Marston Foods aims to ensure that all personal data collected about personnel is collected, stored and processed in accordance with the General Data Protection Regulation (GDPR) and the expected provisions of the Data Protection Act 2018 (DPA 2018) as set out in the Data Protection Bill. This policy applies to all personal data, regardless of whether it is in paper or electronic format.
2. Legislation and Guidance.
This policy meets the requirements of the GDPR and the expected provisions of the DPA 2018. It is based on guidance published by the Information Commissioner’s Office (ICO) on the GDPR and the ICO’s code of practice for subject access requests. It meets the requirements of the Protection of Freedoms Act 2012 when referring to our use of biometric data.
3. Roles and Responsibilities.
This policy applies to all staff employed by Marston Foods Ltd. and to external organisations or individuals working on our behalf. Staff who do not comply with this policy may face disciplinary action.
4. Staff Responsibilities.
Staff are responsible for:
• Collecting, storing and processing any personal data in accordance with this policy.
• Informing the Company (HR or Department Manager) of any changes to their personal data, such as a change of address or phone number.
5. Data Protection Principles.
The GDPR is based on data protection principles that this Company must comply with. The principles say that personal data must be:
• Processed lawfully, fairly and in a transparent manner.
• Collected for specified, explicit and legitimate purposes.
• Adequate, relevant and limited to what is necessary to fulfil the purposes for which it is processed.
• Accurate and, where necessary, kept up to date.
• Kept for no longer than is necessary for the purposes for which it is processed.
• Processed in a way that ensures it is appropriately secure.
6. Collecting Personal Data.
We will only process personal data where we have legal reasons to do so under data protection law:
• The data needs to be processed so that the Company can fulfil a contract with an individual, or the individual has asked the Company to take specific steps before entering into a contract.
• The data needs to be processed so that the Company can comply with a legal obligation.
• The data needs to be processed to ensure the vital interests of the individual.
• The data needs to be processed so that the Company can carry out its official functions.
• The data needs to be processed for the legitimate interests of the Company or a third party (provided the individual’s rights and freedoms are not overridden).
• The individual has freely given clear consent.
For special categories of personal data, we will also meet one of the special category conditions for processing which are set out in the GDPR and Data Protection Act 2018.
Whenever we first collect personal data directly from individuals, we will provide them with the relevant information required by data protection law.
7. Limitation, Minimisation and Accuracy.
We will only collect personal data for specified, explicit and legitimate reasons. We will explain these reasons to the individuals when we first collect their data. If we want to use personal data for reasons other than those given when we first obtained it, we will inform the individuals concerned before we do so and seek consent where necessary. Staff must only process personal data where it is necessary in order to do their jobs. When staff no longer need the personal data they hold, they must ensure it is deleted.
8. Sharing Personal Data.
We will not normally share personal data with anyone else, but may do so where:
• There is an issue with an employee that puts the safety of our staff at risk.
• We need to liaise with other agencies – we will seek consent as necessary before doing this.
• Our suppliers or contractors need data to enable us to provide services to our staff – for example, IT companies.
When doing this, we will:
• Only appoint suppliers or contractors that can provide sufficient guarantees that they comply with data protection law.
• Establish a data sharing agreement with the supplier or contractor, either in the contract or as a standalone agreement, to ensure the fair and lawful processing of any personal data we share.
• Only share data that the supplier or contractor needs to carry out their service, and information necessary to keep them safe while working with us.
We will also share personal data with law enforcement and government bodies where we are legally required to do so, including for:
• The prevention or detection of crime and/or fraud.
• The apprehension or prosecution of offenders.
• The assessment or collection of tax owed to HMRC.
• In connection with legal proceedings.
• Where the disclosure is required to satisfy our safeguarding obligations.
• Research and statistical purposes, as long as personal data is sufficiently anonymised or consent has been provided.
We may also share personal data with emergency services and local authorities to help them to respond to an emergency that affects any of our staff.
Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.
9. Subject Access Requests and other rights of individuals.
Individuals have a right to make a ‘subject access request’ to gain access to personal information that the Company holds about them. This includes:
• Confirmation that their personal data is being processed.
• Access to a copy of the data.
• The purposes of the data processing.
• The categories of personal data concerned.
• Who the data has been, or will be, shared with.
• How long the data will be stored for, or if this isn’t possible, the criteria used to determine this period.
• The source of the data, if not the individual.
• Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual.
Subject Access Requests must be submitted in writing (letter or email) to either the Department Manager or the HR Manager. They should include:
• Name of individual.
• Correspondence address.
• Contact number and email address.
• Details of the information requested.
9. Responding to Subject Access Requests
When responding to requests, we:
• May contact the individual to confirm the request was made.
• Will respond without delay and within 1 month of receipt of the request. Where a request is complex we will tell the individual that we will comply within 3 months of the request, informing them of this within 1 month and explaining why the extension is necessary.
• Will provide the information free of charge.
