TRADEDORK LTD
DATA PROTECTION POLICY
This Data Protection Policy (the Policy) sets out how Tradedork Ltd (“we”, “us” and “our”) handles personal data.
If at any time you have any queries on this Policy, your responsibilities or any aspect of data protection law, contact Chris Smith, our Data Compliance Manager at Tradedork.
1. Introduction
- The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) (together data protection laws) apply to the processing of personal data.
- The data protection laws require that personal data is processed in accordance with certain principles (see paragraph 2) and give individuals rights to access, correct and control how we use their personal data (see paragraph 6).
- Data protection law in the UK is enforced by the Information Commissioner’s Office (ICO), which is the regulator for data protection in the UK.
- In summary, the data protection laws require us to:
4.1 only process personal data for certain purposes;
4.2 process personal data in accordance with the six principles of “good information handling” (see paragraph 2);
4.3 provide certain information to those individuals about whom we process personal data which is usually provided in a privacy notice - for instance you will have received one of these from us as one of our staff and one will be available on our platform for our users;
4.4 respect the rights of those individuals about whom we process personal data (including providing them with access to the personal data we hold on them); and
4.5 keep adequate records of how data is processed and, where necessary, notify the regulator and possibly affected individual(s) where there has been a data breach.
- Every member of our staff has an important role to play in achieving these aims. It is your responsibility, therefore, to familiarise yourself with this Policy.
2. What are the Data Protection Principles?
Data protection laws set out six principles for maintaining and protecting personal data, which form the basis of the legislation. All personal data must be:
- processed lawfully, fairly and in a transparent manner and only if certain specified conditions are met (“lawfulness, fairness and transparency”);
- collected for specific, explicit and legitimate purposes, and not processed in any way incompatible with those purposes (“purpose limitation”);
- adequate and relevant, and limited to what is necessary to the purposes for which it is processed (“data minimisation”);
- accurate and where necessary kept up to date (“accuracy”);
- kept for no longer than is necessary for the purpose (“storage limitation”); and
- processed in a manner that ensures appropriate security of the personal data using appropriate technical and organisational measures (“integrity and security”).
3. What type of information might constitute personal data?
- Personal data is data relating to an individual. Data will relate to an individual, and therefore be their personal data, if it:
1.1 identifies the individual (for instance, names, addresses, telephone numbers and email addresses);
1.2 has content that is about the individual personally (for instance, medical records or user profile history (e.g. preferences));
1.3 relates to property of the individual;
1.4 could be processed to learn, record or decide something about the individual (for instance, if you are able to link the data to the individual to tell you something about them, this will relate to the individual (e.g. salary details for a post where there is only one named individual in that post));
1.5 affects the individual’s privacy, whether in their personal, family, organisation or professional capacity (for instance, work location and work email addresses can be personal data);
1.6 is an expression of opinion about the individual; or
1.7 is an indication of our (or any other person’s) intentions towards the individual (for instance, how a complaint received from a member of staff or a user of our platform will be dealt with).
- Information about companies or other legal persons who are not living individuals is not personal data. However, information about directors, shareholders, officers and employees, and about sole traders or partners, is often personal data, so business related information can often be personal data.
- Special category data under the data protection laws is personal data relating to an individual’s race, political opinions, health, religious or other beliefs, trade union records, sex life, biometric data and genetic data. In addition, criminal conviction and offence data is in a special category, which is in many ways treated the same as special category data. Previously these types of personal data were referred to as sensitive personal data and some people may continue to use this term.
4. How do we process personal data?
- We process personal data every day for any number of purposes and in any number of ways. Virtually anything we do with personal data is considered to be “processing” of that personal data, including collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction. So even just storage of personal data is a form of processing. We might process personal data using computers or manually by keeping paper records.
- Examples of processing personal data might include using personal data to correspond with users of our platform or holding personal data in our online storage systems or databases or in hard copy documents.
5. In what circumstances are we entitled to process personal data?
- For personal data to be processed lawfully, we must be processing it on one of the legal grounds set out in the data protection laws.
- For the processing of ordinary personal data in our organisation these may include, among other things:
2.1 the relevant individual has given their consent to the processing;
2.2 the processing is necessary for the performance of a contract with the relevant individual;
2.3 the processing is necessary for the compliance with a legal obligation to which we are subject; or
2.4 the processing is necessary to achieve our (or someone else’s) legitimate interests.
