Head Office, The Water Works, Moors Close, Great Bentley, Essex, CO7 8QN


Privacy policy document

ALPHA GRP LIMITED

On 25th May 2018, the UK introduced a raft of new data protection legislation – parts of the EU regulation – the GDPR (General Data Protection Regulation); Data Protection Act 2018 and e-privacy regulations as well as Fees Regulations.

To be compliant with the new legislation and avoid the inevitable fines regime, I have reviewed current measures in place for the company and have drafted new texts to take the new requirements into account. The suggested text is in a different font and colour purely for ease of reference.

The company should have a Notification in place with the Information Commissioner’s Office (ICO).


PRIVACY NOTICE 

This should go on the website under its own tab “Privacy & Cookies”. It is the main Privacy Notice for the company; others will appear on the footer of emails and forms that collect data. This Privacy Notice replaces any previous Data Protection Policy and Cookie Policy and should appear on the website:


PRIVACY & COOKIES

Alpha GRP Limited is based at The Water Works, Moors Close, Great Bentley, Essex CO7 8QL.   We may process “personal data” and/or “special category data” (as defined in UK data protection legislation) as part of our contracted services and/or for our administration.  Information is kept while it remains relevant to the reason for collection and/or if there is a statutory retention period.  All feasible security measures are in place.

Data may be shared with third parties as part of our contracted services, for administrative purposes and/or if we are required by law to do so.  We cannot accept any liability for any processing conducted by a third party outside our remit.

As required by law, we have conducted a cookie audit on our website.  Cookies are internet files utilised by websites to communicate.  We use analytical cookies to monitor and improve our website and social media website advertising for our own company.  None of the cookies we use are intrusive into your system.  

None of the above affects your rights under the legislation, in particular your right to access the data we hold on you.  If you wish to request a copy of your data, please submit it in writing/email to the Company.    Please include enough information to enable us to identify you and search for appropriate data.

If you are dissatisfied with this policy, have queries about our data protection procedures or wish to lodge a complaint, please contact the company in the first instance.  Thereafter you have the right to submit a complaint to the Supervisory Authority, the Information Commissioner’s Office (ICO):

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

COOKIES

There is currently a Cookie Bar on the website.  Cookie Bars are ONLY required if the non-essential cookies utilised are intrusive on the user’s system.  The company website does NOT use such cookies and therefore I recommend that the cookie bar be removed.  Despite assertions to the contrary in the relevant ICO guidance, the public have NOT understood Cookie bar use and they have proved continuously to be a “restraint” on the users entering the website.  This is why I recommend their removal when not needed, as in this case.

There is a separate cookie policy on the website.  There is no legal requirement for a separate cookie policy.  The requirement is to conduct a cookie audit and collate the results within the Privacy Notice as I have done above.  Therefore, I recommend the removal of the cookie policy altogether.


EMAIL PRIVACY NOTICE

Email privacy notices are required to meet the Privacy and Telecommunications Regulations 2003, the Companies Act 2007 and the GDPR.  Therefore, I respectfully suggest that the following be added to the existing footer on all outgoing emails as a default:

“The Internet is not a secure system. If you are not the intended recipient of this email, please notify the sender and delete all copies. All personal data herein are processed in accordance with UK data protection legislation. Further details are available on our Privacy Notice or from the Company.”

FORMS ON PAPER

I recommend that the following text be built into forms produced by the company:

“Any personal data/special category data herein is processed in accordance with UK data protection legislation”.

FORMS ON WEBSITE:

There is a Customer Enquiry form on the website. It does have a privacy notice there, and it does restrict the company’s use of the data. The suggested wording here allows the company to utilise the data more fully (e.g. for marketing; see below). Please include the following privacy notice near the Submit button:

“All personal data are processed in accordance with UK data protection legislation.  All feasible security measures are in place.”


