We hold personal data about our employees, customers, suppliers and other individuals for a variety of business purposes.
We take seriously our obligations under the General Data Protection Regulation (GDPR) and all other relevant regulation and legislation in relation to the personal data we hold.
We have appointed Mark Snow as our Data Compliance Manager (DCM) to have overall responsibility for monitoring how we collect and use personal data, data security and compliance with data protection regulations and laws.
This policy sets out how we seek to protect personal data and ensure staff understand the rules governing their use of personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the DCM should be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.
It is important that staff understand the following terms:
Business purposes—the purposes for which personal data may be used by us, eg creating and administering customer accounts, personnel, administrative, financial, regulatory, payroll and business development purposes. These include the following:
creating, and managing our contracts and accounts with our customers
identification of new customers for anti-money laundering purposes
contacting customers for reasons related to the services they have signed up for or to provide information they have requested
contacting customers to notify them of any changes to our services that may affect them
invoicing for and collecting payments due for services provided to customers
collecting overdue payments
compliance with our legal, regulatory and corporate governance obligations and good practice
gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
ensuring business policies are adhered to (such as policies covering email and internet use)
operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
investigating complaints and resolving disputes
checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
monitoring staff conduct, disciplinary matters
following up leads and marketing our business
Personal data—information relating to identifiable individuals, such as customers, alternative contacts, suppliers, marketing contacts, job applicants, current and former employees, agency, contract and other staff. Personal data we gather may include: individuals’ contact details, financial and payment details, details of education, qualifications and skills, marital status, nationality, job title, and CV. The storage site is monitored by CCTV cameras at all times, and images of all persons and vehicles will be recorded and kept, and may be viewed subsequently.
Sensitive personal data—personal data about an individual’s racial or ethnic origin, sexual orientation, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings, CCTV images and any other biometric data.
This policy applies to all staff. Staff must be familiar with this policy and comply with its terms.
We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
Who is responsible for this policy?
The DCM has overall responsibility for this policy and for ensuring this policy is adhered to by all staff.
The GDPR imposes requirements that:
we only hold data if we have a lawful basis for doing so, for example, where we have a contract with a customer, to administer the customer’s account and provide the services the customer requires, to comply with our legal obligations, if we have a genuine and legitimate business interest in processing that information or we have the consent of the person to whom the data relates
we keep that data confidential and secure
we use it only for authorised purpose(s)
any data we hold is:
we do not keep data for longer than is necessary
Fair and lawful processing – Privacy Notices
We must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the processing is:
necessary to perform legal obligations or exercise legal rights, or
otherwise in our legitimate interests and does not unduly prejudice the individual’s privacy
In most cases this provision will apply to routine business data processing activities for our Business purposes.
Our Privacy Notice is a notice to customers on data protection. The notice:
sets out the purposes for which we hold personal data on clients (ie for the provision of legal services and related purposes including legal and regulatory compliance)
highlights that we may be required to give information to third parties such as law enforcement agencies or need to share it with service providers such as insurers, credit reference agencies, debt collection agents and payroll providers, and
provides that individuals have a right of access to the personal data that we hold about them
Our Privacy Notice will be offered to the customer either in printed format or via the appropriate website links at the first point of contact. Our website will direct customers to our Privacy Notice when they make an enquiry on-line. If a customer makes an enquiry in the store or signs a licence agreement in store, staff will offer a printed copy of our Privacy Notice at that time. The licence to store goods will direct customers to the appropriate website links. If enquiries are made by telephone, staff will let them know we take the privacy of their data seriously and that they can view our Privacy Notice on-line or we can send it to them by post or by an email link to the website.
Our Privacy Notice needs to be available to the customer at the first point of contact. Our website will direct customers to our Privacy Notice when they make an enquiry on-line. If a customer makes an enquiry in the store or signs a licence agreement in store, then staff must offer them a copy of our Privacy Notice at that time. If enquiries are made by telephone, staff will need to let them know we take the privacy of their data seriously and let them know that they can view our Privacy Notice on-line or we can send it to them by post or email.
Sensitive personal data
We do not normally collect and store any sensitive personal data as defined at 2.1.3. In the unlikely event that we need to collect and store any sensitive personal data we will require the data subject’s explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (eg to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
Accuracy and relevance
We will ensure that any personal data we process is accurate, adequate, relevant and not excessive given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate personal data relating to them and we need to respond to them within one If any person makes a request to correct inaccurate information, staff must inform the DCM immediately giving details of the request. If staff believe that information is inaccurate they should record the fact that the accuracy of the information is disputed and pass this on to the DCM when reporting that the request has been made.
