1. Policy Statement
1.1 Everyone has rights with regard to how their personal information is handled. During the course of our activities it is necessary for us to collect, store and process personal information about our staff, customers, suppliers and other third parties. The correct and lawful treatment of this data is an essential part of maintaining trustworthy business relationships, of being an attractive employer and, ultimately, of providing for successful business operations.
1.2 Data users are obliged to comply with this policy when processing personal data on behalf of any entity within Hall & Riley Builders. Any breach of this policy will be taken seriously and may result in disciplinary action. The data protection laws applicable in the UK (DP Legislation) include provisions for criminal offences for certain mishandling of data.
2. About this policy
2.1 The types of personal data that any entity within Hall & Riley Builders (we) may be required to handle include information about current, past and prospective suppliers, clients and staff and others that we hold relationships with. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the DP Legislation.
2.2 This policy and any other documents referred to in it set out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
2.3 This policy does not form part of any employee’s contract of employment and may be amended at any time.
2.4 This policy sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, transfer, store and/or use personal data.
3. Definitions of data protection terms
3.1 Data is information which is held electronically, or in certain paper-based filing systems.
3.2 Data subjects for the purpose of this policy include all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
3.3 Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (such as a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour. Personal data does not need to contain the name of an individual to be classified as personal data. The use of a unique identification number (such as an employee number), location data, or an online identifier (such as an IP address) may, in some circumstances, be sufficient to identify an individual.
3.4 Data controllers are the people or organisations that determine the purpose(s) for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies that meet the DP Legislation requirements. Each Hall & Riley Builders entity is the data controller of all personal data used in its business for its own commercial purposes.
3.5 Data processors include any person or organisation that processes personal data on the instruction of a data controller. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data on a Hall & Riley Builders entity’s behalf.
3.6 Data users are those employees whose work involves processing personal data. For the purposes of this policy, “employees” covers people employed by Hall & Riley Builders and those working on Hall & Riley Builders premises or infrastructure where Hall & Riley Builders policies apply.
Data users must protect the data they handle in accordance with this policy and any applicable data security procedures at all times.
3.7 Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring personal data to third parties.
3.8 Sensitive personal data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, the use of genetic data or biometric data for the purpose of uniquely identifying an individual, physical or mental health or condition, sexual life or sexual orientation, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.
3.9 DP Legislation refers to any current or future laws or directives that are or will be applicable in the UK with respect to data processing. This includes the Data Protection Act 1998, the General Data Protection Regulation and the Data Protection Bill (when in force).
3.10 Service provider means any third party company that provides services to Hall & Riley Builders.
4. Data protection principles
4.1 Anyone processing personal data must comply with the principles for processing personal data as contained within DP Legislation. These provide that personal data must be:
(1) Processed fairly, lawfully and transparently;
(2) Processed for specified, explicit and legitimate purposes and processed in a manner consistent with those explicit purposes;
(3) Adequate, relevant and limited to the purpose;
(4) Accurate and kept up to date;
(5) Not kept longer than necessary for the purpose; and
(6) Processed securely.
4.2 Personal data must be processed in a manner that will enable Hall & Riley Builders to demonstrate accountability in meeting each of the six principles.
5. Fair, lawful and transparent processing
5.1 DP Legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly, in a transparent manner and without adversely affecting the rights of the data subject. Data processing must be done in line with data subjects’ rights under the DP Legislation.
5.2 For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the DP Legislation. These include:
5.2.1 the data subject’s consent to the processing for one or more specific purposes which are made clear to the data subject, or
5.2.2 that the processing is necessary for:
5.2.2.1 the performance of a contract with the data subject (for example an employment contract or a contract for the provision of services);
5.2.2.2 compliance with a legal obligation to which the data controller is subject; or
5.2.2.3 the legitimate interests of the data controller or another party to whom the data is disclosed (where the legitimate interest has been specifically identified and notified to the data subject) and where the processing of data for this legitimate interest does not seriously impact on the interests or fundamental rights of data subjects.
5.3 There are other conditions that may be relied on, in limited cases, to permit the processing of personal data. If the processing you are considering does not fall under one of the conditions above, then contact the Compliance team for further guidance.
5.4 When sensitive personal data is required to be processed, additional conditions to those set out above must also be met. If you are intending to process sensitive personal data, please contact the Compliance team.
