Air Quality Plan Ltd takes the security and privacy of all personal data in its possession seriously, whether this belongs to employees, workers, job applicants, clients, customers or suppliers. In the course of our business, we need to gather and use information or ‘data’ to enable us to manage such relationships, or for legal requirements. We fully intend to comply with our legal obligations under the Data Protection Bill and the EU General Data Protection Regulation (‘GDPR’) and any other similar data protection legislation in respect of data privacy and security. We have a duty to notify you of the information contained in this policy.
The policy applies to current and former employees, workers, volunteers, apprentices and consultants. If you fall into one of these categories, then you are a ‘data subject’ for the purposes of this policy. You should read this policy alongside your Contract of Employment and any other notice that we may issue you with from time to time in relation to your data.
This policy explains how Air Quality Plan Limited will hold and process your information. It explains your rights as a data subject. It also explains your obligations when obtaining, handling, processing or storing personal data in the course of working for, or on behalf of, Air Quality Plan Limited. If you are in any doubt about what data you can or cannot disclose, you should seek advice from your line manager, or the HR department.
Air Quality Plan Limited is a ‘data controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data.
Air Quality Plan Limited has measures in place to protect the security of your data in accordance with this policy and will hold data in accordance with our Employee Records policy, copies of which can be obtained from the HR department. We will only hold data for as long as necessary for the purposes for which we collected it, or if there is a legal basis for holding it longer.
This policy does not form part of your Contract of Employment and can be amended by Air Quality Plan Limited at any time. It is intended that this policy is fully compliant with the Bill and the GDPR; however, if any conflict arises between those laws and this policy, Air Quality Plan Limited intends to comply with the Bill and the GDPR.
Personal data must be processed in accordance with six ‘Data Protection Principles.’ It must be:
We are accountable for these principles and must be able to show that we are compliant.
‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data.
This policy applies to all personal data whether it is stored electronically, on paper or on other materials.
Data will be stored in a range of different places, including an employee’s personnel file, in HR management systems and on other IT systems (including our email system).
This personal data might be provided to us by you, by someone else (such as a former employer, your doctor, or the Disclosure and Barring Service), or it could be created by us. It could be provided or created during the recruitment process, or during the course of your working relationship with Air Quality Plan Limited, or after its termination. It could be created by your line manager or other colleagues.
We will collect, process and use the following types of personal data about you:
Air Quality Plan Limited may also collect, process and store the following special categories of your personal data:
‘Special categories of personal data’ are types of personal data consisting of information including:
We may hold and use any of these special categories of your personal data in accordance with the law.
‘Processing’ means any operation which is performed on personal data such as:
This includes processing personal data which forms part of a filing system and any automated processing.
Air Quality Plan Limited will process your personal data (including special categories of personal data) in accordance with our obligations under the Bill and GDPR.
We need to process data to enter into an employment contract with you and to meet our obligations under your employment contract. For example, we need to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer benefits, such as a pension.
In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we are required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.
In other cases, we have a legitimate interest in processing personal data before, during and after the end of the employment relationship, providing that your interests or your fundamental rights do not override our interests.
We can process your personal data for these purposes without your knowledge or consent. We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.
If you choose not to provide us with certain personal data, you should be aware that we may not be able to carry out certain parts of the Contract of Employment between us. For example, if you do not provide us with your bank account details we may not be able to pay you. It might also stop us from complying with certain legal obligations and duties which we have, such as to pay the right amount of tax to HMRC or to make reasonable adjustments in relation to any disability you may suffer from.
We have to process your personal data in various situations during your recruitment, employment (or engagement) and even following termination of your employment (or engagement). For example:
We might process special categories of your personal data for the purposes above which have an asterisk beside them. In particular, we may use information in relation to:
We will only process special categories of your personal data in certain situations, such as information about health or medical conditions or information about criminal convictions, in accordance with the law.
We may also process these special categories of personal data where we have your explicit written consent, in which case, we will provide you with full details of the information that we would like and the reason for our request, so that you can consider whether you wish to consent or not.
We do not need your consent to process special categories of your personal data when we are processing it for the following purposes, which we may do:
The only automated decision making that we may use is during recruitment, where we may undergo psychometric testing. If this applies to you, you will be advised and your rights explained to you.
Your information may be shared internally, including with members of the recruitment team, your line manager, managers in the business area in which you work and IT staff if access to the data is necessary for performance of their roles.
