electronic files that are part of any of the categories listed in the Records Retention Schedule contained in the Appendix to this policy, must be retained for the amount of time indicated in the Records Retention Schedule. A record must not be retained beyond the period indicated in the Record Retention Schedule, unless a valid business reason authorised by a Director of Height Tasks Limited (or a litigation hold or other special situation) calls for its continued retention. If you are unsure whether to retain a certain record, contact your Managing Director.
Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a record as defined by this policy. Examples may include:
· Duplicates of originals that have not been annotated.
· Preliminary drafts of letters, memoranda, reports, worksheets, and informal notes that do not represent significant steps or decisions in the preparation of an official record.
· Books, periodicals, manuals, training binders, and other printed materials obtained from sources outside of Height Tasks Limited and retained primarily for reference purposes.
· Spam and junk mail.
Confidential Information Belonging to Others
Any confidential information that an employee may have obtained from a source outside of Height Tasks Limited, such as a previous employer, must not, so long as such information remains confidential, be disclosed to or used by Height Tasks Limited. Unsolicited confidential information submitted to Height Tasks Limited should be refused, returned to the sender where possible, and deleted, if received via the internet.
Mandatory Compliance Responsibility of All Employees
Height Tasks Limited strives to comply with the laws, rules and regulations by which it is governed and with recognised compliance practices. All company employees must comply with this policy and the Records Retention Schedule. Failure to do so may subject Height Tasks Limited, its employees and contract staff to serious civil and/or criminal liability. An employee's failure to comply with this policy may result in disciplinary sanctions, including suspension or termination.
Records Management Officer
Height Tasks Limited has designated Paul Calvert as the Records Management Officer. The Records Management Officer is responsible for:
· Administering the document retention program and helping department heads implement it and related best practices.
· Planning, developing, and prescribing document disposal policies, systems, standards, and procedures.
· Monitoring departmental compliance so that employees know how to follow the document retention procedures.
· Ensuring that senior management is aware of their departments' document retention responsibilities.
· Providing document management advice and assistance to all departments.
· Periodically reviewing the records retention guidance from the ICO.
· Evaluating the overall effectiveness of the document management program and reporting to the Board.
How to Store and Destroy Records
Height Tasks Limited records must be stored in a safe, secure, and accessible manner.
Height Tasks Limited's Records Management Officer is responsible for the continuing process of identifying the records that have met their required retention period and supervising their destruction. Destruction will be completed via confidential waste or shredder.
The destruction of records must stop immediately upon notification from the Board that a litigation hold is to begin because Height Tasks Limited may be involved in a legal action or an official investigation (see next paragraph).
Destruction may begin again once the Board lifts the relevant litigation hold.
Audits and Employee Questions
Internal Review and Policy Audits
The Managing Director of Height Tasks Limited and the Records Management Officer will periodically review this policy and its procedures with legal counsel to ensure Height Tasks Limited is in full compliance with relevant new or amended regulations. Additionally, Height Tasks Limited will periodically audit employee files and computer hard drives to ensure compliance with this policy.
Questions About the Policy
Any questions about this policy should be referred to Paul Calvert, 02381 247 306; [email protected], who is in charge of administering, enforcing, and updating this policy.
Record Retention Schedule
Height Tasks Limited establishes retention or destruction schedules or procedures for specific categories of records. This is done to ensure legal compliance and accomplish other objectives, such as protecting intellectual property and customer data. Employees should give special consideration to the categories of documents listed in the record retention schedule below.
