Exel Contracts Ltd take the privacy of all our staff and customers seriously. We will only use personal information to administer customer accounts and to provide the products and services our customers have requested directly from us.
Furthermore, we will never knowingly pass on personnel information unless written permission has been provided by the employee.
GDPR sets out seven key principles, all of which Exel Contracts fully support:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Storage limitation.
- Integrity and confidentiality (security)
Exel Contracts Ltd Policy Statement:
- We will comply with both the law and good practice
- We will comply with the Data Protection Act of 2018
- We will respect individuals’ rights and adhere to any policy put into operation
- We will be open and honest with data held
- We will provide training and support for staff who handle personal data, so they can act confidently and consistently.
- We will notify the Information Commissioner voluntarily should the need arise.
- We will ensure that all computer databases are protected adequately and that sensitive information will be encrypted.
- We will ensure that sensitive data that has to be sent to another party is sent in an encrypted format (for example, should a sub-contractor require contact details or floor plans).
- Where remote access is authorised, this will only be when the security can be managed.
- We will ensure that all staff are fully aware that the use of external devices in the hard drives of our computers is monitored, with a strict policy that no one has permission to use any device that can copy, add or remove data without the prior written authority of the Director.
- We will ensure that the router and server have an adequate and up-to-date hardware firewall built in.
- We will ensure that all mobile phones, tablets and emails are password protected (when any member of staff leaves Exel Contracts Ltd, all new passwords and settings will be implemented).
- We will ensure that any personal information such as contact mobile numbers, addresses (if not in the public domain), plans and drawings of floor plans and email addresses are sent in an encrypted format. Encrypted codes will be sent under separate cover.
- Any handwritten notes bearing personal information will be shredded.
- All paper files will be retained as per the legal period of 6/7 years. These will be stored securely in alarmed premises and inside a locked secure cabinet. At the end of the 6/7 years all files will be shredded in a secure manner and a certificate of proof for shredding will be obtained.
We have identified two main risk areas:
- Information about data getting into the wrong hands, through poor security or inappropriate disclosure of information.
- Individuals being harmed through data being inaccurate or insufficient.
Exel Contracts has appointed a Data Protection Officer (DPO) and their responsibilities include:
- Briefing the Board on Data Protection responsibilities
- Reviewing Data Protection and related policies
- Advising other staff on complex Data Protection issues
- Ensuring that Data Protection induction and training takes place
- Notification to the ICO
- Handling subject access requests
- Approving unusual or controversial disclosures of personal data
- Approving contracts with Data Processors
This policy will form part of an ongoing review and will be updated when required.
The designated DPO is Danniella Wiltshire
Date Reviewed: 08th October 2021
Next review due: 08th October 2022