1. Statement and purpose of policy
- Digital Operations Group is committed to ensuring that all personal data handled by us will be processed according to a legally compliant standard of data protection and data security.
- We confirm, for the purposes of the data protection laws, that Jed Keenan is Data Controller for the personal data accessible to staff of Digital Operations Group. This results in the Data Controller determining the purposes for which, and the manner in which, all personal data of subscribers, staff and any third parties is processed.
- The purpose of this policy is to help Digital Operations Group achieve its data protection and data security aims by:
- Notifying staff, subscribers and any third parties of the types of personal data that Digital Operations Group can hold about them, and what exactly is done with that information;
- Setting out the rules on data protection and the legal conditions that will be satisfied when collecting, receiving, handling, processing, transferring and storing personal data; and
- Clarifying the responsibilities and duties of staff in respect of data protection and data security, and ensuring staff understand legal standards.
- This is a statement of policy only and does not form part of the contract of employment.
- Digital Operations Group will amend this policy as and when required.
- For the purposes of this policy:
- Data protection law means all applicable laws relating to the processing of Personal Data, including, for the period during which it is in force, the General Data Protection Regulation (Regulation (EU) 2016/679).
- Data subject means the individual, be they a subscriber, staff member or a third party, to whom the personal data relates.
- Personal data means any information that relates to an individual who can be identified from that information.
- Processing means any use that is made of data, including collecting, storing, amending, disclosing, and destroying it.
- Special categories of personal data means information about an individual's gender, racial or ethnic origin, sexual orientation, disabilities, political opinions, religious or philosophical beliefs, trade union membership and biometric data.
2. Data protection principles
- Staff whose work involves using personal data relating to subscribers, employees and/or third parties will comply with this policy and with the following data protection principles that require that personal data is:
- Processed lawfully, fairly and in a transparent manner: Digital Operations Group will always maintain a lawful basis to process personal data, as set out in the data protection legislation. Personal data is processed as necessary to perform a contract with the Data Subject, to comply with a legal obligation to which the data controller is subject, or for the legitimate interest of the Digital Operations Group or the party to whom the data is disclosed. The Data Subject is told who controls the information, the purposes for which the information is processed and to whom it is disclosed.
- Collected only for specified, explicit and legitimate purposes: Personal data is not to be collected for an original purpose and then used for any other purpose. When Digital Operations Group wants to change the way personal data is used, we will first inform the Data Subject.
- Processed only where it is adequate, relevant and limited to that necessary for the purposes of processing: Digital Operations Group will only collect personal data to the extent required for the specific purposes notified to the Data Subject.
- Kept accurate, with all reasonable steps taken to ensure that all inaccurate information is rectified or deleted without delay: Checks on personal data are made when it is collected and regular checks are made afterwards. Digital Operations Group makes reasonable efforts to rectify or erase inaccurate information.
- Kept only for the period necessary for processing: Information is not kept longer than it is needed and all reasonable steps to delete information are taken when data is no longer required by Digital Operations Group. For guidance on how long particular information is kept see the Data Retention Policy and Record Retention Schedule, or contact the Data Protection Officer.
- Secure: Appropriate measures are adopted by the Digital Operations Group to ensure all data is stored securely.
3. Responsibility for data protection and data security
- Maintaining an appropriate standard of data protection and data security is a shared task. This policy and the rules contained in it apply to all employees of Digital Operations Group, irrespective of seniority, tenure and working hours, including executive and non-executive directors and officers, consultants and contractors, agency staff, apprentices, trainees, homeworkers and any volunteers.
- Questions about this policy, or requests for further information, are addressed by the Data Protection Officer.
- All Staff have personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out here, and to ensure that measures are undertaken to protect the data security. Managers have special responsibility for leading by example, compliance monitoring and any enforcement. The Data Protection Officer will be notified as soon as reasonably practicable when this policy has not been followed, or if it is suspected this policy has not been followed.
