Data Protection Policy
1 Policy Statement
Every individual has rights in relation to how the information from which they can be identified (known as personal data) is handled. During the course of our business, we may collect, store and process personal data about our customers, our staff and other third parties.
Provira Limited (Provira, or the Company) is committed to ensuring that it complies with the requirements of applicable data protection legislation (as amended or replaced from time to time), including the Data Protection Act 2018 (the Act) and the UK GDPR (together the Data Protection Legislation). The Data Protection Legislation is designed to protect the use of information from which individuals (or ‘data subjects’) may be identified and to provide those individuals with rights in relation to their personal data held by organisations. There is also legislation in place which gives people privacy rights in relation to electronic communications. This is contained in the Privacy and Electronic Communications (EC Directive) Regulations 2003.
This data protection policy sets out the principles which we will apply to our processing of personal data to ensure that we respect and safeguard the rights and freedoms of individuals and process their personal data in accordance with the Data Protection Legislation.
2 Who does this policy apply to?
This policy applies to and must be complied with by all employees (whether temporary or permanent), workers, contractors, agents, representatives and other third parties (referred to collectively as staff) acting for or on behalf of the Company.
It is the responsibility of every member of staff to ensure that they understand the content of this policy, and to seek guidance where any doubt exists. It is expected that all staff will adhere to this policy during the course of their duties.
This policy does not form part of any member of staff’s contract of employment and it may be amended at any time. Any breach of this policy will be taken seriously and will be dealt with under the Company’s formal disciplinary procedure and in serious cases may be treated as gross misconduct leading to summary dismissal or (in the context of self-employed workers, contractors or agents) as a potential contractual breach. Serious breaches could also result in personal criminal liability under the Act.
3 Why do we have this policy?
We recognise the importance of personal data to our business and of protecting that personal data and respecting the privacy rights of individuals. This is key to the success of our business and to maintaining the trust and confidence of our customers and our staff.
In addition, failure to comply with our data protection obligations could expose the Company to enforcement action by the Information Commissioner’s Office (the ICO) which is the UK’s supervisory authority for regulating data protection. The ICO can impose restrictions on our use of personal data and impose fines. Affected individuals may also complain or claim compensation. There may also be negative publicity as a result of any breach that is made public.
4 Who is responsible for implementing the policy?
Steve Gauke is the Company’s Head of Data Protection (HDP) responsible for ensuring that the Company complies with the Data Protection Legislation and with this policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the HDP.
Responsibility for monitoring and reviewing the operation of this policy and making recommendations for change to minimise risks lies with the HDP who will review this policy at least annually, and more regularly where specific issues arise, to ensure that it meets legal requirements and reflects best practice.
5 Definition of key data protection terms
data subjects means all living individuals about whom we hold, or may hold, personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
personal data means any information (which is stored electronically or in certain paper-based filing systems) relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour (for example where they are discussed in emails).
controller means the person who or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data.
processors means any person or organisation that is not a controller that processes personal data on behalf of a controller and on the controller’s instructions. Staff of data controllers are excluded from this definition but a processor could include a supplier which handles personal data on the controllers behalf (for example Microsoft will be a processor on behalf of any data stored in Microsoft Outlook).
processing is any operation or set of operations performed on the personal data and includes collecting, recording, holding, organising, amending, retrieving, using, structuring, storing, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
special categories of personal data means information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. These special categories of personal data can only be processed under strict conditions.
Generally, we will not process any special categories of personal data or criminal convictions data unless we have the data subject’s explicit consent (subject to some limited circumstances in relation to employees).
6 Data protection principles
When we process personal data, we must comply with the six data protection principles. The six principles are as follows:
lawfulness, fairness and transparency | personal data shall be processed lawfully, fairly and in a transparent manner |
purpose limitation | personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes |
data minimisation | personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed |
accuracy | personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay |
storage limitation | personal data shall not be kept in a form which permits identification of individuals for longer than is necessary for the purposes for which the personal data are processed |
integrity and confidentiality | personal data shall be processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, employing appropriate technical or organisational measures |
7 Registration with the ico
The Company is registered with the ICO under registration number ZA809102. This registration must be renewed annually.
