LEADING PRODUCER AND SUPPLIER OF PRIMARY AND RECYCLED AGGREGATES FOR OXFORDSHIRE AND THE SURROUNDING COUNTIES.

Know what you are looking for?

SMITH & SONS (BLETCHINGTON) LIMITED - 
DATA PROTECTION POLICY

Smiths Bletchington is committed to undertaking its business activities responsibly and sustainably, meeting the needs of customers, employees and other stakeholders, while managing the social and environmental impacts of our activities.

INTRODUCTION:

Smiths Bletchington and its subsidiaries needs to gather and use certain information about individuals for a variety of business purposes.

This policy sets out how we seek to protect personal data and ensure that staff understands the rules governing their use of personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Data Protection Responsible Person (DPRP) be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.

For the purposes of this document Smiths Bletchington and its subsidiaries will be referred to as the Company.

SCOPE:

This policy applies to all locations of the Company.

It also applies to all staff, volunteers, contractors, suppliers and other people working on our behalf.

This policy supplements our other policies relating to internet and email use.

This policy ensures that we comply with data protection law and follow good practice. It protects the rights of staff, customers and partners. It ensures that we are open about how we store and process individuals’ data and protects us from a data breach. It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside the Data Protection Act 1998.

The business purposes for which personal data could be used include:

  • Compliance with our legal, regulatory and corporate governance obligations and good practice
  • Gathering information as part of investigation by regulatory bodies or in connection with legal proceedings or requests
  • Ensuring business policies are adhered to (such as policies covering email and internet use)
  • Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
  • Investigating complaints
  • Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
  • Monitoring staff conduct, disciplinary matters
  • Marketing our business
  • Improving services
  • Personal Data means information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, customers, suppliers and marketing contacts.
  • Personal Data we may gather includes but not limited to:
  • Sensitive Personal Data includes:
  • Any use of sensitive personal data should be strictly controlled in accordance with this policy.
  • Individuals’ contact details including email addresses
  • Educational background
  • Financial and pay details
  • Details of Certificates and Diplomas
  • Education and skills
  • Marital Status
  • Nationality
  • Job Title
  • Curriculum Vitae
  • CCTV Images
  • IP address for website users
  • Racial or ethnic origin
  • Political opinions
  • Religious or similar beliefs
  • Trade Union membership (or non-membership)
  • Physical or mental health or condition
  • Criminal offences or related proceedings

DATA PROTECTION LAW:

The General Data Protection Regulation (GDPR) describes how organisations, including the Company, must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. It must be accurate and kept up to date and not held any longer than necessary. It must be processed in accordance with the rights of data subjects and not transferred outside the European Economic Area (EEA) unless that country or territory also ensures an adequate level of protection.

RESPONSIBILITIES:

The Board of Directors is ultimately responsible for ensuring that the Company meets its legal obligations. Under GDPR the Company is deemed a Data Controller.

The Data Protection Responsible Person is responsible for:

  • Keeping the board updated about data protection responsibilities, risks and issues.
  • Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  • Arranging data protection training and advice for the people covered by this policy.
  • Handling data protection questions from staff and anyone else covered by this policy.
  • Dealing with requests from individuals to see the data the Company holds on them (Subject Access Requests).
  • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
  • Ensuring compliance with the Data Protection Code of Practice for Surveillance Cameras and Personal Information where applicable.

The IT Manager is responsible for:

  • Ensuring all systems, services, and equipment used for storing data meet acceptable security standards.
  • Performing regular checks and scans to ensure security hardware and software is functioning properly.
  • Evaluating any third party services the company is considering using to store or process data. For instance, cloud computing services.

The Commercial and Distribution Manager is responsible for:

  • Approving any data protection statements attached to communications such as email and letters.
  • Addressing any data protection queries from clients, target audiences and media outlets.
  • Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
  • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.

PROCEDURES:

General guidelines:

  • The only people able to access data covered by this policy should be those who need it for their work.
  • Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
  • The Company will provide training to all employees to help them understand their responsibilities when handling data.
  • Employees should keep all data secure by taking sensible precautions and following the guidelines held within the Employee Information Binder.
  • Strong password must be used and never shared.
  • Personal data should not be disclosed to unauthorised people, either within the company or externally.
  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
  • Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.

Reporting Breaches

All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:

  • Investigate the failure and take remedial steps if necessary.
  • Maintain a register of compliance failures.
  • Notify the Supervisory Authority of any compliance failures that are material either in their own right or a part of a pattern of failures.

Subject Access Requests

All individuals who are the subject of personal data held by the Company are entitled to:

  • Ask what information the company holds about them and why.
  • Ask how to gain access to it.
  • Be informed how to keep it up to date.
  • Be informed how the company is meeting its data protection obligations.

Any such Subject Access requests from individuals should be made by email, addressed to the Data Protection Responsible Person at info@smithsbletchington.co.uk.

The Data Protection Responsible Person will aim to provide the data within 14 days.

The Data Protection Responsible Person will always verify the identity of anyone making a subject access request before handing over any information.

Disclosing Data for other reasons

In certain circumstances, the GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, the Company will disclose requested data. However, the Data Protection Responsible Person will ensure the request is legitimate, seeking assistance from the Board and from the company’s legal advisers where necessary.

Providing Information

The Company aims to ensure that individuals are aware that their data is being processed, and that they understand:

  • How the data is being used
  • How to exercise their rights
  • To these ends, the Company has a privacy statement, setting out how data relating to individuals is used by the company. This is available on request. A version of this statement is also available on the Company’s websites.

Ric Clemmey
Managing Director

August 2021