Air Quality Plan Limited also shares your data with third parties, including third parties who process data on our behalf, such as previous employers (in order to obtain pre-employment references), payroll providers, benefits providers and/or administration, pension scheme providers and/or administration, occupational health providers, external auditors and organisations providing criminal record checks. We may also share your data with third parties that provide professional services such as specialist employment law guidance, or where it is necessary to administer the contract that we have entered into with you or where we need to comply with a legal obligation (e.g. detection and prevention of crime). We require those companies to keep your personal data confidential and secure and to protect it in accordance with the law and our policies. They are only permitted to process your data for the lawful purpose for which it has been shared and in accordance with our instructions.
We may also share your data with third parties in the context of a sale of some or all of our business, or in a TUPE situation. In those circumstances, the data will be subject to confidentiality arrangements.
We may also need to share your data with a regulator, or to otherwise comply with the law.
We will not transfer your personal data outside the European Economic Area unless there are adequate measures in place that ensure a level of protection equivalent to that afforded by the Bill and GDPR.
Everyone who works for, or on behalf of, Air Quality Plan Limited has some responsibility for ensuring data is collected, stored and handled appropriately, in line with this policy and the Company’s Data Protection and Data Retention policies.
Air Quality Plan Limited’s Managing Director is responsible for reviewing this policy and the Quality & Regulatory Affairs (Q&RA) department are responsible for updating the Board of Directors on Air Quality Plan Limited’s data protection responsibilities and any risks in relation to the processing of data. You should direct any questions in relation to this policy or data protection to them, or ask them if you need help or assistance. You should also inform them should you notice any areas of data protection or security that we can improve upon.
You should only access personal data covered by this policy if you need it for the work you do for, or on behalf of Air Quality Plan Limited and only if you are authorised to do so. You should only use the data for the specified lawful purpose for which it was obtained and you should keep it secure and not share it informally or with unauthorised people, and dispose of it securely when it is no longer required. You should ensure that you use strong passwords for any computer or other device, lock your screen when away from your desk and lock any drawers and filing cabinets when not in use. Please refer to our Clear Desk policy for further details.
Do not leave personal data lying about and do not save any personal data to your own personal computer or any other personal device or remove it from Air Quality Plan Limited’s premises without the authorisation of your line manager or the IT department.
You should regularly review and update personal data which you have to deal with for work. This includes telling us if your own contact details change.
Any deliberate or negligent breach of this policy by you may result in disciplinary action being taken against you in accordance with our disciplinary procedure. It is a criminal offence to conceal or destroy personal data which is part of a subject access request (see below). This conduct would also amount to gross misconduct under our Disciplinary Procedure, which could result in your dismissal.
We have robust measures in place to minimise and prevent data breaches from taking place, and have a data breach policy in place which will be followed should a breach of personal data occur (whether in respect of you or someone else).
If you are aware of a data breach, you should report it to the Managing Director within 4 hours of discovering the breach using the ‘Notification of a Personal Data Breach’ form appended to the Data Protection Breaches policy. Once completed, this form should be emailed to email@example.com. The Data Protection Officer will then investigate the breach. If the breach is likely to result in a risk to the rights and freedoms of individuals, then the company must also notify the Information Commissioner’s Office within 72 hours. Please refer to our Data Protection Breaches policy for further details.
Air Quality Plan Limited takes the security of your data seriously. We have internal policies and controls in place to ensure that your personal data is not lost, accidentally destroyed, misused or disclosed, and is limited to our employees or other third parties who have a need to know for the proper performance of their duties. We will use our data breach policy to deal with any suspected data security breach, and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
As a data subject, you have a number of rights. You can:
If you would like to exercise any of these rights, please email firstname.lastname@example.org who will deal with your request. Alternatively, you can write to Data Protection, Air Quality Plan Limited, Royal House, 3 Kingdom Close, Fareham, Hampshire, PO15 5TJ.
If you believe that Air Quality Plan Limited has not complied with your data protection rights, you can complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection.
Full contact details including a helpline number can be found on the Information Commissioner’s Office website (www.ico.org.uk).
In most situations we will not rely on your consent as a lawful ground to process your data. If we do however request your consent to the processing of your personal data for a specific purpose, you have the right not to consent or to withdraw your consent later. To withdraw your consent, you should contact email@example.com.
Any data subject can make a ‘subject access request’ (SAR) to find out the information we hold about them.
This request must be made in writing and emailed to firstname.lastname@example.org.
If you personally receive a SAR request from a data subject, you should forward it to email@example.com who will coordinate a response.
If it is unclear what information is being requested, we may ask the data subject to complete one of our Subject Access Request Forms. We may also request further information or any evidence relating to their identity, to ensure that the correct information is provided to the correct individual.
In all cases of SARs, we must respond within one month unless the request is complex or numerous, in which case the period in which we must respond can be extended by a further two months.
There is no fee for making a SAR. However, if your request is manifestly unfounded or excessive, we may charge a reasonable administrative fee or refuse to respond to your request.