8 How AND WHY we collect Personal Data
We collect only as much information as we need for specific identified purposes and we do not use it in a manner that is incompatible with that purpose. No matter how it is collected, recorded or used, we must always deal with personal data in accordance with this policy to ensure compliance with the Data Protection Legislation.
We inform individuals of the purposes at the time we collect their personal data in accordance with Data Protection Legislation by way of our Privacy Notice, a copy of which can be found on our website.
We follow the procedures set out in this policy to ensure that the personal data in our records is accurate and not held for longer than is necessary.
During the course of our business we acquire and process personal data about our customers which we require to carry out our business. We also acquire and process personal data about our staff for staff administration purposes. We do not act for or employ persons under 18 years of age and we will not ordinarily acquire or process personal information about children
During the course of our business we acquire and process personal data about:
- Individual customers.
- Our suppliers (including our professional advisers) for the purposes of receiving services and fulfilling our obligations in respect of that supplier relationship.
- Our staff for the purposes of fulfilling our legal obligations (such as carrying out right to work checks and compliance with health and safety and equality legislation), monitoring staff and managing staff welfare and training needs; and
- Other third parties, such as other professional advisers who are advising our customers, or employees at other organisations we come into contact with. The specific purposes for which we collect that data will vary depending on the identity of the third party providing the information and the nature of our relationship with them.
We collect information in a number of ways, including:
- Directly from the individual or through communications with them, i.e. application from the customer, or a job application and subsequent forms from a member of staff.
- Information from third parties, such as professional advisers, recruitment agents, credit reference agencies, or the lender in respect of a customer that has entered into a loan with them etc;
- Information that is collected when individuals use our website.
- From publicly accessible sources such as LinkedIn, Twitter etc.
9 What personal data we collect and our legal basis for processing
Customer data
As a credit broker, we will typically collect the following information from our customers or prospective customers:
- Basic personal information such as name, title, date of birth and/or age;
- Contact details such as email address, postal address and telephone number;
- Information about the finance they wish to obtain, such as the amount they wish to borrow;
- In respect of a probate advance, information about any inheritance estate the customer is due to receive, including their relationship with the deceased;
- Information from credit reference agencies or fraud prevention agencies;
- Information about visits to our website, and the device used to access the website;
- Other personal details that the customer choose to provide on the website or via email or telephone.
We process customer data where necessary for the purposes of our contract for services with them, for our legitimate interests in providing our contractual services to them, or where necessary for compliance with a legal obligation to which we are subject, and with consent where none of the aforementioned bases for processing apply.
Supplier and other third party data
We will typically collect the following personal data:
- Name, email address, address, phone number and financial information (such as bank account details for payment of invoices).
- Information that is collected when individuals use our website(s), which may be used by us to identify and validate the individual’s use of the website, including information about their computer, including their IP address, operating system and browser type; and
- We will not ordinarily acquire special categories of personal data relating to suppliers and other third parties.
We process supplier data where necessary for the purposes of our contract for services with them, for our legitimate interests in managing a contract with their employer or other related party, where necessary for compliance with a legal obligation to which we are subject and with consent where none of the aforementioned bases for processing apply.
Staff data
As an employer, we will typically collect the following information:
- Name, residential address, phone number, bank account details, employment history, education, qualifications and family details;
- Information from outside sources such as referees, recruitment agencies, and the UK government’s Disclosure and Barring Service; and
- Special categories of personal data primarily comprising health information to enable us to comply with our legal obligations under employment legislation and health and safety legislation.
- The Company will process personal data about its employees in accordance with the ICO’s Employment Practices Code. https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf. This will include carrying out checks from time to time to ensure that records are not irrelevant, excessive or out-of-date.
We process employee data where necessary for the purposes of our contract with employees or for compliance with a legal obligation to which we are subject (for example in relation to tax and health and safety compliance) and with consent where none of the aforementioned bases for processing apply (for example, in respect of the offer of employee benefits in respect of which employees may choose to opt in to receive information from a third party supplier, e.g. pension or health cover provider).
