1. Introduction
HDS is strongly committed to protecting personal data in our possession. This privacy statement describes why and how we collect and use personal data and provides information about the rights of data subjects. It applies to personal data provided to us, either by individuals themselves or by others, on paper or by electronic means.
We may need to obtain and use Personal Data about people with whom we work or who are the subjects of our activities. This may include directly employed members of staff, past or prospective employees, volunteers, individuals on placement schemes, self-employed contractors, clients, prospective customers, suppliers or any other persons whose personal data we process or who otherwise contribute to the functioning of the business.
The obtaining and processing of personal data creates substantial risks to an organisation, and differing data privacy laws across jurisdictions govern its management. This policy is constructed in the context of the General Data Protection Regulation (GDPR, EU Regulation) and relates to the treatment of Personal Data in the context of the material rules, laws and regulations regarding the processing of such data.
The term Data Privacy is often used collectively to refer to both Data Privacy and Data Protection. This policy covers both.
1.1 Key Definitions
Personal Data: Information relating to an identified or identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.
Data Subject: The identified or identifiable natural person.
Special (often referred to as sensitive) data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that includes genetic data, biometric data used to reveal the identity of a person, or data concerning health, sex life or sexual orientation. Personal data relating to criminal convictions is also considered sensitive.
Controller: The natural or legal person or body which, alone or jointly with others, determines the purposes and means of the processing of personal data. HDS is a controller of personal data.
Our or We: Refers to HDS.
2. Scope
2.1 Objective
This document provides a framework for the protection of personal data in the possession of HDS to:
- Minimise risk to data subjects
- Enable compliance with regulatory requirements
- Protect the integrity and reputation of the business
HDS will maintain a data protection process that is consistent with the nature and scale of the organisation with particular attention to the handling of privacy risks that are most likely to affect data subjects. These types of risks may occur during the collection, usage, processing and deletion of Personal Data and/or the mishandling of Privacy & Data Protection Incidents.
2.2 Applicability & reach
All employees, partners, suppliers, service providers and third parties are subject to governance under this policy to the extent that they perform services for the business. Accordingly, appropriate provisions should be incorporated into third party service agreements and contractor agreements.
3. Guiding Principles
3.1 Data Protection Principles
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
- processing will be fair, lawful and transparent
- data is collected for specific, explicit, and legitimate purposes
- data collected will be adequate, relevant and limited to what is necessary for the purposes of processing
- data will be kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
- data is not kept for longer than is necessary for its given purpose
- data will be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures
- we will comply with the relevant GDPR procedures for international transfers of personal data
- we will take an added level of care while obtaining and processing ‘special data’ or data relating to children or vulnerable persons, as prescribed by law.
3.2 Fair, Lawful and Transparent processing
Processing of Personal Data shall be in compliance with GDPR and this policy.
We acknowledge that processing may only be carried out where a lawful basis for processing exists, and we shall assign a lawful basis to each processing activity. Such basis may include one or more of the following:
- Consent,
- The performance of a contract,
- Compliance with a legal obligation,
- To protect the vital interests of the subject,
- In the public interest,
- The legitimate interest of HDS that does not override the interests or rights and freedoms of the data subject
Where personal data is obtained directly from the subject, they shall be provided, at the point of collection, with:
- our identity and contact details,
- the purpose of processing and, if that is based on our legitimate interest, an explanation of the interest,
- the categories of recipients,
- details of any transfer outside of the EEA,
- the period of retention,
- their rights, including the rights to correction and erasure, to withdraw consent and to complain,
- where there is automated decision making, the logic of such processing and the significance and the envisaged consequences for the subject.
Where we rely on consent, we recognise the high standard attached to its use. Consent shall be freely given, be specific, informed and unambiguous. Where consent is to be sought, we shall do so on a specific and individual basis where appropriate. Subjects will be given clear indication of the processing activity, informed of the consequences of their consent and of their right to withdraw consent at any time.
Withdrawal of consent shall be as easily exercised as it was to provide consent in the first instance.
Subjects shall at all times have transparent access to their personal data. Such rights are described in section 3.9.