5.5 The DP Legislation establishes a requirement to be transparent with the data subject. Where we collect personal data directly from data subjects, we will inform them about the purpose(s) for which we intend to process the personal data, the contact information for Hall & Riley Builders, the details of the Data Protection Officer, the legal basis upon which the processing is reliant (for example consent or a legitimate business interest), details about where the personal data is stored and transfers outside of the UK and/or the European Economic Area, the types of third parties the personal data will be shared with (if any), the period of time the personal data will be stored for, and their rights.
5.6 If we receive personal data about a data subject from other sources, we will provide the data subject with this information as soon as possible thereafter, but always within one month of having collected the personal data.
5.7 We will normally only process sensitive personal data if the data subject has explicitly consented to its processing or there is a legal or regulatory obligation for us to do so. We may also process sensitive personal data where this is necessary for the purposes of equal opportunity and diversity monitoring provided this is carried out with appropriate safeguards for the individual(s) concerned. The Hall & Riley Builders Employee handbooks contain more detailed information for staff about when sensitive personal data may be processed.
5.8 When processing personal data as data controllers in the course of our business, it is important that we ensure that we have met the above requirements as a breach could result in severe penalties.
6. Processing for specified, explicit and legitimate purposes
6.1 In the course of our business, we may collect and process personal data that is received directly from a data subject or from other sources. We will only process personal data for legitimate regulatory, client service or business purposes or for any other purposes specifically permitted by the DP Legislation. We will notify those purposes to the data subject when we first collect the data or as soon as possible thereafter.
6.2 Personal data may only be processed for the purpose for which it was originally collected. Processing for another purpose to that which was originally specified requires approval from your Business Unit/Function Director. In considering the use of the personal data for another purpose, the Director should have due regard for whether it is connected with the original purpose, the context in which the personal data was collected, whether it relates to sensitive data and the potential impact on a data subject. Where we process personal data for a different purpose than it was originally collected for, we must notify the data subject(s).
7. Adequate, relevant and limited to the purpose
We will only collect personal data to the extent that it is required for the specific purposes notified to the data subject. You must consider whether the personal data you are requesting a data subject to provide is necessary with a view to minimising the personal data we collect. Furthermore, the personal data should only be accessible by those who need to know, see or process that personal data.
8. Accurate data
8.1 We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals thereafter. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
8.2 Staff are responsible for checking and updating their personal data held on Hall & Riley Builders People-Self-Service and must notify us immediately of any changes to their personal circumstances.
8.3 If a data subject requests that any of their personal data be updated, rectified or corrected, that request should be actioned as soon as reasonably practicable. We should also ensure that any service provider which we use to process personal data is informed of the request so that they too can action it.
8.4 In the event that we consider that a request to correct “inaccurate data” is wrong, we should advise the data subject of this as soon as reasonably practicable. Any course of action taken must be recorded appropriately.
9. Data retention
We will not keep personal data longer than is necessary for the purpose or purposes for which it was collected. Reference should be made to the Hall & Riley Builders Document Retention policy. We will take all reasonable steps to destroy or erase from our systems all data which is no longer required.
10. Data security
10.1 We will process personal data we hold in accordance with the objectives of the Hall & Riley Builders Information Security Policy (ISP). The ISP requires us to operate a range of controls to secure personal information against unlawful or unauthorised processing and against accidental loss of, or damage to, personal data.
10.2 We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if they agree to comply with those procedures or policies, or if they put in place adequate measures of the same or a higher standard than those contained within the ISP.
10.3 We will maintain data security by protecting the confidentiality, integrity and access of personal data, defined as follows:
(a) Confidentiality means that only people who are authorised to use the data can access it.
(b) Integrity means that the measures protecting personal data must be effective, so that the data cannot be altered, corrupted or destroyed without authorisation.
(c) Access means that only authorised users (being those who need access to the personal data for a justifiable business reason) should be able to access the data. Personal data should therefore be securely stored on the relevant Hall & Riley Builders network domain.
10.4 Security procedures include:
(a) Entry controls. Any stranger seen on Hall & Riley Builders premises should be challenged.
(b) Secure lockable physical storage. Pedestals and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
(c) Methods of disposal. Paper documents should be disposed of in the confidential waste bins. Digital storage devices should be appropriately wiped when they are no longer required.
(d) Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they lock their computer when it is left unattended.