10 Credit reference and fraud prevention agencies
A lender that we pass a customer’s information to may run a check with credit reference agencies (CRAs) and fraud prevention agencies to make a decision as to whether to provide the customer with a loan. If the loan application is refused by one of our partner lenders on the basis of information they have received from CRA, they must inform the customer of this and provide them with the details of the agency concerned.
Separately, when a customer makes a loan application through our website, we may pass the customer’s information to credit reference agencies and fraud prevention agencies to verify their identity and allow the lender to ‘pre-approve’ the loan prior to receiving the requisite probate documents.
More information about CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and data protection rights with the CRAs are explained in more detail in the CRA information notice (CRAIN) available at: https://www.experian.co.uk/crain/index.html
If false or inaccurate information is provided and fraud is identified, details will be passed to fraud prevention agencies. Law enforcement agencies may access and use this information. We and other organisations may also access and use this information to prevent fraud and money laundering.
11 Rights of individuals
Under Data Protection Legislation, data subjects have various rights in respect of the use of their personal data, in addition to the right to be informed (which we comply with by providing individuals with a copy of our Privacy Notice). Data subjects may contact the Company in order to exercise their rights and it is important that all staff are aware of requests that we may receive, either verbally or in writing. The rights of individuals are summarised below, please ensure that you are familiar with these rights so you can identify when a request is made.
If you receive, or think you may have received, a request from an individual to exercise any of their rights under Data Protection Legislation, you must notify the HDP immediately at [email protected].
Under Data Protection Legislation, Provira is required to provide information to individuals without undue delay and, in some cases, no later than one month from receipt of a valid request. Under Article 12(3) of the UK GDPR this period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We must inform the data subject of any extension within one month of receipt of the request, along with reasons for the delay.
It is therefore important that all relevant information is passed to the HDP so that the request can be dealt with appropriately.
11.1 Right to access (article 15 UK GDPR)
A data subject is entitled to be informed if any of their personal data is being processed and, if that is the case, to be provided with a copy of the personal data. This is more commonly known as submitting a “Data Subject Access Request” or “DSAR”.
No charge may be made, unless the request is manifestly unfounded or excessive, in which case a reasonable fee may be payable.
All DSARs must be immediately reported to the HDP for consideration. The Data Protection Legislation places strict timeframes on complying with a DSAR and so prompt reporting is essential.
11.2 Right to erasure (or ‘right to be forgotten’) (article 17 UK GDPR)
A data subject is entitled to request that any personal data held about them is deleted without undue delay in the following circumstances:
- The personal data are no longer necessary in relation to the purposes for which they were collected;
- If the processing of personal data is based upon the consent of the data subject, the data subject withdraws their consent and there are no other legal grounds for processing;
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- The personal data have been unlawfully processed; or
- The personal data have to be erased in order to comply with a legal obligation.
The limited scope of this right means that we are not required to erase the personal data of existing customers or staff where we still have a necessity to keep it. In addition, even where one of the above conditions apply there are circumstances in which we may refuse to comply with a request in accordance with article 17(3) UK GDPR, including where the continued processing is necessary for compliance with a legal obligation to which we are subject.
However where we are processing personal data on the basis of consent which is withdrawn and we have no other reason to retain it we will be required to erase it in response to such a request. The HDP should be contacted in all cases to determine how to respond to such a request.
11.3 Right to rectification (article 16 UK GDPR)
A data subject is entitled to request that any personal data held about them that is inaccurate is rectified. If personal data is incomplete, the data subject has the right for that data to be completed.
11.4 Right to restriction of processing (article 18 UK GDPR)
A data subject is entitled to request that any personal data held about them is restricted (i.e. blocked or suppressed) in the following circumstances:
- The accuracy of the personal data is contested by the data subject; in such cases the data may be restricted for the period it takes for Provira to verify the accuracy of it;
- When processing is unlawful and the data subject opposes erasure and requests restriction instead;
- Provira no longer needs the personal data for the purposes of the processing but the data subject requires the data to establish, exercise or defend legal claims; and
- The data subject has objected to processing (where it was necessary for the performance of a public interest task or legitimate interest purposes) and the Company is considering whether its legitimate grounds override the rights of the individual.