Right to stop direct marketing
We do not use personal data for direct marketing and customers are not invited to give permission for us to do so. In the event that this policy should change, the following provisions apply.
Staff should abide by any request from an individual not to use their personal data for direct marketing purposes and notify the DCM about any such request.
Do not send direct marketing material to someone electronically (eg via email) unless the person has given their consent to this. Staff will need to follow industry guidance on following up on people who have made enquiries or asked for a quote for storage. [Please see our Policy on following up potential customers.]
Please contact the DCM for advice on direct marketing before starting any new direct marketing activity.
Right of access to personal data – subject access requests
Please note that under the Data Protection regulations, individuals are entitled (subject to certain exceptions) to request access to information held about them.
If staff receive a subject access request, or a request to correct information, they should refer that request immediately to the DCM.
Staff should inform customers that they should contact the DCM if they would like to correct or request information that we hold about them. We may charge a small fee for providing personal data, as permitted by applicable law. This fee will be no more than £10. There are also restrictions on the information to which individuals are entitled under applicable law.
Right to be forgotten or to restrict use of personal data
Please note that under the Data Protection regulations, individuals are entitled (subject to certain exceptions) to request that we restrict how we use the personal information we hold about them or that we delete it altogether.
If staff receive a request of this kind, they should refer that request immediately to the DCM.
Your personal data
Staff must take reasonable steps to ensure that personal data we hold about them is accurate and updated as required, eg if personal circumstances change then please inform the DCM so that we can update our records.
Staff must keep personal data secure against loss or misuse and should comply with our security guidelines and policies set out in the Information Security Schedule below.
Where other organisations process personal data as a service on our behalf (eg payroll or outsourcing companies), the DCM will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
We must retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our Data retention guidelines.
Transferring data internationally
There are restrictions on international transfers of personal data. Staff must not transfer personal data internationally at all without first consulting the DCM.
All members of staff have an obligation to report actual or potential data protection compliance and data security failures. This allows us to:
investigate the failure and take remedial steps if necessary
maintain a register of compliance failures
notify the regulatory authorities if we are required to do so where any compliance failures are material either in their own right or as part of a pattern of failures.
If staff suspect or become aware of any data security breach or that we have failed to do something which may be a breach of our data compliance obligations, they should report these facts or suspicions immediately to the DCM.
All staff will receive training on this policy. New employees will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.
Training will cover:
the law relating to data protection
our data protection and related policies and procedures
Completion of training is compulsory.
The DCM will continually monitor training needs but if staff feel that they need further training on any aspect of the relevant law or our data protection policy or procedures, they should contact the DCM.
Everyone must observe this policy. The DCM will take steps to ensure it is being adhered to.
The DCM will review this policy at least annually to ensure it remains fit for purpose and compliant with the applicable legislation.
Consequences of failing to comply
We take compliance with this policy very seriously.
Failure to comply puts both staff and the business at risk.
The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures, which may result in dismissal.
If staff have any questions or concerns about anything in this policy, they should not hesitate to contact the DCM.
INFORMATION SECURITY SCHEDULE
We are committed to the highest standards of document and information management and security and treat confidentiality and data security extremely seriously.
One of the purposes of this policy is to:
protect against potential breaches of confidentiality and failures of integrity or availability of information
ensure our information assets and IT facilities are protected against damage, loss or misuse
ensure all staff are aware of and comply with UK law and our own procedures applying to the processing of data
increase awareness and understanding in the business of the requirements for information security and the responsibility of staff to protect information they handle
The DCM will review security event logs and error logs on a monthly basis and is responsible for downloading and installing any necessary software, security patches or system updates.
Records and information are owned by the business and not by any individual or team.
Keeping accurate and up-to-date records is an integral part of all business activities.
Complete and accurate records must be securely stored in the appropriate locations and be easily identifiable and accessible to those who need to see them. This means:
files must be kept in accordance with our normal file management protocols and must be kept organised and up-to-date
substantive matter related emails and notes of telephone or other conversations must be placed on file and must not be stored solely in personal mailboxes
files must not be removed from the office except as permitted under this policy
Information includes information stored anywhere on our IT system, as well as paper records and CCTV images.
Information will be held only as long as is required and will be disposed of in accordance with our Information retention and destruction policy.
All staff must ensure that any information and data gathered is accurate and, where appropriate, kept up-to-date.
Human resources information
Given the internal confidentiality and sensitivity of personnel files, access to such information is limited to the DCM. Except as provided in individual roles, no other staff are authorised to access that information.
Any staff member in a management or supervisory role must keep personnel information confidential.
Subject to the provisions of the GDPR and associated codes of conduct, staff may ask to see their personnel files at any time by request to the DCM.
