GDPR DATA PROTECTION POLICY
Scope
J & E Shepherd, Head Office 13 Albert Square, Meadowside, Dundee, DD1 1XA, Hardies LLP t/a Hardies Property & Construction Consultants Registration Number SO300703, Registered office Swilken House, 35 Largo Road, St Andrews KY16 8NJ (collectively referred to as Group, Firm, we, us, our in this Data Protection policy) are committed to being fully compliant with all applicable UK and EU data protection legislation in respect of personal data, as well to safeguarding the “rights and freedoms” of persons whose information we collect pursuant to the General Data Protection Regulation (“GDPR”) which provides, implements, maintains and periodically reviews the lawfulness of this policy and amends if and when required and is authorised by the Managing Partner.
This policy statement shall take into consideration the following: organisational structure, management responsibility, jurisdiction and geographical locations and may comprise of a defined part of the group as a whole.
Objectives
The Firms objectives for this statement are as follows:
- To enable J & E Shepherd and Hardies Property & Construction Consultants to meet their personal data obligations in relation to how personal information is managed;
- To support our objectives;
- To set appropriate systems and controls according to meet our assessed risks;
- To ensure that we are compliant with all applicable obligations, whether statutory, regulatory, contractual and/or professional; and
- To safeguard personnel interests.
Good Practice
J & E Shepherd and Hardies Property & Construction Consultants shall ensure compliance with data protection legislation and good practice, by at all times:
- Processing personal information only when to do so is absolutely necessary for organisational purposes;
- Ensuring that the least possible amount of personal data is collected, and that personal data is never processed unduly;
- Informing individuals of how their personal data is or will be used and by whom;
- Processing only pertinent and adequate personal data;
- Processing personal data in a lawful and fair manner;
- Keeping a record of the various categories of personal data processed;
- Ensuring that all personal data that is kept is accurate and up-to-date;
- Retaining personal data no longer than required by statute or regulatory body, or for organisational purposes;
- Giving individuals the right of ‘subject access’, as well as all other individual rights pertaining to their personal data;
- Ensuring that all personal data is maintained securely;
- Transferring personal data outside of the EU only in situations where it shall be appropriately secured;
- Applying various statutory exemptions, where appropriate;
- Implementing an incident management records system, pursuant to this Policy;
- Identifying stakeholders, both internal and external, and ascertaining their involvement within the operation of the incident management records system; and
- Identifying personnel that are responsible and accountable for this.
Notification
J & E Shepherd and Hardies Property & Construction Consultants have registered with the Information Commissioner as a ‘data controllers’ that engages in processing personal information of data subjects. We have identified all of the personal data that we process and recorded it in our Data Inventory Schedule.
The Data Protection Officer (“DPO”) shall retain a copy of all notifications made by the Group to the Information Commissioner’s Office (“ICO”) and the ICO Notification schedule shall be used as a record of all notifications made.
The ICO notification shall be reviewed on an annual basis and the DPO shall be responsible for each annual review of the details of the notification, keeping in mind any changes to our activities. These changes shall be ascertained by reviewing the Data Inventory Schedule and the management review. Data protection impact assessments shall be used to ascertain any additional relevant requirements.
This policy applies to all employees of the Group and subcontractors. Breaches of the GDPR policy shall be dealt with according to our Disciplinary Policy as detailed in the employment handbook and contract of employment. If there is a possibility that the breach could amount to a criminal offence, the matter shall be referred to the relevant authorities.
All third parties working with or for J & E Shepherd and Hardies Property & Construction Consultants who have or may have access to personal data are required to read,
understand and fully comply with this policy at all times. All aforementioned third parties are required to enter into a data confidentiality agreement prior to accessing any personal data.
The data protection obligations imposed by the confidentiality agreement shall be equally onerous as those to which we have agreed to comply with. J & E Shepherd and Hardies Property & Construction Consultants shall at all times have the right to audit any personal data accessed by third parties pursuant to the confidentiality agreement. Furthermore, it shall be established prior to the processing of data what the relationship is with any third party. In particular this refers to processors and other controllers. For the avoidance of doubt we will never enter into joint controller arrangements unless expressly agreed by the Group.
