Data Protection Policy and Procedure

Introduction

SASIE Ltd is committed to preserving the privacy of its employees, partners and customers and to complying with the Data Protection Act 1998. To achieve this, information about our customers, employees and other clients and contacts must be collected and used fairly, stored safely and not unlawfully disclosed to any other person.

Information that is already in the public domain is not treated as confidential under this policy. It is SASIE Ltd policy to make as much information public as possible, and in particular the following information will be available to the public:

  • Names of our Directors.
  • Company information (contact address, company registration number, telephone number).

Principles

SASIE Ltd, its staff and others who process or use any personal information must ensure that they follow the data protection principles set out in the Data Protection Act 1998. These are that personal data shall:

  • Be obtained and processed fairly and lawfully.
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
  • Be adequate, relevant and not excessive for those purposes.
  • Be accurate and kept up to date.
  • Not be kept longer than is necessary for that purpose.
  • Be processed in accordance with the data subject’s rights.
  • Be kept safe from unauthorised access, accidental loss or destruction.
  • Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

SASIE Ltd will not release customer or employee data to third parties except to relevant statutory bodies. In all other circumstances SASIE Ltd will obtain the consent of the individuals concerned before releasing personal data.


Responsibilities

SASIE Directors

The Company Directors are responsible for the oversight and implementation of this policy.


Senior Staff

It will be the responsibility of senior staff to ensure compliance with the policy and for communicating the policy to all employees.


Data Protection Coordinator

The nominated Data Protection Coordinator for SASIE Ltd is the Administration Manager – they have operational responsibility for the implementation of this policy.


All Staff

All staff are responsible for ensuring that any personal data which they hold is kept securely and that personal information is not disclosed in any way to any unauthorised third party.


Compliance

Failure to comply with the data protection policy and procedure could result in disciplinary action.


Review

This policy and related procedures will be reviewed and reissued at least annually.


Data Protection Procedure

1. INTRODUCTION

The Company needs to keep certain information about its employees, customers and other stakeholders to allow us to monitor performance, achievements, customer assessments, feedback and complaints, finances, and health and safety. It is also necessary to process information so that staff can be recruited and paid, projects organised, and legal obligations to funding bodies and government complied with. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

To do this, SASIE Ltd must comply with the Data Protection Principles, which are set out in the Data Protection Act 1998. In summary these state that personal data shall:

  • Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
  • Be adequate, relevant and not excessive for those purposes.
  • Be accurate and kept up to date.
  • Not be kept longer than is necessary for that purpose.
  • Be processed in accordance with the data subject’s rights.
  • Be kept safe from unauthorised access, accidental loss or destruction.
  • Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.


The Company and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the Company has developed the Data Protection Policy, available on the Company shared folders.


2. RESPONSIBILITIES OF STAFF

2.1 Information About Yourself

All staff are responsible for:

  • Checking that any information they provide to the Company in connection with their employment is accurate and up to date.
  • Informing the Company of any errors in, or changes to, the information they have provided (e.g. a change of address). SASIE Ltd cannot be held responsible for any errors unless the staff member has informed us of them.


2.2 Information About Other People

All staff must comply with the following guidelines:

All staff will process data about individuals on a regular basis, when making assessments, writing reports or references, or as part of general business activities. The Company will ensure that individuals give their consent to this type of processing, and are notified of the categories of processing, as required by the 1998 Act. The information that staff deal with on a day-to-day basis will be ‘standard’ and will cover categories such as:

  • General personal details such as name and address.
  • Details about their buildings (home, business or other organisation).
  • Details of energy use.


Information about an individual’s physical or mental health, sexual orientation, political or religious views, trade union membership, ethnicity or race, or criminal record is sensitive personal data and can only be collected and processed with the individual’s express consent.

All staff have a duty to make sure that they comply with the data protection principles, which are set out above and the Company Data Protection Policy. In particular, staff must ensure that records are:

  • Accurate;
  • Up-to-date;
  • Fair;
  • Kept and disposed of safely, and in accordance with the Company policy.


The Company will designate staff in the relevant area as ‘authorised staff’. Only these staff are authorised to access data that is:

  • Not standard data; or
  • Sensitive data.


The only exception to this is where a non-authorised member of staff is satisfied, and can demonstrate, that the processing of the data is necessary:

In the best interests of the individual or staff member, or a third person, or the Company, AND

He or she has either informed an authorised person of this, or has been unable to do so and the processing is urgent and necessary in all the circumstances.

This should only happen in very limited circumstances, e.g. an individual is injured and unconscious and in need of medical attention, or a member of staff tells the hospital that the individual is pregnant or a Jehovah’s Witness.

