BREEDON GROUP PLC
DATA PROTECTION COMPLIANCE POLICY
About this policy
Any organisation which processes any personal data (whether that personal data is held in a paper or electronic format, e.g. on computers, laptops, iPads, smartphones, electronic networks, CDs, USB drives etc.) must comply with the European Data Protection Directive (95/46/EC) (the "Directive"), which is implemented in the UK by the Data Protection Act 1998 (the "Data Protection Laws").
Accordingly Breedon Group plc and its subsidiary and associated companies (including without limitation Breedon Cement Limited, Breedon Southern Limited, Breedon Northern Limited and Breedon Group Services Limited) (each of which are together referred to in this policy as “Breedon Group”) and each worker must comply with the Data Protection Laws.
To help achieve compliance with the Data Protection Laws, this policy sets out what Breedon Group and each worker needs to do when processing personal data. The types of personal data that we may typically handle include details of current, past and prospective workers as well as personal data about other individuals with whom we deal, such as, for example, customers, suppliers, contracted hauliers and their employees.
This policy covers:
- Who does this policy apply to?
- Consequences of breaching the Data Protection Laws and this policy
- Terms used in the Data Protection Laws and this policy
- The Data Protection principles
- How do I process personal data fairly and lawfully (Principles 1 and 2)?
- How do I ensure processing is adequate, relevant and not excessive (Principle 3)?
- How do I keep personal data accurate and up to date (Principle 4)?
- How do I ensure that personal data is not kept longer than necessary (Principle 5)?
- How do I process data in accordance with data subjects' rights (Principle 6)?
- What security measures must I comply with (Principle 7)?
- When can I transfer personal data outside of the EEA (Principle 8)?
Who does this policy apply to?
This policy applies to all Breedon Group's workers. For the purposes of this policy, "worker" means all of Breedon Group's permanent and temporary employees, and any other individuals who are working for any Breedon Group company but are not directly employed, including company officers, consultants, contractors, contracted hauliers and their employees, work experience candidates and agency workers. Use of the term "worker" is not to be taken to imply that any particular individual has employment status with the company. When we refer to “you” in this policy, we mean each individual worker.
If there is anything in this policy which you do not understand or you have questions about, or if you are in any way uncertain as to what you must do in order to ensure compliance with the Data Protection Laws, then contact the Compliance Team for assistance. Contact details for the Compliance Team are given at the end of this policy document.
Consequences of breaching the Data Protection Laws and this policy
Breaches of the Data Protection Laws can result in enforcement action by the Information Commissioner against Breedon Group, and in serious cases the Information Commissioner has power to impose fines of up to £500,000. Data protection laws in the EEA will change in the near future, when the new EEA Data Protection Regulation replaces the existing Directive. The Regulation will mean even more stringent compliance obligations and even bigger fines for data protection breaches: up to 4% of annual global turnover. Further, some breaches of the Data Protection Laws are a criminal offence. Consequently any breach of this policy may result in disciplinary action by the company.
Terms used in the Data Protection Laws and in this policy
This section gives definitions of the terms used in the Data Protection Laws and which are used in this policy.
Personal Data
Means information from which a living individual can be identified.
This includes factual information such as telephone numbers, bank account details, credit card numbers, names, addresses, e-mail addresses, photographs, CCTV footage, voice recordings and vehicle tracking data. It also includes expressions of opinion and indications of intentions about individuals (and their own expressions of opinion/intentions), such as performance appraisals.
Information which does not on its own identify an individual is still ‘personal data’ for the purposes of the Data Protection Laws if it can be combined with other information that Breedon Group holds or that Breedon Group could obtain fairly easily. For example, if personal data has been anonymised by Breedon Group but the company also holds the key to ‘de-anonymise’ the information, or could fairly easily obtain that key, then the anonymised information will still be personal data for the purposes of the Data Protection Laws.
Sensitive Personal Data
Information relating to:
- Racial or ethnic origin;
- Political opinions;
- Religious beliefs or beliefs of a similar nature;
- Trade union membership;
- Physical or mental health or condition;
- Sexual life; or
- Offences or alleged offences or information relating to any proceedings for offences committed or allegedly committed.