10. Data Security and Storage of Records.
We will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure, and against accidental or unlawful loss, destruction or damage.
• Paper-based records that contain personal data are kept under lock and key when not in use.
• Papers containing confidential personal data must not be left on office desks, in the canteen area, pinned to notice/display boards, or left anywhere else where there is general access.
• Passwords must be kept confidential and changed immediately if there is a suspicion that they have been compromised.
• No personal data is to be stored on removable media such as USB memory devices.
• Employees who store personal information on their personal devices are expected to follow the same security procedures as for Company owned equipment.
• Where we need to share personal data with a third party, we carry out due diligence and take reasonable steps to ensure it is stored securely and adequately protected.
11. Retention and Disposal of Records
Records Management is the process by which Marston Foods manage all aspects of any type of ‘record’ whether internally or externally generated and in any format or media type, from their creation, throughout their lifecycle and to their eventual disposal.
The data protection principles that directly relate to the management, retention and disposal of personal data are that the personal data must:
I. be accurate and kept up to date.
II. not be kept longer than necessary for the purpose for which it was obtained.
III. be processed by a Department Manager or HR Manager who has in place appropriate technical and organisational measures to prevent unauthorised processing and accidental loss.
12. Retention Periods
Marston Foods will not retain Data any longer than necessary and in determining an appropriate retention period will take into account the following:
I. The current and future value of the Data.
II. The costs, risks and liabilities associated with retaining the Data.
III. The ease or difficulty in ensuring the Data remains accurate and up-to-date.
Exceptions to the Retention Period.
In the majority of cases, data will be securely disposed of when it reaches the end of the retention period. When assessing whether Data should be retained beyond the retention period Marston Foods will consider whether:
• The Data is subject to a request pursuant to the DPA.
• Marston Foods is the subject of, or involved in, ongoing legal action to which the data is or may be relevant.
• The Data is or could be needed in connection with an ongoing investigation.
• There is a greater public interest in retaining the Data.
• There are changes to the regulatory or statutory framework.
13. Disposal of Data.
The destruction of Data is an irreversible act and must be clearly documented. All Data identified for disposal will be destroyed under confidential conditions. Marston Foods may sub-contract to another organisation its obligations to dispose of data under confidential conditions. Where the obligation to securely dispose of data is subcontracted, Marston Foods will satisfy itself of the subcontractor/third party’s experience and competence to do so.
13a. Manual Records.
Where Data is held in paper or other manual form, the retention period has expired and none of the exceptions for retaining data beyond the retention period is satisfied, Marston Foods will ensure the data is shredded or otherwise confidentially disposed of.
13b. Electronic Records.
Where Data is held in an electronic format Marston Foods will, where feasible, use its reasonable endeavours to:
I. Surround the Data with such technical and security measures as to ensure it is not accessible other than by a Data Processor.
When the data is no longer required:
II. Put the data beyond use so that the Data is no longer on a live electronic system and cannot be accessed by its own employees (with the exception of IT support) or a Data Processor.
III. Permanently delete the Data from Marston Foods electronic systems when and where this becomes possible.
We never sell, rent or exchange mailing lists.
In accordance with the Privacy and Electronic Communications (EC Directive) Regulations 2003, we never send bulk unsolicited emails (spam) to email addresses.
We may send emails to existing customers or prospective customers who have made an enquiry with us, regarding products or services directly provided by us.
All emails sent by us will be clearly marked as originating from us.
Cookies used by Marston Foods
As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser.
Our cookies do not contain or pass any personal, confidential or financial information or any other information that could be used to identify individual visitors.
The tracking cookies that we use are for Google Analytics. These allow us to count page visits and traffic sources, so we can measure and improve the performance of our site. These are anonymous and so don’t hold any private data about you. Nor can they be used to share information about you with third parties.
What exactly is a Cookie?
"Cookie" is a technical term for a tiny text file left on your computer by websites you visit. Each cookie is accessible only by the website that created it, and is used to store useful information on how you use that particular site.
If you know where to look, you’ll find hundreds, perhaps even thousands of cookies stored on your computer’s hard disk. Each one is unique, and relates to a specific website. Don’t panic: a cookie cannot contain viruses or malware and cannot install anything on your computer.
Cookies are useful. When you do an online shop on an ecommerce site and it greets you by name, it’s because it detected the cookie stored on your computer from your last visit. Equally, when you click a “Like” button and your Facebook account automatically opens up showing your profile, Facebook cookies on your computer have allowed this to happen.
Why we tell you about our cookies
It’s the law. The Privacy and Electronic Communications Regulations have been updated this year, stating that site users should be fully informed about the information being stored in cookies on websites they visit.
What should you do?
If you’re happy with the above then please continue to use Marston Foods without changing your settings and we will assume that you are happy to receive all cookies on the Marston Foods website. However, if you would like to, you can change your cookie settings at any time.
We suggest consulting the Help section of your browser or taking a look at the About Cookies website which offers guidance for all modern browsers.