RECORD | RETENTION PERIOD
Employee applications and resumes | 1 year if no offer of employment; 7 years if employment offered
Employee benefit plans | 6 years from when the record was required to be disclosed
Records relating to background checks on employees | 5 years from when the background check is conducted
Employment contracts; employment and termination agreements | 6 years from their last effective date
Employee records with information on pay rate or weekly compensation | 6 years
Injury and Illness Incident Reports | 20 years following the end of the calendar year that these records cover
Job descriptions, performance goals and reviews; garnishment records | Termination + 7 years
Employee tax records | Duration of employment + 7 years
Medical exams required by law | Duration of employment + 30 years
Personnel or employment records | Duration of employment + 7 years
Pension plan and retirement records | Permanent
Pre-employment Review | Duration of employment + 7 years
Workers compensation records | Duration of employment + 30 years
Payroll registers (gross and net) | 21 years
Time cards; work and time schedules; earnings records; records of additions to or deductions from wages; records on which wage computations are based | 5 years
Articles of Incorporation | Permanent
Board policies, resolutions, meeting minutes, and committee meeting minutes | Permanent
Contracts + associate supplier information | Permanent if current (7 years if expired)
Construction documents | Permanent
Emails (business related) | 7 years
Fixed Asset Records | Permanent
Accounting and Finance
Accounts Payable and Receivables ledgers and schedules | 7 years
Annual audit reports and financial statements | Permanent
Annual plans and budgets | 2 years
Bank statements, cancelled checks, deposit slips | 7 years
Business expense records | 7 years
Cash receipts | 3 years
Electronic fund transfer documents | 7 years
Employee expense reports | 7 years
Invoices | 7 years
Petty cash vouchers | 3 years
Annual tax filing for the organization | 7 years
Payroll tax withholdings | 7 years
Earnings records | 7 years
Payroll tax returns | 7 years
Legal and Insurance Records
Copyright registrations | Permanent
Environmental studies | Permanent
Insurance claims/applications | Permanent
Insurance disbursements and denials | Permanent
Insurance contracts and policies (Directors and Officers, General Liability, Property, Workers Compensation) | Permanent
Leases | 6 years after expiration
Real estate documents (including loan and mortgage contracts, deeds) | Permanent
Trademark registrations, evidence of use documents | Permanent
Warranties | Duration of warranty + 7 years
Customer Data and Contact Data
Personal data pertaining to data subjects who do not become customers | 6 months unless re-consented
Personal data pertaining to customers | Duration of contract/duration of marketing opt-in
Financial records pertaining to customers | Duration of contract
Suppression lists of opt-out customers | Permanent
Height Tasks Ltd Data Protection Policy/Privacy standards
Aims of the Policy
Height Tasks is committed to meeting its obligations under data protection law, which includes the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). As a business, Height Tasks handles a range of Personal Data relating to its customers, staff and others. Personal Data includes information identifying living individuals kept as written records (both paper-based and electronic) and in other formats, such as CCTV recordings. (Please see the What is Personal Data section of this policy for more details.)
Collection and processing of Personal Data is subject to a variety of legal requirements. It is the responsibility of Height Tasks to demonstrate how it complies with these legal requirements and that it has procedures in place to handle personal information securely and appropriately. Failure to do so can have serious commercial and legal implications for Height Tasks' business and its customers.
The Data Controller
For the purposes of the DPA and the GDPR, the data controller is Height Tasks Limited (Height Tasks), Royal Mail House, Terminus Terrace, Southampton, Hampshire, SO14 3FD. Company No. 11244915.
The Data Protection Principles
By law, Height Tasks must comply with the six data protection principles. These are set out in the General Data Protection Regulation (GDPR) which, in summary, require that Personal Data must be:
Principle 1: processed lawfully, fairly and in a transparent manner in relation to individuals
Principle 2: collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
Principle 3: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Principle 4: accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
Principle 5: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
Principle 6: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
What do I need to know?
This policy is intended to provide an overall framework for Height Tasks to demonstrate its compliance with data protection law. It contains explanations of Height Tasks' legal requirements under the GDPR and the operational procedures in place at Height Tasks, including:
• Roles and Responsibilities
• The Legal Context
• Notification with the Information Commissioner’s Office
• Data Storage
• Access to Data
• Data Security
• Data Destruction
• Handling Breaches of Data Protection
• Maintaining Compliance
All staff (permanent, temporary or Consultants) should make sure they are familiar with the content of this policy and are expected to comply at all times with the procedures set out in this policy when handling Personal Data.
Who does this policy apply to?
This policy applies to all users of Personal Data (as defined below), that is:
· All entities of Height Tasks Limited (including related companies if appropriate, including all sites at which Height Tasks operates now or at any time in the future);
· All managers, i.e. line and business managers, as well as those in the HR department who use Personal Data; and
· All employees (whether permanent or temporary), contractors, agency workers and other temporary staff who use Personal Data.