3.3 Purpose Limitation
Personal Data shall be processed exclusively for specified and legitimate purposes known to the data subject when collecting the Personal Data. Personal Data shall not be used for a secondary purpose that is incompatible with the legitimate purposes for which the Personal Data was originally collected without a legitimate reason to do so.
3.4 Data Minimisation
Personal data obtained for a purpose shall be adequate, relevant and limited to what is necessary for that particular purpose and shall be guided by the principle of data minimisation.
The aim shall be to collect, process and use only the Personal Data required to facilitate the processing purpose, i.e. as little Personal Data as possible, to comply with the principle of privacy by design and default. In particular, options and techniques to facilitate anonymous or pseudonymous data processing should be used, provided that the cost and effort involved is commensurate with the desired purpose.
3.5 Data Accuracy
Personal Data must be factually correct and if applicable, kept up to date. Appropriate procedures and mechanisms shall be provided to ensure that inaccurate or incomplete data is corrected or erased.
Where personal data has been corrected and such data has been shared with third parties, we will inform those third parties of the correction where possible, unless to do so would involve disproportionate effort on our part.
3.6 Retention
Personal Data which is no longer required for the legitimate purposes must be erased. If a statutory retention period applies, the data should be restricted rather than erased, i.e. operational access permissions are to be revoked except for archiving and backup purposes only.
3.7 Document & IT security
Personal Data shall be protected in accordance with regulation to ensure that Personal Data remains confidential and secure against unauthorised access and against accidental loss, destruction or damage. Technical and organisational measures for data safeguarding shall be constructed to protect the confidentiality and integrity of personal data. Such measures shall take account of technologies that are currently available, and shall be appropriate for the nature of the operation.
3.8 Accountability
The business shall document adherence to the principles and obligations of GDPR in a manner that is both lawful and consistent with the scale and nature of the operation.
3.9 Rights of Data Subjects over their personal data
We respect the rights of persons over their personal data. In general, Data Subjects have the following rights:
- to be informed about the data we hold on them and what we do with it;
- to access the personal data that we hold (‘access’);
- to correction of any inaccuracies in the personal data held (‘rectification’);
- to have data deleted in certain circumstances (‘erasure’);
- to restrict the processing of the data;
- to transfer the data that we hold on them to another party (‘portability’);
- to object to the inclusion of any information;
- to make a submission regarding any automated decision-making or profiling of data.
Additional rules and considerations also apply to the obtaining and processing of special data and personal data relating to children.
4. The type of personal data that we hold
We may retain a number of categories of personal data on our partners, employees and those that work with us to administer their work, or that is necessary for the delivery of their duties and responsibilities, or personal data relating to customers, partners or suppliers in the course of business. Much of this data is held in personnel files, or on operational systems and other electronic media.
4.1 For the purpose of employment or in the course of working
We may retain among other categories of personal data the following types of information:
personal details such as name, address, phone numbers, PPS number, next of kin, bank details, tax codes, CV and related documents, educational and professional certification, job title(s) and job descriptions, salary details, reviews and terms and conditions of employment, records of annual and other forms of leave, training records, informal and formal grievance or disciplinary records, and performance records. We may also hold travel documentation or medical information where necessary.
We may hold other information relating to individuals that is necessary for their particular role.
4.2 For the purpose of the operation of our business
We may retain among other categories of personal data the following types of information:
personal details such as name, phone numbers, job title(s), identification documents, personal data relating to taxation and audit services provided, credit reports, and personal data related to other advice and services provided by HDS.
This data may include the personal data of third parties with whom we have been contracted to provide a service.
5. Our responsibilities and actions
We shall obtain and process personal data lawfully and respect the rights of data subjects.
5.1 Processing personal data
We will process personal data only where we have a lawful reason to do so. This may rely upon consent from the data subject, the performance of a contract to which the data subject is a party or the steps taken to enter into such a contract, compliance with legal obligations, the vital interests of the subject, the public interest, or the legitimate interests pursued by the controller or a third party. We shall make subjects aware of the lawful reason for processing.
5.2 Obtaining personal data fairly
We shall obtain personal data fairly and subject to the conditions in section 3.2 of this document.