When processing is restricted we are entitled to store the personal data but we cannot process it in any other way.
11.5 Right for data to be transferred to a third party (or right to ‘data portability’) (article 20 UK GDPR)
A data subject is entitled to receive certain types of their personal data we process and which they have provided to us in a structured, commonly used and machine-readable format and to transmit that data to another controller. This means that data subjects can obtain and reuse their personal data for their own purposes across different services and move, copy or transfer it from one IT environment to another.
11.6 Right to object (article 21 UK GDPR)
A data subject has the right to object to:
- Direct marketing;
- processing based on legitimate interests or the performance of a public interest task provided they have grounds relating to their particular situation (unless Provira, as the controller, can demonstrate compelling legitimate grounds for the processing which override the rights of the individual or if the processing is for the establishment, exercise or defence of legal claims); and
- Processing for scientific or historical research purposes or statistical purposes (unless the processing is necessary for the performance of a task carried out for reasons of public interest).
Any objections received from a data subject should be referred to the HDP for consideration.
11.7 Rights related to automated decision making including profiling (article 22 UK GDPR)
Automated individual decision-making is a decision made by automated means without any human involvement (for example, a recruitment aptitude test which uses pre-programmed algorithms and criteria). We do not rely solely upon automated decision making and all applications are carefully reviewed by experienced professionals.
Provira uses limited automated decision software provided by third parties to verify customers’ identities for anti-fraud and anti-money laundering checks. Accordingly, whilst the Company makes decisions based on automated processing, all decisions are subject to manual oversight and as such this right does not apply. However, you should still be able to recognise when a request related to automated decision-marking or profiling is received so that it can be reported to the HDP who can respond appropriately.
11.8 Right to complain to the ICO
Data subjects, including staff, have a right to complain to the ICO about how their personal data has been handled. Complaints can be made to Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; telephone number: 0303 123 1113.
12 Accuracy of personal data
We must ensure that the personal data we collect, record and use is accurate and up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals thereafter. All errors and mistakes should be rectified as soon as reasonably practical after the mistake has been discovered. In some instances it will be sufficient to correct the error and not make reference to the earlier mistake. However, the fact that a mistake has been made should be recorded where the mistake has had an effect on the individual or may have such an effect.
13 Data retention
We must ensure that the personal data we process is not kept for longer than necessary.
To comply with this principle, we have established defined periods for which it will retain different types of information. These periods are reasonable and proportionate in each case.
Once a retention period has expired, unless there is a reasonable and justifiable need to retain such information (for example, ongoing litigation) it should be securely deleted.
Please see Appendix 1 for details of our retention periods and destruction procedures.
14 Transferring personal data to third parties
From time to time it may be necessary for Provira to transfer data to third parties. For example, we may transfer personal data to:
- Refer customers to a finance provider, or to enable the lender to make a lending decision and enter into a loan with customers;
- Comply with our legal obligations (for example informing HM Revenue & Customs about payments to our staff);
- Search their records (for example if we do identity verification checks on customers);
- Enable them to work on our behalf or provide us with advice (e.g. third party advisors, suppliers or service providers); or
- If Provira, or substantially all of its assets, are acquired by a third party.
Before we supply such data we must have established an appropriate legal basis for the transfer.
In most cases, we should also have entered into a written agreement with the third party regarding the use of the data and confirmation that they will only use the data for the agreed purpose. Where the data is being shared with a third party processor, the agreement in place must contain the prescribed clauses required by article 28 UK GDPR.
The Company does not transfer any personal data outside of the UK.
15 Data security
Provira must ensure that appropriate technical and organisational measures are implemented to ensure security of processing and protections against unauthorised or unlawful processing of personal data, and against the accidental loss or destruction of, or damage to, personal data. Individuals may apply to the courts for compensation if they have suffered damage arising from any such processing or loss of data.
