Data Protection Policy
1. Policy Aim
Plansafe Solutions Ltd is a consultancy based organisation advising on occupational health and safety, matters relating to asbestos in properties and lifting equipment. The Company is split into four main divisions, being:
- Health and Safety Consultancy and CDM Advisory Work.
- Asbestos Surveying and Services.
- Engineer Surveying.
- Expert Witness.
The Asbestos Surveying Division conducts both Management and Refurbishment/Demolition Surveys on all types of private and commercial properties; if requested, it offers for Tender Contracts for removal of asbestos on behalf of Clients; it also produces, and assists in the maintenance of, Asbestos Management Plans.
Engineer Surveying carries out Thorough Examinations of Lifting Equipment in commercial and domestic properties; undertakes Proof Load Testing of cranes, runway beams and lifting eyes fitted to newly manufactured equipment.
Expert Witness provides a specialist service to Solicitors acting on behalf of individual Employees raising actions against their Employers in respect of injuries suffered through accident at work, Solicitors acting on behalf of Employers who are the subject of such claims by Employees; Solicitors acting for Employers against whom the Health & Safety Executive may have raised criminal charges.
Health & Safety assists Employers by providing Health and Safety Management Systems, advising on safe work practices and procedures and acting in the capacity of their Health and Safety Advisor. This Division also provides a CDM Consultancy Service for parties involved in construction projects which are covered by the Construction (Management & Design) Regulations 2015.
The personal data Plansafe Solutions Ltd processes for operational and managerial purposes is protected in the following manner:
Staff
All personal data relating to staff is maintained on personnel files which are maintained in a locked fast drawer of the Managing Director’s desk and are controlled entirely by the Managing Director and the Data Controller. Payroll, pension contributions, tax and National Insurance and all financial, salary related data is processed by the Accounts Clerk (Diane Maxwell), who is a member of the Data Protection Team in the form of both electronic and paper based records. Contributions due to HMRC are calculated and recorded using HMRC’s Basic PAYE Tools application, the data is transferred to HMRC’s server by secure data transfer which is password protected; a similar process is adopted for all contributions to Workplace Pensions. Thereafter, HMRC and Workplace Pensions are considered trusted Data Controllers.
All paper based records relating to payroll and pension matters are maintained in a locked fast cabinet which is under the direct control of the Accounts Clerk.
Clients and Suppliers
In respect of both Clients and Suppliers, Plansafe Solutions Ltd holds relevant data in the form of:
- Names and addresses.
- Telephone numbers, both landline and mobile numbers of companies and individual Employee/Officers of the company.
- Email addresses.
- Bank details.
This data is held in both paper format and electronic format. The electronic data is a mixture of computer based data and data included on mobile devices such as mobile phones. We secure this data by ensuring that all Client/Supplier files are maintained in locked fast cabinets whose keys are under the control of the Data Protection Team.
In respect of electronic data, all staff computers, which have direct access to the server, are locked when unoccupied and secured by individual computer passwords, known only to the user of the computer in question and the Data Protection Team. All staff have been instructed to create an individual pin number through which to access their mobile telephone address book.
The Engineer Surveying Division operates a bespoke software and device application to facilitate computerised reporting of the Examinations they undertake. The back end of this software is hosted on a web server managed and controlled by One & One Internet Ltd with whom we have agreed arrangements for security of all data controlled. This data includes Clients’ names and addresses, telephone numbers and email addresses.
The Engineers work, on site, with hand held devices which synchronise with the web server and download the relevant information to allow the relevant Examinations to be undertaken. This relevant information contains the details identified in relation to the server based software. We secure this data by ensuring that all ipads have an independent access pin number known only to the user of that particular ipad and the Data Protection Team.
Plansafe’s computers are backed up onto external hard drives at the end of each day and these hard drives are handed to the Managing Director who takes them off the premises to his home where they are placed in a locked fast cabinet. In his absence, the Data Controller, Tracy Cowley, undertakes this task. Periodically, our IT Consultants, 8020 IT, remove one of these external hard drives and downloads the material onto one of their Test Servers to verify the backup material can be recovered. Plansafe has an agreement in place with 8020 IT that they will maintain encryption of the relevant servers along with password protection.
This policy sets out Plansafe Solutions Ltd’s commitment to ensuring that any personal data, including special category personal data, which Plansafe Solutions Ltd processes is carried out in compliance with Data Protection Law. Plansafe Solutions Ltd is committed to ensuring that good data protection practice is imbedded in the culture of our staff and our organisation. Plansafe Solutions Ltd’s other policies and procedures are listed at Appendix 1.
Plansafe Solutions Ltd is committed to:
Ensuring that we comply with the GDPR Data Protection Principles when processing any personal data and that we meet our legal obligations as laid down in Data Protection Law (including the GDPR and all relevant EU and UK data protection legislation).
2. Scope
This policy applies to all personal data processed by Plansafe Solutions Ltd and is part of Plansafe Solutions Ltd’s approach to compliance with Data Protection Law. All Plansafe Solutions Ltd staff are expected to comply with this policy.
