Data Protection and Personal Data Policy

Data Protection and Personal Data Policy

Introduction and definitions

The UK General Data Protection Regulation (GDPR) protects the privacy and integrity of data held on individuals by businesses and other organisations.
 
GDPR is enforced in the UK by the Information Commissioner’s Office (ICO) with whom Lichfields is registered: registration number Z6193122.
 
Some helpful definitions:
 
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
 
Data Controller is the person, public authority, agency or body which, jointly or alone, determines the purposes and means of processing of personal data.
 
Data Processor is the person, public authority, agency or body which processes personal data on behalf of the data controller.
 
Data Protection Officer (DPO) is the person who ensures Lichfields adheres to the policies and procedures set forth in the GDPR. 
 
As your employer, Lichfields needs to keep and process information about you for normal employment purposes. The information we hold and process will be used for our management and administrative use only. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left. This includes using information to enable us to comply with the employment contract, to comply with any legal requirements (including right to work checks), pursue the legitimate interests of the company and protect our legal position in the event of legal proceedings. If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.
 
It is also important you understand your responsibilities and follow the processes we have in place to protect any personal data you come into contact with whilst working at Lichfields.
 
You should have attended a GDPR training seminar or received a GDPR induction.  Please inform the DPO if you haven’t received data protection training or are unsure of your responsibilities.
 
The DPO is responsible for keeping this policy current.
  

Personal data

Personal data can be anything that identifies and relates to a living person.  This can include information that when put together with other information can then identify a person.
 
Examples of personal data include:
  1. a person’s name;
  2. location data (e.g. address or partial address);
  3. date of birth;
  4. an online identifier (e.g. email address, cookies and IP address);
  5. a person’s health data;
  6. identification number;
  7. statement of fact;
  8. any expression or opinion communicated about an individual;
  9. minutes of meetings, reports;
  10. emails, file notes, handwritten notes, sticky notes;
  11. CCTV footage if an individual can be identified by the footage;
  12. employment applications;
  13. spreadsheets and/or databases with any list of people; and
  14. employment or education history.
      

Special categories of personal data

Some information is ‘special’ and needs more protection due to its sensitivity.  It’s often information you would not want widely known and is very personal to you.  
 
This is likely to include anything that can reveal your:
  1. sexuality and sexual health;
  2. religious or philosophical beliefs;
  3. ethnicity;
  4. physical or mental health;
  5. trade union membership;
  6. political opinion;
  7. genetic/biometric data; and
  8. criminal history.
     

Uses of data

We may sometimes need to process your data to pursue our legitimate business interests. ‘Legitimate interest’ is where Lichfields processes data in ways you would reasonably expect and which have a minimal impact on your privacy, or where there is a compelling justification for the processing of your data.
 
We will never process your data where these interests are overridden by your own interests.
 
Much of the information we hold will have been provided by you, but some may come from other internal sources, such as your manager or a director, or in some cases, external sources, such as referees.
 
The sort of information we hold includes your CV, job application and references, your contract of employment, correspondence with or about you, for example letters to you about a pay rise or, at your request, a letter to your mortgage company confirming your salary; information needed for payroll, benefits and expenses purposes; contact and emergency contact details; records of holiday, sickness and other absence; and records relating to your career history, such as training records, appraisals, other performance measures and, where appropriate, disciplinary and grievance records etc.
 
As a small or medium-sized enterprise (SME) Lichfields currently has no legal requirement to report on special category metrics. However, where necessary, we may keep information relating to your health, which could include reasons for absence and GP reports and notes. This information will be used in order to comply with our health and safety and occupational health obligations – to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We may also need this data to administer and manage statutory and company sick pay, health insurance or life insurance policies.
 
If we were to process any special categories of information relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, biometric data or sexual orientation, we would always obtain your explicit consent prior to processing unless the information was required to protect your health in an emergency, or if we are legally obligated. Where we are processing data based on your consent, you have the right to withdraw that consent at any time.
 
In addition, we may monitor computer and telephone/mobile telephone use, as detailed in our Information Technology and Data Policy available via the Employee Handbook on the intranet. We also keep records of your hours of work by way of timesheets and signing in/out sheets.
 
We will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you, for instance we may need to pass on certain information to our external payroll provider, pension or life insurance schemes.
 
If in the future we intend to process your personal data for a purpose other than that which it was collected we will provide you with information on that purpose and any other relevant information.
 

