Data Protection Policy
Wildwood Ecology Limited (the ‘Company’) is committed to being transparent about how it collects and uses personal data relating to its employees, subcontractors, volunteers and clients, and to meeting its data protection obligations.
This policy sets out the Company’s commitment to data protection and individual rights and obligations in relation to the personal data of staff, subcontractors, volunteers and clients or other personal data processed for business purposes.
The Company has appointed Richard Dodd as the person with responsibility for data protection compliance within the organisation. He can be contacted at firstname.lastname@example.org, and any questions regarding this policy or requests for further information should be directed to him.
This policy applies to all employees, subcontractors, volunteers and clients and their agents of Wildwood Ecology Limited, or to others whose personal data may be processed by the Company for business purposes.
The wording in this policy reflects the requirements of the General Data Protection Regulation (GDPR) which became effective in the UK on 25 May 2018.
Further details and clarification regarding all aspects of this policy can be found on the Information Commissioner’s Office (ICO) website at www.ico.org.uk.
- Personal Data – any information relating to a living individual who can be identified from that information
- Processing – any use that is made of data including collecting, storing, amending, disclosing or destroying it
- Special Categories of Personal Data – information pertaining to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, biometric data
- Criminal Records Data – information relating to an individual’s criminal convictions and offences and information relating to criminal allegations and proceedings
Data Protection Principles
The Company processes personal data in accordance with the following data protection principles:
- Personal data is processed lawfully, fairly and in a transparent manner
- Personal data is only collected for specified, explicit and legitimate purposes
- The Company processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing
- The Company keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay
- Personal data is only kept for the period necessary for processing
- Appropriate measures are in place to make sure that personal data is secure and protected against unauthorised or unlawful processing, accidental loss, destruction or damage.
The Company tells individuals the reasons for processing their personal data, how it will be used and the legal basis for processing in its privacy notice. It will not process the personal data of individuals for any other reason. Where the Company relies on its legitimate interests as the basis for processing data it will carry out an assessment to ensure that those interests are not overridden by the rights and freedoms of individuals.
When informed by the individual that information is inaccurate or has changed the Company will update it promptly.
Personal information may be held as hard copy, electronic format or within the Company’s computer system as appropriate. Information will be held for as long as is necessary to comply with legal and/or business requirements. A copy of the Company’s retention document is included under Addendum A of this policy.
Individual Rights
Data subjects have a number of rights in relation to the personal data relating to them which may be held by the Company.
5.1 The Right to be Informed
Individuals have the right to know why and how their personal data is being processed. The Company has a privacy notice which is available on its website. It also provides information and a consent option as part of its information gathering forms. Where information is obtained from other sources individuals will be supplied with a copy of the privacy notice as soon as is reasonably possible and no later than one month from the Company obtaining the data. A copy of the Company’s privacy notice is contained within Addendum B of this policy.
5.2 The Right of Access
Individuals have the right to access their personal data and any supplementary information held by the Company.
Requests for information should be made by email or in writing to the Company; full details are contained within our privacy notice. The Company reserves the right to contact the individual in order to verify their identity before supplying any information.
Where the request has been made electronically the information will be supplied in an electronic format unless otherwise requested.
Information will be supplied free of charge; however, the Company reserves the right to charge a fee based on the administrative costs incurred where additional copies of the information are requested or where the request is excessive or repetitive.
Information will be provided as soon as is reasonably possible and within one month of receipt of the request at the latest. However, the Company reserves the right to extend this period by a further two months should the request prove complex or numerous. In these circumstances the Company will inform the individual within one month of receipt of the request and will explain why the extension is necessary.
Where the request is manifestly unfounded or excessive the Company may refuse to respond. In such cases it will contact the individual to explain its decision and inform them of their right to complain to the Information Commissioner’s Office.
5.3 The Right to Rectification
Individuals have the right to have their information corrected if they believe it is factually inaccurate. Requests for rectification of information may be made verbally or in writing and the Company reserves the right to verify the identity of the individual if deemed necessary. Where possible, requests should be made by email to email@example.com.
Any changes requested will be made free of charge and as soon as is reasonably possible, at the latest within one month of the date of the request.
Where the Company believes that the request is unfounded it reserves the right to refuse to make any changes to information. In such cases it will contact the individual to explain its decision and inform them of their right to complain to the Information Commissioner’s Office.
Where information has been disclosed to a third party (i.e. HMRC) the Company will inform them of the changes made to any information held.
5.4 The Right of Erasure (the right to be forgotten)
Individuals have the right to request that personal data is erased. Requests for erasure may be made verbally or in writing and the Company reserves the right to verify the identity of the individual if deemed necessary. Where possible, requests should be made by email to firstname.lastname@example.org.
The right to erasure is only valid in certain circumstances. Where a request for erasure of information is made the Company will consider the request and will inform the individual of its decision as soon as is reasonably possible. Where the request is accepted information will be deleted free of charge and within one month of the date of the request. Where the request is not accepted the Company will inform the individual of its decision and of their right to complain to the Information Commissioner’s Office within one month of the date of the request.
5.5 The Right of Restriction of Processing
In certain circumstances individuals have the right to stop the Company processing their personal data, for example when contesting the accuracy of their data.
During any period of restriction, the Company will continue to hold data but will not use it until the restriction has been lifted.
5.6 The Right to Data Portability
Individuals have the right to obtain and reuse their personal data for their own purposes. The right applies:
- To personal data you have provided to a controller
- Where the processing is based on your consent or for the performance of a contract, and
- Where processing is carried out by automated means
Information will be supplied free of charge in a commonly used format.
5.7 The Right to Object
Individuals have the right to object to the processing of their personal data for several reasons. Should you wish to object to the processing of your data please contact email@example.com.
The Company takes the issue of data security very seriously and works to maintain the GDPR’s ‘security principle’ at all times. The Company has:
- Secure business premises with access restricted to key holders as necessary
- Secure cabinets for storage of paper files with access restricted to key holders as necessary
- Password protected electronic devices
- Encryption, firewalls and anti-virus software installed and/or used as necessary to ensure confidentiality and integrity are maintained
Data is audited on a regular basis and out of date information is deleted from IT systems and/or shredded as appropriate.
The Company understands its obligations with regard to any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data and has an internal policy to deal with such instances should they occur.
Data Retention Periods
Wildwood Ecology Limited has carried out an information audit and, for the purposes of this policy, will retain information in line with the data retention periods stated below:
| Type of record | Retention period |
|---|---|
| Recruitment paperwork including, but not restricted to, CVs, application forms, interview notes (for unsuccessful candidates) | 12 months from the date of application or interview whichever is later. (Paperwork pertaining to successful candidates will be transferred to the personnel files) |
| Paperwork relating to payroll including HMRC records | 6 years after the end of the financial year to which they relate |
| Company and accounting paperwork | 6 years from the end of the last company financial year they relate to |
| Quotations and tender documents issued and not accepted | 12 months from the expiry date of the quotation/tender |
| Supplier details | 6 years after the end of the financial year to which they relate |
| Subcontractor records | 12 months from the date of receipt |
| Volunteer records | 12 months after the final working date |
If you have any queries relating to data retention, please contact us at firstname.lastname@example.org.