Hudson James Human Capital Group Limited
1. ABOUT THIS DOCUMENT
2. DATA PROTECTION PRINCIPLES
3. TYPES OF PROTECTION WE INCORPORATE
4. FAIR AND LAWFUL PROCESSING
5. HOW WE ARE LIKELY TO USE YOUR PERSONAL DATA
6. VISITING OUR WEBSITE
7. PROCESSING FOR LIMITED PURPOSES
8. ADEQUATE, RELEVANT AND NON-EXCESSIVE PROCESSING
9. ACCURATE DATA
10. DATA RETENTION
11. PROCESSING IN LINE WITH YOUR RIGHTS
12. DATA SECURITY
13. PROVIDING INFORMATION TO THIRD PARTIES
14. SUBJECT ACCESS REQUESTS
15. BREACHES OF DATA PROTECTION PRINCIPLES
16. FURTHER INFORMATION
1. About this document
1.1 During the course of our activities, we, Hudson James, will process personal data (which may be held on paper, electronically, or otherwise) and we recognise the need to treat it in an appropriate and lawful manner in accordance with the General Data Protection Regulation (GDPR) 2018. The purpose of this notice is to make you aware of how we handle and manage personal data you share with us and that we hold about you, including how we collect, process, protect and share that data.
2. Data protection principles
2.1 We will comply with the eight data protection principles in the DPA, which state that personal data must be:
- processed fairly and lawfully;
- processed for limited purposes and in an appropriate way;
- adequate, relevant and not excessive for the purpose;
- up to date and accurate;
- not kept longer than necessary for the purpose;
- processed in line with individuals’ rights;
- safe and secure;
- not transferred to people or organisations situated in countries without adequate protection.
2.2 “Personal data” means recorded information we hold about you from which you can be identified. It may include contact details, other personal information, photographs, expressions of opinion about you or indications as to our intentions about you. “Processing” means doing anything with the data, such as accessing, disclosing, destroying or using the data in any way.
3. Types of protection we incorporate
3.1 Below are the HJ-wide data protection requirements we incorporate across the whole of our business. This section shows you how your data is protected within our work environment on both IT and paper-based systems:
- heavily secured networked and standalone PCs;
- no use of the data on mobile devices not owned and covered by HJ-Group;
- data may be used only by individuals with contractual authorisation for data use;
- data use must be in the office environment described in the security plan or by HJ-Group owned devices;
- password-protected access to all computers and devices that can access the data;
- automatic activation of password-protection after five minutes of inactivity on computers and mobile devices;
- secure storage and encryption of all removable devices;
- printouts are stored in locked compartments or rooms when not in use and can only be accessed by authorised individuals;
- shredding of all detailed listings and printouts that are no longer needed;
- preparation and maintenance of logs of all data files acquired as well as dates that data and paperwork are received and returned or destroyed;
- pledge to destroy or return all files containing Restricted Data 3 years after consent has been given;
- report any and all violations to the ICO and data subject through our heavily defined Breach Management Procedure;
- brief all staff that have access to the Restricted Data about our Data Protection Plan, appropriate data use, and penalties for inappropriate use.
4. Fair and lawful processing
4.1 We will only process your personal data where you have given your consent or where the processing is necessary to comply with our legal obligations. In other cases, processing may be necessary for the protection of your vital interests or your legitimate interests.
4.2 We will only process “sensitive personal data” about ethnic origin, political opinions, religious or similar beliefs, trade union membership, health, sex life, criminal proceedings or convictions, where a further condition is also met. This will mean that you have given your explicit consent, or that the processing is legally required for employment purposes. The full list of conditions is set out in the GDPR.
5. How we are likely to use your personal data
5.1 We will only process personal information under legitimate interest, explicit consent or to provide the service requested from us. We pride ourselves on these three principles and we will never deviate from them.
5.2 We may process sensitive personal data as appropriate:
- information about an employee’s physical or mental health or condition in order to take decisions as to the employee’s fitness for work;
- the employee’s racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation;
- in order to comply with legal requirements and obligations to third parties.
6. Visiting our website
Your Internet browser has the in-built facility for storing small files – “cookies” – that hold information which allows a website to recognise your account. Our website takes advantage of this facility to enhance your experience. You have the ability to prevent your computer from accepting cookies but, if you do, certain functionality on the website may be impaired.
We use Google Analytics and cookies to gather general information about visitors to our websites in order to better understand how our websites are used. We may share this general information with trusted third parties so they too may understand how our websites are used.
However, you can opt out of the collection of your data by installing a browser add-on from the following link: https://tools.google.com/dlpage/gaoptout.
For browsers which cannot install a plugin, you can prevent further data collection by clicking here: Click Here to Opt Out of Google Analytics.
Our websites may contain links to external websites operated by other organisations. Those organisations may collect personal information from visitors to their site. We cannot guarantee the content or privacy practices of any external websites and do not accept responsibility for those websites.
Security – Hudson James Human Capital is committed to protecting the security of your personal information. We use a variety of measures, including but not limited to, firewalls and SSL encryption in order to protect your personal information from:
Unauthorised access, improper use or disclosure, unauthorised modification or alteration, unlawful or accidental loss.
7. Processing for limited purposes
We will only process your personal data for the specific purpose or purposes notified to you or for any other purposes specifically permitted by the GDPR.
8. Adequate, relevant and non-excessive processing
Your personal data will only be processed to the extent that it is necessary for the specific purposes notified to you.
9. Accurate data
We will keep the personal data we store about you accurate and up to date to the best of our ability. Data that is inaccurate or out of date will be amended or destroyed. Please notify us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you.
10. Data retention
We will not keep your personal data for longer than is necessary. This means that data will be destroyed or erased from our systems when it is no longer required. For guidance on how long certain data is likely to be kept and why before being destroyed, contact our DPO.
11. Processing in line with your rights
You have the right to:
- request access to any personal data we hold about you;
- prevent the processing of your data for direct-marketing purposes;
- ask to have inaccurate data held about you amended;
- prevent processing that is likely to cause unwarranted substantial damage or distress to you or anyone else;
- object to any decision that significantly affects you being taken solely by a computer or other automated process;
- the requirement to give express consent in certain circumstances;
- the right to withdraw consent;
- the right to be informed;
- the right to data portability;
- right to object;
- rights in relation to automated decision making and profiling;
- the right to rectification of incorrect or incomplete data;
- the right to erasure (the right to be ‘forgotten’).
12. Data security
12.1 We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
12.2 We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.
13. Providing information to third parties
13.1 We will only transfer your personal data to a third party if explicit consent is given. We do not condone the misuse or selling of personal data. To reinforce this, we only keep personal data on our systems for 3 years after explicit consent is given or 28 days when legitimate interest is in use. After this period, we vow to delete all information we hold on you and to contact all third parties we have distributed it to, instructing them to do the same.
Subject access requests
If you wish to know what personal data we hold about you, you must make the request in writing (e-mail). Note that you will be charged a fee if it is excessive or unfounded. All such written requests should be sent to the DPO.
14. Breaches of data protection principles
If you consider that the data protection principles have not been followed in respect of personal data about yourself or others you should raise the matter with our Data Protection Officer as soon as possible. We understand the information we receive is personal and that is why we take a very sensitive approach to how we handle it.
15. Further information
15.1 Further information or advice on the content or application of this policy is available from:
- Hudson James – Data Protection Officer (firstname.lastname@example.org)
- The Information Commissioner’s Office (ICO)