Data protection policy
This policy is the property of Study Group UK Limited (“Study Group” or the “Company”) and applies to all UK-based employees and contractors of Study Group, its subsidiaries, and affiliate/group companies. The Company is committed to all aspects of data protection and takes seriously its duties, and the duties of its employees, under the Data Protection Act 1998 (the “DPA”). This policy sets out how the Company deals with personal data, including personnel files and data subject access requests, and employees' obligations in relation to personal data.
This policy has been reviewed and approved by the board of directors of Study Group UK Limited.
Data Protection Officer
The General Counsel is the Company's Data Protection Officer and is responsible for the implementation of this policy. If employees or contractors have any questions about data protection in general, this policy or their obligations under it, they should direct them to Gordon Bull, General Counsel, contactable via firstname.lastname@example.org.
Data Protection Principles
The DPA requires that eight data protection principles be followed in the handling of personal data (as defined below). These principles require that personal data must:
- be fairly and lawfully processed;
- be processed for limited purposes and not in any manner incompatible with those purposes;
- be adequate, relevant and not excessive;
- be accurate;
- not be kept longer than is necessary;
- be processed in accordance with individuals' rights;
- be secure; and
- not be transferred to countries without adequate protection.
The DPA applies only to information that constitutes "personal data". Information is "personal data" if it:
- identifies a person, whether by itself or together with other information that is in the organisation's possession or is likely to come into its possession; and
- is about a living person and affects that person's privacy (whether in his/her personal or family life, business or professional capacity) in the sense that the information has the person as its focus or is otherwise biographical in nature.
Consequently, automated and computerised personal information about employees held by employers is covered by the Act. Personal information stored physically (for example, on paper) and held in any "relevant filing system" is also covered. In addition, information recorded with the intention that it will be stored in a relevant filing system or held on computer is covered.
A "relevant filing system" means a well-structured manual system that amounts to more than a bundle of documents about each employee filed in date order, i.e. a system that guides a searcher to where specific information about a named employee can be located easily.
The use of personal information
The DPA applies to personal information that is "processed". This includes obtaining personal information, retaining and using it, allowing it to be accessed, disclosing it and, finally, disposing of it.
"Sensitive personal data"
"Sensitive personal data" is information about an individual's:
- racial or ethnic origin;
- political opinions;
- religious beliefs or other beliefs of a similar nature;
- trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
- physical or mental health or condition;
- sex life;
- commission or alleged commission of any criminal offence; and
- proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.
The Company will not retain sensitive personal data without the express consent of the employee in question.
The Company will process sensitive personal data, including sickness and injury records and references, in accordance with the eight data protection principles. If the Company enters into discussions about a merger or acquisition with a third party, the Company will seek to protect employees' data in accordance with the data protection principles.
An employee's personnel file is likely to contain information about their work history with the Company and may, for example, include information about any disciplinary or grievance procedures, warnings, absence records, appraisal or performance information and personal information about the employee including address details and national insurance number.
There may also be other information about the employee located within the organisation, for example in their Line Manager's inbox or desktop; with payroll; or within documents stored in a relevant filing system.
Documentation held in connection with applications to the Disclosure and Barring Service (“DBS”) or other statutory safeguarding requirements may also be held in an employee’s HR file, and will be treated in accordance with the code of practice issued by the DBS. For further information, please see https://www.gov.uk/disclosure-barring-service-check/overview.
The Company may collect relevant sensitive personal information from employees for equal opportunities monitoring purposes. Where such information is collected, the Company will anonymise it unless the purpose to which the information is put requires the full use of the individual's personal information. If the information is to be used in identifiable form, the Company will inform employees on any monitoring questionnaire of the use to which the data will be put, the individuals or posts within the Company who will have access to that information and the security measures that the Company will put in place to ensure that there is no unauthorised access to it.
The Company will ensure that personal information about an employee, including information in personnel files, is securely retained. The Company will keep hard copies of information in a locked filing cabinet or in a secure offsite storage facility. Information stored electronically will be subject to access controls and passwords, and encryption software will be used where necessary.
The Company provides training on data protection issues to all new employees who handle personal information in the course of their duties at work. The Company will continue to provide such employees with refresher training on a regular basis. Such employees are also required to have confidentiality clauses in their contracts of employment.
Where laptops are taken off site, employees must follow the organisation's relevant policies relating to the security of information and the use of computers for working at home/bringing their own device to work.
Data Subject Access Requests (“SARs”)
An employee has the right to access information kept about them by the organisation, including personnel files, sickness records, disciplinary or training records, appraisal or performance review notes, emails in which the employee is the focus of the email and documents that are about the employee.
The HR Operations Manager is responsible for dealing with SARs.
The Company will respond to any SAR within one month, unless the request is unusually complex, in which case we will respond to the data subject as soon as possible to explain any delay in complying with the SAR. SARs should be sent to email@example.com and marked for the attention of the HR Operations Manager.
The Company will allow the employee access to hard copies of any personal information. However, if this involves a disproportionate effort on the part of the organisation, the employee shall be invited to view the information on-screen or inspect the original documentation at a place and time to be agreed by the organisation.