Processing
The term 'processing' covers virtually anything you can do with personal data (whether processed in an electronic format or in a structured paper-based format), including:
- Obtaining, recording, retrieving, consulting or holding it;
- Organising, adapting or altering it;
- Disclosing, disseminating or otherwise making it available; and
- Aligning, blocking, erasing or destroying it.
Data Subject
This is the individual to whom the personal data relates.
Data Controller
A party who (either alone or jointly) determines the purposes for which and the manner in which any personal data is, or will be, processed. Breedon Group is a data controller.
Data Processor
A party who processes personal data on behalf of a data controller (other than an employee of the data controller). For example, some of our suppliers (such as our payroll providers, expenses system providers, healthcare providers, pension providers, IT helpdesk and our telephony providers) are data processors for Breedon Group.
European Economic Area or "EEA"
Means European Union member states plus Norway, Liechtenstein and Iceland.
The Data Protection principles
The Data Protection Laws contain eight principles that all data controllers must comply with when processing personal data. The table below gives a high level summary of the principles. The sections that follow describe how you apply those principles in practice.
EIGHT DATA PROTECTION PRINCIPLES
- Personal data must be processed fairly and lawfully;
- Personal data must be obtained for one or more specified and lawful purposes and must not be processed incompatibly with those purposes;
- Personal data must be adequate, relevant and not excessive in relation to the purposes for which the data are processed;
- Personal data must be accurate and kept up to date;
- Personal data must not be kept for longer than is necessary;
- Personal data must be processed in accordance with the rights of the data subject under the Data Protection Laws;
- Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data as well as against accidental loss, destruction of or damage to that data; and
- Personal data must not be transferred outside of the EEA unless the recipient provides an adequate level of protection in line with the Data Protection Laws.
How do I process personal data fairly and lawfully (Principles 1 and 2)?
To process personal data fairly, you need to make sure that you only process personal data if the data subject has been told:
- who the data controller is (this will depend on which Breedon Group company you work for);
- the purpose for which the data is to be processed by Breedon Group; and
- the identities of anyone to whom the data may be disclosed or transferred.
This information is contained in so-called "privacy notices" which we give to workers, applicants and any other individuals about whom we process personal data. You must ensure that you are familiar with our privacy notices and do not process personal data for any purpose other than those contained in the privacy notices. Our general privacy notice can be found on our website at www.breedongroup.com.
Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the Data Protection Laws. This means that personal data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed of the new purpose before carrying out any new processing, except in certain circumstances where a legal exemption from this obligation applies.
You should only collect the minimum amount of personal data necessary for your purpose. In particular, please be cautious when inputting information about individuals into Customer Relationship Management (“CRM”) systems/contacts databases. Do not include information that is not required, e.g. notes/observations about an individual, because this could go beyond the purpose for which the data was originally collected and may result in a claim against Breedon Group for unlawful processing of personal data.
To process personal data lawfully, Breedon Group must meet certain conditions that are set out in the Data Protection Laws. Those conditions which are most relevant to us as an organisation are summarised in Tables A and B below. Please consult the Compliance Team about any other conditions that may apply when processing personal data.
One of the conditions for processing personal data is that the data subject has given their consent to such processing. Relying on consent to process personal data may be appropriate in some circumstances, but keep in mind that if other conditions are relevant they should be relied on instead – in other words, consent is a condition of 'last resort'. Also note that the consent must be fully informed, i.e. the data subject must know what they are consenting to, and the data subject must have a genuine choice as to whether to give consent or not.
When processing non-sensitive personal data, you must make sure that at least one of the conditions in Table A applies.
When processing sensitive personal data, you must make sure that one of the conditions in Table A applies and at least one of the conditions in Table B also applies. The conditions in Table B are fairly limited, so when processing sensitive personal data it is likely that we will need to get written consent from the data subject to enable their sensitive personal data to be processed.
