MYSHON is committed to being transparent about how it collects and uses the personal data of its workforce, and to meeting its data protection obligations. This policy sets out MYSHON’s commitment to data protection, and individual rights and obligations in relation to personal data.
This policy applies to the personal data of job applicants, employees, workers, contractors and former employees. This policy will also apply to the personal data of clients or other personal data processed for business purposes.
MYSHON is committed to all aspects of data protection and takes seriously its duties, and the duties of its employees, under the General Data Protection Regulation. MYSHON is registered with the Information Commissioner’s Office, and a copy of this registration certificate is available from the HR Department and on the intranet.
This policy sets out how MYSHON deals with personal data, including personnel files and data subject access requests, and employees’ obligations in relation to personal data.
Data Protection Officer
The Human Resource Manager is MYSHON’s data protection officer. Their role, alongside the Commercial Director, is to inform and advise MYSHON on its data protection obligations. The HR Manager is responsible for data protection compliance within the organisation and for the implementation of this policy.
Any questions regarding this policy, requests for further information, or questions about an individual’s obligations under it should be directed to HR and the Commercial Director.
Data Protection Definitions
“Personal data” is any information that relates to an individual who can be identified from that information. “Processing” is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
“Special categories of personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
“Criminal records data” means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.
Data protection principles
MYSHON commits to processing personal data in accordance with the following data protection principles:
To process personal data lawfully, fairly and in a transparent manner.
To collect personal data only for specified, explicit and legitimate purposes.
To process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
To keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
To keep personal data only for the period necessary for processing.
To adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
An employer that does not keep to these principles when processing personal data is breaking the law, and the Information Commissioner’s Office (ICO) issues fines for non-compliance.
MYSHON tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for any other reasons.
Where MYSHON processes special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with its separate policy on special categories of data and criminal records data.
MYSHON will update HR-related personal data promptly if an individual advises it that their information has changed or is inaccurate. MYSHON will also make a self-service system available to employees so that they can update their own personal data when it changes.
Personal data gathered during the employment, worker, contractor or client relationship is held in secure individual files (in hard copy, electronic format or both) and in databases; HR-related personal data is held on the HR and payroll systems.
The periods for which the organisation holds HR-related personal data are set out in its privacy notices to individuals and in an internal HR retention document.
If MYSHON enters into discussions about a merger or acquisition with a third party, MYSHON will seek to protect employees’ data in accordance with the data protection principles wherever possible. However, under the Transfer of Undertakings (Protection of Employment) Regulations 2006, some personal information must be shared if a merger or acquisition is to go ahead. Where this is the case, it will be communicated to the individuals concerned at the time.
The organisation keeps a record of its processing activities in respect of personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).
As a data subject, individuals have a number of rights in relation to their personal data.
Subject Access Requests
Individuals have the right to make a subject access request. The Human Resource Manager is responsible for dealing with data subject access requests.
If an individual makes a subject access request, MYSHON will disclose:
Whether or not their data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;
To whom their data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
For how long their personal data is stored and how that period is decided;
Their rights to rectification or erasure of data, or to restrict or object to processing;
Their right to complain to the Information Commissioner if they think MYSHON has failed to comply with their data protection rights; and
Whether or not MYSHON carries out automated decision-making and the logic involved in any such decision-making.
MYSHON will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless they agree otherwise.
Should the individual request additional copies, MYSHON will charge a fee, which will be based on the administrative cost to the organisation of providing the additional copies.
To make a subject access request, the individual should send the request to firstname.lastname@example.org. In some cases, MYSHON may need to ask for proof of identification before the request can be processed. MYSHON will inform the individual if it needs to verify their identity and the documents it requires.
MYSHON will normally respond to a request within a period of one month from the date it is received. In some cases, such as where MYSHON processes large amounts of the individual’s data, it may respond within three months of the date the request is received.
MYSHON will write to the individual within one month of receiving the original request to tell them if this is the case.