GDPR background
The purpose of the GDPR is to ensure the “rights and freedoms” of living individuals, and to protect their personal data by ensuring that it is never processed without their knowledge and, when possible, their consent.
Definitions (as per the GDPR)
- Child means anyone under the age of 13. It may only be lawful to process the personal data of a child under the age of 13 upon receipt of consent from the child’s parent or legal custodian.
- Data controller may be a natural or legal person, whether a public authority, agency or other body which, individually or jointly with others, is in charge of ascertaining the purposes and means by which personal data shall be processed. Where EU or Member State law predetermines the purposes and means of processing personal data, the data controller or, if appropriate, the specific criteria for selecting the data controller, may be provided for by EU or Member State law.
- Data subject refers to any living person who is the subject of personal data (see above for the definition of ‘personal data’) held by an organisation. A data subject must be identifiable by name, ID, address, online identifier or other factors such as physical, physiological, genetic, mental, economic or social.
- Data subject consent refers to any specific indication by the data subject that signifies consent to the processing of personal data. Consent may take place by way of a written or oral statement or by clear, unambiguous action and must be given freely at all times, without duress, with the data subject being properly informed.
- Establishment refers to the administrative head office of the ‘data controller’ in the EU, where the main decisions regarding the purpose of its data processing activities are made.
- ‘Data controllers’ based outside of the EU are required to appoint a representative within the jurisdiction in which they operate to act on its behalf and liaise with the relevant regulatory and supervisory authorities.
- Filing system refers to any personal data set which is accessible on the basis of certain benchmarks, or norms and can be centralised, decentralised or dispersed across various locations.
- Personal data – means any information relating to a data subject.
- Personal data breach refers to a security breach which results in the disclosure, alteration, destruction or loss of personal data, as well as unauthorised access to personal data that is stored, transmitted or processed by any other means, whether accidentally or unlawfully. All personal data breaches must be reported to relevant regulatory authority by the ‘data controller’ at all times, whereas the data subject need only be informed of a data breach when it is likely that the breach will have an adverse effect on his or her privacy or personal data.
- Processing refers to any action taken in relation to personal data, including but not limited to collection, adaptation or alteration, recording, storage, retrieval, consultation, use, disclosure, dissemination, combination or deletion, whether by automated means or otherwise.
- Profiling refers to any form of personal data processing that is automated, with the intention of assessing personal aspects of a data subject or analysing a data subject’s employment performance, economic status, whereabouts, health, personal preferences and behaviour. The data subject has a right to object to profiling and a right to be informed of the fact that profiling is taking place, as well as the intended outcome(s) of the profiling
- Special categories of personal data refers to personal data covering such matters as racial or ethnic origin, beliefs – whether religious, political or philosophical – membership of a trade-union and data relating to genetics, biometric identification, health, sexual orientation and sex life.
- Territorial scope the GDPR applies to all EU based ‘data controllers’ who engage in the processing of data subjects’ personal data as well as to ‘data controllers’ located outside of the EU that process data subjects’ personal data so as to provide goods and services, or to monitor EU based data subject behaviour.
- Third party is a natural or legal person other than the data subject who is authorised to process personal data, whether a public authority, agency or other body controller, processor or any other person(s) under the direct authority of the controller or processor.
Responsibilities under the GDPR
J & E Shepherd and Hardies Property & Construction Consultants are Data Controllers pursuant to the GDPR.
Appointed employees with managerial or supervisory responsibilities are responsible for ensuring that good personal data handling practices are developed, reviewed and encouraged.
Data Protection Officer
The position of DPO, which involves the management of personal data within the Group as well as compliance with the requirements of the GDPR and demonstration of good practice protocol. The data protection officer is Judith Darnell, Business & HR Manager.
The DPO reports to the Partners of J & E Shepherd and Hardies Property & Construction Consultants and, amongst other things, is accountable for the development and implementation of the policy framework, data protection compliance and for day- to-day advice, both in terms of security and risk management. In addition, the DPO is directly responsibility for the oversight of data processed.
