DATA PROTECTION POLICY
Stein Electrical & Mechanical Solutions Ltd is routinely required to gather and retain information from individuals and a variety of suppliers, business contacts, employees and others. This policy describes how this personal data must be collected, handled, and stored to meet the company’s data protection standards and to comply with the law.
This policy ensures that Stein:
- Complies with Data Protection law
- Protects the rights of staff and all stakeholders
- Is open about how it stores and processes data
- Protects itself from risks of data breach
Data protection law
The Data Protection Act 2018 describes how organisations must collect, handle and store personal information. These rules apply whether data is stored electronically or in ‘hard’ fashion. To comply with the law, personal information must be collected and used fairly, stored safely, and not disclosed unlawfully. The 8 principles of the act are as follows;
-
- Data must be processed fairly and lawfully.
- Be obtained only for specific, lawful purposes.
- Be adequate, relevant, and not excessive.
- Be accurate and kept up to date.
- Not be held for any longer than necessary.
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways.
-
- Not be transferred outside the European Economic Area unless that country or territoryalso ensures an adequate level of protection.
-
ScopeThis policy applies to all staff employed by Stein and all people working on behalf of Stein. It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 2018. This can include the names, postal addresses, email addresses, telephone numbers or any other information relating to individuals.
Responsibilities
Everyone who works for Stein has some responsibility for ensuring data is collected, stored and handled properly. The Directors are ultimately responsible for ensuring that Stein meets its legal obligations, continually leading the review of procedures and related policies in line with an agreed schedule.
General Guidelines
- The only people able to access data covered by this policy should be those who need it for their work
- Data should never be shared informally when access to confidential information is required, employees can request it from their line managers
- Employees should keep all data secure by taking sensible precautions.
- Personal data should not be disclosed to unauthorised people, either within the companyor externally.
- Data should be regularly reviewed and updated if found to be out of date. If no longerrequired, it should be deleted and disposed of.
Data Storage
-
- These rules describe how and where data should be safely stored.
- When data is stored on paper, it should be kept in a secure place where unauthorized people cannot see it. These guidelines also apply to data that is stored electronically but has been printed out.
- When not required, the paper files should be kept in a locked facility, such as a filing cabinet or drawer.
- Employees should make sure that paper print outs are not left where unauthorized people could see them
- Data printouts should be shredded and disposed of securely when no longer required.
- When data is stored electronically, it must be protected from unauthorised access usingstrong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media, such as CD or DVD, these should be kept lockedaway securely when not being used.
- Data should only be stored on designated drives and servers and should only be uploaded to approved cloud computing services.
- Servers containing personal data will be sited in a secure location.
- Data shall be backed up frequently. These backups should be tested regularly.
- Data should never be saved directly to laptops or other mobile devices such as tablets or smartphones.
- All servers and computers containing data should be protected by approved securitysoftware and a firewall.
Data Accuracy
The law requires Stein to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of all employees who work with data to take reasonable steps to ensure it is accurate and up to date. Data will be retained in as few places as possible, staff should not create any unnecessary additional data sets.
Access Requests
- All individuals who are the subject of personal data held by Stein are entitled to:
- Ask what information the company holds about them and for what purpose
- Ask how to access the information the company holds on them
- Be informed how to keep it up to date
- Be informed how the company is meeting its data protection obligations
- Disclosing data for other reasons
- In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without consent of the data subject.
- Under these circumstances, Stein will disclose requested data. However, Billy Stein, Managing Director, will seek advice from the company’s legal advisors where necessary
- This policy is publicly available by contacting us at [email protected]
Approved By: Billy Stein, Managing Director