Authorised staff are responsible for ensuring that all personal data is kept securely. In particular, staff must ensure that:

  • Personal data is put away in lockable storage and not left on unattended desks or tables.
  • Unattended ICT equipment is not accessible to other users.
  • ICT equipment used off-site is password-protected.
  • Data files on CD, floppy disk, memory stick or email attachment that contain personal data and are used off-site are password-protected.
  • Paper records containing personal data are shredded where appropriate.


Staff must not disclose personal data to any individual, other than for normal business purposes, without the authorisation or agreement of the designated data controller, or otherwise in line with Company policy.

Staff shall not disclose personal data to any other staff member except with the authorisation or agreement of the designated data controller, or in line with Company policy.

Before processing any personal data, all staff should consider the following:

  • Do you really need to record the information?
  • Is the information ‘sensitive’?
  • If it is sensitive, do you have the data subject’s express consent?
  • Has the individual been told that this type of data will be processed?
  • Are you authorised to collect/store/process the data?
  • If yes, have you checked with the data subject that the data is accurate?
  • Are you sure that the data is secure?
  • If you do not have the data subject’s consent to process, are you satisfied that it is in the best interests of the individual or the safety of others to collect and retain the data?


3. RIGHTS TO ACCESS INFORMATION

Staff, individuals and other users of the Company’s facilities have the right to access any personal data that is being kept about them either on computer or in certain files. Any person who wishes to exercise this right should put the request in writing and send it to the Administration Manager.

The Company will make a charge of £10 on each occasion that access is requested, although the Company has discretion to waive this. This charge will be automatically waived for staff.

The Company aims to comply with requests for access to personal information as quickly as possible, and will ensure that the information is provided within 21 days unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing to the data subject making the request.


4. SUBJECT CONSENT

In many cases, the Company can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained. Agreement to the Company processing some specified classes of personal data is a condition of acceptance by a customer of a SASIE offer of work, and a condition of employment for staff. This includes information about previous criminal convictions.

Some jobs or assessments will bring staff into contact with children, including young people between the ages of 16 and 18. The Company has a duty under the Children Act and other enactments to ensure that staff are suitable for any job offered. The Company also has a duty of care to all staff and customers and must therefore make sure that employees and those who use the Company’s facilities do not pose a threat or danger to other users.

The Company may request information about health and well-being, or in relation to private financial matters (e.g. access to social benefits). This information will only be requested in connection with SASIE’s direct business activities, and customer consent will be needed.


5. THE DATA CONTROLLER AND THE DESIGNATED DATA CONTROLLER/S

The Company as a registered private company is the data controller under the Act, and the Directors are therefore ultimately responsible for implementation. However, the designated data controllers will deal with day-to-day matters.

The nominated Data Protection Coordinator is the Administration Manager.

In the event of the Administration Manager being unavailable, the nominated deputy for the Data Protection Coordinator is the Managing Director.

The Company’s designated data controller is the Administration Manager.


6. RETENTION OF DATA

Please see appendix 1 for the guidelines for the retention of personal data.


7. NOTIFICATION OF CHANGES TO THE PROCESSING OF PERSONAL DATA

All staff with access to Company email will be directly notified of any changes to the Company Policy or Procedure by email. Those without access will be notified by the appropriate manager or supervisor verbally in a team meeting.


8. APPLICATION TO ENERGY ASSESSMENTS

Customer data is collected specifically for the purpose of energy assessments. This includes data about the building, energy used in the building and details about the occupants. The Company’s Data Protection Policy and Procedure applies to Green Deal Assessments and to the generation of Energy Performance Certificates (EPCs). The Green Deal Code of Practice (currently Version 3, dated 31 July 2013, published by the Department of Energy and Climate Change and available on the DECC website) also applies: Annexes A to D apply directly, with additional implications in Annexes E and F.

SASIE energy assessors must explain the assessment requirements and obtain customer consent for the collection of personal data before completing the assessment. Data collected for the purposes of Green Deal or EPC assessments must be kept in accordance with this policy and procedure and used only for the purpose of generating assessment reports. The data, whether raw collected data or processed data and reports, must not be shared with third parties except in exceptional circumstances and emergencies (e.g. absence of the assessor due to sickness).

In the case of information obtained through a Green Deal Assessment, information will remain confidential, and will only be provided to the parties below upon request:

  • The organisation or individual who has commissioned the work
  • The Green Deal Assessor (when preparing a quotation)
  • The Certification Body (where required)
  • The Green Deal Oversight and Registration Body (where required)
  • The appropriate registries, when lodging elements of the Green Deal Advice Report


9. CONCLUSION

Compliance with the 1998 Act is the responsibility of all members of the Company. Any breach of the data protection policy may lead to disciplinary action being taken, access to the Company facilities or customer sites being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation of this policy should be referred to your line manager.
