Data Protection and records management policy
1. CONTEXT AND OVERVIEW
Policy prepared by Enterprise Causeway
Approved by Board on 25th May 2018
Policy became operational on 11th June 2018
Next review date 10th June 2026
1.1 Introduction
Enterprise Causeway, in the course of its business, gathers and uses specific personal data about individuals. This can include customers, suppliers, business contacts, employees, and other individuals that our organisation has a professional relationship with or may need to contact.
This policy describes how this personal and business data must be recorded, stored and processed to meet our organisation's data protection standards and to comply with the current data protection legislation.
1.2 Why this policy exists
This policy ensures that Enterprise Causeway:
Complies with the current data protection legislation and follows the guidance provided by the Information Commissioner's Office (ICO).
Protects the rights of staff, customers, clients, and partners.
Is transparent about how we collect, store and process personal data.
Protects our organisation from risks associated with a data breach.
This policy covers the management of records throughout their entire lifecycle within Enterprise Causeway. It addresses record storage, retention, retrieval, and disposal.
1.3 Compliance with Legal and Regulatory Requirements
Enterprise Causeway is committed to complying with all applicable laws and regulations concerning records management, including but not limited to data protection, privacy, intellectual property, and industry-specific requirements.
1.4 Protection of Confidentiality, Integrity, and Availability
Enterprise Causeway recognizes the importance of protecting the confidentiality, integrity, and availability of records throughout their lifecycle. Appropriate security measures will be implemented to prevent unauthorized access, alteration, or loss of records.
1.5 Data Protection Legislation
The Data Protection Act 2018 describes how organisations including Enterprise Causeway must collect, store and process personal data. This legislation applies regardless of whether the data is stored electronically, on paper or on other materials.
To comply with the legislation, personal data must be collected, stored, and processed in line with the following principles:
It must be processed fairly and lawfully.
It must be collected for specified, explicit and legitimate purposes.
We must only collect what is adequate, relevant, and limited to what is necessary.
We must keep personal data accurate and, where necessary, up to date.
We must keep it for no longer than is necessary.
We must only process it in a manner that ensures appropriate security.
We must clearly demonstrate appropriate accountability across our organisation, clearly identifying our data controller.
It must not be transferred outside the EU unless appropriate written agreements are in place with any second- or third-party processors.
2. PEOPLE, RISKS, AND RESPONSIBILITIES
2.1 Policy Scope
This policy applies to:
The head office of Enterprise Causeway
All branches of Enterprise Causeway
All staff and volunteers of Enterprise Causeway
All contractors, suppliers and other people working on behalf of Enterprise Causeway.
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside the Data Protection Act 2018. This can include:
Names of individuals
Postal addresses
Email addresses
Telephone numbers
And any other information by which a person can be identified.
2.2 Data protection risks
This policy helps to protect Enterprise Causeway from some very real data security risks, including:
Breaches of confidentiality – for instance, information being given out inappropriately
Failing to address individuals’ rights – for instance, our organisation must protect the rights of individuals to have their personal data erased, updated or corrected, made portable, and to have its processing restricted.
Reputational damage – for instance, our organisation could suffer if hackers successfully gained access to personal data which we hold.
2.3 Responsibilities
Everyone who works for or with Enterprise Causeway has a degree of responsibility for ensuring data is collected, stored, handled and processed appropriately.
Every individual or team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. However, certain people have key responsibilities as follows:
THE BOARD OF DIRECTORS are responsible for ensuring that Enterprise Causeway meets its legal obligations under current data protection legislation.
THE DATA PROTECTION LEAD AND THE DATA CONTROLLER [ROBIN WILSON] is responsible for:
Keeping the board updated about data protection responsibilities, risks, and issues.
Reviewing all data protection procedures and related policies
Arranging data protection training and advice for the people covered by this policy.
Handling data protection questions from staff and anyone else covered by this policy.
Dealing with data subject access requests (DSARs)
Checking and advising on any of the organisation’s contracts or agreements with third parties that may handle or process any personal data on behalf of Enterprise Causeway.
Ensuring that records are effectively managed, easily accessible, and retained for appropriate periods based on legal, regulatory, and operational requirements.
THE IT SERVICES PROVIDER [SIMPLY TECH SOLUTIONS LTD] is responsible for:
Ensuring all systems, services and equipment used for storing data meet acceptable security standards in line with the National Cyber Security Centre’s “Cyber Essentials” guidance.
Performing regular checks and scans to ensure security hardware and software, including firewalls and antivirus, are functioning properly.
Evaluating or advising on any third-party/additional services that our organisation is considering using to store or process data. For instance, cloud storage services.
THE MARKETING AND COMMUNICATIONS OFFICER [DEBBIE RYMER] is responsible for:
Approving any data protection statements attached to communications such as emails and letters.
Addressing any data protection queries from journalists or media outlets.
Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
2.4 General staff guidelines
The only people able to access data covered by this policy should be those who need it for their work on behalf of Enterprise Causeway.
Data should not be shared informally. When access to confidential information is required, employees can request it from their respective line managers.