- To lawfully process special categories of personal data, certain other conditions must be met. We would normally only expect to process special category personal data or criminal conviction and offence data in an employment context, and therefore the conditions which we would ordinarily rely on may include, among other things:
3.1 in relation to special categories of personal data:
3.1.1 where the individual has given their explicit consent to the processing;
3.1.2 where the processing is necessary for the performance of our obligations under employment law;
3.1.3 where the processing is necessary to protect the vital interests of the relevant individual. The ICO has previously indicated that this condition is unlikely to be met other than in a life or death or other extreme situation;
3.1.4 where the processing is necessary for equal opportunities monitoring; or
3.1.5 where the processing is necessary for the purpose of preventative or occupational medicine or for the assessment of the working capacity of the employee; and
3.2 in relation to criminal conviction and offence data, where the individual has given their explicit consent to the processing.
6. What rights do individuals have in respect of their personal data?
- Individuals have certain rights under data protection laws (Rights). These are:
1.1 the right of access (also known as a “data subject access request”);
1.2 the right to rectification;
1.3 the right to erasure (also known as the “right to be forgotten”);
1.4 the right to restrict processing;
1.5 the right to data portability;
1.6 the right to object; and
1.7 rights in relation to automated decision making and profiling.
- The exercise of these Rights may be made in writing, including email, and also verbally and should be responded to in writing without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We must inform the individual of any such extension within one month of receipt of the request, together with the reasons for the delay.
- If you receive a verbal request in relation to a Right, or believe you have received a verbal request for the exercise of a Right, you should pass the call or person to our Data Compliance Manager. Our Data Compliance Manager will make a written record of all relevant details and explain the procedure. If possible, try to get the request confirmed in writing. If it is not possible to transfer the individual over, then make a written record of the request and the contact details for the individual making the request. If a letter or email exercising a Right is received by you, then you should pass the letter or email to our Data Compliance Manager, who will then respond to the individual on our behalf.
- Our Data Compliance Manager will co-ordinate the response. The action taken will depend upon the nature of the request and the Right. Our Data Compliance Manager will write to the individual and explain the legal situation and whether we will comply with the request.
- We may ask for additional information to confirm the identity of the individual making the request and we may also request that the scope of the request is narrowed in order to ease the searches to be undertaken (but the individual does not have to agree to such a request from us). Where requests are manifestly unfounded or excessive or they are repetitive, we may charge a reasonable fee considering the administrative costs of providing the information (and the amount can be subject to limits) or refuse to respond. Where we refuse to respond to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
- If we receive the request from a third party (for instance, a legal advisor), we must take steps to verify that the request was, in fact, instigated by the individual and that the third party is properly authorised to make the request. This will usually mean contacting the relevant individual directly to verify that the third party is properly authorised to make the request.
- If an individual disagrees that we have properly complied with a Right, or we fail to respond, they may apply to a court for an order or complain to the ICO, in each case requiring us to properly perform the Right. If the court or the ICO agrees with the individual, it can order us to properly carry out the Right, specify what steps are needed to do this, and order us to notify third parties to whom we have passed the data of the Right. A court can also award compensation to the individual for any damage they have suffered as a result of our non-compliance. The ICO can also impose a civil fine upon us. These fines can be very substantial.
7. Can we transfer personal data outside the UK?
- Personal data must not be transferred outside the UK unless the destination country ensures an adequate level of protection for the rights of the individuals in relation to the processing of personal data or we put in place adequate protections. These protections may come from special contracts we need to put in place with the recipient of the personal data, from them agreeing to be bound by specific data protection rules, or due to the fact that the recipient’s own country’s laws provide sufficient protection.
- You must not under any circumstances transfer any personal data outside of the UK without our Data Compliance Manager’s prior written consent. We will also need to inform affected individuals of any transfer of their personal data outside of the UK and may need to amend our privacy notice to take account of the transfer of data outside of the UK.
- If you are involved in any new processing of personal data which may involve transfer of personal data outside of the UK, then please seek approval of our Data Compliance Manager prior to implementing any processing of personal data which may have this effect.
8. What are the implications of a breach of this Policy?
- Any breaches of this Policy will be viewed very seriously. All personnel must read this Policy carefully and make sure they are familiar with it. Breaching this Policy is a disciplinary offence and will be dealt with under our disciplinary and capability procedure.
- If you do not comply with data protection laws and/or this Policy, then you are encouraged to report this fact immediately to our Data Compliance Manager. This self-reporting will be taken into account in assessing how to deal with any breach, including any non-compliances which may pre-date this Policy coming into force.
- Also if you are aware of or believe that any other representative of ours is not complying with data protection laws and/or this Policy you should report it in confidence to our Data Compliance Manager. Our whistleblowing policy will apply in these circumstances and you may choose to report any non-compliance or breach through our confidential whistleblowing reporting facility.
