Data Protection Policy

Last updated: 15 October 2024

This Policy contains the data protection policy of KODEHORT LIMITED (the Employer).

The Employer reserves the right to amend, replace or remove the contents of this policy from time to time, in its absolute discretion. Any amendments or revisions will be notified to staff by email and subsequently incorporated into future editions.

Staff members are required to familiarise themselves with the contents of this policy and comply with it at all times.

The Employer is committed to complying with its data protection obligations under the Data Protection Act 2018 (the DPA 2018), the General Data Protection Regulation 2016/679 (the GDPR) and any other applicable UK legislation (together, Data Protection Law).

This policy provides a framework for appropriate use of personal data (ie any information which relates to an identifiable individual such as his name or address). For information on how the Employer deals with staff members’ personal data, please see the staff privacy notice.

All staff members (including employees, casual workers, officers and agency workers) must comply with this policy. Any breach of this policy will be taken extremely seriously and, in the case of employees, may lead to disciplinary action up to and including dismissal.

Alistair Stead will be the person responsible for the Employer’s data protection compliance. If any staff member has any concerns regarding this policy, they should raise these with Alistair Stead.

The Employer will provide training to all staff about data protection on induction and as required thereafter. Staff with responsibility for personal data or whose work involves dealing with personal data on a regular basis will be required to complete additional training. Managers must ensure that they and their staff have completed any required data protection training courses.

To comply with data protection law, all staff must act in accordance with the following principles when handling personal data:

  1. all personal data must be processed lawfully, fairly and in a transparent way;
  2. personal data must be collected for specified, explicit and legitimate purposes, and any further processing must be compatible with the original purposes for which the data was collected;
  3. all personal data must be adequate, relevant and limited to what is necessary to achieve the purpose for which it is processed;
  4. all personal data must be accurate and kept up to date where necessary, and all reasonable steps must be taken to correct or erase inaccurate data promptly;
  5. personal data must not be kept in a form which identifies individuals for any longer than is necessary for the purposes of processing; and
  6. personal data must be processed securely and in a way that protects against unauthorised or unlawful processing, accidental loss, destruction or damage.

Processing personal data includes collecting, using, accessing, organising, disclosing, holding or destroying personal data.

Staff with access to and responsibility for others’ personal data:

  1. must adhere to the data protection principles listed above;
  2. must keep personal data secure at all times and comply with the Employer’s IT, Communications and Social media policy, including the provisions for data security;
  3. must not access personal data without proper authorisation;
  4. must not use personal data for unauthorised purposes;
  5. must exercise proper caution before sharing personal data both within and outside the Employer, including by email or via the internet;
  6. must not send others’ personal data to their own personal email account or store it on any personal devices;
  7. must attend and complete any required data protection training;
  8. must ensure that personal data is not kept for longer than the retention periods specified in the Employer’s privacy notices;
  9. must destroy personal data permanently and securely where it is to be deleted;
  10. must report any loss of personal data or personal data breach to the Employer as soon as possible; and
  11. must inform the Employer if they acquire any personal data in error.

Sensitive personal data

From time to time, the Employer may process sensitive personal data about an individual. Sensitive personal data is data that is particularly sensitive in terms of the impact it could have on the rights and freedoms of individuals, including personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric and health data, or data concerning a person’s sex life or sexual orientation. Such data should typically only be processed with the explicit consent of the individual concerned unless a legal exemption applies. Staff who propose to process any sensitive personal data must notify Alistair Stead in order to assess on what basis the data may be processed and to determine whether a DPIA should be carried out.

Processing of sensitive personal data must be carried out in accordance with the requirements of this policy at all times.

Data subject requests

Data subjects have various rights in respect of any personal data the Employer controls the storage or use of. These include:

  1. a general right to request a copy of any personal data the Employer holds about them, by submitting a Subject Access Request (SAR) to the Employer;
  2. a right to request to transfer or port their personal data (eg to another company);
  3. a right to request that any inaccurate data held about them is corrected;
  4. a right to request that any personal data held about them is deleted; and
  5. the right to withdraw their consent to the Employer’s use of their personal data.

The Employer is under strict legal obligations in relation to some types of requests. Therefore, any staff member who receives a data subject request (eg from one of the Employer’s clients, customers, staff, contractors or other relevant person) should immediately pass it to the person responsible for data protection compliance.

Personal data breaches

Staff must immediately report any actual or suspected personal data breaches to the person responsible for data protection compliance so that they can be investigated promptly. The Employer is required to notify the Information Commissioner about any sufficiently serious data breaches within 72 hours of discovery, so it is vital that all staff are vigilant and quick to report any suspected breach.

Data protection impact assessments (DPIA)

Where a proposed data processing activity would result in a high risk to the rights and freedoms of individuals, the Employer must carry out a DPIA. For example, a DPIA may be required if the Employer intends to share personal data with another business, introduces a new IT system or wishes to use personal data on file for a new process. Staff should seek advice from the person responsible for data protection compliance as to whether a DPIA is required in any particular circumstances.