ESP Systex Ltd is committed to a policy of protecting the rights and privacy of individuals (including staff, customers and others) in accordance with the Data Protection Act. The Company needs to process certain information about its staff, clients, customers and other individuals it has dealings with for administrative purposes (e.g. to recruit and pay staff, to provide services, to collect fees, and to comply with legal obligations to funding bodies and government). To comply with the law, information about individuals must be collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.
The policy applies to all staff and clients of the Company. Any breach of the Data Protection Act 1998 or the Company Data Protection Policy is considered to be an offence and, in that event, ESP Systex Ltd disciplinary procedures will apply. As a matter of good practice, other agencies and individuals working with the Company who have access to personal information will be expected to have read, and to comply with, this policy. Departments/sections that deal with external agencies are expected to take responsibility for ensuring that such agencies sign a contract agreeing to abide by this policy. Under the Data Protection Act we are recognised by the ICO as a Data Processor, with our Clients being the Data Controller.
The Data Protection Act 1998 enhances and broadens the scope of the Data Protection Act 1984. Its purpose is to protect the rights and privacy of living individuals and to ensure that personal data is not processed without their knowledge, and, wherever possible, is processed with their consent.
Sensitive Data: Different from ordinary personal data (such as name, address, telephone) and relates to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions. Sensitive data are subject to much stricter conditions of processing.
Data Controller: Any person (or organisation) who makes decisions with regard to particular personal data, including decisions regarding the purposes for which personal data are processed and the way in which the personal data are processed.
Data Processor: Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Data Subject: Any living individual who is the subject of personal data held by an organisation.
Processing: Any operation related to the organisation, retrieval, disclosure and deletion of data, and includes:
* Obtaining and recording data
* Accessing, altering, adding to, merging or deleting data
* Retrieval, consultation or use of data
* Disclosure or otherwise making available of data
Third Party: Any individual/organisation other than the data subject, the data controller (Company) or its agents.
All processing of personal data must be done in accordance with the eight data protection principles.
Data Subjects have the following rights regarding data processing, and the data that are recorded about them:
Acting as a data processor for our clients, ESP Systex are required to handle various aspects of personal customer detail, for example names, addresses, account details, journey details and credit/debit card information.
To ensure our compliance with privacy and data protection legislation, agents are required to be comprehensively trained to ensure that no data is passed to end users before their identity has been satisfactorily verified.
While dealing with phone calls it is vital that Data Protection (DP) is confirmed. For all production services we must ask the customer for the information we require before continuing, according to the individual client's business rules identified at the setup of the contract.
Note: Agents should not announce details and ask a customer to confirm they are correct; they must ensure that the information is provided directly by the customer. Examples of information that may be required in accordance with client business rules are:
Wherever possible, personal data or sensitive data should not be obtained, held, used or disclosed unless the individual has given consent. The Company understands "consent" to mean that the data subject has been fully informed of the intended processing and has signified their agreement, whilst being in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing. There must be some active communication between the parties such as signing a form and the individual must sign the form freely of their own accord. Consent cannot be inferred from non-response to a communication. For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.
In most instances consent to process personal and sensitive data is obtained routinely by the Company (e.g. when a new member of staff signs a contract of employment). Any Company forms (whether paper-based or web-based) that gather data on an individual should contain a statement explaining what the information is to be used for and to whom it may be disclosed. It is particularly important to obtain specific consent if an individual's data are to be published on the Internet, as such data can be accessed from all over the globe; not gaining consent could therefore contravene the eighth data protection principle.
If an individual does not consent to certain types of processing (e.g. direct marketing), appropriate action must be taken to ensure that the processing does not take place.
If any member of the Company is in any doubt about these matters, they should consult the Group IT Manager.
All staff are responsible for ensuring that any personal data (on others) which they hold are kept securely and are not disclosed to any unauthorised third party.
All personal data should be accessible only to those who need to use it. You should form a judgement based upon the sensitivity and value of the information in question, but always consider keeping personal data:
Care should be taken to ensure that PCs and terminals are not visible except to authorised staff and that computer passwords are kept confidential. PC screens should not be left unattended without password protected screen-savers and manual records should not be left where they can be accessed by unauthorised personnel.
Care must be taken to ensure that appropriate security measures are in place for the deletion or disposal of personal data. Manual records should be shredded or disposed of as "confidential waste". Hard drives should be wiped clean before disposal to CESG standards.
