Marsh Industries Ltd

The board of directors have agreed that The Managing Director determines the purposes for which and the manner in which any personal data are held, or are to be processed.

The scope of policy

The policy applies to all sites and offices the Managing Director is responsible for. Marsh has instructed our agencies to ensure full compliance with all and future UK & EU legislation

Policy operational date

The policy will be reviewed every 3 years

Policy prepared by

The Directors of Marsh Industries

Date approved by Board/ Management Committee

This policy was approved on the 22nd January 2018

Policy review date

Review December 2024

Purpose of policy

Marsh Industries has introduced this policy:

• complying with the law
• following good practice
• protecting clients, staff and other individuals
• protecting the organisation

Types of data

Employees and customer details will be covered by this policy. For further data please visit the government website

Policy statement

Marsh Industries will:

• comply with both the law and good practice
• respect individuals’ rights
• be open and honest with individuals whose data is held
• provide training and support for staff who handle personal data, so that they can act confidently and consistently
• Notify the Information Commissioner voluntarily, even if this is not required

Please note the guidance from Marsh on when breaches should be reported as this is one of the main changes from the current Data Protection Act and GDPR

Key risks

Marsh Industries will to its best endeavours prevent

• information about data getting into the wrong hands, through poor security or inappropriate disclosure of information
• individuals being harmed through data being inaccurate or insufficient

The Board / Company Directors

Have overall responsibility for ensuring that the organisation complies with its legal obligations.

Data Protection Officer

The Managing Director is responsible for

• Briefing the Board on Data Protection responsibilities
• Reviewing Data Protection and related policies
• Advising other staff on tricky Data Protection issues
• Ensuring that Data Protection induction and training takes place
• Notification to the Board
• Handling subject access requests
• Approving unusual or controversial disclosures of personal data
• Approving contracts with Data Processors

Outside Organisations

Marsh will seek advice from the EEF, Northgate Arinso & its professional advisors to ensure compliance.

Employees & Volunteers

All staff and volunteers are required to read, understand and accept policies and procedures that relate to the personal data they may handle in the course of their work.

Enforcement

Breaches in compliance with Data Protection may result in disciplinary action

Scope

Business Continuity is included below but you may want to move this to a separate policy

Setting security levels

Brightwell Marketing & Blue Moon Computer Services will ensure adequate IT security systems are in place and maintained

Security measures

Marsh will ensure its IT, Computer consultants and marketing companies have a fully compliant system. The company Lawyers will address any breach in compliance by third parties.

Accuracy

Marsh will have measures in place to ensure data accuracy. For example, where information is taken over the telephone, how is it checked back with the individual? If the information is supplied by a third party, what steps will be taken to ensure or check its accuracy?

Updating

Please note the separate requirements for the data we hold. For example, we cannot keep CVs for more than 6 months unless we have express permission from the candidates

Storage

All information is stored electronically where ever possible

Retention periods

A maximum period of 2 years with permission from individuals

Archiving

The company stores invoices, its own bank information for 10 years employee data is held only when employed by the company

Responsibility

the directors are responsible for ensuring that right of access requests are handled within the legal time limit which is one month

Procedure for making request

Right of access requests must be in writing. There should be a clear responsibility for all employees to pass on anything which might be a subject access request to the appropriate person without delay.

Provision for verifying identity

Where the person managing the access procedure does not know the individual personally there should be provision for checking their identity before handing over any information

Procedure for granting access

If the request is made electronically, we will provide the information in a commonly used electronic format.

The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information

Commitment

Marsh will explain its commitment to ensuring that Data Subjects are aware that their data is being processed and

• for what purpose it is being processed
• what types of disclosure are likely, and
• how to exercise their rights in relation to the data

Procedure

When Marsh deems there are standard ways for each type of Data Subject to be informed, these will be given, for example:

• the handbook for employees
• in the welcome letter or pack for members, with occasional reminders in the newsletter
• during the initial interview with clients
• on the website

Responsibility

Individuals in the company are responsible for their actions when passing on information outside of working hours and the company premises.

Underlying principles

GDPR states we must record the lawful basis for the personal data we hold a

Opting out

Marsh Industries is not relying on consent, but will give people the opportunity to opt out of their data being used in particular ways

Withdrawing consent

Marsh the organisation may wish to acknowledge that, once given, consent can be withdrawn, but not retrospectively. There may be occasions where the organisation has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn

Induction

All employees who have access to any kind of personal data will have their responsibilities outlined during their induction procedures

Continuing training

There are opportunities to raise Data Protection issues during employee training, team meetings, supervisions, etc.

Procedure for staff signifying acceptance of policy

The policy will be included in the Company Handbook

Responsibility

The board of directors are responsible for the review

Procedure

Site Manager will be briefed on Data Protection regulation

Timing

Review will be completed by December 2020