We have put in place procedures to maintain the security of all personal data from the point of collection to the point of destruction.
In particular we seek to maintain:
- The confidentiality of personal data – only individuals who are authorised to process the relevant personal data can access it (and access rights are regularly reviewed to ensure they remain appropriate) and personal data shall only be disclosed to third parties in accordance with section 14 (Transferring Personal Data to Third Parties) of this policy;
- The integrity of personal data – all personal data should be accurate, adequate and suitable for the purpose for which it is processed; and
- The availability of personal data – authorised users should be able to access the data if they need it for authorised purposes.
We have also implemented various technical and organisational measures to ensure the security of personal data, and include but are not limited to:
Technical measures
- Protection against malicious software or viruses (software should not be installed from removable media or downloaded from the internet without virus checking it first).
- Using secure internet links or secure file transfer protocol where personal data is transferred out of the Company electronically.
- Backing up data should be taken of all data on our systems; data should not be stored on local drives or exchangeable media as these will not be backed up.
- User access controls such as passwords and where appropriate, multi-factor authentication.
- Secure destruction or deletion of data via shredding and secure disposal of computer equipment and removable media.
- Secure disposal of equipment or its re-use/re-conditioning.
- Regular technical audits.
- Vulnerability assessments.
Organisational measures
- Entry controls to premises (visitors must sign in at reception and must be escorted around the premises at all times).
- Secure access to computer facilities (keypads or locks on doors; authorised personnel allowed access only).
- Where data is taken off site, you must use encrypted devices or other appropriate measures.
- Equipment – if you are leaving your PC unattended then ensure that you have locked the screen. Even while at your PC, you should make sure anyone who passes by is unable to see your monitor.
- Secure lockable hard-copy filing system (hard copy confidential documents, such as HR documents, are kept in locked cabinets to which only authorised individuals have access).
- Secure methods of disposal – Hard-copy and electronic documents are sanitised, removed and destroyed in accordance with the Company’s data retention procedures (as detailed in this policy).
16 Data security breach
If there is a breach or suspected, threatened or potential breach of security in respect of any personal data or any other confidential documents, you must immediately report this to the HDP.
Examples of data security breaches include:
- Personal data accidentally being sent to someone (either internally or externally) who does not have a legitimate need to see it (for example by sending an email to the wrong recipient);
- Databases containing personal data being compromised, for example as the result of a cybersecurity breach or the Company being “hacked”;
- The loss or theft of laptops, mobile devices or paper records containing personal data;
- Papers not properly disposed of in secure disposal bins;
- Staff accessing or disclosing personal data outside the requirements or authorisation of their job;
- Being deceived by a third party into improperly releasing the personal data of another person; or
- The loss of personal data due to unforeseen circumstances such as fire or flood.
It is the Company’s policy that all employees must report any realised or suspected data breaches to the HDP as soon as discovered and no later than 24 hours of the occurrence. You can do so by emailing [email protected].
The HDP will keep a log of all breaches and take any further action required including:
- Notifying a personal data breach to the supervisory authority (the ICO) within 72 hours of having become aware of such breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons; and
- Communicating the breach to the affected data subject(s) without undue delay, unless the data is encrypted or otherwise unintelligible to unauthorised parties, measures have been taken such that the risk to rights and freedoms is unlikely to materialise or it would involve disproportionate effort (in which case a public communication may be made).
17 Staff obligations
All staff will:
- Observe all forms of guidance, codes of practice and procedures about the collection and use of personal data;
- Complete all training and periodic eLearning required by the Company;
- Understand fully the purposes for which the Company uses personal data;
- Only collect and process personal data in accordance with the purposes for which it is to be processed by the Company to meet its business needs or legal requirements;
- Only access personal data that they require to carry out their jobs properly;
- Ensure that the personal data held by the Company in relation to them is accurate, complete and up-to-date;
- Ensure personal data is correctly inputted into the Company’s systems by following our standard procedures;
- Ensure personal data is destroyed securely when it is no longer required, in accordance with section 13 (Data Retention) of this policy and Appendix 1;
- Immediately notify the HDP on receipt of a data subject request from an individual in accordance with section 11 of this policy;
- Ensure that no personal data about a fellow member of staff, customer or supplier is disclosed on social networking sites or elsewhere online, including but not limited to LinkedIn, Facebook, Twitter and other online forums and social media sites (such disclosure may amount to breach of the Data Protection Legislation and this policy); and
- Be responsible for complying with this policy.
