Clicky

Current Vacancies
Menu

Electronic Data Protection Policy

Policy Statement

All organisations that process personal data are required to comply with data protection legislation. This includes the Data Protection Act 1998 (or its successor) and the EU General Data Protection Regulation (together the ‘Data Protection Laws’). These laws give individuals (known as ‘data subjects’) certain rights over their personal data while imposing obligations on organisations that process their data.

System People Ltd (“the Company”) collects and processes both personal data and sensitive personal data. The Company must do so to comply with legislation and operational requirements. This policy outlines how the Company implements the Data Protection Laws.

Definitions

  • Consent: Freely given, specific, informed and unambiguous agreement to the processing of personal data.
  • Data Controller: Determines the purposes and means of processing personal data.
  • Data Processor: Processes data on behalf of the controller.
  • Personal Data: Information identifying an individual directly or indirectly.
  • Personal Data Breach: Accidental or unlawful access, destruction, loss or disclosure of personal data.
  • Processing: Any operation on personal data (e.g. collection, storage, deletion).
  • Profiling: Automated processing to analyse or predict personal characteristics.
  • Pseudonymisation: Processing data to make it non-identifiable without additional information.
  • Sensitive Personal Data: Includes racial/ethnic origin, political opinions, health data, and more.
  • Supervisory Authority: In the UK, this is the Information Commissioner’s Office (ICO).

Data Processing

The Company is a Data Controller under the Data Protection Laws. It processes data relating to:

  • Staff administration
  • Marketing and PR
  • Accounts and records
  • Work-seeker data for employment services
  • Client data for staffing services

Data Protection Principles

Personal data must be:

  • Processed lawfully, fairly and transparently
  • Collected for specified purposes
  • Adequate and limited to what’s necessary
  • Accurate and kept up-to-date
  • Retained only as long as necessary
  • Securely processed
  • Managed with accountability and documented compliance

Legal Bases for Processing

The Company processes personal data only when it has a legal basis, including:

  • Consent
  • Contract performance
  • Legal obligations
  • Vital interests
  • Public interest
  • Legitimate interests

Privacy by Design

The Company incorporates data protection into processing activities by:

  • Minimising data
  • Pseudonymising/anonymising data
  • Securing data systems

Individual Rights

The Company will respond to individuals exercising their data rights:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Portability
  • Objection to Processing

Privacy Notices

Issued at the time of data collection, or within one month if collected indirectly.

Subject Access, Rectification, and Erasure

Handled in accordance with GDPR. Third parties will be informed where appropriate.

Restriction, Portability, and Objection

Requests will be assessed and responded to within one month. Where complex, this may be extended.

Automated Decision-Making

Only permitted under strict legal or contractual conditions. No profiling of children.

Meeting Recordings

Recordings are not permitted unless agreed by all attendees. Unauthorised recording is misconduct.

Recording Storage

Recordings must be securely stored, retained only as long as necessary, and disposed of securely.

Personal Data Breaches

Reporting: Report all breaches to Tony Higgins, Funding & Development Director.

As Data Controller: If risk exists, notify the ICO. If outside the UK, notify the relevant supervisory authority.

As Data Processor: Notify the controller as soon as the breach is known.

Communication: Affected individuals will be notified unless mitigated or disproportionate.

Home Working

Staff must:

  • Use only approved devices
  • Maintain network security
  • Log out of systems when unattended
  • Secure printed documents
  • Follow encryption and disposal policies

Compliance

This policy is part of staff training and compliance. Breaches may lead to disciplinary action.

Human Rights

The Company respects individuals’ rights under the Human Rights Act 1998:

  • Privacy
  • Expression
  • Belief
  • Assembly
  • Freedom from discrimination

Complaints

Contact: Tony Higgins, Managing Director, System People Ltd or the ICO at ico.org.uk

Review

This policy is approved by the Board and reviewed bi-annually.

Annex A – Legal Bases for Processing

Personal Data

  • Consent
  • Contract
  • Legal obligation
  • Vital interest
  • Public interest
  • Legitimate interest

Sensitive Personal Data

  • Explicit consent
  • Employment law obligations
  • Vital interests
  • Not-for-profit organisations
  • Public data
  • Legal claims
  • Public interest
  • Healthcare management
  • Public health
  • Archiving and research