Unfounded or Excessive requests
If a subject access request is manifestly unfounded or excessive, MYSHON is not obliged to comply with it. Alternatively, MYSHON can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request.
A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which MYSHON has already responded. If an individual submits a request that is unfounded or excessive, MYSHON will notify them that this is the case and whether or not it will respond to it.
Individuals have a number of other rights in relation to their personal data. They can require MYSHON to:
Rectify inaccurate data;
Stop processing or erase data that is no longer necessary for the purposes of processing;
Stop processing or erase data if the individual’s interests override the organisation’s legitimate grounds for processing data, including where MYSHON relies on its legitimate interests as a reason for processing data;
Stop processing or erase data if processing is unlawful; and
Stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual’s interests override MYSHON’s legitimate grounds for processing data.
To ask MYSHON to take any of these steps, the individual should send the request to the HR Department.
MYSHON reserves the right to withhold an individual’s access to data where any statutory exemptions apply, in accordance with guidance issued by the ICO.
MYSHON takes the security of all personal data seriously and has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed except by employees in the proper performance of their duties.
MYSHON has in place system and network access restrictions and, where necessary, encryption, along with robust processes for the secure internal sharing of personal data by employees in the performance of their duties. MYSHON ensures compliance with its Data Security Policy at all times and reminds employees of their responsibilities under this policy.
Where MYSHON engages third parties to process and review personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Some of the processing that MYSHON carries out may result in risks to privacy. Where processing would result in a high risk to individuals’ rights and freedoms, MYSHON will carry out a data protection impact assessment to determine the necessity and proportionality of the processing.
This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
If MYSHON discovers that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery.
MYSHON will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, MYSHON will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.
International data transfers
Personal data may be transferred to countries outside the EEA in circumstances relating to the legitimate processing of data and for updating clients regarding performance. Data may only be transferred outside the EEA where there is in place an adequacy decision, binding corporate rules or other security and compliance safeguards.
Where an employee or individual is required to disclose personal data to any other country, they must first ensure that there are adequate safeguards for the protection of the data in the recipient country. For further guidance on the transfer of personal data outside the UK, please contact the HR Department.
Individual obligations and responsibilities
Employees and individuals are responsible for assisting MYSHON in keeping their own personal data up to date. Employees and individuals should let MYSHON know if data provided to the company changes, for example if an employee or individual moves address or changes their bank details.
Employees may have access to the personal data of other individuals and of our customers and clients in the course of their employment. Where this is the case, MYSHON relies on individuals to help meet its data protection obligations to staff, customers and clients.
All employees who handle personal data are required to have confidentiality clauses in their contracts of employment.
If an employee acquires or has access to any personal information in the course of their duties, they must ensure that:
The information is accurate and up to date;
The use of the information is necessary for a relevant purpose and that it is not kept longer than necessary; and
The information is secure.
In particular, an employee should ensure that they:
Use password-protected and encrypted software for the transmission and receipt of data which contains personal information;
Use a secure online sharing system or secure area on the MYSHON network for sharing of personal data; and
Lock files containing personal information in a secure cabinet.
Individuals who have access to personal data are also required:
To access only data that they have authority to access and only for authorised purposes;
Not to disclose data except to individuals, whether inside or outside the company, who have appropriate authorisation;
To keep data secure by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction;
Not to remove personal data, or devices containing or that can be used to access personal data, from the company’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
Not to store personal data on local drives or on personal devices that are used for work purposes.
Where information is disposed of, employees should ensure that it is destroyed. This may involve the permanent removal of the information from the server, so that it does not remain in an employee’s inbox or ‘rubbish’ folder.
Hard copies of information may need to be confidentially shredded. Employees should never dispose of personal information in a wastepaper basket or recycle bin.
Further details about MYSHON security procedures can be found in its Data Security policy.
If an employee acquires any personal information in error by whatever means, the individual shall inform the HR Manager immediately and, if it is not necessary for them to retain that information, arrange for it to be handled by the appropriate individual within MYSHON.