Where we rely upon consent, it shall be freely given, specific, informed and unambiguous. Where consent is requested, we shall inform the subject of any implications for them of not providing consent. Such consent shall be as easily withdrawn as it was given.
5.3 Retention
We shall retain personal data only as long as is necessary. The details of the categories of data and purposes, together with retention durations, are provided in our Data Retention Policy.
5.4 Erasure of data
We shall delete personal data that we hold in the following circumstances:
- where it is no longer necessary for us to keep the data;
- where we relied on consent to process the data and the subject subsequently withdraws that consent. Deletion is subject to the absence of another applicable legal basis for our continued use of the data;
- where the subject objects to the processing and the Company has no overriding legitimate interest to continue the processing;
- where we have unlawfully processed the data;
- where we are required by law to erase the data.
Third parties to whom the data was disclosed will be informed of the erasure where possible, unless to do so would involve disproportionate effort on our part.
5.5 Maintaining records
We have an obligation not only to be compliant but to demonstrate compliance. To this end, we shall keep records to document the obtaining, processing, any further processing or transfers, and our actions to observe the rights of the data subject.
5.6 Subject access to personal data (Access Request)
Subjects have a right to access personal data that we hold on them by making an Access Request. We will comply with the request without delay, and within one month unless we have a valid reason to extend this period, where we may extend for up to two months. Where we extend this time limit we will inform the subject of the reason.
We shall not charge for Access Requests unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the employee making the request.
All access requests received shall be notified to the Data Protection Representative without delay.
5.7 Third party access to personal data
We shall not disclose personal data in our possession to others without informing the subject, except where such disclosure is mandated or permitted by law.
Where we engage third parties to process data on our behalf, we shall ensure that the third party takes appropriate measures to protect the integrity and confidentiality of personal data. We shall at a minimum have signed agreements or written confirmation from third parties that they are processing such personal data in a manner that is compliant with applicable law and GDPR.
5.8 Third party access to personal data (employment)
In the course of managing employees and others who engage with us we may be required to disclose certain data/information.
For the purpose of employment and welfare we may disclose data where it is necessary, including but not limited to the following circumstances:
- employee benefits operated by third parties;
- disability, to facilitate reasonable adjustments to assist the individual at work;
- health data, to comply with health and safety or occupational health obligations;
- administration of sick pay;
- to consider how an individual’s health affects his or her ability to do their job;
- employee insurance policies or pension plans;
- to assist law enforcement or a relevant authority to prevent or detect crime or prosecute offenders, or to assess or collect any tax or duty.
Disclosures shall only be made where they are necessary.
5.9 Restriction of processing
Subjects have the right to restrict the processing of personal data in certain circumstances. They are:
- where we are informed by the subject that the data we hold is not accurate. In this instance we shall take reasonable and practical steps to stop processing until such time as we ensure that the data is accurate;
- where the subject has objected to the processing of data, and that operation relies on a ‘public interest’ or ‘legitimate interests pursued by the controller’ basis for processing, processing may be restricted while we reconsider the appropriateness of the reason for processing;
- when the data has been processed unlawfully;
- where we no longer need to process the data but the subject needs the data in relation to a legal claim.
Where data processing is restricted, we will continue to hold the data but will not process it unless the subject has consented, our consideration has found that the basis for the request to restrict is not valid, or processing is required in relation to a legal claim. Where the data to be restricted has been shared with third parties, we will inform those third parties of the restriction where possible, unless to do so would involve disproportionate effort on our part.
The subject shall be informed before any restriction is lifted.
5.10 Portability
Subjects have the right to obtain personal data ‘concerning him or her, which he or she has provided to the controller’ and to transfer such data to another party in a structured, commonly used machine-readable format.
We are obliged to transfer such data where:
1. Processing is based on consent or in the performance of a contract, or
2. Data is processed by automated means.
Such data shall be transmitted directly to another controller where technically feasible and upon request from the subject.
We will respond to a portability request without undue delay, and within one month at the latest unless the request is complex or we receive a number of requests in which case we may write to the subject to inform them that we require an extension and the reasons for this. The maximum extension period is two months.