Your rights

Under the GDPR you have a number of rights with regard to your personal data. You have the right to request from us access to and rectification or erasure of your personal data; the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.  Your rights have been listed and explained in full below.
 
If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn.
 
These rights are relevant to every individual, including of course, members of the public. This means all personal data you come into contact with during your work with Lichfields must also be handled by you in line with these rights. We have explained each right along with how we and you must meet these rights. 
 
We have a guidance note in the Quality Management Handbook which explains how to process personal data in your line of work.
 
The GDPR sets legislative requirements for organisations processing personal data which we must follow when handling data:
  1. the right to be informed;
  2. the right of access;
  3. the right to rectification;
  4. the right to erasure;
  5. the right to restrict processing;
  6. the right to data portability;
  7. the right to object; and
  8. rights in relation to automated decision making and profiling.
     

Right to be informed

This right encompasses our obligation to provide ‘fair processing information’ to individuals, typically through a privacy notice.  It emphasises the need for transparency over how we use personal data.  The information we supply about the processing of personal data must be: concise, transparent, intelligible and easily accessible; written in clear and plain language; and free of charge.
 
At the time data is collected, and where we have obtained personal data directly from an individual, the individual must give their consent to their data being obtained, and have the opportunity to opt out of any subsequent uses of their data.  We must ensure individuals have a very clear and unambiguous understanding of the purpose(s) for collecting the data and how it will be used.
 
Our privacy notice is available to all visitors to our website: https://lichfields.uk/privacy-notice/
 
Where our business contacts wish to receive marketing material, such as blog posts, insights and/or news, they subscribe via our website choosing the content they wish to receive.  They supply their email address, and may unsubscribe immediately or at any time thereafter.  Each blog post, insight and/or news item has an unsubscribe option. Their email address is not used for any other marketing purposes.
 
A record of who, when, how, and what we told people who consented to receive marketing material, such as blog posts, insights and/or news is retained by the Marketing Department.
 
Where we collect personal data from others, for instance, during public consultations, client projects or surveys, a short-form privacy notice must be included.  All such notices must be signed off first by Sophie Jefferson or Helen Ashby-Ridgway in her absence.
  

Right of access

Individuals will have the right to obtain: confirmation that their data is being processed; access to their personal data; and other supplementary information (which largely corresponds to the information that should be provided in a privacy notice about fair processing).  This will usually be obtained via a “Subject Access Request” (SAR)
 
All reasonable SARs are free of charge, need to be made in writing, and once the identity of the person making the request is verified a response should be received as soon as possible but in any event within one month. 
 
When receiving a request for personal data, its rectification or deletion, the identity etc. of the person must be verified – so we do not assist identity theft.  Where we have reasonable doubts concerning the identity of the person making the request we may request the provision of additional information necessary to confirm the identity of the data subject.
 
The information should be provided in a commonly used format.  Our IT department will provide information requested in .pst files (for emails), or for other information via .pdf or Microsoft packages (e.g. MS Word or MS Excel).  Where possible this information will be sent electronically by OneDrive. 
 
Personal data relating to other individuals must be redacted or removed before data is provided to the data subject.
 
Applicants are asked to send subject access requests to the Data Protection Officer, Lichfields, The Minster Building, 21 Mincing Lane, London, EC3R 7AG or by email to: dpo@lichfields.uk
 

Right to rectification

The GDPR gives individuals the right to have personal data rectified where it is inaccurate or incomplete.  Where personal data has been disclosed to a third party we must also inform the third party of the rectification. Where appropriate the individual must be informed about the third party to whom the data has been disclosed.
 
We aim to keep all personal data up-to-date and accurate. Where we are in doubt of the accuracy of personal data it will not be used.
 
Please refer any right to rectification requests to the Data Protection Officer, Lichfields, The Minster Building, 21 Mincing Lane, London, EC3R 7AG or by email to: dpo@lichfields.uk 
 
Lichfields employees – potential, past and current
Changes to personal data relating to staff held in the ‘Personal’ tab, bank details in the ‘Payroll’ tab, memberships in the ‘Professional membership’ tab on the HR System can be rectified by the individual.  For all other changes a request will be made to HR.
 
Changes to personal data relating to candidates on iCIMS, our recruitment software, can be rectified by the individual or the recruitment agency representing the candidate.
 
Any other changes should be referred to the HR Department.
 

Right to erasure

Sometimes referred to as “the right to be forgotten” this enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. 
 
