EFM needs to hold and to process personal data about its clients & their employees, contractors and other individuals in order to carry out its business and organisational functions.
The legal requirements pertaining to privacy are enshrined in data protection law. The Data Protection Act 2018 implemented a comprehensive legal framework for data protection in the UK, supplemented by the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) until the UK leaves the EU. The regulation was approved on 27 April 2016 and enforcement begins on 25 May 2018.
This policy encompasses the elements necessary for company compliance with privacy legislation, principles and practice.
Connected Companies: EFM Limited, EFM Financial Management Limited, Outsource-FD Limited, DeNovo Partners Limited, EFM Ireland Limited.
Cookies: Files placed on an individual’s computer hard drive to record and save personal information about the individual’s location and preferences that will be needed in future contacts.
Controller: The organisation that determines the purposes and means of the processing of personal data.
ICO: The Information Commissioner’s Office is the UK’s independent body set up to uphold information rights.
Personal data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
4.1 Main principles
The company and its employees will take all reasonable steps to maintain the confidentiality of all confidential business information and personal information.
The company will disclose to clients [data subjects] what personal information will be collected and the reason for collecting that information.
4.2 Regulatory compliance
The Data Protection Act 2018 controls how personal information is used by organisations, businesses or the government and is the UK’s implementation of the General Data Protection Regulation (GDPR). Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’:
• Data must be processed fairly and lawfully
• Data should only be obtained for a specific and lawful purpose
• Data should be adequate, relevant and not excessive
• Data should be accurate and up to date
• Data should be held only for as long as it is likely to be required
• Data users should respect the rights of the data subject
• Measures should be taken to protect data
• Data should only be maintained within the European Economic Area (EEA) unless the holding territory has adequate protection levels
The company and its employees will ensure that personal data is processed in accordance with the rights of individuals, where applicable. These rights are:
• the right to be informed;
• the right of access to the information held about them by the company;
• the right to rectification;
• the right to erasure;
• the right to restrict processing;
• the right to data portability;
• the right to object; and,
• rights in relation to automated decision making and profiling.
Additional conditions and safeguards will be applied to ensure that more sensitive personal data (defined as Special Category data in the legislation) is handled appropriately by the company. Special category personal data concerns an individual’s:
In addition, similar extra conditions and safeguards also apply to the processing of the personal data relating to criminal convictions and offences.
The company will maintain high standards of physical and electronic security wherever personal information is being handled and ensure that the design and implementation of systems and processes makes provision for the security and privacy of personal data, including:
• Electronic records of personal and confidential business information are subject to limited access by authorised personnel. All files containing personal information will be protected by password or server access restrictions.
• Physical records of personal information will be kept in locked cabinets or secure rooms and accessible only by authorised personnel.
This policy applies to:
• All personal data held and processed by the company. This includes expressions of opinion about the individual and the company’s intentions regarding that individual. It includes data held in any system or format, whether electronic or manual.
• All locations that personal data is accessed from, including off‐site.
• All contracts and other working arrangements with consultants, contractors or others providing services to the company. Compliance with the principles outlined in this policy shall be treated as essential for contract compliance.
All employees will ensure that privacy of personal information is protected and respected.
The managing director is responsible for appointing a privacy champion.
The privacy champion will:
• develop and maintain both internal and external privacy policies;
• ensure that systems and processes are in place to support the policies;
• act as an expert resource on privacy within the company;
• act as a point of contact on privacy issues for staff, contractors and the board.
7 Procedures & guidelines
7.1 Information Requests
Requests from a data subject to provide information about their personal information being collected, used or disclosed by the company will be answered within the statutory timescale, currently 28 days. The company will not charge a fee for this service for the first request. Repeat and unreasonable requests may be charged for, and the privacy champion will determine if a charge is necessary.
The DPO will manage the process of information requests and provide feedback to the Managing Director.
7.2 Integrity and confidentiality
All employees will protect and respect confidential business and personal information by:
• Not disclosing it inside or outside the company except as required by company policy.
• Taking all reasonable steps to secure and protect the information.
o Electronic records will be subject to limited access by authorised personnel in the performance of their duties, who must use passwords and other security measures.
o Printed records of personal data, when they are not under the control of authorised personnel, will be subject to physical protection such as locked rooms or cabinets accessible only to authorised personnel.
Personal information may be disclosed without knowledge or consent only in these circumstances:
• in the event of an emergency that threatens the life, health or security of an individual;
• to a lawyer representing the company;
• to collect a debt owed to the company by the individual;
• to a government institution that has indicated that disclosure is required on a matter relating to national security or the conduct of international affairs;
• the information is publicly available;
• if required by law.
7.3 Lawfulness, fairness and transparency
According to Article 6(1) of the GDPR, processing shall be lawful only if and to the extent that at least one of these applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
7.3.2 Fair collection
Whenever the company obtains or collects personal data from an individual, it must supply certain information to that individual in the form of a contract. This information must state:
• the identity of the data controller (usually the company);
• the identity of any representative of the data controller (i.e. any organisation which is processing data on our behalf);
• any third parties to whom the data will be passed or disclosed;
• sometimes an indication of the length of time for which data will be kept;
• the purpose(s) for which the data are intended to be processed;
• the legal basis for the processing;
• where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the company or by a third party.
This information should be provided whenever new data is collected from an individual or whenever personal data already held by the company is used for a new purpose.
Whenever personal data is collected by the company for a purpose not set out by or covered by an existing contract, an amendment or new contract will be issued to cover this new activity.
