Acorn is committed to all aspects of data protection and takes seriously its duties, and the duties of its employees, under the General Data Protection Regulation (GDPR). This policy sets out how the organisation deals with personal data, including personnel files and data subject access requests, and employees' obligations in relation to personal data. This policy applies to the following companies:
- Acorn Engineering Group Limited
- Acorn Engineering Limited trading as Acorn Maintenance
- Acorn Integrated Systems (BMS Maintenance) Limited
The Managing Director is responsible for the implementation of this policy. If employees have any questions about data protection in general, this policy or their obligations under it, they should direct them to the HR department.
Data Protection Principles
GDPR describes how organisations — including Acorn — must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
GDPR builds on long-established data protection principles (the eight principles below are those of the UK Data Protection Act 1998; GDPR Article 5 restates them as seven principles and adds accountability). These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection or other appropriate safeguards for the transfer are in place
GDPR applies only to information that constitutes "personal data". Information is "personal data" if it:
- identifies a person, whether by itself or together with other information that is in the organisation's possession or is likely to come into its possession; and
- is about a living person and affects that person's privacy (whether in his/her personal or family life, business or professional capacity) in the sense that the information has the person as its focus or is otherwise biographical in nature.
Consequently, automated and computerised personal information about employees held by employers is covered by GDPR. Personal information stored physically (for example, on paper) and held in any "relevant filing system" is also covered. In addition, information recorded with the intention that it will be stored in a relevant filing system or held on computer is covered.
A "relevant filing system" means a well-structured manual system that amounts to more than a bundle of documents about each employee filed in date order, i.e. a system to guide a searcher to where specific information about a named employee can be located easily.
The Use of Personal Information
GDPR applies to personal information that is "processed". This includes obtaining personal information, retaining and using it, allowing it to be accessed, disclosing it and, finally, disposing of it.
The organisation may collect relevant sensitive personal information ("special category data" under GDPR) from employees for equal opportunities monitoring purposes. Where such information is collected, the organisation will anonymise it unless the purpose to which the information is put requires the full use of the individual's personal information. If the information is to be used, the organisation will inform employees on any monitoring questionnaire of the use to which the data will be put, the individuals or posts within the organisation who will have access to that information and the security measures that the organisation will put in place to prevent unauthorised access to it.
The organisation will ensure that personal information about an employee, including information in personnel files, is securely retained. The organisation will keep hard copies of information in a locked filing cabinet. Information stored electronically will be protected by access controls and passwords, and encryption will be used where necessary.
Where laptops are taken off site, employees must follow the organisation's relevant policies on the security of information and on the use of computers for working at home and bringing your own device to work.
Correction, Updating and Deletion of Data
If you become aware that the organisation holds any inaccurate, irrelevant or out-of-date information about you, you must notify the HR department immediately and provide any necessary corrections and/or updates to the information.
The organisation may monitor employees by various means including, but not limited to, recording employees' activities on CCTV, checking emails, listening to voicemails and monitoring telephone conversations. If this is the case, the organisation will inform the employee that monitoring is taking place, how data is being collected, how the data will be securely processed and the purpose for which the data will be used. The employee will usually be entitled to be given any data that has been collected about him/her. The organisation will not retain such data for any longer than is absolutely necessary.
In exceptional circumstances, the organisation may use monitoring covertly. This may be appropriate where there is, or could potentially be, damage caused to the organisation by the activity being monitored and where the information cannot be obtained effectively by any less intrusive means (for example, where an employee is suspected of stealing property belonging to the organisation). Covert monitoring will take place only with the approval of [name of individual/senior management/the data protection officer].
Employees' Obligations Regarding Personal Information
If an employee acquires any personal information in the course of his/her duties, he/she must ensure that:
- the information is accurate and up to date, insofar as it is practicable to do so;
- the use of the information is necessary for a relevant purpose and that it is not kept longer than necessary; and
- the information is secure.
In particular, an employee should ensure that he/she:
- uses encrypted, password-protected means for the transmission and receipt of emails containing personal information;
- sends fax transmissions to a direct fax where possible and with a secure cover sheet; and
- locks files containing personal information in a secure cabinet.
If an employee acquires any personal information in error by whatever means, he/she must inform the HR manager immediately and, if it is not necessary for him/her to retain that information, arrange for it to be handled by the appropriate individual within the organisation.
Consequences of Non-compliance
All employees are under an obligation to have regard to the data protection principles (see above) when accessing, using or disposing of personal information. Failure to observe the data protection principles within this policy may result in an employee incurring personal criminal liability. It may also result in disciplinary action up to and including dismissal. For example, if an employee accesses another employee's employment records without the requisite authority, the organisation will treat this as gross misconduct and instigate its disciplinary procedures. Such gross misconduct may also constitute a criminal offence.
Taking Employment Records Off Site
An employee must not take employment records off site (whether in electronic or paper format) without prior authorisation from the HR manager.
An employee may take only certain employment records off site. These are documents relating to a disciplinary or grievance meeting that cannot be held on site, meetings with occupational health, or specific monitoring purposes or the seeking of professional advice. An employee may also take employment records off site for any other valid reason approved by the HR manager. Any employee taking records off site must ensure that they do not leave their laptop, other device or any hard copies of employment records on the train, in the car or in any other public place. Employees must also take care when viewing the information, whether in hard copy or on screen, that it is not seen by anyone who is not legitimately privy to it.