Individuals have a right to have personal data erased and to prevent processing in specific circumstances, such as:
  1. Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  2. When the individual withdraws consent.
  3. When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  4. The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
  5. The personal data has to be erased in order to comply with a legal obligation.
  6. The personal data is processed in relation to the offer of information society services to a child.
     
A refusal to comply with a request for erasure is legitimate where the personal data is processed for the following reasons:
  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation for the performance of a public interest task or exercise of official authority.
  • for public health purposes in the public interest;
  • archiving purposes in the public interest, scientific research historical research or statistical purposes; or
  • the exercise or defence of legal claims.
     
All automated correspondence from Lichfields contains an option to unsubscribe from further communications. A record is retained by the Marketing Department where an individual has unsubscribed to any marketing material: blog posts, insights and/or news. 
 
We will retain just enough information about the individual to ensure that the deletion is respected in future should a system go down and we need to re-install data from back up.
 
Where such information has been disclosed to a third party we will inform the individual.  We will also request the data to be erased from the third party’s records.
 
Please refer any right to erasure requests to the Data Protection Officer, Lichfields, The Minster Building, 21 Mincing Lane, London, EC3R 7AG or by email to: dpo@lichfields.uk
 
Disposal of records
Paper records containing personal data must be disposed of securely when no longer needed.
 
When electronic data is no longer required, it must be deleted. 
 
Lichfields’ computers, memory sticks or mobile phones are not given away or sold before all information stored on them has been removed or deleted.
 
Personal data collected on behalf of our clients is deleted at the conclusion of each assignment. 
 
Review files
Only request, create and retain personal data where absolutely necessary. Securely dispose of or delete any personal data which is out of date, irrelevant or no longer required.  Where you need to retain personal data, inform Sophie Jefferson, who keeps a record of all “Personal protection folders”, the job name and number, the Lichfields team with access to the personal data, and the date the folder was created.
 

Right to restrict processing

In some circumstances individuals have a right to ‘block’ or suppress processing of personal data.  When processing is restricted, we are permitted to store the personal data, but not further process it.  In these circumstances we can retain just enough information about the individual to ensure that the restriction is respected in future.
 
Please refer any right to processing requests to the Data Protection Officer, Lichfields, The Minster Building, 21 Mincing Lane, London, EC3R 7AG or by email to: dpo@lichfields.uk
 
The list of restricted data is maintained by the DPO.
 

Right to data portability

Individuals are allowed to obtain and reuse their personal data for their own purposes across different services.  It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
 
Where a request for personal data is made, the information will be provided in a commonly used format.  E.g. pst files (for emails), or for other information via .pdf or Microsoft packages (e.g. MS Word or MS Excel).  This information will be sent electronically to the individual using one of the formats or via OneDrive.
 
Please refer any right to data portability requests to the Data Protection Officer, Lichfields, The Minster Building, 21 Mincing Lane, London, EC3R 7AG or by email to: dpo@lichfields.uk
 

Right to object

Individuals have the right to object to their data being processed.  Where Lichfields receives such a request we will stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing, which overrides the interests, rights and freedoms of the individual; or the processing is for the establishment, exercise or defence of legal claims.
 
Any right to object requests must be sent to the Data Protection Officer, Lichfields, The Minster Building, 21 Mincing Lane, London, EC3R 7AG or by email to: dpo@lichfields.uk
 
Right to object requests are recorded and the outcome logged, this list is maintained by the DPO.
 

Rights related to automated decision making including profiling

The GDPR has provisions on automated decision-making (making a decision without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual).
 
Lichfields only performs automated decision making during the recruitment process to determine if a candidate has the right to work in the UK. 
 

Security

We have taken appropriate measures and put security controls in place to prevent the personal data we hold being accidentally or deliberately compromised.
 
We design and organise our security to fit the nature of the personal data we hold, taking into consideration the harm which may result from a security breach.
 
We maintain an information asset register where we record all our personal data processing activities. 
 
Disclosing data
Lichfields will never reveal personal data to third parties (third parties include our clients and local authorities) without the prior consent of the individual concerned, through legal compulsion or other reasonable justification.
 

The use of data protection impact assessment

Data protection impact assessments (also known as privacy impact assessments or PIAs) help to identify the most effective way to comply with our data protection obligations and meet individuals’ expectations of privacy. 
 
We will use data protection impact assessments when:
  • introducing new technologies; or
  • a new process is likely to result in a high risk to the rights and freedoms of individuals.
 
Our Data protection impact assessment form (with instructions) can be accessed from the intranet in: Administration; GDPR or DMS 15898007.
 