- Any breach of this policy will be taken seriously and can result in disciplinary action up to and including dismissal. Significant or deliberate breaches, such as accessing Subscriber, Staff or Third Party personal data without authorisation or a legitimate reason to do so, constitute gross misconduct and lead to dismissal without notice.
4. Personal data and activities covered by this policy
- This policy covers personal data:
- That relates to individuals that can be identified either from that information in isolation or by reading it together with other information retained;
- Stored digitally or in paper records;
- In the form of statements of opinion as well as factual data;
- That relates to current, past or future Subscribers, Staff or Third Party whose personal data Digital Operations Group handle or control;
- That Digital Operations Group obtains, that is provided to us, or that we hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.
- This personal data is subject to the legal safeguards set out in the general data protection regulations.
5. Personal data processed regarding Staff
- Digital Operations Group collects personal data about Staff that:
- Is provided by Staff, or that Digital Operations Group gathers before or during employment or engagement with Digital Operations Group;
- Is provided by third parties, such as references or information from suppliers or another party that Digital Operations Group does business with; or
- Is in the public domain.
- The types of personal data that Digital Operations Group collects, stores and uses about Staff includes records relating to:
- The home address, contact details and those of the next of kin;
- Recruitment including the completed application form or curriculum vitae, references received, and details of qualifications;
- Pay records, national insurance number and details of taxes and any employment benefits such as pension;
- Telephone, email, internet, or instant messenger usage;
- Performance and any disciplinary matters, grievances, complaints or concerns that members of Staff are or have been involved in.
6. Sensitive personal data
- Digital Operations Group will from time to time need to process sensitive personal data; sometimes referred to as 'special categories of personal data'.
- We will only process sensitive personal data when:
- We have a lawful basis for doing so, such as when it is necessary for the performance of the employment contract; and
- One of the following special conditions for processing personal data applies:
- The Data Subject has given explicit consent.
- The processing is necessary for the purposes of exercising the rights and obligations under employment law of either Digital Operations Group or the Data Subject.
- The processing is necessary to protect the Data Subject's vital interests, and the Data Subject is physically incapable of giving consent.
- Processing relates to personal data manifestly made public by the Data Subject.
- The processing is necessary for the establishment, exercise, or defence of legal claims; or
- The processing is necessary for reasons of substantial public interest.
- Before processing any sensitive personal data, Staff will notify the Data Protection Officer of the proposed processing, in order for the Data Protection Officer to assess whether the processing complies with the criteria noted above.
- Sensitive personal data is not to be processed until this assessment has taken place and the individual has been properly informed of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.
- Our Privacy Policy sets out the type of sensitive personal data that Digital Operations Group processes, what it is used for and the lawful basis for the processing.
7. Use of personal data
- Digital Operations Group publicises the reasons for processing personal data, how this information is used and the legal basis for any processing in the Privacy Policy. Digital Operations Group does not process Staff personal data for any other reason.
- In general Digital Operations Group will use information to carry out our business, to administer Staff employment or engagement and to deal with any problems or concerns, including, but not limited to:
- Staff Address List: To compile a list of home addresses and contact details, so that Staff can be contacted outside working hours.
- Sickness records:
- To maintain a record of Staff absence because of sickness and copies of any doctor's notes or other documents supplied in connection with health issues;
- To inform colleagues and others that Staff members are absent through sickness, only as reasonably necessary to manage any absence;
- To inform the Staff appraisal process of the sickness absence level;
- To publish internally aggregated, anonymous details of sickness absence levels.
- Monitoring IT systems: To monitor use of email, the internet, telephone, and other communications or IT resources.
- Disciplinary, grievance or legal matters: In connection with any disciplinary, grievance, legal, or regulatory matters or proceedings that involve Staff.
- Performance Reviews: To undertake performance reviews.
- Equal Opportunities Monitoring: To conduct monitoring for equal opportunities purposes and to publish aggregated and anonymised information about Digital Operations Group's workforce.
