1 Introduction

Dustair is committed to conducting its business in accordance with all applicable data protection laws and its ethical and moral obligations.

This policy sets out how we at Dustair will meet our data protection obligations, and how the third parties we work with will meet their obligations to our business and to the personal data they process on our behalf or because of the business relationship with them.

We recognise that changes to data protection laws and codes of practice, and the outcome of case law, may, depending on what they are, have an impact on what we do and how we do it. We intend to stay abreast of any such changes and make necessary adjustments to our processing activities or documentation as a result.

All documentation will be reviewed at least annually and shall be supported, where applicable, by the results of risk assessments, privacy impact assessments or changes to the way we do business which in turn change the nature of what we do and how we do it where personal data are concerned.

2 Scope

This policy applies to the personal data that are processed by Dustair, whether that be for employees, members of the society or any third parties we work with.

This data protection policy shall set out the reasons why data protection is important, what the Dustair stance is on meeting data protection obligations, contacts and responsibilities and how violations are dealt with.

This data protection policy shall be supported by further documentation that shall include:

  • How to deal with a subject access request
  • Breach notification policy
  • Privacy impact assessment templates and guidelines for use
  • Supplier due diligence process
  • Business Continuity plan

Our privacy notice sets out the personal data we process on our membership.

3 Importance of data protection

As individuals, we all have the right to have our personal data managed in a manner which is compliant with the law, law that protects our rights to privacy.

The Data Protection Act describes how organisations, including Dustair, must collect, handle, store, share and dispose of personal data. These rules apply whether the data is electronic, hard copy or other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act is underpinned by Data Protection Principles.

4 Principles relating to processing

We will in all instances be completely fair and transparent in the processing we do and act in accordance with all laws, not just data protection laws. It’s our duty to provide those individuals whose data we process with a privacy notice prior to the processing of their data, setting out what we intend to do with their data and why it will be processed, along with other important information such as how long it will be retained for and which other parties may have access to it.

Dustair is the data controller and, depending on the data, chooses an appropriate legal condition for processing; this may differ depending on the data in question. We have set out in our privacy notice the different sets of data, what the purposes are for processing and the legal condition for processing.

As far as employees’ data is concerned, all processing activities are related to employment matters, for. There are also special category data which are processed in relation to your employment with Dustair and are processed in relation to sickness or injury. We don’t process this data for any other reason and our processing of this is documented in a separate policy referring specifically to the special category data we process.

You can find out more in the employee privacy notice.

We understand the importance of keeping your information up to date. After all, if you’re processing personal data, we need to make sure it’s accurate; there is no point in having it otherwise. Naturally, we want to make those changes as quickly as possible, so just let us know of any changes so we can make this happen. Don’t worry, we’ll remind you annually on your renewal form, but we’d prefer to capture it as soon as possible.

It is important to us, and to you, that we only process the data that is absolutely necessary for the purpose that we have set out. You will find that the forms we use for data capture, along with the data we hold, are kept to a minimum and that data will be retained only as long as necessary to achieve the purpose for which it was obtained in the first place. This information about retention can be found in the retention schedule.

We also want to make sure that the only people who see your personal data are those who need to see it for the purpose of their employment, the administration of the business and looking after the customer orders. Access to all personal information is controlled in line with our access control statement as part of security of processing and is on a need-to-know basis.

We have assessed the risks associated with the personal data we hold and have taken a risk-based approach to its processing. Those risks are to the confidentiality, integrity and availability of our information. For example:

Confidentiality: For example – Information not being secured and being given out inappropriately.

Integrity: For example – Allowing data to be changed when it shouldn’t be.

Availability: For example – Not having the access to information when it is needed.

Our technical measures are robust, are assessed at least annually or as the risks to our business change, and are updated accordingly.

Similarly, our organisational measures are reviewed at least annually (or with changes to the business, codes of practice or case law that might influence change) and, should changes be necessary, they are made.

As part of that risk-based approach, our ethical and moral obligations and our desire to keep privacy at the core of how we behave, where there are changes to, or new, systems, technology or processes, we will consider the necessity of conducting a privacy impact assessment and take on board the outcome prior to progressing with any of those changes. Our Privacy Impact Assessment template and guidelines for use support this policy, along with our approach to privacy by design (keeping privacy at the core of what we do).

5 Contacts and Responsibility

Who does what and who’s responsible for it? It’s a great question, and we’re all responsible for it. As a business we all have access to, and process, varying degrees of personal data. As a result, we must all understand what our responsibilities are to confidentiality and the data protection principles.

Our collective knowledge and understanding along with our approach to privacy by design is what will give our members, employees and other stakeholders confidence in what and how we do things.

Whilst Ian Marshall is responsible for ensuring that the Dustair meets its data protection obligation on a day-to-day basis, the board are ultimately responsible.

It is Ian Marshall’s responsibility to:

  • Ensure he is kept up to date with data protection responsibilities, risks and issues.
  • Review and update where necessary data protection procedures and policies in line with an agreed annual schedule.
  • Arrange data protection training and advice for all employees of the Dustair.
  • Handle any data protection related questions.
  • Deal with any individual that wishes to exercise their data subject rights.
  • Carry out due diligence and contract review with data processors and potential data processors.
  • Ensure that the IT systems are fit for purpose and any security controls in place are based on risk and proportionality.