Enterprise Causeway will provide training to all employees to help them understand their responsibilities when handling data.
Employees should keep all data secure by taking sensible precautions and following the guidelines below.
Strong passwords must be used, and they should never be shared.
Personal data should not be disclosed to unauthorised people, either within our organisation or externally.
Personal data should be regularly reviewed and updated if it is found to be out of date or inaccurate. If no longer required, it should be deleted and disposed of securely.
Employees should request assistance from their line manager or the data protection lead if they are unsure about any aspect of data protection.
When not required, the paper or files should be kept in a locked drawer or filing cabinet.
Employees should make sure paper and printouts are not left where unauthorised people could see them, for example on a printer or copier.
Data printouts should be shredded and disposed of securely when no longer required.
3. DATA STORAGE AND RETENTION
3.1 Responsibility and Clarification:
DATA CONTROL LEAD [ROBIN WILSON]
Questions about storing data safely or securely should be referred to the Data Controller [Robin Wilson] for clarification or direction.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot have access to or see it.
The following guidelines also apply to data that is stored digitally or electronically but has been printed off for any reason:
When not required, the paper or files should be kept in a locked drawer or filing cabinet.
Employees should make sure paper and printouts are not left where unauthorised people could see them, for example on a printer or copier.
Data printouts should be shredded and disposed of securely when no longer required.
When data is stored digitally or electronically, it must be protected from unauthorised access, accidental deletion, and malicious hacking attempts:
Data should be protected by strong passwords that are changed regularly and never shared between employees.
If data is stored on removable media (CD, detachable hard drive or data stick), these should be kept locked away securely when not in use and consideration should be given to encryption.
Data should only be stored on designated drives and servers and should only be uploaded to Enterprise Causeway’s approved cloud computing services.
Servers containing personal data should be sited in a secure location, away from general office space.
Data should be backed up on a daily basis. Those backups should be tested regularly, in line with Enterprise Causeway’s standard backup procedures.
Data should never be saved directly to laptops or other devices like tablets or smartphones.
If Enterprise Causeway laptops are being used, then the hard drive should be encrypted.
All servers and computers containing personal data should be protected by approved security software and a firewall.
3.2 Data use
Personal data is of no value to Enterprise Causeway unless the organisation can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption, or theft:
When working with personal data, employees should ensure the screens of their computers are always locked when unattended.
Personal data should not be shared informally. It should never be sent by email, as this form of communication is not secure. If it has to be sent by email, then it should at a minimum be password protected.
Data should be encrypted before being transferred electronically. The IT services provider SIMPLY TECH SOLUTIONS Ltd should be contacted, and their advice sought on how to send data to authorised external contacts.
Personal data should never be transferred outside the EU unless a formal and enforceable legal contract is in place with the recipient/processor.
Employees should not save copies of personal data to their own desktop computers or laptops. Always access and update the central copy of the data on the main drive.
3.3 Data accuracy
Current UK data protection legislation requires Enterprise Causeway to take all reasonable steps to ensure that personal data is kept accurate and up to date. The more important it is that personal data is accurate, the greater the effort we must put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
Data will be held in as few places as is necessary for our organisation to effectively perform its functions. Staff should not create any unnecessary additional data sets, folders, or files.
Employees should take every opportunity to ensure data is updated. For instance, by confirming a customer or client’s details whenever they call or make contact.
Enterprise Causeway will make it easy for data subjects to update the information that we hold about them. For instance, via our website or by contacting our office(s) directly, either via email or telephone.
Data should be updated as inaccuracies are discovered. For instance, if a customer/client can no longer be reached on a particular phone number or at a particular address, then it should be removed from the organisation’s database.
Where we conduct any marketing activities, it is the responsibility of the marketing and communications officer [Debbie Rymer] to ensure marketing databases are accurate and kept up to date and that appropriate consent has been obtained for all the data subjects on these databases.
3.4 Subject access requests
We recognise the importance of the rights of data subjects. To facilitate their rights, we will ensure that they can easily contact us by telephone or email, or by alternative means such as social media or letter, for one or more of the following reasons:
To ask us to amend or update any information about them that is wrong or incomplete; this is known as the right to rectification.
To ask us to delete information about them; this is known as the right to erasure.
To tell us they no longer agree to us using information about them and to ask us to stop; this is known as the right to object.
To tell us to stop using information about them to inform them of our services; this is known as the right to restrict processing.
To facilitate a "data subject access request", which is a request for us to send them the information we have about them.
To ask us to provide them or someone else (on their request) in a structured, commonly used, and machine-readable format with the information they have provided to us about them. This is known as the right of "data portability".
To ask us not to use information about them in a way that allows computers to make decisions about them based solely on automated processing.
Sometimes we will not stop using their information when they ask us to, for the reasons described in this notice, but we will tell them about this if they make a request.
In other cases, if we stop using their information, we will not be able to provide the services that they are asking us to provide. We will tell them about this if they make a request.
All subject access requests will be recorded, and the identity of the applicant will be verified prior to releasing any personal data. We will take all reasonable steps to process a Data Subject Access Request within 1 month in line with current UK data protection legislation. We will not charge any fee for processing a Data Subject Access Request.