8. Accuracy and relevance
- Digital Operations Group will:
- Ensure that any personal data processed is up to date, accurate, adequate, relevant and, given the purpose for which it was collected, not excessive.
- Not process personal data obtained for a particular purpose for any other purpose, unless the Data Subject has agreed to this or this is reasonably expected to happen.
- When Staff, Subscribers or Stakeholders consider that any information held about them is inaccurate or out of date, then they should tell the Data Protection Officer. If the Data Protection Officer agrees that the information is inaccurate or out of date, then it will be corrected promptly. If the Data Protection Officer does not agree with the correction, then they will note the suggested changes. In either situation a reply explaining the response will be promptly supplied.
9. Storage and retention
- Personal data, and sensitive personal data, will be kept securely in accordance with this Policy.
- The periods Digital Operations Group hold personal data are contained in the Record Retention Schedule.
10. Individual rights
- Staff, Subscribers and Stakeholders have the following rights in relation to personal data.
- Subject access requests:
- Staff and Subscribers have the right to make subject access requests. When a subject access request is submitted, the Data Subject is informed:
- Whether or not the Data Subject's personal data is processed and if so why, the categories of personal data concerned and the source of the data when it is not collected directly;
- To whom Data Subject's personal data is disclosed, including to recipients outside of the European Economic Area (EEA) and the safeguards that apply to such transfers;
- For how long Data Subject's personal data is stored, and/or how that period is decided;
- Data Subject's rights of correction or erasure of data, or to restrict or object to processing;
- Data Subject's right to complain to the Information Commissioner's Office when the Data Subject believes that Digital Operations Group have failed to uphold data protection regulation; and
- Of the rationale applied in any decisions.
- Digital Operations Group will provide Data Subjects with a copy of the personal data undergoing processing. This is normally in digital form, unless otherwise agreed.
- To make a subject access request, contact the Data Protection Officer.
- Digital Operations Group will need to ask for proof of identification before a request can be processed. We will let the Data Subject know when their identity needs verifying, and the documents required to do so.
- Digital Operations Group will normally respond to requests within 20 working days from the date that the request was received. In very rare instances, for example where there is a large amount of personal data being processed, the response will be within 40 working days of the date the request is received. Digital Operations Group will reply in writing within 10 working days of receiving the original request when this is the case.
- Where a request is manifestly unfounded or excessive, Digital Operations Group are not obliged to comply with it.
- Other rights:
- Staff, Subscribers and Stakeholders have a number of other rights in relation to personal data. Data Subjects can require Digital Operations Group to:
- Rectify inaccurate data;
- Stop processing or erase data that is no longer necessary for the purposes of processing;
- Stop processing or erase data where a Data Subject's interests override Digital Operations Group's legitimate grounds for processing the data, where Digital Operations Group relies on its legitimate interests as a reason for processing data;
- Stop processing data for a period of time where data is inaccurate or where there is a dispute about whether a Data Subject's interests override Digital Operations Group's legitimate grounds for processing the data.
- To request that Digital Operations Group take any of these steps, send all requests to the Data Protection Officer.
11. Data security
- Digital Operations Group will use appropriate technical and organisational measures to keep personal data secure, in particular to protect against unauthorised or unlawful processing and against all accidental loss, destruction or damage.
- Maintaining data security means making sure that:
- Only Staff that are authorised to use the information are able to access it;
- All personal data is encrypted;
- Information is accurate and suitable for the purpose for which it is processed; and
- Authorised Staff only access information when it is needed for authorised purposes.
- By law, Digital Operations Group uses procedures and technology to secure personal data throughout the period that it is held or controlled, from obtaining to destroying the information.
- Personal data is not transferred to any person to process, for example while performing services for Digital Operations Group or on its behalf. This is unless that person or their organisation has either agreed to comply with Data Security Procedures or that Digital Operations Group are satisfied that adequate alternative measures exist.