The DPO shall at all times be the first point of contact for any employees who require guidance in relation to any aspect of data protection compliance.
The DPO/Data Controller is responsible for other procedures, such as the Subject Access Request Policy.
It is not merely the DPO who is responsible for data protection, indeed all members of J & E Shepherd and Hardies Property & Construction Consultants who process personal data are responsible for ensuring compliance with data protection laws. J & E Shepherd and Hardies Property & Construction Consultants GDPR Training Policy provides for specific training for such employees as well as for general members of the Group.
Generally, attendees of events and clients, as well as staff of J & E Shepherd and Hardies Property & Construction Consultants, are personally responsible for ensuring that all personal data they have provided and has been provided about them to is accurate and up-to-date.
Risk Assessment
It is vital that J & E Shepherd and Hardies Property & Construction Consultants are aware of all risks associated with personal data processing and it is via its risk assessment process that the Group is able to assess the level of risk.
The Group is also required to carry out assessments of the personal data processing undertaken by other organisations on its behalf and to manage any identified risks, so as to mitigate the likelihood of potential non-compliance with this policy.
Where personal data processing is carried out by using new technologies, or when a high risk is identified in relation to the “rights and freedoms” of natural persons, The Group are required to engage in a risk assessment of the potential impact. More than one risk may be addressed in a single assessment (also known as a ‘Data Protection Impact Assessment’ (“DPIA”).
It is the role of the DPO to ensure that appropriate controls are in place to ensure that the risk level associated with personal data processing is kept to an acceptable level, as per the requirements of the GDPR and the Group’s documented risk acceptance criteria.
8. Principles of data protection
The principles of personal data processing are as follows:
- All personal data must be processed lawfully and fairly at all times.
- Policies must also be transparent, meaning that J & E Shepherd & Hardies Property & Construction Consultants must ensure that its personal data processing policies, as well as any specific information provided to a data subject, are readily available, easily accessible and clear, drafted using clear and plain language.
- The data subject must be provided with the following information:
- Controller – the identity and contact details of the data controller and any of its representatives, if appropriate;
- Data Protection Officer – the contact details of the DPO;
- Purpose – the purpose or purposes and legal basis of processing;
- Storage period – the length of time for which the data shall be stored;
- Rights – confirmation of the existence of the following rights:
- Right to request access;
- Right of rectification;
- Right of erasure; and the
- Right to raise an objection to the processing of the personal data;
- Categories – the categories of personal data;
- Recipients – the recipients and/or categories of recipients of personal data, if applicable;
- Location – if the controller intends to make a transfer of personal data to a third country and the levels of data protection provided for by the laws of that country, if applicable; and
- Further information – any further information required by the data subject in order to ensure that the processing is fair and lawful.
- Personal data may only be collected for specified, explicit and legitimate reasons. When personal data is obtained for specific purposes, it must only be used in relation to that purpose and cannot be different from the reasons formally notified to the Information Commissioner, as part of J & E Shepherd and Hardies Property & Construction Consultants GDPR ICO registration.
- Personal data must be adequate, relevant and restricted to only what is required for processing. In relation to this, the DPO shall at all times:
- Ensure that personal data which is superfluous and not necessarily required for the purpose(s) for which it is obtained, is not collected;
- Approve all data collection forms, whether in hard-copy or electronic format;
- Carry out an annual review of all methods of data collection, checking that they are still appropriate, relevant and not excessive; and
- Ensure secure deletion or destruction of any personal data that is collected in a manner that is excessive or unnecessary according to the Groups policies.
- Personal data must be accurate and up-to-date:
- Data should not be kept unless it is reasonable to assume its accuracy and data that is kept for long periods of time must be examined and amended, if necessary;
- All staff must receive training from the Group’s Data Protection Officer or Data Controller to ensure they fully understand the importance of collecting and maintaining accurate personal data;
- Individuals are personally responsible for ensuring that the personal data held by the Group is accurate and up-to-date J & E Shepherd & Hardies Property & Construction Consultants will assume that information submitted by individuals via data collection forms is accurate at the date of submission;
- All employees of the Group are required to update any changes to personal information as soon as reasonably possible, to ensure records are up-to-date at all times;
- The DPO must ensure that relevant and suitable additional steps are taken to ensure that personal data is accurate and up-to-date;
- The DPO shall, on an annual basis, carry out a review of all personal data controlled by and as soon as reasonably possible by referring to the Data Inventory Register and ascertain whether any data is no longer required to be held for the purpose notified to the ICO, arranging for that data to be deleted or destroyed in a safe manner.