18 The Company’s obligations
The Company will:
- Be responsible for complying with this policy;
- Ensure that there is always one person with overall responsibility for ensuring compliance with the Data Protection Legislation and this policy. This will be the HDP whose details are set out above;
- Provide training for all staff members who handle personal data (if an employee is unsure of his or her responsibilities he or she should the HDP who will consider whether further training is necessary);
- Provide clear lines of reporting and supervision for compliance with the Data Protection Legislation and this policy;
- Maintain an accurate and up-to-date registration with the ICO as a data controller;
- Maintain and update its records of processing activities under its responsibility and make such records available to the ICO on request, as required under Article 30 of the UK GDPR;
- Undertake suitable and sufficient monitoring, including spot checks without notice, to ensure that the Data Protection Legislation and this policy are being complied with by the Company and all members of staff;
- Implement appropriate technical and organisational measures to ensure the safety and security of personal data which is processed by the Company; and
- Adopt best practices in relation to the obligations placed on the Company as a data controller, in particular it will observe all relevant codes of conduct, regulations and guidance issued by the ICO in relation to the processing of personal data.
19 Failure to comply with this policy
Compliance with our data protection procedures is vital and is closely monitored and enforced. Any breach of this policy will be taken seriously and will be dealt with under the Company’s formal disciplinary procedure and in serious cases may be treated as gross misconduct leading to summary dismissal or (in the context of self-employed agents) as a potential contractual breach.
Where offences have been committed, for example involving dishonesty or fraud, criminal proceedings which may result in a fine or imprisonment. Managers and Directors may also be prosecuted if the offence was committed with their consent or collusion or by virtue of their neglect.
In addition to the restrictions on data use which are contained in Data Protection Legislation, employees should also be aware that a person may be committing an offence under the Computer Misuse Act 1990 where, without appropriate authorisation, they access computer programs or data or they modify the contents of any computer.
If you are ever in doubt about how to carry out a piece of work or answer a call – STOP and get advice from the HDP at [email protected].
20 review of this policy
The Company’s approach to data protection is kept under regular review and will be adjusted and optimised based on such monitoring.
This policy (and its underlying procedures) will be reviewed by the HDP at least annually, or more regularly in relation to regulatory developments or any specific issues that are identified through our monitoring.
Appendix 1 – DATA RETENTION
The data protection principles under Data Protection Legislation are set out within our Data Protection Policy at Section 6. In accordance with these principles, the personal data which is processed by the Company must be adequate, relevant and limited to what is necessary and not kept for longer than is necessary.
To ensure that the personal data we process is not kept for longer than is necessary, the Company has defined periods for which it will retain different types of information. Once a retention period has expired, and unless there is a reasonable and justifiable need to retain information (for example, ongoing litigation), the relevant information should be securely deleted.