The subject shall be informed if we decide not to take any action as a result of the request and of their right to complain to the Data Protection Commissioner.
The right to data portability relates only to the categories of personal data defined above.
5.11 Exercising a right to object to processing
Subjects have a right to object to processing of their personal data.
Where processing is carried out:
1. on the basis of either ‘public interest’ or ‘the legitimate interest of the controller’, we shall cease processing unless:
a. we can demonstrate ‘compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject’, or
b. it is for the establishment, exercise or defence of a legal claim.
Note: this relates to these two bases of processing only.
2. for the purpose of direct marketing, we shall cease processing (and/or profiling) relating to this activity.
We shall inform the subject if a decision is made not to take action on the objection, and provide the reason for that decision.
5.12 Automated decision making
Data subjects have a right not to be subject to automated decision making ‘which produces legal effects concerning him or her or similarly significantly affects him or her’.
We may carry out automated decision making with no human intervention in the following circumstances:
- a) when it is needed for entering into or the carrying out of a contract
- b) when the process is permitted by law
- c) where the subject has given explicit consent.
In circumstances where we use special category data, for example, data about health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership we shall ensure that one of the following applies to the processing:
- a) the subject has given consent to the processing of this data
- b) the processing is necessary for reasons of substantial public interest.
5.13 Data Breaches
A Data Privacy Incident is defined as an event which may violate Data Privacy Laws. This includes the unauthorised collection, processing, use or disclosure of Personal Data in general (e.g. loss of confidential customer data, or transfer of customer/employee data to an unauthorised third party).
Some examples of Data Privacy Incidents include:
- Reports containing Personal Data sent to unintended recipients through email or post
- The inappropriate disposal of equipment or hardcopy documentation containing Personal Data
- The unintended or incorrect transfer of Personal Data to customers, service providers or other third parties like credit reference agencies and authorities (e.g. tax authorities)
- Sharing of data containing Personal Data within the business however not consistent with the purpose for which the data was collected
The ability to successfully respond to potential Data Privacy Incidents is dependent on timely detection and notification of these incidents.
All data breaches shall be recorded on our Data Breach Register. Where legally required (where the breach poses a risk to the subject) we will report a breach to the Data Protection Commissioner within 72 hours of discovery. In addition, where legally required (where the breach poses a high risk to the subject) we will inform the individual whose data was subject to breach.
Such events shall be reported to the Data Protection Representative immediately upon discovery, or in their absence to a Partner.
5.14 Complaints
We respect the rights and views of individuals with whom we engage, and shall respond to complaints received without delay. All Data Privacy related complaints received from customers, employees, governments or supervisory bodies must be communicated to the Data Protection Representative.
5.15 Correction of Data
In the event of a subject identifying that their personal data is incorrect, we will correct that data as soon as possible. We shall comply with a request to correct within one month; however, if the correction is complex or difficult to complete in this time, we may extend this period by a further 2 months and will provide the subject with a reason for such delay.
6. Special categories of data/processing
6.1 Cross border transfer
We may transfer personal data outside the European Economic Area. These countries do not always afford an equivalent level of privacy protection, and in such circumstances we take specific steps, in accordance with data protection law, to protect personal data. In particular, for transfers of personal data outside the EEA where there is no adequacy decision by the European Commission, we may rely on contractual protections approved by the European Commission or the applicable safeguards under data protection law.
The business does not currently transfer personal data to any recipients outside the European Economic Area (EEA).
6.2 The Personal Data of minors
The processing of personal data relating to minors receives special attention under GDPR, and we shall treat this information with particular care. Children are defined as those under 16; however, some countries within the EEA may reduce this to under 13. Information obtained about children shall comply with the requirement for parental consent and shall receive additional consideration while planning an operational process.
6.3 Special (Sensitive) Data
The business recognises special categories of data, specifically personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic or biometric data, or a subject’s health or sex life. The processing of these categories of information shall typically require consent.
6.4 Suppliers, customers and other parties
Where we hold personal data provided by others, we shall:
a) seek assurance from the providing party that such information has been obtained fairly,
b) process such data in a manner that is consistent with GDPR, including but not limited to our obligation to co-operate with access requests received by such parties.