11. Data subject’s rights under DP Legislation
We will process all personal data in line with data subjects’ rights, in particular their right to:
(a) Request access to any data held about them by a data controller (see also clause 15);
(b) Prevent the processing of their data for direct-marketing purposes;
(c) Ask to have inaccurate data amended (see also clause 8);
(d) Object to the processing of their personal data in certain instances; and
(e) Withdraw their consent in the case where consent had previously been granted.
Furthermore, we must assess our processing steps where such processing could cause damage or distress and address this appropriately.
12. Transferring personal data to a country outside the EEA
12.1 We may transfer any personal data we hold to a country outside the European Economic Area (EEA) provided that one of the following conditions applies:
(a) The country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.
(b) The data subject has given their consent.
(c) The transfer is necessary for one of the reasons, or derogations, set out in the DP Legislation, such as where it is necessary for the performance of a contract between us and the data subject, or to protect the vital interests of the data subject.
(d) The transfer is necessary on public interest grounds or for the establishment, exercise or defence of legal claims.
(e) The transfer is authorised by the relevant data protection authority where we have confirmed adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms and the exercise of their rights, as may be allowed under DP Legislation.
12.2 Subject to the requirements of clause 12.1 above, personal data we hold may also be processed by staff operating outside the EEA who work for us or for one of our service providers. Those staff and/or service providers may be engaged in, among other things, the fulfilment of contracts with the data subject, the processing of payment details and the provision of support services.
13. Disclosure and sharing of personal information
13.1 Personal data may be shared with any entity within Hall & Riley Builders, so long as this has been notified to the data subject.
13.2 We may also disclose personal data we hold to third parties:
(a) In the event that we buy or sell any business or assets, in which case we may disclose personal data we hold to the prospective buyer or seller of such business or assets.
(b) If we, or substantially all of our assets, are acquired by a third party, in which case personal data we hold will be one of the transferred assets.
13.3 We may disclose or share personal data if we are under a duty to comply with any legal obligation, or in order to enforce or apply any contract with the data subject or other agreements, or to protect our rights or property, or the safety of our employees, customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
14. Internal personal data processing
Hall & Riley Builders processes personal data relating to its employees and certain employees of service providers. Data users who process personal data on behalf of Hall & Riley Builders must process that data in a manner consistent with all relevant clauses in this policy and other applicable Hall & Riley Builders policies. Those data users are also reminded of their responsibility, as guardians of personal data, to maintain the standards contained within this policy.
15. Dealing with subject access requests
15.1 Data subjects must make a formal request in writing for information we hold about them. Employees who receive a written request for personal data from anyone (whether this is from another Hall & Riley Builders employee, a service provider and/or a customer) should forward it immediately:
(a) to us, if the request is from a current or former member of staff; and
(b) to their line manager, with a copy to Hall & Riley Builders, if the request is from anyone else, for example a subcontractor.
15.2 There is a statutory time period for responding to such requests, so it is important that any such request is dealt with promptly as soon as it is received. In responding to a request, where the data subject has not been specific in their request, we should ask them to specify exactly what information they want access to. There is no fee for the information request; however, where a request is unfounded or excessive (including repetitive requests), a reasonable fee (based on the administrative cost) may be charged.
15.3 The relevant data controller that has received the request may refuse to provide certain personal data in response to a request from an individual where the DP Legislation provides an exemption. There are very few exemptions for non-disclosure and the application of these exemptions requires careful consideration.
15.4 When receiving telephone enquiries we will only disclose personal data if that request is followed up by a request in writing.
15.5 In each case where we are unsure of a requestor’s identity, we must request that the data subject provides us with identification documents.
15.6 Our employees will refer a request to their line manager for assistance in difficult situations. Employees should not be bullied into disclosing personal information.
16. Notifications to and communications with the Information Commissioner’s Office (ICO)
16.1 The ICO maintains a public register of all data controllers registered to process personal data. The Company Secretary is responsible for ensuring compliance with the requirement to manage and maintain the various company notifications made to the ICO. However, it is the responsibility of the financial director (or their equivalent) to give notice of any changes to the personal data collected and/or used as soon as the change occurs, in order to ensure that this public register can be updated and maintained for as long as this is legally required.
16.2 Any correspondence received from the ICO, apart from that relating to the notification process, should be sent to [email protected] as soon as possible on receipt.
17. Implementation, enforcement and reporting data privacy incidents
17.1 It is very important that we are able to deal with any data security incident as soon as possible to effectively manage the incident. As such, all Hall & Riley Builders employees must notify the company, via [email protected] immediately after becoming aware of any data security incident. In no circumstances should you communicate details of the incident outside of those managing the data security incident without first contacting the DPO.