An employee or individual must not take any personal information away from MYSHON premises or properties, except in exceptional circumstances where the individual has obtained the prior consent of a member of senior management to do so.
If an employee is in any doubt about what they may or may not do with personal data, they should seek advice from the HR Department. If they cannot get in touch with a member of the HR Department, they should not disclose the information concerned until advice has been sought.
A significant or deliberate breach of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
An employee’s personnel file is likely to contain information about their work history with MYSHON and may, for example, include information about any disciplinary or grievance procedures, warnings, absence records, appraisal or performance information and personal information about the employee including address details and national insurance number.
There may also be other information about the employee located within MYSHON, for example in their line manager’s email inbox or desktop computer; with payroll; or within documents stored in a relevant HR filing system.
MYSHON may collect relevant special categories of personal data from employees for equal opportunities monitoring purposes. Where such information is collected, MYSHON will anonymise it, unless the purpose for which the information is required calls for the use of the individual’s identifiable personal information.
MYSHON will inform employees on any monitoring questionnaire of the use to which the data will be put, the individuals or posts within MYSHON who will have access to that information, and the security measures that MYSHON will put in place to ensure that there is no unauthorised access to this type of data or information.
MYSHON will ensure that personal information about an employee, including information in personnel files, is securely retained, and only for as long as is deemed necessary in accordance with the HR retention document. MYSHON will keep hard copies of information in a locked filing cabinet. Information stored electronically will be subject to access controls and passwords, and encryption software will be used where necessary.
Correction, updating and deletion of data
MYSHON has a system in place that enables employees to check their personal information on a regular basis so that they can correct, delete or update any data.
If an employee becomes aware that MYSHON holds any inaccurate, irrelevant or out-of-date information about them, they must notify the HR Department immediately and provide any necessary corrections and/or updates to the information.
MYSHON may monitor employees by various means including, but not limited to, recording employees’ activities on CCTV, checking emails, listening to voicemails and monitoring telephone conversations.
If this is the case, MYSHON will inform the employee that monitoring is taking place, how data is being collected, how the data will be securely processed and the purpose for which the data will be used. The employee will be entitled to be given any data that has been collected about them if it is to be used against them or processed in any way.
MYSHON will not retain such data for any longer than is absolutely necessary.
In exceptional circumstances, MYSHON may use monitoring covertly. This may be appropriate where there is, or could potentially be, damage caused to MYSHON by the activity being monitored and where the information cannot be obtained effectively by any non-intrusive means (for example, where an employee is suspected of stealing property belonging to MYSHON).
Covert monitoring will take place only with the approval of Senior Management.
Consequences of non-compliance
MYSHON is under an obligation to ensure that it has regard to the data protection principles above when accessing, processing, retaining or disposing of personal data.
Failure to observe the data protection principles within this policy may result in the employer incurring fines. It may also result in disciplinary action against an employee, up to and including dismissal.
Taking information off site
Where laptops are used off site, employees must follow MYSHON’s relevant policies relating to the security of information and the use of computers for working at home and bringing your own device to work.
Employees must ensure that they do not leave their laptop, pen drive, other device or any hard copies of personal data on the train, in the car or any other public place.
Individuals must also take care when viewing information in hard copy or on screen that it is not seen by anyone who is not legitimately privy to that information.
Review of Procedures and Updates
MYSHON provides guidance on data protection issues to all employees who handle personal information in the course of their duties at work as outlined within this Policy. MYSHON will continue to provide such employees with updates on Data Protection on a regular basis.
MYSHON will update employees regarding any changes to the General Data Protection Regulation and how these may affect them during their working day. Any changes to policy or processes will also be communicated and cascaded down to teams.
MYSHON will provide training to all individuals about their data protection responsibilities as part of the induction process and on a regular basis thereafter. Reference should be made to this policy or to the HR Department if a line manager or employee is unsure of their compliance requirements.
Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.
MYSHON will review and ensure compliance with this policy at regular intervals in line with ICO direction or changes in regulation.