- There are a number of serious consequences for both yourself and us if we do not comply with data protection laws. These include:
4.1 For you:
4.1.1 Disciplinary action or dismissal
4.1.2 Criminal sanctions for serious breaches
4.1.3 Investigations and interviews
4.2 For our company:
4.2.1 Criminal sanctions
4.2.2 Civil Fines of up to £17.5 million or 4% of worldwide turnover, whichever is higher.
4.2.3 Assessments, investigations and enforcement action by the ICO
4.2.4 Court orders
4.2.5 Claims for compensation from individuals
4.2.6 Bad publicity and loss of business
4.2.7 Drain on management time and resources
9. What practical steps can I take to ensure compliance?
Whilst you should always apply a common sense approach to how you use and safeguard personal data, and treat personal data with care and respect, set out below are some examples of dos and don’ts:
- Do not take personal data out of our premises (unless absolutely necessary).
- Only disclose your unique logins and passwords for any of our IT systems to authorised personnel (e.g. IT) and not to anyone else.
- Never leave any items containing personal data unattended in a public place (e.g. on a train or in a café) or in insecure locations (e.g. in your car overnight). This includes paper files, mobile phones, laptops, tablets, memory sticks etc.
- Encrypt laptops, mobile devices and removable storage devices containing personal data, and lock them and keep them out of sight when not in use.
- Password protect documents and databases containing more sensitive personal data.
- Use confidential waste disposal for any papers containing personal data, do not place these into the ordinary waste, a bin or skip etc unless they have been shredded beforehand.
- When in a public place, e.g. a train or café, or even in the office, be careful as to who might be able to see the information on the screen of any device you are using when you have personal information on display, and if necessary move location or change to a different task. In addition, when speaking on the phone in a public place, or even in the office, take care not to use the full names of individuals or other identifying information, as you do not know who may overhear the conversation. Instead use initials or just first names to preserve confidentiality.
- Never act on instructions from someone unless you are absolutely sure of their identity, and if you are unsure then take steps to determine their identity. This is particularly so where the instructions relate to information which may be sensitive or damaging if it got into the hands of a third party or where the instructions involve money, valuable goods or items or cannot easily be reversed.
- Do not transfer personal data to any third party without prior written consent of a senior member of the business.
- Notify our Data Compliance Manager immediately of any suspected security breaches or loss of personal data (including loss of devices or materials containing personal data).
ANNEX 1 TO DATA PROTECTION POLICY
DATA BREACHES
1. Data breaches
- A data breach includes any loss of data owned or used by us, whether a third party obtains access to the data or not. So for example this will include:
1.1 loss of a computer, laptop, mobile telephone or removable storage media, loss of physical paper files or non-secure destruction of our data;
1.2 loss of our data stored on a computer or server due to corruption of the hard drive or hacking of or an attack (e.g. ransomware, malware, virus) on our (or our third parties’) computer network and systems;
1.3 sending an email or post to the wrong person which contains our data, or sending an email to a group of recipients using the “to” field when their email addresses should not have been disclosed to the other recipients;
1.4 allowing someone to overhear a telephone conversation when identifying details are disclosed; or
1.5 data being disclosed or revealed to someone who is not entitled to see or know that data.
- The above is not an exhaustive list, and data breaches can take many forms. We require reporting of data breaches, whether or not the data relates to an individual, so any type of data breach should be reported to us.
2. What must you do?
- As soon as you become aware of any data breach which involves our data you must IMMEDIATELY notify our Data Compliance Manager. You must also make sure that receipt of the notification is acknowledged; this is to guard against the recipient being out of the office or on holiday. If you do not get an acknowledgement within 2 hours, then immediately let Imran Ahmed, Director, know about the data breach. It is your job to ensure that the data breach is notified and that the notification is received. Do not just send an email or leave a voicemail and forget about it.
- You will need to supply details and background regarding the data breach including details of the type of data lost, the amount of data lost, who it relates to, how it was lost and the identity of any third party who has acquired the data (if known). You must also provide any other information which may be requested by us, and in some cases we may need you to complete a form detailing the data breach with as much information as you have available. Even if you do not have all this information available straight away, then do not delay in making notification of the data breach to us. Time is critical.
- The notification requirement applies whether or not you were involved in or the cause of the data breach. If you are aware of a data breach then you must notify it to us regardless of its cause. We will treat all notifications which are about a colleague or another worker in confidence in accordance with our whistleblowing policy.