This policy also applies to staff and clients who process personal data "off-site". Off-site processing presents a potentially greater risk of loss, theft or damage to personal data. Staff and clients should take particular care when processing personal data at home or in other locations outside the Company premises.
Members of the Company have the right to access any personal data which are held by the Company in electronic format and manual records which form part of a relevant filing system. This includes the right to inspect confidential personal references received by the Company about that person. Any individual who wishes to exercise this right should apply in writing to the Group IT Manager. Any such request will normally be complied with within 40 days of receipt of the written request.
ESP Systex act as the data processor with our clients acting as the data controller and as such we must abide by the business rules of our client in relation to the disclosure of customer data in respect of Subject Access Requests.
ESP Systex should support our clients in meeting their statutory obligations to provide individuals with access to copies of their own personal data in response to Subject Access Requests whether this be by providing relevant information held by ESP Systex to our clients or directly to their customers, as their business rules dictate.
The Company must ensure that personal data is not disclosed to unauthorised third parties which includes family members, friends, government bodies, and in certain circumstances, the Police. All staff and clients should exercise caution when asked to disclose personal data held on another individual to a third party. For instance, it would usually be deemed appropriate to disclose a colleague's work contact details in response to an enquiry regarding a particular function for which they are responsible. However, it would not usually be appropriate to disclose a colleague's work details to someone who wished to contact them regarding a non-work related matter.
The important thing to bear in mind is whether or not disclosure of the information is relevant to, and necessary for, the conduct of Company business. Best practice, however, would be to take the contact details of the person making the enquiry and pass them onto the member of the Company concerned.
This policy determines that personal data may be legitimately disclosed where one of the following conditions apply:
The Act permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:
* Requests must be supported by appropriate paperwork and where client related, it should be in the format dictated by the client business rules.
When members of staff receive enquiries as to whether a named individual is a member of the Company, the enquirer should be asked why the information is required. If consent for disclosure has not been given and the reason is not one detailed above (i.e. consent not required), the member of staff should decline to comment. Even confirming whether or not an individual is a member of the Company may constitute an unauthorised disclosure.
Unless consent has been obtained from the data subject, information should not be disclosed over the telephone. Instead, the enquirer should be asked to provide documentary evidence to support their request. Ideally a statement from the data subject consenting to disclosure to the third party should accompany the request.
As an alternative to disclosing personal data, the Company may offer to do one of the following:
Please remember to inform the enquirer that such action will be taken conditionally, i.e. "if the person is a member of the Company", to avoid confirming their membership of, their presence in, or their absence from the Company.
If in doubt, staff should seek advice from their Head of Department/Section or the Company Data Protection Officer.
In respect of clients’ customer data, client business rules will dictate how long the data is retained.
ESP Systex clients may use their own systems or ESP Systex systems to hold and process customer data.
Where ESP Systex hold customer data on behalf of our clients, it is stored within the UK and no data is held locally. All data is stored in secure data centres in England at RackSpace in London (a respected tier 1 data centre) and within the Microsoft Azure cloud.
The main areas which relate to how we store and protect client data are shown below:
Where data is held on ESP Systex/ESP Group systems, processes are in place for secure data disposal when the data is no longer needed, with hard drive data wiped to CESG standard. Our asset disposal process requires that our hardware disposal partner RecycleIT collect retired hardware assets using GPS-tracked vehicles driven by CRB-checked staff.
The Company discourages the retention of personal data for longer than they are required. Considerable amounts of data are collected on current staff. However, once a member of staff has left the Company, it will not be necessary to retain all the information held on them. Some data will be kept for longer periods than others, as indicated below.
In general, electronic staff records containing information about individual members of staff are kept indefinitely; this information would typically include name and address, positions held and leaving salary. Other information relating to individual members of staff will be kept by the Personnel Department for 6 years from the end of employment. Information relating to Income Tax, Statutory Maternity Pay etc. will be retained for the statutory time period (between 3 and 6 years).
Information relating to unsuccessful applicants in connection with recruitment to a post must be kept for 12 months from the interview date. Personnel may keep a record of the names of individuals that have applied for, been short-listed for, or been interviewed for posts indefinitely. This is to aid management of the recruitment process.
Personal data must be disposed of in a way that protects the rights and privacy of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion to CESG standards).
This policy will be updated as necessary to reflect best practice in data management, security and control, and to ensure compliance with any changes or amendments made to the Data Protection Act 1998.
In case of any queries or questions in relation to this policy please contact the ESP Group IT Manager: George Mair - Group IT Manager