- The DPO shall also ensure that where inaccurate or out-of-date personal data has been passed on to third parties, that the third parties are duly informed and instructed not to use the incorrect or out-of-date information as a means for making decisions about the data subject involved. The DPO shall also provide an update to the third party, correcting any inaccuracies in the personal data.
- The form in which the personal data is stored must such that the data subject can only be identified when it is necessary to do so for processing purposes. The following principles apply:
- Personal data that is kept beyond the retention date must be either encrypted or pseudonymised and kept to an absolute minimum, to ensure the protection of the data subject’s identity should a data breach incident occur;
- Personal data must be retained according to the Retention Requirements Policy and must be destroyed or deleted in a secure manner as soon as the retention date has passed; and
- Should any personal data be required to be retained beyond the retention period set out in the Records Retention Procedure, this may only be done with the express written approval of the DPO, which must be in line with data protection requirements.
- The processing of personal data must always be carried out in a secure manner.
- Personal data should not be processed in an unauthorised or unlawful manner, nor should it be accidentally lost or destroyed at any time and as soon as reasonably possible shall implement robust technical and organisational measures to ensure the safeguarding of personal data.
-
Security controls
Security controls are necessary to ensure that risks to personal data are identified by as soon as reasonably possible or are appropriately mitigated as much as possible to reduce the potential for damage or distress to data subjects whose personal data is being processed and are subject to regular audit and review.
Personal data shall not be transferred to a country outside of the EU unless the country provides appropriate protection of the data subject’s ‘rights and freedoms’ in relation to the processing of personal data.
-
Adequacy of transfer
The following safeguards and exceptions are in place to ensure that data is not transferred to a country outside of the EU, with the transfer being off limits, unless one or more of the safeguards or exemptions listed below apply:
Safeguards
- Assessing the adequacy of the transfer, by reference of the following:
- The nature of the personal data intended to be transferred;
- The country of origin and country of intended destination;
- The nature and duration of the personal data use;
- The legislative framework, codes of practice and international obligations of the data subject’s country of residence; and
- (UK only) the security measures to be implemented in the country of intended destination in relation to the personal data.
Exemptions
No transfer of personal data to a third country may take place unless one of the following preconditions is satisfied:
- Explicit consent has been provided by a fully informed data subject, who has been made aware of all possible risks involved in light of appropriate safeguards and an adequacy decision;
- The personal data transfer is a prerequisite to the performance of a pre-existing contract between the data controller and the data subject or when the data subject requests that pre-contractual measures are implemented;
- The personal data transfer is a prerequisite to the conclusion or performance of a pre-existing contract between the data controller and another person, whether natural or legal, if it is in the interest of the data subject;
- The personal data transfer is in the public interest;
- The personal data transfer is required for the creation, exercise or defence of legal claims;
- The data subject is not capable of giving consent, whether due to physical or legal limitations or restrictions and the personal data transfer is necessary for the protection of the key interests of the data subject or of other persons;
- The personal data transfer is made from an approved register, confirmed by EU or Member State law as having the intention of providing public information and which is open to consultation by the public or by an individual demonstrating a legitimate interest, but only so far as the legal requirements for consultation are fulfilled.
-
Accountability
According to the GDPR accountability principle, the data controller is responsible both for ensuring overall compliance with the GDPR and for demonstrating that each of its processes is compliant with the GDPR requirements.
To this extent data controllers are required to:
- Maintain all relevant documentation regarding its processes and operations;
- Implement proportionate security measures;
- Carry out Data Processing Impact Assessments (“DPIAs”);
- Comply with prior notification requirements;
- Seek the approval of relevant regulatory bodies; and
- Appoint a DPO where required.