4. What are the consequences if you fail to notify?
- Even if you are at fault in causing or contributing to a data breach, for example through human error, we would prefer to know about it, so notify it in accordance with this Policy. The fact that you have reported it will work in your favour, and it is a fact of life that data breaches sometimes occur.
- However if you are aware of a data breach in relation to our data and you fail to notify that data breach in accordance with this Policy, then we will regard that as serious misconduct. This applies whether the data breach was caused or contributed to by you or if you are just aware of a data breach caused or contributed to by a colleague or third party or even just aware of a data breach where no-one was at fault.
5. Why must you notify?
- Under data protection law we are under a duty to inform the ICO of data breaches involving personal data which we control as soon as possible in cases where the data breach may result in harm to individuals. We have to inform the ICO as soon as possible and in any event within 72 hours of becoming aware of the data breach. This time period runs from when you become aware of the data breach, and not when you notify the data breach to us. Therefore the notification to us must be made immediately.
- Your notification will allow us to assess whether or not we need to notify the ICO regarding the data breach. If we fail to notify the ICO when we should then we can be subject to fines of up to 2% of group worldwide turnover or £8.7 million, whichever is the higher. These are very substantial risks and for this reason the failure to notify us of any data breach which you are aware of is treated as serious misconduct, and could result in dismissal or termination of a contract.
6. What happens once you have notified?
- Once you have notified a data breach, we will assess what needs to happen next. This may be that we must report the data breach to the ICO. We may also need to report the data breach to the individuals whose data is affected by the data breach.
- We may also need to take steps to try to mitigate the impact of the data breach, contain the data breach or reverse the data breach. These steps are easier to take if we know about the data breach as soon as possible and without any delays.
- We may also need to change our systems, procedures and protections to prevent or reduce the risk of such a data breach occurring in the future. There is almost always something to be learnt from a data breach.
- Whatever happens we will record the data breach on our data breach register, which may help us to spot patterns or areas of particular risk over time so that we can take steps to prevent or reduce the risk of repeat data breaches.
ANNEX 2 TO DATA PROTECTION POLICY
APPROPRIATE POLICY DOCUMENT
1. Introduction
This document sets out how we will protect special category data and criminal conviction and offence data and meets the requirement of the Data Protection Act 2018 that an appropriate policy document be in place where such personal data is processed in certain circumstances.
2. Why we process special category data and criminal conviction and offence data
- We process special category data for the following purposes:
1.1 assessing an employee’s fitness to work;
1.2 complying with health and safety obligations;
1.3 complying with the Equality Act 2010;
1.4 checking applicants’ and employees’ right to work in the UK; and
1.5 verifying that candidates are suitable for employment or continued employment.
- We process criminal conviction and offence data for the following purposes:
2.1 verifying that candidates are suitable for employment or continued employment; and
2.2 ensuring staff are permitted to drive company vehicles and arranging insurance for the driving of such vehicles.
3. Compliance with data protection principles
- Lawfulness, fairness and transparency
1.1 We will only process personal data fairly and lawfully and for specified purposes. Data protection law restricts our actions regarding personal data to specified lawful purposes. We can process special category data and criminal conviction and offence data only if we have a legal ground for processing and one of the specific processing conditions relating to special category data or criminal conviction and offence data applies. We will identify and document the legal ground and specific processing condition relied on for each processing activity.
1.2 When collecting special category data and criminal conviction and offence data from data subjects, either directly from data subjects or indirectly (for example from a third party), we will provide data subjects with a privacy notice setting out all the information required by data protection law, in a privacy notice which is concise, transparent, intelligible, easily accessible and in clear plain language which can be easily understood.