- Security procedures include:
- All desks or cupboards containing confidential data are kept locked.
- Computer terminals are locked with strong passwords that are changed regularly.
- Unattended computer terminals are routinely logged out or turned off.
- When viewing personal data discretion will be used to ensure that it is not visible to others.
- Data stored on external drives will be encrypted and password protected, and securely stored when not being used.
- The Data Protection Officer approves cloud drives being used to store data, and this will also be password protected.
- Sensitive personal data will never be saved directly to any laptops, tablets or smartphones.
- All servers containing sensitive personal data are protected by security software.
- Servers containing personal data are located in a secure location, away from general office space.
- Data is regularly backed up in line with Digital Operations Group's Back-up Procedure.
- Telephone precautions are of particular concern. Staff dealing with telephone enquiries will take serious consideration to avoid inappropriate disclosures. In particular:
- The identity of any telephone caller is verified before any personal data is disclosed;
- When the caller's identity cannot be verified satisfactorily they are asked to put their query in writing;
- Staff will not permit callers to bully them into disclosing information. In case of any issues or uncertainty, the Data Protection Officer is contacted.
- The method of disposal of personal data, whether on paper or on any external hard drives, will be their physical destruction. Paper documents are shredded and hard drives are rendered permanently unreadable.
12. Data impact assessments
- Some of the processing that Digital Operations Group carries out can result in risks to privacy.
- Where processing results in a risk to privacy, Digital Operations Group will carry out a Data Protection Impact Assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which an activity is carried out, the risks for individuals and the measures that will be put in place to mitigate those risks.
13. Data breaches
- Where there is discovery of a breach of personal data that poses a risk to the rights and freedoms of individuals, Digital Operations Group will report it to the Information Commissioner within 1 day of its discovery.
- Digital Operations Group records all data breaches regardless of their effect.
- Where the breach is likely to result in a high risk to Data Subjects' rights and freedoms, Digital Operations Group will inform affected individuals of the breach and provide all information about the likely consequences of the breach and the mitigation measures we have taken and the required response by Data Subjects.
14. International data transfers
- In the course of carrying out normal operations, Digital Operations Group will need to transfer personal data to a country outside the European Economic Area (EEA) including to all companies or individuals with whom Digital Operations Group have a business relationship.
- Personal data is only transferred to a country outside of the EEA where there are adequate protections in place. To ensure personal data receives an adequate level of protection, Digital Operations Group have put in place appropriate procedures with all third parties that process personal data on its behalf so that personal data is treated by those third parties in a way that is consistent with and respects the General Data Protection Regulation.
- For more information regarding international transfers of personal data, contact the Data Protection Officer.
15. Individual responsibilities
- Staff are responsible for helping Digital Operations Group keep their personal data up to date.
- Staff will let their manager know when personal data provided to Digital Operations Group changes, for example when moving residence or changing bank details.
- Staff will have access to the personal data of other members of Staff and of Subscribers in the course of their employment. Where this is the case, Digital Operations Group relies on Staff to help meet its data protection obligations.
- Individuals who have access to personal data are required:
- To access only personal data they have authority to access and only for authorised purposes;
- Not to disclose personal data except to individuals, whether inside or outside of Digital Operations Group, who have appropriate authorisation;
- To keep personal data secure, for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction;
- Not to remove personal data, or devices containing or that can be used to access personal data, from Digital Operations Group's premises without adopting appropriate security measures including encryption and strong password protection, to secure the data and the device; and
- Not to store personal data on external hard drives or on personal devices that are used for work purposes.
Training
- Digital Operations Group provides training to all Staff about their data protection responsibilities as part of the induction process and at regular intervals throughout their employment.
- Staff whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy receive additional training to help them understand and appreciate their duties and to fully comply with these duties.
Contact us about this Policy
Phone: 020 8528 3135