Redcar Bulk Terminal regards the lawful and correct processing of personal and sensitive data as an integral part of its purpose. Redcar Bulk Terminal believes this is vital for maintaining the confidence of customers, suppliers, employees and other stakeholders about whom we process data.
The key principles of this policy are as follows:
- Redcar Bulk Terminal will fully implement all aspects of GDPR
- Redcar Bulk Terminal will ensure all employees and others handling personal data are aware of their obligations and rights under GDPR, and
- Redcar Bulk Terminal will implement adequate and appropriate measures to ensure the security of all data contained in or handled by its systems
This policy provides guidance about the protection, sharing and disclosure of personal data within Redcar Bulk Terminal.
DEFINITIONS OF PERSONAL DATA AND SENSITIVE PERSONAL DATA
“Personal data”, or “personal information”, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (i.e. anonymised data).
Examples of personal data that Redcar Bulk Terminal processes include:
- names, addresses, emails, phone numbers and other contact information
- some financial information including national insurance numbers and payroll data, and
- photographs, video and audio recordings
“Sensitive personal data” means any personal data that reveals racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and any personal data relating to criminal offences and convictions. Sensitive personal data attracts additional legal protection.
DATA PROTECTION PRINCIPLES
Redcar Bulk Terminal adheres to the data protection principles set out in the GDPR, which requires that all personal data be:
- processed lawfully, fairly and in a transparent manner
- collected only for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- accurate and where necessary kept up to date
- not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed
- processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage
- not transferred to another country without appropriate safeguards being in place, and
- made available to data subjects and data subjects allowed to exercise certain rights in relation to their personal data
Redcar Bulk Terminal is responsible for and must be able to demonstrate compliance with the data protection principles listed above at all times.
Personal data must not be used other than for the specific purpose required to deliver a product or service. The individual should always know that their data is being processed. When that data is especially sensitive, consent is required before the data can be processed by Redcar Bulk Terminal, unless there is another legal basis for processing this.
Personal data can be in computerised and/or in a physical format. It may include such documentation as:
- paper documents (e.g. CVs, employee records, letters received and sent)
- electronic records
- photographs, and
- videos and tape recordings
Backup data (e.g. archived data or disaster recovery records) also falls under GDPR; however, a search within them should only be conducted if specifically asked for by an individual as an official Subject Access Request.
RIGHTS OF ACCESS BY INDIVIDUALS
The GDPR gives every living person (or their authorised representative) the right to apply for access to the personal data which organisations hold about them irrespective of when and how this is compiled (e.g. handwritten records, electronic and manual records held in a structured file). This is called a ‘Subject Access Request’.
Redcar Bulk Terminal's Duties
Understanding and complying with the Data Protection Principles is key to Redcar Bulk Terminal’s responsibilities as a data controller. Therefore, Redcar Bulk Terminal will, through the use of appropriate measures and controls:
- ensure there are lawful grounds for using any personal data
- ensure that the use of the data is fair and meets one of the specified conditions
- only use sensitive personal data if it is absolutely necessary and we have obtained the individual’s explicit consent (unless an exemption applies)
- explain to individuals, at the time their personal data is collected, how that information will be used
- only obtain and use personal data for those purposes which are known to the individual
- ensure personal data is only used for the purpose it was given. If we need to use the data for other purposes, further consent will be obtained
- only keep personal data that is relevant to Redcar Bulk Terminal
- keep personal data accurate, up to date and only held for as long as is necessary
- always adhere to our Subject Access Request Procedure and be receptive to any queries, requests or complaints made by individuals in connection with their personal data
- ensure individuals are given the opportunity to 'opt in' to receiving mass communications, and
- take appropriate technical and organisational security measures to safeguard personal data
In addition, Redcar Bulk Terminal will ensure that:
- enquiries about handling personal data are dealt with promptly
- methods of handling personal data are clearly described in policies and guidance
- a review and audit of data protection arrangements is regularly undertaken
- methods of handling personal data are regularly assessed and evaluated, and
- suitable protections are in place before any personal data is transferred to a third party
ROLES AND RESPONSIBILITIES
EMPLOYEES AND CONTRACTORS
Maintaining confidentiality and adhering to data protection legislation applies to everyone at Redcar Bulk Terminal. Redcar Bulk Terminal will take necessary steps to ensure that everyone managing and processing personal data understands that they are responsible for following good data protection practice. Employees will receive training and must read this policy as part of their induction.
All employees and contractors have a responsibility to:
- observe all guidance and codes of conduct in relation to obtaining, using and disclosing personal data
- obtain and process personal data only for specified purposes
- only access personal data that is specifically required to carry out their activity or work
- record data accurately in both manual and electronic records
- ensure any personal data held is kept secure
- ensure that personal data is not disclosed in any form to any unauthorised third party, and
- ensure personal data is sent securely
Failure by an individual to adhere to any guidance in this policy may result in disciplinary action.
All Senior Managers within each business unit are responsible for:
- determining what personal data is held by their area and ensuring that the data is adequately secure, access is controlled and that the data is only used for the intended purposes
- providing clear messaging to their teams about data protection requirements and measures
- ensuring personal data is only held for the purpose intended
- ensuring personal data is not communicated or shared for non-authorised purposes, and
- ensuring personal data is password protected when transmitted electronically or appropriate security measures are taken to protect the data when in transit or storage
INFORMATION COMMISSIONER’S OFFICE (ICO)
The ICO is the UK’s independent authority set up to uphold information rights in the public interest and data privacy for individuals. The ICO has wide-ranging powers to investigate complaints relating to use of personal data and personal data breaches. Any failure to comply with data protection obligations may lead to investigation by the ICO which could result in serious financial or other consequences for British Steel.
DEALING WITH A PERSONAL DATA BREACH
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data.
Personal data breaches can include:
- access by an unauthorised third party
- sending personal data to an incorrect recipient
- computing devices containing personal data being lost or stolen
- alteration of personal data without permission, and
- loss of availability of personal data
If a data breach is suspected, the person who identified the breach should immediately notify the Data Protection Officer and provide all relevant details regarding the breach.
Following notification of a breach, the Data Protection Officer will take the following action as a matter of urgency:
- implement a recovery plan, which will include damage limitation
- assess the risks associated with the breach
- inform the appropriate people and organisations that the breach has occurred, and
- review Redcar Bulk Terminal’s response and update our information security as appropriate
GLOSSARY OF TERMS USED IN THIS POLICY
“Data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is processed. The data controller for the purposes of this document is Redcar Bulk Terminal.
“Data processor” means any person who processes personal data on behalf of the data controller but is not employed by them.
“Data subject” means an individual who is the subject of personal data. This includes employees, contractors, customers, consultants and visitors.
“Processing” means recording or holding data or carrying out any operations on that data including organising, altering or adapting it; disclosing the data or aligning, combining, blocking or erasing it.
“Subject access request” means a written, signed request (which includes email and other written formats) from an individual to see personal data which Redcar Bulk Terminal holds about them. Data controllers must provide all such information in a readable form within one month of receipt of the request.
“Third party” means, in relation to personal data, any person other than the data subject, the data controller, or any data processor or other person authorised to process data for the data controller or processor. For example, the Police or HMRC.