7. Data Security
7.1 Data Security and personal conduct
Personal data retained by us shall, whether held in a paper or electronic or other format, be held securely and access shall be restricted.
All employees shall store personal data in a secure manner so that it is only accessed by people who have a legitimate need for access, and such access is for the purpose for which the data was obtained. In particular:
- Password protection or screen locks shall be implemented on all PCs, laptops and other electronic devices that hold personal data. Passwords shall not be shared with others.
- Personal information held in a paper or other physical format should be kept in a locked filing cabinet, drawer, safe or where appropriate in a room that is secured when not under supervision.
- No files or written information of a confidential nature are to be left where they can be read by unauthorised people.
Where personal data is computerised, it should be coded, encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.
Personal data shall not be kept or transported on laptops, USB sticks, or similar devices, unless prior authorisation has been received. Where personal data is recorded on any such device it should be protected by:
- ensuring that data is recorded on such devices only where absolutely necessary.
- password protecting the device
- using an encrypted system where appropriate — a folder should be created to store files that need extra protection and all files created or moved to this folder should be automatically encrypted.
- ensuring that laptops or USB drives are not left where they can be stolen.
7.2 Training
New employees shall be provided with information on data protection as part of their induction, so that they understand the consequences to them as individuals and to the Company of any potential lapses or breaches of this policy or of Data Protection procedures. This shall cover basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.
All staff with access to personal data and the data protection representative shall be trained appropriately to understand their responsibilities and obligations under the GDPR.
8. General
8.1 Services delivered by HDS
HDS provides Audit, Tax and Advisory services. These include audit, payroll, book-keeping, Accounts preparation, Tax services, corporate finance, personal financial planning and recruitment services.
8.2 Sub-contractors
As part of our service delivery it is necessary for us to use sub-processors. Elements of our IT support are provided by external parties and elements of these are cloud based. Our need to rely upon those systems varies depending upon the services we deliver and may change as technology evolves. All sub-processors shall provide at least the same level of protection for your data as we do.
8.3 Transfer and Disclosure of Personal Data
The business may only disclose or share Personal Data to/with other companies, third party suppliers or partners, where disclosure is required by law or has been appropriately communicated to the subject.
8.4 Data Protection statements
Any contracts the subject matter of which involves a statement or comment relating to data protection, or manuals, or any data protection statements, shall be approved by the Data Protection Representative. Approval is in relation to the data protection aspects of such documents only.
9. Roles and Responsibilities for Data Privacy
9.1 Data Protection Representative
The responsibilities of the Data Protection Representative (DPR) include, but are not limited to:
- Evaluate and manage privacy related events
- Evaluate Data Subject Access Requests or complaints and initiate appropriate response
- Maintain knowledge of Data Protection and stay abreast of developments that may affect the organisation
- Act as the liaison with relevant Data Protection supervisory bodies
- Keep the board informed through regular updates
- Take ownership for all aspects of the good management of this policy
- Create and maintain a Data Privacy Policy and other policies, or elements of policies, relating to Data Protection.
- Maintain oversight of all processes in relation to Data Protection
- Act as the primary contact for a Data Protection Business Partner
- Assess all external-facing Data Privacy statements for compliance with policy and law
- Implement Data Privacy training
- Implement and manage a Data Protection control process to demonstrate compliance
- Assess frequent or repetitive privacy issues and redefine the control process as necessary.
The business shall provide the DPR with:
- Reasonable resources to fulfil this role
- Professional support to enable the DPR to fulfil their role in an effective manner
- The authority to fulfil their role.
9.2 Data Protection Business Partner
The business may appoint a data protection business partner to provide independent and professional advice on issues relating to Data Protection. Their responsibilities include but are not limited to:
- Act as partner to the Data Protection Representative regarding privacy related processes
- Become familiarised with the Personal Data processing activity of the business
- Advise and assess, prior to implementation, on activities impacting Personal Data to assess compliance with privacy requirements as applicable
- Participate directly in large or high risk projects or events
- Advise on critical events.