When we use the term "user of Personal Data" or "use Personal Data", we mean any activity relating to the collection, storage, processing or deletion of Personal Data. A user is therefore anyone who carries out any or all of these activities or otherwise has access to the Personal Data. Under the terms of their contract with Height Tasks, all employees, temporary workers and others who have authorised access to Personal Data are responsible for handling Personal Data in accordance with this Data Protection Policy and maintaining confidentiality appropriately at all times. This policy may be amended at any time. You will have legally binding obligations relating to the use of Personal Data in your employment contract.
Failure by any of these parties to adhere to this policy may result in civil or criminal legal action being taken against Height Tasks, or against its Directors personally, individual Managers or Employees, by data protection authorities or by the individuals to whom the Personal Data relates. It is the responsibility of Height Tasks to ensure that its staff are aware of and comply with this policy. Any breach of this policy will be taken very seriously, and employees who act outside the requirements or guidance set out in this policy will be asked to explain the reasons for their actions and will face disciplinary action. Wilful and/or negligent non-adherence to this policy by any employee is a serious disciplinary matter which could result in dismissal.
Responsibilities of Height Tasks
To enable it to meet its obligations under data protection law, Height Tasks will provide the following:
· Training for Height Tasks managers (and relevant employees) on data protection issues and Height Tasks procedures;
· Information for employees on data protection issues and Height Tasks procedures as part of induction and on-going employment;
· Appropriate procedures to safeguard Personal Data and to ensure compliance with the six data protection principles; and
· An escalation process whereby any potential issues should be raised with the Data and Compliance Manager and subsequently the Company Director.
Any questions or concerns about the operation of this policy and/or the handling of Personal Data should be referred in the first instance to the Data and Compliance Manager or in their absence the Director.
The Legal Context
What is Personal Data?
Personal Data - is any information:
· from which a living individual can be identified or from which, together with other information that Height Tasks possesses (or is likely to possess), an individual can be identified (such as name, address, date of birth, national insurance number); and
· is processed, or intended to be processed by electronic or manual means, as part of a ‘relevant filing system’.
Processing - is any activity that involves use of the Personal Data. It includes obtaining, recording or storing or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Personal Data to third parties, including those who may be processing the data on behalf of Height Tasks.
For Height Tasks this applies to:
1. Personal Data and employment records relating to current, past and prospective employees; and
2. Personal Data of customers or prospects.
Sensitive Personal Data - is a special category of Personal Data consisting of information about a living individual as to: racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, membership of a trade union, physical or mental health or condition, sexuality, the commission or alleged commission of an offence, or any proceedings for any offence committed or alleged to have been committed by an individual, the disposal of such proceedings or the sentence of any court in such proceedings. Height Tasks collects some items of Special Category Data, such as (but not limited to):
· information collected to meet an employment law requirement in relation to Height Tasks staff (such as for equal opportunities monitoring purposes, or for health and safety reasons); or
· physical or mental health details disclosed to us by our employees.
The collection and processing of Special Category Data is strictly regulated, generally requiring the explicit informed consent of the data subject to collect and process it (unless the collection is a legally imposed obligation) and imposing severe restrictions on access. However, consent is not required for the processing of Special Category Data in the context of employment, so we will not be requesting your consent if you are an employee of Height Tasks.
It is Height Tasks policy to collect Special Category Data only when absolutely necessary.
Special Category Data must be made available to users only on a strict need to know basis and managed with the highest practical level of security and confidentiality. Special Category Data should only be gathered from individuals if it is essential, in which case any necessary consent should be obtained. Where you have freely passed such information to us, you have given us consent to the processing of the data.
Fair and lawful processing
GDPR is intended to ensure that Personal Data is processed fairly and without adversely affecting the rights of the data subject. Height Tasks is obliged to give the data subject information as to:
· who the Data Controller is;
· what Personal Data is being processed;
· where the Personal Data has originated from (unless it originates from the data subject);
· who will receive the Personal Data (or the categories of recipients);
· the purpose for which the Personal Data is to be processed;
· the period for which the Personal Data will be stored;
· the existence of extended data subject rights (to delete it, freeze it or correct it); and
· the legal basis for the transfer of the data to a non-EU third country, together with information on the safeguards applied to the transfer of such data.
For Personal Data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the Data Controller or the party to whom the data is disclosed.
When Sensitive Personal Data is being processed, more than one condition must be met. In most cases the data subject's explicit consent to the processing of such data will be required.