-
The rights of data subjects
Data subjects enjoy the following rights in relation to personal data that is processed and recorded:
- The right to make access requests in respect of personal data that is held and disclosed;
- The right to refuse personal data processing, when to do so is likely to result in damage or distress;
- The right to refuse personal data processing, when it is for direct marketing purposes;
- The right to be informed about the functioning of any decision-making processes that are automated which are likely to have a significant effect on the data subject;
- The right not to solely be subject to any automated decision making process;
- The right to claim damages should they suffer any loss as a result of a breach of the provisions of the GDPR;
- The right to take appropriate action in respect of the following: the rectification, blocking and erasure of personal data, as well as the destruction of any inaccurate personal data;
- The right to request that the ICO carry out an assessment as to whether any of the provisions of the GDPR have been breached;
- The right to be provided with personal data in a format that is structured, commonly used and machine-readable;
- The right to request that his or her personal data is sent to another data controller; and
- The right to refuse automated profiling without prior approval.
-
Data access requests
J & E Shepherd and Hardies Property & Construction Consultants Subject Access Request Policy sets out the procedure for making data access requests to data subjects and outlines how the Group will comply with the requirements of the GDPR regarding this.
-
Complaints
All complaints about J & E Shepherd and Hardies Property & Construction Consultants processing of personal data may be lodged by a data subject directly with the DPO by filling in the appropriate form providing details of the complaint. The data subject must be provided with a Fair Processing Policy at this stage.
Complaints may also be made by a data subject directly to the relevant regulatory body and J & E Shepherd and Hardies Property & Construction Consultants hereby provides the relevant contact details;
All complaints in relation to how a complaint has been handled and any appeals following the submission of a complaint shall be dealt with by the DPO.
-
Consent and other conditions for processing data.
Consent to the processing of personal data by the data subject must be:
- Freely given and should never be given under duress, when the data subject is in an unfit state of mind or provided on the basis of misleading or false information;
- Explicit;
- Specific;
- A clear and unambiguous indication of the wishes of the data subject;
- Informed;
- Provided either in a statement or by unambiguous affirmative action;
- Demonstrated by active communication between the data controller and the data subject and must never be inferred or implied by omission or a lack of response to communication;
- In relation to sensitive data, consent may only be provided in writing, unless there is an alternative legitimate basis for the processing of personal data.
Usually, J & E Shepherd and Hardies Property & Construction Consultants will obtain consent to process personal and sensitive data (special category) when a new data subject signs a contract or induction programmes if they are employees. Data subjects have the right to withdraw consent at any time.
J & E Shepherd and Hardies Property & Construction Consultants collects consent when attendees of events and when clients use our websites to engage with the Group.
The online form clearly explains the reason and purpose for collecting the data, the legitimate interest of the Group, the name of the data controller, the name of the DPO, details of our data retention policy, information about International transfers, ways to withdraw consent and details of how to complain about the Group to the ICO. Consent, Legitimate Interest or necessary for a contract as a condition are always specified as the reason the data will be processed.
Implied Consent – When a commercial contract has been created or a customer indicates that they wish to receive a service or information from us.
In accordance with the GDPR and in particular with the PECR we will use the Implied Consent when a client or attendee of our events indicate their Implied Consent by completing a form or by giving us their contact details including their email address. We do not use Implied Consent to promote the aims and objectives of the group, merely to deal with contractual arrangements or to answer a request for information about a product or service we provide.
We understand that Implied Consent is for the time being and always ensure the customer, or attendee know that they can Opt-out of future communications whenever they wish.
The Legitimate Interest as a condition for processing data To provide an exceptional Service.
This is our Legitimate Interest as a group and means we will from time to time use this
as a condition to process the data of clients and others where we have assessed risk and where we think it may benefit the Group as a whole.
When we use our Legitimate Interest as a condition for processing data we always consider the potential impact on any data subjects we may communicate with.
We measure whether the data subject might reasonably expect us to process their data. For example, if we have had a previous engagement or sent a previous communication with or to the data subject we believe this might in many cases mean they would expect us to process their data unless they told us not to in the past. This assumes that they did not Opt-out of future communications, or object to our marketing. However, we also believe that there are occasions other than this where data subjects might understand we would Legitimately process their data using this condition.