3. Data Protection Principles
Plansafe Solutions Ltd confirms that it complies with the following data protection principles and undertakes to ensure that when it processes personal data:
it is processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
it is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (‘purpose limitation’)
It is all adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; (‘data minimisation’)
It is all accurate and, where necessary, kept up to date and that reasonable steps will be
taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
It is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (‘storage limitation’)
It is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Plansafe Solutions Ltd is committed to facilitating and complying with any request from a data subject who wishes to exercise their rights under Data Protection Law in a transparent manner and without undue delay.
Plansafe Solutions Ltd will not transfer any personal data to a country outside the EU or an international organisation without ensuring the level of protection provided by Data Protection Law is not undermined.
4. Process/Procedures/Guidance
Plansafe Solutions Ltd will:
only collect and process the personal data that it is necessary for the purpose or purposes that we have identified in advance.
ensure that the legal basis for processing your data is identified in advance.
ensure that as far as possible the personal data we hold is accurate.
only process your data for as long as is it required for our purposes and then we will securely dispose of, or delete your data. Plansafe Solutions Ltd’s Data Retention Policy sets out the appropriate period of time.
collect personal data from anyone they will be given information in a fair processing or privacy notice which provides more detail on why we are asking for that data and what we intend to do with it.
not do anything with your data that you would not expect given the content of this policy and the fair processing or privacy notice.
ensure that appropriate technical and organisational measures are in place to ensure the security of your personal data.
Plansafe Solutions Ltd will ensure that all staff who handle personal data are aware of their responsibilities under this policy and other relevant data protection and information security policies and that they are adequately trained and supervised.
Any employees who breaches this policy may be subject to disciplinary proceedings.
5. Data Subject Rights
Plansafe Solutions Ltd will ensure that it has procedures in place to allow data subject to exercise the following data subject rights under the GDPR:
Subject access: the right to request information about how personal data is being processed including whether personal data is being processed and the right to be allowed access to that data and to be provided with a copy of that data along with the right to obtain the following information:
the purpose of the processing;
the categories of personal data;
the recipients to whom data has been disclosed or which will be disclosed;
the retention period;
the right to lodge a complaint with the ICO;
the source of the information if not collected direct from the subject; and
the existence of any automated decision making.
Rectification: the right to allows you to rectify inaccurate personal data concerning you without undue delay.
Erasure: the right to have data erased in certain circumstances, and to have confirmation of erasure, but only where:
the data is no longer necessary in relation to the purpose for which it was collected;
where consent is withdrawn;
where there is no legal basis for the processing; or
there is a legal obligation to delete data.
Restriction of processing: the right to ask for certain processing to be restricted in the following circumstances:
if you contest the accuracy of your personal data;
if our processing is unlawful and you do not want it to be erased;
if we not no longer need the data for the purpose of the processing but it is required by you for the establishment, exercise or defence of legal claims; or
if you have objected to the processing, pending verification of that objection.
Data portability: you have the right to receive a copy of the personal data you have provided to us and certain information generated by us, if our processing is carried by automated means, which will allow you to transfer it to another data controller. This only applies if our legal basis for processing is consent or under a contract.
Object to processing: you have the right to object, on grounds relating to your particular situation, to the following:
processing carried out in the public interest or in the exercise of official authority; or
processing relying on the legitimate interests processing condition unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. You have an absolute right to object to any direct marketing that we are sending to you and there are no exemptions to this which would allow you to refuse to comply.
Object to automated decision making: if we are making decisions about you based on automated processing which have a legal or similar effect on you, then in some circumstances you have the right to object to this decision being made solely on the basis of automated processing. This includes any profiling of you that we carry out.
You cannot exercise this right in the following circumstances when the processing is:
necessary for entering into or the performance of a contract;
authorised by law; or
based on explicit consent.
6. Special Category Personal Data
This includes the following personal data revealing:
Racial or ethnic origin,
Political opinions,
Religious or philosophical beliefs,
Trade union membership,
The processing of genetic data, biometric data for the purpose of uniquely identifying a natural person,
Data concerning health,
Data concerning a natural person's sex life or sexual orientation.
Plansafe Solutions Ltd processes special category data of employees as is necessary to comply with employment and social security law and in particular Plansafe Solutions Ltd. This policy sets out the safeguards we believe are appropriate to ensure that we comply with the Data Protection Principles set out above.
7. Responsibility for the Processing of Personal Data
Plansafe Solutions Ltd’s Board takes ultimate responsibility for data protection.
If you have any concerns or wish to exercise any of your rights under the GDPR then you can contact the Data Protection Officer in the following ways:
Plansafe Solutions Ltd
1 Irongray Road,
Dumfries
DG2 0HS
Tel: 01387 255 535
Email: tracy.cowley@plansafe.co.uk
8. Monitoring and Review
This policy shall be regularly monitored and reviewed by Plansafe Solutions Ltd annually.