Processing for specified lawful purposes
Personal Data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by GDPR. This means that Personal Data must not be collected for one purpose and then used for another unless we have informed consent or can justify a legitimate interest in doing so which does not outweigh the rights and freedoms of the data subject. If it becomes necessary to change the purpose for which the Personal Data is processed, the data subject must be informed of the new purpose before any processing occurs.
The GDPR requires Data Controllers to provide detailed, specific information to Data Subjects. The information must be concise, transparent, intelligible, easily accessible, and in clear and plain language. This is to ensure that the Data Subject can easily understand the information. The types of information Height Tasks must provide to Data Subjects depend on whether the Personal Data was received directly from the Data Subjects or from elsewhere (e.g. from a third party).
Whenever we collect Personal Data directly from Data Subjects, including for human resources or employment purposes, we must provide the Data Subject with all the information required by the GDPR.
This information includes identifying the Data Controller and the Data Protection Officer, and stating how and why we will use, Process, disclose, protect and retain their Personal Data. We do this by providing the Data Subject with a Privacy Notice when they first provide us with their Personal Data.
For staff, full information is contained in our contracts of employment and in our employee handbook. For customers and third parties, we provide the relevant information in the form of a Privacy Notice which is located on our website. When Personal Data is collected indirectly (for example, from a third party or publicly available source), we must provide the Data Subject with all the information required by the GDPR as soon as possible after collecting/receiving the data. In practice, this means sending them a copy of our relevant Privacy Notice or, more usually, directing them to the appropriate place on our website.
We are subject to certain rules and privacy laws when marketing to our customers (or any third party). For example, where we are marketing to consumers, a Data Subject's prior consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing customers, known as the 'soft opt-in', allows us to send marketing texts or emails if we have obtained contact details in the course of a sale to that person, we are marketing similar products or services, and we gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message. This prior consent rule does not apply where we are marketing to companies or other businesses. The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information. A Data Subject's objection to direct marketing must be promptly processed and followed. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future (e.g. that person's email address or telephone number is kept on a do-not-call list which is checked against the Company's marketing database and the telephone preference service).
Personal Data should only be collected to the extent that it is required for the specific purpose notified to the data subject and must be accurate and kept up to date at all times. Data Subjects have the right to ensure that all Personal Data is accurate, up to date and relevant and to require deletion or correction of Personal Data which falls short of this standard. All employees, temporary workers and others at Height Tasks handling Personal Data must follow the general data storage rules set out in this section.
· Paper records containing Personal Data must always be stored securely unless in use and should not be left on desks or other areas accessible by third parties or unauthorised personnel. Cabinets containing files must be kept locked and offices in which cabinets are located should also be locked when not in use.
· Documents containing Personal Data whose loss, unauthorised disclosure, or deletion could be detrimental to Height Tasks or its employees, or customers should be marked: Confidential – For Internal Use only and should be circulated to relevant individuals internally in a sealed envelope marked: To be opened by Addressee only.
· Electronic records containing Personal Data:
o must be kept on an encrypted hard drive and secured in a safe when not in use;
o must be kept in separate folders from electronic files not containing Personal Data;
· Desktop computers and laptops on which electronic records are stored or accessed must be running an up-to-date operating system and up-to-date firewall and anti-virus software.
· If the premises where paper records and computer equipment and devices containing electronic records are kept are alarmed then the alarm must always be set.
Access to Personal Data
This will be closely monitored and access will only be given to those staff whom the Managing Director and the Data & Compliance Manager deem it necessary to have access.
Processing in line with data subjects' rights
Data must be processed in line with the data subjects' rights. Data subjects have a right to:
· request access to any data held about them by a Data Controller;
· prevent the processing of their data for direct-marketing purposes;
· ask to have inaccurate data amended;
· prevent processing that is likely to cause damage or distress to themselves or anyone else;
· request that inaccurate, irrelevant or superfluous data is deleted, together with data which is being held for longer than the permitted period; and
· the portability of their data.
Requests by Individuals relating to their own Personal Information
Under the GDPR, individuals have the right to request Personal Data (in any format) held about them by Height Tasks. This is known as a ‘Subject Access Request’.
It is important to note that this right only:
· relates to the requesting individual's Personal Data (and not to information relating to other people); and
· allows access to information contained within documents (rather than documents themselves).