Statutory books and registers
Record type | Retention period |
Certificate of incorporation | Permanently |
Change of name certificates | Permanently |
Shareholder register and other statutory registers | Permanently |
Board minutes | Permanently |
Minutes of shareholder meetings | Permanently |
Central business records
Record type | Retention period |
Accounts records | 7 years |
Complaints records | 6 years from the conclusion of the complaint |
Major agreements of historical significance | Permanently |
HR records
Record type | Retention period |
Accident books, reports and records | 3 years from the date of the last entry (if an accident relates to a young adult – until that person reaches 21 years) |
Income tax and NI records and correspondence with HMRC | 7 years after the end of the financial year to which they relate |
Retirement Benefits Schemes—notifiable events | 6 years from the end of the scheme year in which the event took place |
Statutory Maternity Pay records | 3 years after the end of the tax year in which the maternity period ends |
Statutory Sick Pay records | 3 years after the end of the tax year to which they relate |
Application forms and interview notes for unsuccessful candidates (the same data for successful candidates will be transferred to their Personnel files – see Personnel files below) | 1 year |
Parental leave records | 5 years from the birth or adoption of the child or 18 years if the child receives a disability allowance |
Pension scheme investment policies | 12 years from the end of any benefit payable under the policy |
Personnel files and training records (including identification checks, immigration checks, disciplinary records and working time records) | 6 years after employment ceases |
Redundancy records | 6 years from date of redundancy |
CCTV
Record type | Retention period |
Images captured through CCTV | 2 weeks from the date of recording in accordance with the CCTV system overwrite system |
Customer records
Record type | Retention period |
Customer Application Data | Personal information is anonymised 5 years after the application date (where no loan was issued) |
Customer Loan Data | Personal information is anonymised 5 years after the loan is fully repaid (where a loan was successfully issued) |
Appendix 2 – Data security breach procedure
A data security breach is defined in the UK GDPR as:
‘Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’.
Breaches may be caused by accidental or deliberate means and are not just limited to loss of personal data. It can include any event affecting the confidentiality, integrity or availability of personal data.
Data security breaches include confirmed, suspected, threatened or potential incidents.
As a data controller we are required to undertake certain actions in respect of a data security breach as follows:
Report a breach to our supervisory authority, the ICO, without undue delay and where feasible not later than 72 hours of becoming aware of the breach (unless it is unlikely to result in a risk to the rights and freedoms of natural persons), providing the following information:
- Nature of the breach;
- Categories and approximate number of affected individuals (where possible);
- Categories and approximate number of affected personal data records (where possible);
- Name and contact details of DPO;
- Likely consequences of breach; and
- Measures taken or planned by the data controller to address the breach including measures to reduce adverse effects, if applicable.
Notify individuals without delay if the breach is likely to result in a high risk of adversely affecting their rights and freedoms, providing the following information in clear and plain English:
- The nature of the data security breach;
- The name and contact details of a contact who can provide more information if required (the HDP);
- Likely consequences of the breach; and
- Measures taken or planned to address the breach including measures to reduce adverse effects, if applicable.
Keep a record of the breach, its effects and the remedial action taken (the Data Breach Register). In accordance with our obligations under the UK GDPR, article 33(5), we are required to maintain a Data Breach Register containing at least (a) the facts relating to the breach, (b) the effects of the breach and (c) the remedial action taken in response. This document is held and maintained by the HDP.
In addition if we process personal data on behalf of another data controller we must notify that data controller without delay after becoming aware of a data security breach.
Data security breach responsibilities
For staff
All staff are responsible for immediately reporting actual, suspected, threatened or potential information security incidents to the HDP and for assisting with investigations as required, particularly if urgent action must be taken to prevent further damage.
For the HDP
Once a data breach has been reported an initial assessment should be made to establish the severity of the breach and establish a data breach response team where appropriate.
The HDP will prioritise any investigation, afford it adequate resources and expedite it urgently to determine whether the supervisory authority or affected individuals are required to be notified. If reports are required to be made to the supervisory authority and affected individuals these will be made within the statutory prescribed timeframe. If full details cannot be provided to the supervisory authority we will provide as much information as possible with an explanation of the reasons for the delay and an indicative timetable for follow up reporting.
The HDP will be responsible for overseeing the implementation of this procedure and training in respect of it, as well as managing any breach and for updating the Data Breach Register. Suitable delegation may be appropriate in some circumstances.
Data Breach Management Plan
The management response to any reported data security breach co-ordinated by the DPO will involve the following four elements, in this order of priority.
1 Containment and recovery.
2. Assessment of risks.
3. Further notification.
4. Evaluation and response.
Each of these four elements should be conducted and recorded on the Data Breach Register, which should include a timeline of the incident management.