Using email, cloud services, and other systems, and how to be compliant when using these services

Many of our technology systems are cloud based, our Information technology and data policy gives guidance on: password security; which systems are considered safe for personal data; and keeping data secure whilst in transit either on physical media (USB sticks, laptops, iPads etc.) or via cloud based file shares.
 
Where personal data needs to be sent to a third party, it should only be transmitted via encrypted USB memory or by OneDrive, part of our Office365 subscription. OneDrive ensures only the intended recipient can open the data (or provide access to others). It also provides an accurate audit trail. 
 

Anonymising and encryption of data

Anonymisation is the process of removing personally identifiable information from data sets so that the people whom the data describes remain anonymous. 
 
Encrypting data is the translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, only those who have access to a secret key or password are able to decrypt it.
 
We inform those giving feedback during public consultations and surveys that where we publish or share their personal data it shall be anonymised.
 
Where we are privy to physical or mental health conditions during, for example, a planning application we ensure their sensitive data is not publicly shared.
 
You can redact data using pdfDocs. You will require training to ensure the correct use of the redaction tools. Speak to IT or refer to the training guide on the Intranet (DMS 15911808).
 
Senior planners and above have been provided with secure hardware encrypted USB sticks. We are also able to encrypt normal USB sticks and drives if required for larger transfers. Individual files can be password protected and passwords provided. Speak to IT if you require assistance.
 

Protocols of transferring data to third parties

Using OneDrive during transfer from one device to another, or to another business or individual, the data is encrypted (e.g. information sent across the internet or over a wireless connection). This provides effective protection against interception of the communication by a third party whilst the data is in transfer.  Instructions on how to use OneDrive can be found on the intranet (DMS 15910780).
 

Sending personal data outside the European Economic Area (EEA) and the UK

Some of the data we collect is transferred to, and stored at, destinations outside the European Economic Area ("EEA") and the UK.  Where this is the case we only use companies who comply with the data protection requirements recognised by the ICO, and we do not transmit personal data.
 
Consent is either obtained or data anonymised, as required, before placing data on the internet.
 

Third party processors

Where Lichfields uses a third-party processor, we will always have a written contract in place to evidence and govern the working relationship; the processor must guarantee that they will meet the requirements of GDPR and protect the rights of data subjects.
 
Where Lichfields is the data processor, we have a contract in place with the data controller which must always be used.
 
Processing includes obtaining, recording, holding, accessing, storing, retrieving, disclosing and erasing or destruction of data.
 
Where Lichfields is the processor we will only act on the documented instruction of a controller.
 

Conditions for processing

Unless a relevant exemption applies, at least one of the following conditions is met whenever we process personal data:
  • The individual has consented to their personal data being processed. This consent is fully recorded.
  • The processing is necessary:
a.  in relation to a contract which the individual has entered into; or
b.  because the individual has asked for something to be done so they can enter into a contract.
  • The processing is necessary because of a legal obligation that applies to the individual (except where an obligation is imposed by a contract).
  • The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.
  • The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
  • The processing is in accordance with the “legitimate interests” condition.
 
We use data protection impact assessments before: using new technologies, and when processing is likely to result in a high risk to the rights and freedoms of individuals.
 

Working with other businesses

When Lichfields is not designing and/or collecting personal data, or where another party is co-ordinating the consultation and exhibition services, all our staff are expected to understand the need for personal data security.
 

Implications of failure to comply

Failure to comply with the requirements of GDPR may result in:
  1. Damage to Lichfields’ reputation;
  2. Legal action;
  3. Fines and damages (up to €20m or 4% of turnover – whichever is higher);
  4. Suspension/withdrawal of the right to process personal data by the ICO; and
  5. Loss of confidence in the integrity of Lichfields’ systems and procedures.
  6. You may be subject to investigation and subsequent action under our disciplinary procedure.
 
Our Data breach and information security incident policy (DMS 15770215) sets out the procedure which should be followed and ensures a consistent and effective approach is in place for managing data breaches and information security incidents across the company.
 

Complaints

If you have any concerns as to how your data is processed, you can contact:
Non Lichfields employees should be directed to: dpo@lichfields.uk
 

Lichfields staff should contact:

Sophie Jefferson, Data Protection Officer, sophie.jefferson@lichfields.uk
Bruce McLeod, Finance and Operations Director, bruce.mcleod@lichfields.uk
 

Or you can write to the:

Data Protection Officer
The Minster Building
21 Mincing Lane
London, EC3R 7AG