GDPR Policy

Our GDPR Policy

Definition of Personal Data:

This policy applies to the holding and processing of personal data, held either in manual or electronic format by SPC Ltd, which may lead to the identity of an individual being revealed to unauthorised persons. Examples of personal data includes, but is not limited to, the following types of information:

• Names, addresses and phone numbers of employees / contacts
• Formal HR records including national insurance numbers, salary, performance / disciplinary records and contracts of employment
• Medical or health information
• Training details

Responsibilities / Procedural Requirements as Regards Handling Personal Data:

• The Directors shall act as Data Protection Officers
• The confidentiality of personal data and associated non-disclosure requirements are clearly communicated during staff induction training and stipulated within each contract of employment
• Detailed procedural requirements as regards the handling of personal data is specified within the Quality Management System
• Annual refresher training is undertaken across the workforce to ensure that the procedural requirements with respect to the confidential handling of personal data remains robustly understood and implemented

Storage of Personal Data:

Specific provisions are in place for the handling of personal data as implemented directly by the Directors as follows:

• Electronic Personal Data – all held in password protected folders with accesses only permitted to the Directors
• Hard Copy Personal Data – held under lock and key within filing cabinets held in the Office which can only be accessed by the Directors
• Personal data is prohibited from being held on temporary electronic storage devices including USB memory sticks

Unauthorised Release of Personal Data:

• Under no circumstances will personal data be released without documented consent from the individual to whom the personal data relates
• Should there be an accidental release of personal data, this will be made known to the individual to whom it relates
• Disciplinary action will be taken against any individual responsible for the release of personal data with immediate corrective action undertaken to prevent reoccurrence

Periodic Verification of Personal Data Procedural Control:

• Adherence with the requirements of this GDPR Policy / procedural requirements is verified periodically throughout the year through the undertaking of internal audits
• Immediate corrective action will be undertaken should any breaches of this GDPR Policy / procedural requirements be identified during the undertaking of internal audits with disciplinary action undertaken where necessary

 

Adam Tarling

Director