Consent is not applicable when a contract with the individual has been issued and signed by both parties, as the processing is at the request of the client. The DPA, its appendix, the contract and its Appendix formalise the personal data that will be processed by the Company and demonstrate compliance with The Data Protection Act 2018 and GDPR 2016.
Where a contract is not valid, and wherever practical, the company should obtain consent for the processing of personal data (which will be given by a responsible client official for certain activities such as payroll processing), although relying solely on consent is often unwise: consent can be withdrawn by the data subject at any time.
Consent requires a positive opt-in and should be unambiguous and explicit. Pre-ticked boxes, opt out clauses or any other method of default consent must not be used.
Explicit consent requires a very clear and specific written statement of consent and evidence of consent must be retained.
Consent requests must be kept separate from other terms and conditions and must not be a precondition of a service.
Any third-party controllers who will rely on the consent must be specified.
Data subjects must be notified that they can withdraw consent and how they can do so.
If a data subject withdraws consent for the use of personal information, the privacy champion will take all necessary steps to cease the company’s use of the information within 28 days.
Personal information may be collected without knowledge or consent only in these circumstances:
• the collection is in the interest of the individual and consent cannot be obtained in a timely manner;
• in the event of an emergency that threatens the life, health or security of an individual;
• if there are reasonable grounds to believe that the information could be useful to investigate the contravention of a law;
• the collection of the information with the individual’s knowledge or consent would compromise the availability or accuracy of the information and the collection is required to investigate the contravention of a law;
• the information is publicly available.
7.4 Purpose limitation
All data subjects from whom personal data is obtained will be informed of the purpose(s) that data is to be processed for. This information will form part of the contract that will be issued to clients when personal data is collected from them/their employees.
All data will only be processed for the purpose that it was originally collected for and which the data subjects have been informed of.
7.5 Data minimisation
The company will collect only the data it needs, and enough of it, to fulfil the specific stated purpose(s); it will not collect unnecessary data.
All mechanisms used for data collection (e.g. paper or online forms) will be reviewed on a regular basis to ensure that this principle is adhered to. Any unnecessary data field(s) will be discontinued.
Data will only be held relating to data subjects who are still relevant to the original purpose that the data was collected for. However, data cannot be deleted on an individual basis where it may corrupt a wider data set such as payroll output data.
The company has a duty to ensure that data is accurate when it is collected, even if an external party is used to provide or collect the data.
When data is collected from a data subject, a mechanism will be provided whereby that data subject may provide amendments to the data to keep it accurate and up to date.
Where appropriate, regular (perhaps annual) requests for data to be verified and updated may be sent to data subjects. Data that is most likely to be inaccurate or outdated should be identified and checked as a priority.
Where a data subject informs the company that a piece of personal data held about them is inaccurate, but the company disagrees, a note should be kept with the data recording this.
Staff will ensure that the source of all personal data is known and recorded.
Personal data must be disposed of / erased in line with the company’s retention schedule.
7.7 Storage limitation
The company must only keep personal data for the length of time necessary for the purpose(s) it was collected for, destroying the information when it is no longer required.
The company will maintain a retention schedule to record the periods personal data is to be kept for and what should happen to it once that period has been reached. Personal data not covered by the retention schedule must also have retention policies assigned to it but should normally be destroyed two years after it is no longer required. The company’s Record Management Policy provides internal guidance.
7.8 Transfers of personal data to third countries or international organisations
Personal data may be transferred without restriction to EEA countries. These are: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, The Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden. Transfers to these countries still need to be consistent with the other data protection principles.
Personal data may also be transferred to other countries that the European Commission has decided provide an adequate level of protection for personal data. These are: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework).
Personal data may not be transferred to any country not on either of the above two lists unless exemptions exist, or appropriate safeguards have been put in place and enforceable data subject rights and effective legal remedies for data subjects are available.
7.8.1 Exemptions & safeguards
Several exemptions to the personal data export ban exist. Those most likely to be engaged by the company are:
• The data subject has given their consent to the transfer.
• The transfer is necessary:
a) for the performance of a contract between the data subject and the company; or
b) for the taking of steps at the request of the data subject with a view to his entering into a contract with the company.
• The transfer is necessary:
a) for the conclusion of a contract between the company and a person other than the data subject that:
i. is entered into at the request of the data subject, or
ii. is in the interests of the data subject; or
b) for the performance of such a contract.
• The transfer is necessary for reasons of substantial public interest.
• The transfer is necessary in connection with any legal proceedings.
• The transfer is necessary to protect the vital interests of any data subject.
Consent is by far the simplest of these exemptions to use, and wherever possible should be sought if an overseas data transfer is contemplated. Even if other exemptions apply, consent should also be sought.
All the other exemptions are to some extent conditional and subject to caveats. Advice should be sought from the privacy officer if it is necessary to engage one of the exemptions or to rely on appropriate safeguards being in place.
7.8.2 Contractual Clauses
If a country does not have adequate safeguards in place it is possible to attempt to contract them into any data transfer agreement. This involves inserting clauses into the data transfer agreement that attempt to ensure that the receiving organisation treats the data as if it were subject to the GDPR. The Information Commissioner’s Office publishes a set of model clauses to this end. If you wish to attempt to use a data transfer or data sharing agreement for this purpose you should contact the privacy officer for advice.
7.9 Data Breaches
Internal guidance will be adhered to when reporting a personal data breach, ensuring a standardised approach is implemented throughout the company. The DPO will manage this process and provide feedback to the Managing Director regarding all data breaches.
7.10 Review and update
This policy will be reviewed and updated annually or more frequently, if necessary, to ensure that any changes to the company’s business practices/business plan or legislation are accurately reflected.