Collective general expectations of staff at the Dustair are:

  • The only people that are able to access data covered by this policy should be those who need it for their work.
  • Data should not be shared informally. Should access to confidential information be necessary, this should be sought from (Name).
  • Dustair will provide all employees training on an annual basis to those that require it, to help them understand and stay on top of their responsibilities when handling data.
  • Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
  • Personal data should not be disclosed to unauthorised people, either within the company or external.
  • The opinion of Ian Marshall should be sought if one is unsure of any aspect of data protection and how it should be handled.
  • All employees are under a duty of confidence with regards to personal data.
  • Data should be held in as few places as necessary. Unnecessary copies should not be made.

6 Retention

As a business we don’t like to keep hold of personal data that we don’t need. When it’s time to destroy documents containing personal data, we check them to make sure we don’t need to retain them any longer. If they don’t need to be retained, then we’ll shred them confidentially on the premises (using one of the office shredders) and electronically destroy or anonymise personal data. If they do need to be kept for any reason, we’ll review, make a note and set a new date.

See the records retention schedule for timeframes against data.

7 Security of processing

It stands to reason that we and you don’t want people accessing your personal information unless it is authorised or necessary for the purpose we have gathered it for. The same goes for our commercial information, and we have conducted a risk assessment which has helped us determine how we will protect your personal information and the business’s commercial information.

Appropriate organisational and technical measures have been employed by Dustair to stop unauthorised access and protect the confidentiality and integrity of the information we hold.

Like every business, what makes us successful is our team. You’re part of that team now and we need you to do your bit in protecting our business and your colleagues’, customers’ and suppliers’ data. If you see something that could compromise any of the above, or is contradictory to this or other such supporting data protection and information security policies/processes, we’d hope and expect you to bring it to your manager’s attention. After all, a compromise isn’t good for the individual or the business and we need to do everything within our power to stop it happening.

As we review our internal policies/processes at least annually, it’s an ideal opportunity to see what is and isn’t working. If something’s not working, we need to identify why and make the changes; your help and support in this process is crucial. Nobody wants to be doing something that doesn’t work, and identifying the problem and the solution can only make us more secure and compliant.

Key points to assist in the security of information at the Dustair:

  • A strong passphrase should always be used. This would be a passphrase made up of three or more unconnected words, which should not be shared, or written down and made available to others. It should also only be used on a single system and shall be changed every *** days.
  • When data is stored on paper it should be kept secure and away from where unauthorised people can see it. This includes the clear desk policy that we have in place, and paper that has been printed on should not be left unattended on a printer.
  • When not required, paper or files should be kept secured in a locked drawer and cabinet, with nothing left out on desks.
  • Any printouts and other pieces of paper that have personal data on them should be shredded and disposed of securely when they are no longer required.
  • Electronic data should only be saved to the locations indicated on the network, never to the hard drive or desktop of the machine, and should not be shared with unauthorised people.
  • Backups are done every day.
  • When monitor screens are left unattended they shall be locked.
  • Visitors on the premises shall be accompanied at all times.
  • Access to systems shall be determined based on role within the business and formally given on first day of employment. Should roles change, access to certain systems and information may change as a result. Access shall be revoked prior to a member of staff leaving the business. See Access Control Policy.
  • Removable media (USB sticks, CDs) of any sort are not permitted within the business.

8 Classification of data

At the Dustair, we operate a data classification policy to enable staff to make the right decisions about how different pieces of personal data are handled. We split personal data into three categories:

Public: This is information that we are happy being in the public domain, information such as marketing material or the information on our website.

There is little control over this.

Confidential: Information that contains business details or business contract details. Customer data.

Access is limited to least privilege, should not be reproduced and shall be shredded.

Strictly confidential: This is all other information such as personnel records and any payment data.

It should be strictly controlled, shredded if hard copy and, if communicated electronically, sent through encrypted means.

9 Data subject rights

There are eight rights we all have as individuals.

9.1 The right to be informed

Individuals have the right to be given a “fair processing notice, privacy notice or transparency notice”; we all want to know what is going to happen with our personal data and why, how long it’s going to be kept for and what to do if we’re not happy with the way in which it is being used.

A privacy notice will give you a clear picture of what we do with personal data and how we do it. This notice must be provided either at the first time of contact with the individual or within 30 days if we have obtained their data via a third party.

9.2 The right to access (Subject Access Requests)

We all have the right to know what personal data a business holds and processes on us. There may be an occasion where you get asked the question or want to know yourself. If this is the case, direct the enquiry to Ian Marshall immediately. We only have a short amount of time (30 days) in which to respond and want to ensure that we respond in the correct and appropriate manner.

9.3 Right to rectification

Having accurate data is critical; inaccurate data helps nobody. Individuals have the right to amend (rectify) their data if they believe it is inaccurate or incomplete. It’s important that these changes are done immediately.

9.4 Right to Erasure

If an individual wishes to exercise this right, it will be the business’s decision whether or not to do so, based on a number of factors. In the first instance, should someone suggest they wish to exercise this right, refer them to Ian Marshall.

9.5 Right to restrict processing and Right to object to processing

As with the right to erasure, should an individual wish to exercise these rights, raise the matter immediately with Ian Marshall.

9.6 Right to portability

Given the nature of how Dustair operates, this is not something that we would need to comply with.