Riverside Environmental Services Limited holds personal and confidential information about its employees, customers, board members, employment applicants and suppliers. All individuals have a right to privacy, and the company is bound by the Data Protection Act 1998 and GDPR.
This policy is concerned with the storage, processing and accessibility of all personal information held by Riverside Environmental Services. It outlines the position of the company with regard to the nature of data to be held, the fair and lawful processing of such data, and deals with issues relating to the confidentiality of information and its availability to our customers.
The company welcomes the objectives of Data Protection legislation, recognising that personal information is confidential and that unauthorised disclosure may constitute a breach of contract and an offence under the Data Protection Act and GDPR.
RESL has appropriate procedures in place to protect the security of client and employee data and to ensure that personal data breaches are detected, reported and investigated effectively.
RESL will hold data in accordance with our Data Retention Policy. We will only hold data for as long as necessary for the purposes for which we collected it.
RESL is a ‘data controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data.
The aims of this policy are as follows:
In adopting this Policy, Riverside Environmental Services is guided by the following broad Data Protection principles:
In addition to these, Riverside Environmental Services shall also recognise the following:
Individual Data Subjects: Information Access
Individuals may request a copy of information held about them by Riverside Environmental Services and can seek its amendment/erasure if this is inaccurate or no longer required. The procedure for dealing with such requests is set out in the “Access to Personal Information Policy”.
Duties of Employees and Board Members
It is the responsibility of all employees and Board Members to maintain confidentiality as set out within this policy. A breach of confidentiality is a serious offence.
You will receive appropriate training on the provisions and implementation of Data Protection Legislation.
It is your responsibility to inform a senior manager when you are made aware of a breach of confidentiality. The senior manager is then responsible for taking appropriate action when he/she is made aware of such a breach.
Disclosure of Information
Information on individuals is considered to be confidential, and will only be passed to other organisations with the express written consent of the individual concerned, unless there are exceptional circumstances. Such circumstances include:
Requests from third parties for such access shall only be considered where these are made in accordance with the process specified in the “Access to Personal Information Policy”.
Personal data breaches
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
Recital 87 of the GDPR makes clear that when a security incident takes place, you should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.
A personal data breach means a breach of security leading to the accidental, unlawful or deliberate:
A breach is more than just about losing data.
What breaches do we need to notify the ICO about?
When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.
In assessing risk to rights and freedoms, it’s important to focus on the potential negative consequences for individuals. Recital 85 of the GDPR explains that:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
This means that a breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. You need to assess this case by case, looking at all relevant factors.
Reporting a Breach
We have robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur (whether in respect of you or someone else) then we must take notes and keep evidence of that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals then we must also notify the Information Commissioner’s Office within 72 hours.
The types of breaches that require reporting to the ICO are:
The ICO website at www.ico.org.uk/for-organisations/report-a-breach contains the necessary link and forms for reporting such breaches.
If there is a breach, the DPO and a board member should be advised. Either or both will then determine what type of breach has occurred and what requires reporting to the ICO.
Confidentiality – Employees’ Responsibilities
You will not disclose, either during or after the termination of your employment, any information of a confidential nature relating to the company, its customers or suppliers or any third party which may have been obtained in the course of this employment without first obtaining the written permission of the Managing Director. This does not apply where such information is in the public domain otherwise than by your default.
You will not make any public statement or any statement to a person employed or associated with the media concerning the company, its customers or suppliers or their activities without first obtaining the written permission of your manager.
You will not place yourself in a position in which your interests conflict with those of the company.
Intellectual Property and Patents
It will be part of your duties, as an employee of Riverside Environmental Services, to consider how the products, services, processes, equipment or systems of the company might be improved, promoted and marketed. Any invention, development, process, plan, design, formula, specification, programme or other matter whatsoever (collectively known hereafter as ‘the Inventions’) made, developed or discovered by you, either alone or in concert with others, whilst you are employed by the company shall forthwith be disclosed to the company and, subject to Section 39 of the Patents Act 1977 and any succeeding statutory provision, shall belong to and be the absolute property of the company or such subsidiary as it may designate.
The company shall decide, in its sole discretion, whether and when to apply for patent, registered design or other protection in respect of the Inventions and reserves the right to work any of the Inventions as a secret process, in which event you shall observe the obligations relating to confidential information which are contained in your contract of employment.
Any patent rights arising as a result of work undertaken by you in the course of your employment are the property of the company.
The copyright in any material produced by you relating to your employment with the company rests with the company. You undertake to provide Riverside Environmental Services with every assistance in protecting the company’s intellectual property rights.
Monitoring and Responsibilities
It is the responsibility of the Managing Director to ensure that implementation of the Data Security – Protection and Confidentiality Policy (including Intellectual Property) is monitored.
Riverside Environmental Services shall ensure that it has a named Data Controller, who will offer advice to employees, Board Members and customers on the implementation of this Policy.
The capture, availability, processing, and purging of personal data shall comply with company policies and all appropriate legislation, and will be monitored and managed by the Data Controller.
A review of the effectiveness of this policy will be undertaken by the Data Controller every year and a report summarising the findings of this review will be submitted to the Board.