Access to offices and files
At the end of each day, or when desks are unoccupied, all files, backup systems and devices containing confidential information must be securely locked away or access disabled in case of temporary absence.
All office access doors must be kept secure at all times and customers and visitors must not be given keys or pass-codes other than those they need to access their storage units.
If staff are dealing with a customer at reception or it becomes necessary to see customers in another office area, then no customer files or other client information which do not relate to that customer should be visible.
Customers and visitors should never be left alone in areas where they could have access to confidential information.
Computers and IT
Computers must be password protected and those passwords must be set up and changed in accordance with requirements issued by the DCM from time to time. Passwords should not be written down or given to others.
Computers and other devices should be locked when not in use to minimise the risk of accidental data loss or disclosure.
The use of memory sticks and other removable media is prohibited. No confidential information is to be copied onto floppy disk, removable hard drive, CD or DVD or memory stick/thumb drive without the express permission of the DCM and even then it must be encrypted.
Data copied to any of these devices must not be uploaded to our IT system until the device has been checked and cleared. Once this has happened, relevant data should be stored on our computer network in order for it to be backed up, and the data on the removable device should be deleted.
Backup of data
All electronic data must be securely backed up at the end of each working day.
Backup media must be encrypted.
Backup media that is retained on site prior to being sent for storage at a remote location must be stored securely in a locked safe and at a sufficient distance away from the original data to ensure both the original and backup copies are not compromised.
A recording mechanism is in place and maintained by our IT manager to record all backup information including any failures or other issues.
Communication and transfer
Confidential information must not be removed from our offices without permission from the DCM.
Postal, fax and email addresses and numbers should be checked and verified before information is sent to them. Particular care should be taken with email addresses where auto-complete features may have inserted incorrect addresses.
All sensitive or particularly confidential information should be encrypted before being sent by email. Such information sent by post should be sent by recorded delivery.
Sensitive or particularly confidential information should not be sent by fax unless you can be sure that it will not be inappropriately intercepted at the recipient fax machine.
Personal email and cloud storage accounts
Personal email accounts (such as Yahoo, Google or Hotmail) and cloud storage services (such as Dropbox, iCloud and OneDrive) are vulnerable to hacking. They do not provide the same level of security as the services provided by our own IT systems.
Staff must not use a personal email account or cloud storage account for work purposes. Do not plug in or attach your personal devices to the business’s IT system – charge from a wall plug socket.
If you need to transfer a large amount of data, contact the DCM for help.
No confidential or other information should be taken to your home without the permission of the DCM, and only then if they are satisfied that you have appropriate technical and practical measures in place to maintain the continued security and confidentiality of that information.
No confidential information is to be stored on your home computer (PC, laptop or tablet).
Files and confidential information must be kept in a secure and locked environment where they cannot be accessed by family members or visitors.
For more guidance, consult the DCM for details of our remote working and removable media policy.
Cybercrime prevention and management
All staff are required to be aware of and comply with our Cybercrime prevention strategy and incident management plan, which incorporates our Password policy [and criteria for remote working].
IT system management and development
Our IT systems are managed by suitably trained staff who are responsible for overseeing day-to-day operation and to ensure continued security and integrity.
The DCM is responsible for ensuring we have procedures for the secure configuration of network devices. These will vary from time to time but are likely to include:
ensuring all network devices have up-to-date firewalls
encryption of hard drives
ensuring all devices are password protected[/alarmed]
The DCM is responsible for the management of user accounts and will implement procedures to ensure:
appropriate permissions are set for different types of user accounts, eg administration, standard or guest
all members of staff have the correct type of user account
users run with a minimal set of permissions whenever possible
user accounts are suspended or deleted promptly where required, eg if a member of staff leaves the firm
Access controls will be maintained at appropriate levels for all systems by ongoing and proactive management. Any changes to permissions must be approved by the DCM.
New IT systems, or upgrades to existing systems, must be authorised by the DCM and the authorisation process must take account of security requirements. The information assets associated with any proposed new or updated systems must be identified and a risk assessment undertaken.
Any new equipment must have appropriate levels of resilience and fault tolerance and must be correctly maintained.
Software and applications must be managed to ensure their smooth day-to-day running and to preserve data security and integrity. The purchase or installation of new or upgraded software must be planned and managed and any information security risks must be mitigated. Specifications for new software or upgrades of existing software must specify the required information security controls.
The business has in place a Business continuity plan. That plan has been designed to ensure continued data security and to maintain confidentiality. Staff will be trained on what to do if this plan needs to be put into place.
If staff suspect or become aware of any data security breach or that we have failed to do something which may be a breach of our data compliance obligations, staff should report these facts or suspicions immediately to the DCM.