MARKETING

When the legislation came into force on 25th May 2018, there was – and still remains – much confusion about the issues of “consent”.  The only time the company must actively seek consent for using personal data (such as email addresses or IP addresses) is when you are marketing electronically to potential customers with whom you have had no previous contact.  If you want to send some marketing information or do some work for someone who has completed the enquiry form on the website – that is “contact” and you are at liberty to do so without seeking further consent.  NOTE: all such emails must include an “unsubscribe” feature which must be adhered to!  Everyone has the right to “unsubscribe” from any communications at any time – but this is not the same as seeking consent in the first place. 

Currently the wording on the “Enquiry form” on the website restricts your use of the data. The problem with “we do not share your data with anyone else” is that you cannot then share it with the Accountant (if external), Bank (for electronic payments) or the Authorities (if they ask for it, you cannot refuse them!), so it becomes very complicated. The Privacy Notice and the Short notice for the online form have been worded so that this is not required but the legal requirements are still met.

 
STAFF LIABILITY

I have not seen the Staff handbook or any email/acceptable use policy that may be in existence.  However, there is a requirement to “train” staff on requirements and to this end they should be aware that they are personally responsible for the content of emails if it is considered personal data.  This is usually included in the Staff handbook/email policy or Acceptable Use policy.  It may be useful to include the following definitions as well:

“Personal data” – any information relating to a natural person

“Special category data” – such as medical.

 
ACCOUNTABILITY

Under the GDPR, Companies are now required to keep an “Accountability” document within their administrative documentation.  This document needs to contain certain elements and can be issued if required.  To meet these requirements, I recommend that the text below is kept in a folder in the Company administration.

 
ACCOUNTABILITY

“Alpha GRP Limited is based at The Water Works, Moors Close, Great Bentley, Essex CO7 8QL. We may process “personal data” and/or “special category data” (as defined in UK data protection legislation) as part of our contracted services and/or for our administration. Information is kept while it remains relevant to the reason for collection and/or if there is a statutory retention period. All feasible security measures are in place.

Data may be shared with third parties as part of our contracted services, for administrative purposes and/or if we are required by law to do so.  We cannot accept any liability for any processing conducted by a third party outside our remit.

There is a data retention schedule in place.  This will allow the company to locate data quickly if required as well as documenting the Retention Policy for data.   

There are technical security measures in place: encryption where necessary and restriction of access to data to maintain integrity and privacy. This is in place for both manual data and electronically-held data. To protect data and for ease of usage, we utilise cloud services; all feasible security measures are in place.

Organisational measures such as policies and directions for staff when entering data are in place. Training for staff is on an informal basis through the Staff Handbook/staff policies. There are agreements with third party service providers to ensure data are secure. All manual data is secured as required with access restricted.”

 
PROCEDURES FOR RESPONDING TO REQUEST FOR SUBJECT ACCESS

Any written request for personal information (by a customer for their information or by a member of staff) should be processed in accordance with data protection legislation.

This document is designed to help you through the process.

Once a request for personal information is received by the company, the time limit for responding starts! This is only 28 days under the General Data Protection Regulation so it is important that the request is passed to a central co-ordinator as soon as possible. The receipt should be acknowledged.

Do you have enough information in the Request to identify the subject of the data to be found? Are you sure that the person making the request has the legal right to do so? You can ask for more information if you need it.

Search through all systems (manual or electronic) for information. Then go through all the documents to extract the personal information to be disclosed. Remember that expressions of opinion count. It is not about disclosing whole documents, but the relevant data within those documents.

THIRD PARTIES – any data about someone other than the data subject is third party data. You should seek the consent of a third party to disclose their data IF it cannot be deleted from the data without destroying the data itself. In most cases this should be possible. You are responsible for the information the company holds, so just make sure that the Response includes details of where you got the information from.

You need to assess what is disclosable in each case.

RESPONSE

In the Response, you need to state that you are disclosing what is held and possible to disclose under the legislation.  You can withhold anything given to you by the requester but offer a copy if they wish it.  You can decide to include it but make sure the Requester is aware of what is the source of the data.

You should give the Requester the opportunity to request a review by the company on what’s been disclosed if they think you haven’t released everything you should. They also have the right to go to the Information Commissioner’s Office, and you should provide contact details for them.
 

ADAVISTA, as a specialist consultancy in the field, can provide assistance with this matter if it ever arises.