17.2 A potential data breach is an incident in which sensitive, confidential or otherwise protected data has been accessed, disclosed or handled in a manner inconsistent with the intended treatment of that information. Examples can include unauthorised access of data, loss of data and inappropriate disclosure of data to a recipient.
17.3 We will require all service providers who process personal data on our behalf to promptly notify us of any potential data security breaches so that we are able to take appropriate action to address the matter.
17.4 We will provide relevant staff with training about privacy to support compliance with this policy.
17.5 We will develop, maintain, and publish procedures, guidance and standards to assist achievement of compliance with this policy.
17.6 If you have any queries in relation to this policy or how to apply it, you should contact your business unit/corporate function Data Protection Champion; for further information and advice, contact [email protected].
The Information Commissioner’s Office website is a further source of useful information.
Hall & Riley Builders is committed to maintaining the privacy of our suppliers. We comply with data protection laws that are applicable in respect of data processing within the UK. Hall & Riley Builders determines the purposes and the manner in which personal data is processed.
This privacy notice sets out how we collect, use and protect your personal information and your rights in relation to your information.
What type of data do we collect?
As part of our on-boarding process it is necessary for us to collect and process personal data about you. Categories of personal data that we collect include:
• personal details (for example, your name)
• your bank details and national insurance number
• your contact details (for example, your address, phone number and e-mail address)
How will we use your data?
Your personal data will be stored, processed and used by us in the following ways:
• To complete and improve the supplier on-boarding process
• To send your data to third parties where appropriate (see details below)
• To administer payment processes
• To administer processes relating to the CIS scheme
• To answer your questions and enquiries
• To communicate with you and provide information about working with Hall & Riley Builders
• To contact your emergency contacts when necessary
• To perform any investigations where required
Do we pass data to third parties?
We (or an agent working on our behalf) may pass your personal data to third parties for the purpose of assisting with your on-boarding and ongoing relationship with us. These third parties may include, where applicable:
• Companies that perform background checks for us
• Insurance brokers, insurance providers, loss adjusters and legal representatives
• Other organisations where we are required by law or where we are contractually required or otherwise obligated to pass your information (such as HMRC or the Health and Safety Executive)
We may pass your personal data to government bodies, regulators, law enforcement agencies, courts/tribunals and insurers where we are required to do so, or to other organisations for the purpose of making an assessment regarding any fraud matters.
How is my data safeguarded?
The security of your data is important to us. Access to the data is only provided to our staff and other third parties who need access for the on-boarding, supplier compliance, management and payment processes.
We have in place appropriate security measures to protect the security of your personal information and keep it confidential. We review these measures regularly to make sure they remain appropriate. We cannot guarantee the security of any third-party application you may use to transmit your data (for example, internet browsers).
We may transfer and process your data outside of the UK. Where your personal information is to be transferred outside the UK we will take reasonable steps to ensure that there are appropriate safeguards to protect your information.
We will keep your personal information for at least as long as we have a relationship with you or anyone whose personal information you have provided. When deciding how long to keep your personal information after our relationship with you has ended, we take into account our legal, professional and regulatory obligations as well as any investigations that may arise.
On what grounds will you process my personal data?
We must have a legal reason to process your personal information. The information you provide will be processed:
• to meet our contractual obligations to you (such as paying your salary into your bank account)
• to meet our legal obligations (such as compliance with employment law or health and safety law)
• to meet our legitimate interests in effectively maintaining your services to us
• to assess your working capacity and, in some cases, for the provision of health treatment
You have rights regarding your personal information, including the right to access and correct your information and, in certain limited circumstances, to restrict or object to our use of it and to request erasure of your information. We may need extra information from you to deal with any request. If you would like to discuss or exercise these rights, please contact us at [email protected]. We encourage you to let us know of any changes to the information you have provided to us. If you do not want us to process your data, then it may have an impact on our service arrangement and, in some cases, remove your eligibility to work with Hall & Riley Builders.
Should you have cause for complaint, please contact us and we will follow up to resolve this. If you have a data privacy related complaint, you also have the option to direct your complaint to the Information Commissioner’s Office (ICO).
What are ‘cookies’ and why do we use them?
Hall & Riley Builders Registered Office: Brian Maczka, 90 – 92 Baxter Avenue, Southend-on-Sea