TABLE A – Key conditions for processing any personal data (one or more must apply)
Legitimate Business Interests
Processing is carried out in order to pursue Breedon Group’s legitimate business interests: e.g. collecting personal data from our customers/clients so that Breedon Group can provide its products/services. Much of the processing of personal data that Breedon Group does as an organisation falls under this condition.
This condition only applies if the processing does not adversely affect the individual concerned. If there is a serious mismatch of competing interests between the business and the individual, the individual’s interests will have priority over business interests. If you are unsure whether there are competing interests, please contact the Compliance Team.
Contract with the Data Subject
Processing is carried out in order to enter into a contract between Breedon Group and the data subject or to perform such a contract.
Legal Obligation
Processing is carried out in order to comply with legal obligations placed on Breedon Group. This does not apply to contractual obligations.
Vital Interests of Data Subject
Processing is carried out in order to protect the data subject's vital interests: e.g. where an individual’s personal data needs to be disclosed in a medical emergency.
TABLE B – Key conditions for processing sensitive personal data (one or more must apply)
Employment Obligations and Rights
Processing is carried out by Breedon Group in the exercise of its legal obligations or rights in connection with employment such as sick pay administration, or checking that an individual is eligible to work in the UK.
Equal Opportunities Monitoring
Processing is carried out in order to monitor equal opportunities within Breedon Group in respect of race or ethnic origin.
Legal Rights of Breedon Group
Processing is carried out in order to establish, exercise or defend the legal rights of Breedon Group.
Publicly Available Information
The personal data has been made public as a result of steps deliberately taken by the data subject. Be cautious where relying on this condition – information available publicly, such as on the internet, may not have been made public by the data subject themselves, in which case this condition would not apply.
Vital Interests of Data Subject
Processing is carried out in order to protect the data subject's vital interests: e.g. where an individual’s sensitive personal data needs to be disclosed in a medical emergency.
How do I ensure processing is adequate, relevant and not excessive (Principle 3)?
Personal data should only be collected to the extent that it is required for the specific purpose notified to the data subject. Any personal data which is not necessary for that purpose should not be collected in the first place.
As well as ensuring that any personal data which you process is necessary and relevant for the purpose for which you are processing it, you must at the same time ensure that you have adequate personal data for your purpose. In other words, you should obtain enough information about an individual to enable you to perform your purpose(s) but no more.
How do I keep personal data accurate and up to date (Principle 4)?
Personal data must be accurate and kept up to date. Information which is incorrect or misleading is not accurate and steps should therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out of date personal data should be destroyed or erased from Breedon Group’s systems.
Although ultimately it is Breedon Group's responsibility to make sure personal data is up to date and accurate, Breedon Group will often be reliant on data subjects themselves to tell us of changes to their personal data. From a practical perspective it is often useful to encourage data subjects to contact us if personal data we hold about them becomes out of date or if they are aware of any inaccurate data we hold about them.
If you are involved in planning an activity or project that includes processing of personal data, think about appropriate methods that can be implemented easily to encourage data subjects to notify us about changes to their personal data.
How do I ensure personal data is not kept for longer than necessary (Principle 5)?
Personal data should not be kept longer than is necessary for the purpose for which it was obtained. This means that personal data should be destroyed or erased from our systems when it is no longer required.
You must consider whether there are any data retention practices and procedures that are specific to your department, and with which you will need to comply. It may also be the case that you will need to make decisions about how long to keep certain personal data on a case by case basis. If you are unsure about whether certain personal data should be retained, you should contact the Compliance Team.
How do I process data in accordance with data subjects' rights (Principle 6)?
Data Subjects are granted various rights by the Data Protection Laws. The key rights, and the actions you need to take when they are exercised, are as follows:
(a) The right to ask to see what personal data Breedon Group holds about them. Please refer any written requests to the Compliance Team immediately as Breedon Group has only up to 40 days in which to respond to such requests.
Sometimes requests for personal data may be made over the telephone – in which case you should:
(i) Check the caller's identity to make sure that information is only given to a person who is entitled to it.
(ii) Ask the caller to put their request in writing if you are not sure about the caller's identity and where their identity cannot be checked.