There are some exemptions under GDPR in giving access to certain information contained within files.
The main reasons to consider refusals relate to:
o protecting the health and safety of anyone concerned;
o protecting the privacy of a third party who may be identified if information is shared;
o protecting the confidential management planning of Height Tasks.
The existence of these reasons does not automatically prevent disclosure under a Subject Access Request and you should speak to our Data and Compliance Manager before making any disclosure. You should note that it is a criminal offence if you tamper with, delete, alter or deface any Personal Data in order to evade disclosure under a Subject Access Request.
To exercise their right of access, individual data subjects must make their request in writing and give appropriate notice to Height Tasks.
NB: if the request is made by a disabled person, Height Tasks may need to make reasonable adjustments to this expectation, as required under the Disability Discrimination Act 1995, for example by accepting a verbal request for information.
Height Tasks must comply with Subject Access Requests as soon as reasonably practical and within 1 calendar month. Where the request is onerous or unusually complicated, we can have a further two months to respond but we must document our reasons as to why we have taken advantage of the additional time.
Under GDPR, we will be able to charge a reasonable admin fee in responding to the request (taking into account the complexity of the request) provided that such fee does not prevent the request from being made. In reality, it will be unlikely that any fee will be required.
There is no limit under GDPR to the number of requests an individual may make for access to Personal Data held about them. However, we are not obliged to respond to similar or identical requests for information which have already been dealt with and without a reasonable lapse of time. The law does not define what constitutes ‘reasonableness’, but expects that organisations consider how often information is updated and how much new information is likely to have been recorded between requests. Further, under the GDPR, where the request is manifestly excessive or onerous, we can refuse to respond altogether. THIS IS NOT SOMETHING TO DECIDE LIGHTLY and we will be required to provide reasoned justification in respect of any refusal to respond.
Procedure for dealing with Subject Access Requests
Any member of staff who receives a written request for access to Personal Data should forward it immediately to the Data and Compliance Manager.
Providing information over the telephone
Any member of staff dealing with telephone enquiries should be careful about disclosing any Personal Data held by Height Tasks. In particular they should:
· check the caller's identity to make sure that information is only given to a person who is entitled to it;
· ask that the caller put their request in writing if they are not sure about the caller's identity and where their identity cannot be checked;
· refer to their line manager or the Data and Compliance Manager for assistance in difficult or unusual situations. No-one should be bullied into disclosing personal information; and
· keep a record of all disclosures.
Under no circumstances should you disclose information about a customer or employee of Height Tasks where you have not established the identity of the caller and where you have not obtained consent to allow you to do so. To do so is a serious data breach and will result in Height Tasks receiving a monetary penalty notice.
Employees and other individuals who handle Personal Data at Height Tasks are responsible for ensuring they only handle Personal Data in line with the requirements of GDPR and this policy. As a general principle, this includes:
· not sharing information with third parties without the consent of the individual concerned unless we have a legitimate business interest to do so; and
· not enabling third parties to access Personal Data through insufficient attentiveness to our security, storage or management.
Height Tasks must ensure that appropriate security measures are taken against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, or alteration of Personal Data. Data subjects may apply to the courts for compensation if they have suffered damage from such a loss. GDPR requires Height Tasks to put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction. Maintaining data security means guaranteeing the confidentiality, integrity and availability of the Personal Data, as follows:
· Confidentiality: only people who are authorised to use the data can access it.
· Integrity: Personal Data should be accurate and suitable for the purpose for which it is processed.
· Availability: authorised users should be able to access the data if they need it for authorised purposes.
Personal Data should therefore be stored on Height Tasks' central computer system instead of on individual PCs.
Practical Security Measures
Height Tasks employs several security procedures and technologies to maintain the security of Personal Data. Employees and others at Height Tasks with authorised access to Personal Data must follow these procedures at all times. These include:
· Entry controls: reporting any stranger seen in entry-controlled areas.
· Secure lockable desks and cupboards: keeping desks and cupboards locked if they hold Personal Data of any kind. (Please see: Data Storage section for further information about the storage of Personal Data.)
· Secure methods of disposal: Using confidential waste and/or shredding documents containing Personal Data. Media containing electronic documents should be physically destroyed when they are no longer required.
· Equipment: ensuring that individual monitors do not show any form of Personal Data or confidential information to passers-by and that individuals log off from or lock their PC when it is left unattended.