The Company reserves the right to withhold data from the employee where any statutory exemptions apply.
Correction, updating and deletion of data
If an employee becomes aware that the Company holds any inaccurate, irrelevant or out-of-date information about them, they must notify the Company immediately and provide any necessary corrections and/or updates to the information. Employees are responsible for ensuring that the Company has up-to-date home address and contact details at all times during their employment.
Data that is likely to cause substantial damage or distress
If an employee believes that the processing of personal information about them is causing, or is likely to cause, substantial and unwarranted damage or distress to him/her or another person, they may notify the Data Protection Officer in writing to request that the Company stop processing that information.
Within 21 days of receiving the employee's notice, the Company will reply to the employee stating either:
- that it has complied with or intends to comply with the request; or
- the reasons why it regards the employee's notice as unjustified to any extent and the extent, if any, to which it has already complied or intends to comply with the notice.
Monitoring
The Company may monitor employees by various means including, but not limited to, recording employees' activities on CCTV, checking emails, listening to voicemails and monitoring telephone conversations. Where this is the case, the Company will inform the employee that monitoring is taking place, how data is being collected, how the data will be securely processed and the purpose for which the data will be used. The employee will usually be entitled to be given any data that has been collected about him/her. The Company will not retain such data for any longer than is absolutely necessary. Further information about our use of CCTV can be found in the Company’s CCTV Policy.
In exceptional circumstances, the Company may use monitoring covertly. This may be appropriate where there is, or could potentially be, damage caused to the Company by the activity being monitored and where the information cannot be obtained effectively by any non-intrusive means (for example, where an employee is suspected of stealing property belonging to the organisation). Covert monitoring will take place only with the approval of the Data Protection Officer or the HR Director, UK & Europe.
Employees' obligations regarding personal information
If an employee acquires any personal information in the course of their duties, they must ensure that:
- the information is accurate and up to date, insofar as it is practicable to do so;
- the use of the information is necessary for a relevant purpose and that it is not kept longer than necessary; and
- the information is secure.
In particular, an employee should ensure that they:
- use password-protected and encrypted software when sending and receiving personal information by email;
- send fax transmissions to a direct fax where possible and with a secure cover sheet; and
- keep hard-copy files locked in a secure cabinet.
If an employee acquires any personal information in error by whatever means, they shall inform the Data Protection Officer immediately and, if it is not necessary for them to retain that information, arrange for it to be handled by the appropriate individual within the organisation.
An employee must not take any personal information away from the organisation's premises save in circumstances where he/she has obtained the prior consent of the Data Protection Officer/senior management to do so.
If an employee is in any doubt about what they may or may not do with personal information, they should seek advice from the Data Protection Officer. If they cannot get in touch with the Data Protection Officer, they should not disclose the information concerned.
Disclosure and sharing of personal information
We may share personal data we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006.
We may also disclose personal data we hold to third parties:
- in the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business assets; or
- if we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets.
We may also disclose or share a data subject’s personal data if we are under a duty to do so in order to comply with any legal obligation, in order to enforce or apply any contract with the data subject or other agreements, or to protect our rights or property or the safety of our employees, customers or others, including for the purpose of safeguarding our students. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Transferring data outside the European Economic Area (“EEA”)
We may transfer any personal data we hold to a country outside the EEA, provided that one of the following conditions applies:
- the country to which the personal data is transferred ensures an adequate level of protection for the data subject’s rights and freedoms;
- the data subject has given his/her consent;
- the transfer is necessary for one of the reasons set out in the Act, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject;
- the transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims; or
- the transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subject’s privacy, their fundamental rights and freedoms, and the exercise of their rights.
Personal data we hold may also be processed by staff operating outside the EEA who work for us or for one or more of our suppliers. Such employees may be engaged in, among other things, the fulfilment of contracts with the data subject, the processing of payment details and the provision of support services.
Disposal of personal data
Where information is disposed of, employees should ensure that it is destroyed. This may involve requesting the permanent removal of the information from the server by IT Operations. Please note that deleting an email or file from your computer by moving it into the trash folder and subsequently emptying the trash will not remove the information from the server or from server copies such as mailboxes and shared drives. If you are in any doubt, please contact HR. Hard copies of information must be shredded in the workplace or placed into a confidential waste bin for shredding offsite. Under no circumstances should personal information be disposed of in a wastepaper basket or recycling bin.
Consequences of non-compliance
All employees are under an obligation to ensure that they have regard to the eight data protection principles (see above) when accessing, using or disposing of personal information. Failure to observe the data protection principles within this policy may result in an employee incurring personal criminal liability. It may also result in disciplinary action up to and including dismissal. For example, if an employee accesses another employee's employment records without the requisite authority, the Company will treat this as gross misconduct and instigate its disciplinary procedures. Such gross misconduct may also constitute a criminal offence.
Taking employment records off site
Any employee taking records off site must ensure that they do not leave their laptop, other device or any hard copies of employment records on the train, in the car or in any other public place. They must also take care when viewing the information, in hard copy or on-screen, that it is not seen by anyone who is not legitimately privy to that information.
Review of procedures and training
The Company will review this policy, and monitor compliance with it, at regular intervals.