(iii) Refer to the Compliance Team for assistance in difficult situations. No-one should be bullied into disclosing personal data.
(b) The right to require Breedon Group to rectify any personal data which is inaccurate. For example, if you are requested to change an address of a customer/client or supplier etc, you should make those changes immediately. If inaccurate personal data about a data subject has been passed on to a third party, it may also be necessary to take steps to correct the third party's data, depending on the nature of the data and whether the third party is still likely to be using it.
(c) The right to prevent processing of their personal data if this has caused or is likely to cause damage or distress. Please contact the Compliance Team if you receive a request to prevent processing.
(d) The right to ask for the logic involved in any automated decision taken without human input, i.e. by a computer. Again, please contact the Compliance Team if you receive such a request.
(e) The right to prevent Breedon Group sending unsolicited marketing materials to them. Depending on the type of unsolicited marketing, intended recipients may have a right to either opt-in or opt-out. Please contact the Compliance Team if you intend to send any unsolicited marketing to named individuals.
What security measures must I comply with (Principle 7)?
Personal data must be kept secure from unauthorised access and from being accidentally lost, destroyed or damaged. To do this, you should follow all applicable company security guidelines and procedures and all company policies that have a bearing on data security.
Do not disclose any personal data internally or externally to a third party (i.e. a person or organisation) unless one or more of the following apply:
(a) Either the data subject has been informed in a privacy notice that his or her personal data may be disclosed to such parties and the purpose for which it is being disclosed, or the disclosure takes place in the course of conducting Breedon Group’s legitimate business activities and the data subject would expect their personal data to be used for this purpose;
(b) The disclosure is made with the consent of the data subject to whom the personal data relates. If you are disclosing sensitive personal data, you must obtain written consent to disclosure;
(c) The disclosure will be to an organisation and/or individual entitled to receive the personal data, for example, to the Police where the information is necessary to prevent or detect crime, or to the tax authorities;
(d) The disclosure is made in order to comply with legal obligations placed on Breedon Group or to comply with a court order;
(e) The disclosure is made in the course of proceedings in court; or
(f) The Compliance Team has authorised the disclosure.
Any disclosure of personal data must be subject to appropriate security safeguards and, depending on the nature of the personal data, confidentiality obligations. In particular, any internal communications about a worker's salary, benefits or any other information about Breedon Group's workers should be communicated securely and in confidence.
If the disclosure is to a third party that provides services to Breedon Group which include the processing of personal data in respect of which Breedon Group is the data controller, only such personal data as is necessary should be disclosed to the relevant third party, and a 'Data Processor Agreement' must be put in place between Breedon Group and that third party. A Data Processor Agreement ensures that the third party is contractually obliged to comply with legally-specified minimum data protection requirements and to put appropriate security measures in place. You must contact the Compliance Team in all cases where a Data Processor Agreement is required, and the Compliance Team will provide the necessary contract terms.
If you are uncertain about disclosing any personal data to third parties you should contact the Compliance Team for guidance.
When can I transfer personal data outside the EEA (Principle 8)?
Do not transfer personal data to a country outside of the EEA (European Economic Area) unless:
(a) it is to perform a contract with the data subject; or
(b) the data subject has consented; or
(c) the country is on the Information Commissioner's approved countries list (please contact the Compliance Team for details of approved countries); or
(d) a contract has been put in place with the third party/third parties to which the personal data will be transferred, in the form of the European Commission’s relevant approved standard contract for transfers of personal data outside of the EEA (known as “Model Contracts”).
Note that a transfer of personal data outside of the EEA not only includes sending relevant data to an entity in a non-EEA country (e.g. by email) but also includes allowing access to that data from outside the EEA. For example, where a Breedon Group company holds or transfers personal data on or to servers in the EEA, and the data is then accessible by individuals in a non-EEA country, this is considered to be a transfer of data to that non-EEA country.
If you are considering a transfer of personal data outside the EEA, or are unsure about whether such a 'transfer' of personal data will take place, contact the Compliance Team for advice.
COMPLIANCE TEAM CONTACT DETAILS