-
Data security
All employees of J & E Shepherd and Hardies Property & Construction Consultants are personally responsible for keeping secure any personal data held by the Group for which they are responsible. Under no circumstances may any personal data be disclosed to any third party unless the Group has provided express authorisation and has entered into a confidentiality/data processor agreement with the third party. The Data Controller is responsible for this activity.
Accessing and storing personal data
Access to personal data shall only be granted to authorised personnel. All personal data must be stored:
- In a locked room, the access to which is controlled; and/or
- In a locked cabinet, drawer or locker; and/or
- (In both of the above mentioned areas paper based files must be protected from destruction by both water damage and fire)
- If in electronic format and stored on a computer, encrypted according to the requirements set out in the IT Security Policy; and/or
- If in electronic format and stored on removable media, encrypted as per J & E Shepherd and Hardies Property & Construction Consultants policy.
Before being granted access to any of the Group’s data, all staff must understand and have a copy of the Group’s IT/Security policy.
Computer screens and terminals must not be visible to anyone other than staff of J & E Shepherd and Hardies Property & Construction Consultants with the requisite authorisation.
No manual records may be accessed by unauthorised employees of the Group and may not be removed from the business premises in the absence of explicit written authorisation. Manual records must be removed from secured archiving when access is no longer needed.
All deletion of personal data must be carried out in accordance with the Group’s Data Retention Requirements. Manual records which have passed their retention date must be shredded and disposed of as ‘confidential waste’ and any removable or portable computer media such as hard drives CD’s and USB sticks must be destroyed as per Disposal of Removable Storage Media Policy prior to disposal.
Personal data that is processed ‘off-site’ must be processed by authorised staff, due to the increased risk of its loss, damage or theft.
-
Data access rights
Data subjects have the right to access all personal data in relation to them held by J & E Shepherd and Hardies Property & Construction Consultants, whether as manual records or electronic format. Data subjects therefore may at any time request to have sight of confidential personal references held by the Group as well as any personal data received from third-parties. To do so, a data subject must submit a Subject Access Request, as per our Subject Access Request Policy.
-
Disclosure of data
J & E Shepherd and Hardies Property & Construction Consultants must take appropriate steps to ensure that no personal data is disclosed to unauthorised third parties. This includes friends and family members of the data subject, governmental bodies and, in special circumstances, even the Police. All employees of the Group must exercise due caution when requested to disclose personal data to a third party.
Disclosure is permitted by the GDPR without the consent of the data subject under certain circumstances, namely:
- In the interests of safeguarding national security;
- In the interests of crime prevention and detection which includes the apprehension and prosecution of offenders;
- In the interests of assessing or collecting a tax duty;
- In the interests of discharging various regulatory functions, including health and safety;
- In the interests of preventing serious harm occurring to a third party; and
- In the interests of protecting the vital interests of the data subject i.e. only in a life and death situation.
The DPO is responsible for handling all requests for the provision of data for these reasons and authorisation by the DPO shall only be granted with support of appropriate documentation.
-
Data retention and disposal
J & E Shepherd and Hardies Property & Construction Consultants must not retain personal data for longer than is necessary and once an employee has left, or a client has either requested to be Forgotten or the data retention period has expired it may no longer be necessary for the Group to retain all of the personal data held in relation to that individual. Some data will be kept longer than others, details of this can be found in our data retention policy. Data that is required to be deleted is deleted or suppressed as required. Hardware or equipment used for processing data is regularly assessed and when necessary is disposed of in accordance with our Disposal of Removable Storage Media policy. Different retention periods apply to different types of data and data subjects. Further details can be requested from the Data Controller.
Personal data must be disposed of according to our secure disposal procedure Disposal of Removable Storage Media, to ensure that the “rights and freedoms” of data subjects it protected at all times.
-
Document owner
The Data Controller is the owner of this policy document and must ensure that it is periodically reviewed according to the review requirements contained herein.
Signed: | Date: | March 2021 | |
Position: | Managing Partner | Review Dated: | Annually |