· Passwords / Restriction by User: using passwords (which are regularly updated) and user access to restrict access to documents containing Personal Data.
· On-Site Working: at all times where possible, keeping all files and documents containing Personal Data on-site, or where a specific business need requires off-site working, encrypted memory sticks and password protected access should always be used.
· Strict policies on Subject Access Requests: avoiding accidental disclosure in person, by phone, email or other methods (e.g. when conversations are overheard by others present or by failing to adequately verify the identity of the person making a request for information). (Please see: Access to Data section for more detail.)
· Security Software: ensuring that software and internet security are regularly updated.
This list is for guidance and is not exhaustive. Further advice should be sought from the Height Tasks Data and Compliance Manager where necessary. A risk assessment is also carried out annually as specific security requirements may change over time. (Please see the section: Maintaining Compliance.)
Disclosure of Personal Data to Third Party Data Processors
It may be necessary to disclose Personal Data as a legitimate business interest where this is:
· to enable Height Tasks to perform its obligations under the contract of employment with the individual; or
· necessary for the conduct of Height Tasks business; or
· required by law.
If Height Tasks discloses Personal Data to outsourcing companies or third party data processors, whether external organisations or other companies owned by or related to Height Tasks, (for example for payroll processing, telephone marketing, pensions administration, archiving or computer support), additional security measures must be taken, to ensure such third parties handle the Personal Data appropriately.
In such circumstances Height Tasks should ensure the following:
· Due Diligence - satisfy itself that the third party Data Processor is reliable, that it will keep data confidential, and that it has adequate technical and organisational security measures in place (e.g. this might be by requiring a minimum set of due diligence questions / requirements to be addressed prior to entering into a contract);
· Contracts with Third Party - ensure a written contract is in place binding the data processor to the same obligations that apply to Height Tasks, and under which the data processor agrees to act only in accordance with written instructions from Height Tasks, and to take appropriate technical and organisational security measures when processing and deleting Personal Data; and
· Consider what is necessary - at all times ensure that no more Personal Data than necessary is provided by Height Tasks to the third party data processor for the performance of the contract.
Unauthorised disclosure of Personal Data may result in disciplinary proceedings, could be grounds for dismissal and could also lead to criminal proceedings being taken against anyone who has done so. If an employee of Height Tasks has any doubt on whether Personal Data may be disclosed or transferred, they should seek the advice of the Data and Compliance Manager before any transfer is made.
Height Tasks' approach to data destruction is that files and information relating to customers and employees will only be destroyed upon specific request from the customer or employee or, under GDPR, after the permitted purpose has come to an end. Height Tasks will make it clear to customers and employees that, should they wish data about them to be destroyed, this will be done expeditiously and securely. For details on specific data deletion timeframes, please refer to our Data Retention Policy.
Height Tasks will keep a record of all employee Personal Data destroyed.
· Paper records - paper records containing information about data subjects will be placed in confidential waste bins. Paper records should never be placed in normal waste bins, whether shredded or not.
· Electronic records
o media which contains electronic records but which is damaged or will not be used again (e.g. CDs) should be physically destroyed;
o electronic records and data files held on computers, laptops, USB sticks or other portable devices should be destroyed.
Under GDPR there is an obligation on data controllers to undertake regular impact assessments of high risk processing activities. The assessments will be carried out annually. The assessment should include:
· a description of any high risk processing activities;
· the purpose for which the activities are being carried out;
· any risk arising from the processing; and
· the measures being taken in order to mitigate such risk.
We will also undertake an Impact Assessment where we are making a fundamental change to the way that we process Personal Data.
Handling Breaches of Data Protection
The definition of personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data.
A security breach may take place for several reasons, including one or more of the following:
· Loss or theft of Personal Data
· Inappropriate access/unauthorised use of Personal Data
· Equipment failure
· Human error
· Unforeseen circumstances, such as fire or flood
· Hacking or obtaining of information by deception.