The table below sets out the lawful bases and the specific processing conditions we rely on for workers, contractors and employees:
| Category of data | Lawful basis for processing (Article 6 UK GDPR) | Condition for processing special category or criminal conviction and offence data |
| Data concerning health | Consent (Article 6(1)(a) UK GDPR). Compliance with a legal obligation (Article 6(1)(c) UK GDPR). Necessary for the performance of a contract with the data subject (Article 6(1)(b) UK GDPR). In the organisation’s legitimate interests which are not outweighed by the fundamental rights and freedoms of the data subject (Article 6(1)(f) UK GDPR). | The data subject has given explicit consent to the processing (Article 9(2)(a) UK GDPR). Necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law (Article 9(2)(b) UK GDPR and Paragraph 1, Schedule 1, DPA 2018). Necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (Article 9(2)(c) UK GDPR). Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, provided such data is processed by or under the responsibility of a professional or another person subject to a legal obligation of professional secrecy under domestic law or rules established by a national competent body (Article 9(2)(h) UK GDPR and Paragraph 2, Schedule 1, DPA 2018). |
| Racial or ethnic origin data | Consent (Article 6(1)(a)). Compliance with a legal obligation (Article 6(1)(c)). In the organisation’s legitimate interests which are not outweighed by the fundamental rights and freedoms of the data subject (Article 6(1)(f)). | The data subject has given explicit consent to the processing (Article 9(2)(a) UK GDPR). Necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law (Article 9(2)(b) UK GDPR and Paragraph 1, Schedule 1, DPA 2018). Necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained (Article 9(2)(g) UK GDPR and Paragraph 8, Schedule 1, DPA 2018). Carried out as part of a process of identifying suitable individuals to hold senior positions in a particular organisation, a type of organisation or organisations generally, or necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation or organisations, and in both cases can reasonably be carried out without the consent of the data subject (Article 9(2)(g) UK GDPR and Paragraph 9, Schedule 1, DPA 2018). |
| Criminal conviction and offence data | Compliance with a legal obligation (Article 6(1)(c)). In the organisation’s legitimate interests which are not outweighed by the fundamental rights and freedoms of the data subject (Article 6(1)(f)). | Necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law (Article 9(2)(b) UK GDPR and Paragraph 1, Schedule 1, DPA 2018). Preventing or detecting unlawful acts (Article 10 UK GDPR and Paragraphs 10 and 36, Schedule 1, DPA 2018). Regulatory requirements relating to unlawful acts and dishonesty (Article 10 UK GDPR and Paragraphs 12 and 36, Schedule 1, DPA 2018). |
- Purpose limitation
We will only collect personal data for specified, explicit and legitimate purposes and will inform data subjects what those purposes are in a published privacy notice. We will not use personal data for new, different or incompatible purposes from those disclosed when it was first obtained unless we have informed the data subject of the new purposes and they have consented where necessary.
- Data minimisation
We will only collect or disclose the minimum personal data required for the purpose for which the data is collected or disclosed. We will ensure that we do not collect excessive data and that the personal data collected is adequate and relevant for the intended purposes.
- Accuracy
We will ensure that the personal data we hold and use is accurate, complete, kept up to date and relevant to the purpose for which it is collected by us. We check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We take all reasonable steps to destroy or amend inaccurate or out-of-date personal data.
- Storage limitation
5.1 We only keep personal data in an identifiable form for as long as is necessary for the purposes for which it was collected, or where we have a legal obligation to do so. Once we no longer need personal data it shall be deleted or rendered permanently anonymous.
5.2 We maintain a Data Retention Policy and related procedures to ensure personal data is deleted after a reasonable time has elapsed for the purposes for which it was being held, unless we are legally required to retain that data for longer.
5.3 We will ensure data subjects are informed of the period for which data is stored and how that period is determined in any applicable privacy notice.
- Security, integrity, confidentiality
We take the security of special category data and criminal conviction and offence data very seriously. We have appropriate administrative, physical and technical safeguards in place to protect personal data against unlawful or unauthorised processing, or accidental loss or damage.
- Accountability principle
7.1 We are responsible for, and must be able to demonstrate, compliance with the above principles. Our Data Compliance Manager is responsible for ensuring that we are compliant with the above principles.
7.2 We will:
7.2.1 ensure that records are kept of all personal data processing activities, and that these are provided to the ICO on request;
7.2.2 carry out a data protection impact assessment for any high-risk personal data processing to understand how processing may affect data subjects and consult the ICO if appropriate;
7.2.3 ensure that a Data Compliance Manager is appointed to provide independent advice and monitoring of personal data handling, and that the Data Compliance Manager has access to report to the highest management level; and
7.2.4 have internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law.
4. Policies on retention and erasure of personal data
- We will ensure, where special category data or criminal conviction and offence data are processed that:
1.1 the processing is recorded, and the record sets out, where possible, a suitable time period for the safe and permanent erasure of the different categories of data in accordance with our Data Retention Policy;
1.2 where we no longer require special category data or criminal conviction and offence data for the purpose for which it was collected, we will delete it or render it permanently anonymous as soon as possible; and
1.3 where records are destroyed we will ensure that they are safely and permanently disposed of.
- Data subjects receive a privacy notice setting out how their personal data will be handled when we first obtain their personal data, and this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
5. Review
- This appropriate policy document on processing special category data and criminal conviction and offence data is reviewed annually.
- This appropriate policy document will be retained where we process special category data and criminal conviction and offence data and for a period of at least six months after we stop carrying out such processing.
- A copy of this policy will be provided to the ICO on request and free of charge.