It is the responsibility of staff to report to their line manager any actual, potential or suspected breach of data protection law as soon as possible. Managers should then report this to the Company Directors and the Data and Compliance Manager. Under the revised rules, we must notify the regulator promptly and, where feasible, within 72 hours, where the breach is likely to result in a risk to data subjects. Where we are reporting the breach to the Regulator (which in the UK is the Information Commissioner's Office) then we also need to inform the individuals who are affected by the breach so that they can take steps to mitigate the effects of the breach. In considering its response to a potential or actual breach of its data protection obligations, the Height Tasks managerial team should then consider the content in Schedule A:
1. Containment and Recovery of Data
This may include:
· Initial investigation (led by the Data and Compliance Manager)
· Establishing a data recovery plan
· Specialist input from IT and legal advisers.
The following issues should be considered:
· Who should be informed of the breach and any actions that should be taken to contain it (e.g. changing door codes / passwords)
· What can be done to recover lost data
· Consider whether the Police (other regulatory authorities) need to be informed.
2. Risk Assessment
Consider the seriousness of the risk to individuals arising out of the breach. The following should be taken into account:
· Type of data involved (i.e. does it involve Special Category Data?)
· How many people are affected
· Who has been affected (e.g. staff, customers)
· Level of sensitivity
· Risk of harm, damage or distress to the affected data subjects
· Who now has access to the Personal Data
· The need to inform third parties
· Any wider risks (e.g. public health, reputational issues)
The level of assessed risk should also inform the timescale for response and whether to notify the affected individuals and / or the ICO that a breach of Personal Data has taken place.
3. Notification
Consider whether notification of the breach is relevant.
(NB: This is different to the annual requirement to notify with the ICO referred to earlier in this policy – which is a legal requirement.)
The following should be taken into account:
· Any legal and contractual requirements to notify
· Consider if notifying the individuals who have been affected by the breach will enable them to take steps to protect themselves. This is a requirement under the GDPR if there is a high risk to particular individuals
· If notifying affected individuals is appropriate consider the best means of notification
· Is the breach of a type and severity required to be notified to the ICO
4. Evaluation
Establish if the breach is due to a one-off or systemic problem and take appropriate steps to remedy the situation and to prevent it happening again. This is likely to require completion of a new risk assessment and amendments to existing procedure and policy.
Further guidance on this issue should be sought if necessary, for example from the ICO website, www.ico.gov.uk, or from Height Tasks' legal advisors, but you should never respond to a data breach or try to manage it on your own. YOU MUST REPORT A DATA BREACH TO THE DATA AND COMPLIANCE MANAGER IMMEDIATELY YOU BECOME AWARE OF IT. In serious cases, or where required under the GDPR, breaches should be notified to the ICO. In making an assessment as to whether to notify the ICO, Height Tasks managers should take into account the potential level of harm to individuals, either through the volume of data breached or its sensitivity. In notifying a breach, Height Tasks must describe:
1. The precise details of the breach,
2. the approximate numbers of individuals affected,
3. the likely consequences of the breach,
4. the measures taken or proposed in respect of minimising the fallout of the breach.
Records must be kept of all data breaches and action taken, including those in respect of which there was no obligation to notify the regulator.
Privacy By Design
We are required to implement Privacy by Design measures when Processing Personal Data. This involves implementing appropriate technical and organisational measures (like Pseudonymisation) to ensure compliance with data privacy principles. All Company Personnel have an ongoing responsibility to assess what Privacy by Design measures can be implemented on all programs, systems and procedures that Process Personal Data. If you have any comments or suggestions about how new Privacy by Design measures might be implemented or how existing measures could be improved then please pass them on to the DPO.
Height Tasks is required to implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. Height Tasks is responsible for, and must be able to demonstrate, compliance with the data protection principles. Height Tasks must have adequate resources and controls in place to ensure and to document GDPR compliance including:
(i) appointing a suitably qualified DPO (where necessary) and an executive accountable for data privacy;
(ii) implementing Privacy by Design when Processing Personal Data and completing DPIAs where Processing presents a high risk to rights and freedoms of Data Subjects;
(iii) integrating data protection into internal documents including this Policy, Related Policies and Privacy Notices;
(iv) regularly training staff on the GDPR, this Policy, Related Policies and data protection matters including, for example, Data Subjects' rights, Consent, legal bases, DPIAs and Personal Data Breaches. We must maintain a record of training attendance by staff; and
(v) regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
Changes to this Policy
We reserve the right to change this Policy at any time without notice to you so please check back regularly to obtain the latest copy of this Policy.
We last revised this Policy on 19-04-2018
Version 1: 16 April 2018