Where we have evidence that a data subject access request is vexatious or excessive then we reserve the right to decline to process the request. This will only be in exceptional circumstances and only with the approval of the data controller.
3.5 Disclosing data for other reasons
In certain circumstances, UK Data Protection legislation allows personal data to be disclosed to law enforcement agencies without the consent of the data owner. For instance, in connection with a potential money laundering violation.
Under these circumstances Enterprise Causeway will disclose only the minimum required data to comply with our legal obligations.
However, the data controller will ensure that any disclosure is legitimate, seeking legal or specialist data privacy advice where necessary.
Providing information
Enterprise Causeway aims to ensure that individuals are aware that their personal data is being processed, and that they understand:
• How their personal data is being used
• How to exercise their rights as a data subject
Accordingly, Enterprise Causeway has a privacy statement which includes a specific section relating to our use of cookies on our website. This Privacy Statement sets out how personal data relating to individuals is managed and used by our organisation.
3.6 Retention and disposal
Questions about retention or disposal of data should be referred to [Robin Wilson] for clarification or direction.
Unless otherwise specified the retention and disposal policy refers to both paper copy documents and those stored digitally or electronically.
3.7 Data and records review:
Records should be assessed during regular annual data reviews to determine specific retention and disposal requirements for each project area. This review will determine whether records should be destroyed, retained for a further period, or transferred to an archive for permanent preservation.
3.8 Retention dates:
Records should be kept for as long as they are needed to meet the operational needs of Enterprise Causeway, together with legal and regulatory requirements. The following guidelines provide general retention and disposal periods for different categories of Enterprise Causeway records. For specific retention requirements, please consult [Robin Wilson] for clarification or direction.
General Records:
Destroy after an agreed period: Destroy records after [7 years] from the date of creation or the end of the relevant business activity unless there are specific legal or regulatory requirements for longer retention.
Automatically select for permanent preservation records that are deemed valuable for historical, legal, or archival purposes. These should be transferred to the designated archives for permanent preservation. This includes records related to property ownership, significant transactions, legal matters, and other critical business activities.
Financial Records:
Destroy after an agreed period: Destroy financial records, including invoices, receipts, and financial statements, after [7 years] from the end of the financial year to meet HMRC requirements or as per specific legal or regulatory obligations.
Personnel Records:
Destroy after an agreed period: Destroy personnel records, including employment contracts, performance appraisals, leave records, and disciplinary records, after [7 years] from the termination of employment or the end of the employee's relationship with Enterprise Causeway, unless there are legal requirements for longer retention.
Legal and Contracts:
Destroy after an agreed period: Destroy legal and contract records, such as agreements, contracts, leases, and licenses, after [7 years] from the date of termination or expiration of the contract, unless there are legal or regulatory requirements for longer retention.
Project Records:
Destroy after an agreed period: Destroy project-related records, including project plans, reports, communications, and deliverables, after [5 years] from the project's completion or closure, unless there are specific legal, contractual, or regulatory requirements for longer retention.
Miscellaneous Records:
Retention periods for other types of records should be determined based on their specific legal, operational, and regulatory requirements. Please consult [Robin Wilson] for guidance on retention periods for these records.
3.9 Enterprise Causeway archive store:
The archive records store is a secure facility located within Unit 9, Enterprise Causeway, Loughanhill Industrial Estate.
Access to the storage room is restricted to authorised personnel only, ensuring the confidentiality and integrity of the archived records.
The storage room is equipped with appropriate security measures, including access control systems, and fire suppression systems, to safeguard the records from unauthorized access, theft, damage, or loss.
3.10 SIMPLY TECH SOLUTIONS digital storage
Enterprise Causeway contracts SIMPLY TECH SOLUTIONS for data storage.
SIMPLY TECH SOLUTIONS adheres to Enterprise Causeway policy for data retention and maintains strict confidentiality and data privacy standards, ensuring legal compliance.
SIMPLY TECH SOLUTIONS has reliable backup systems and robust security measures in place.
The data Controller [Robin Wilson] is the specific contact point for queries on data storage and retrieval with SIMPLY TECH SOLUTIONS.
An automated ticket system is in place to notify SIMPLY TECH SOLUTIONS and to request and retrieve records. NIITEC are contracted to respond to queries within 12 hours.
3.11 Data Retrieval from SIMPLY TECH SOLUTIONS
In case of contract termination or unforeseen circumstances where SIMPLY TECH SOLUTIONS is unable to maintain and store Enterprise Causeway records, the data Controller [Robin Wilson] is responsible for initiating the data retrieval process.
Timelines: In the event of contract termination, all data will be retrieved from SIMPLY TECH SOLUTIONS within 5 working days to minimize disruption to business operations.
Data Transfer: The data retrieval process will utilise a cloud-based format. Access to the retrieved data will be password-controlled and require verification by two authorized personnel to ensure confidentiality and security during transfer.
3.12 Document Disposal schedule
Records on disposal schedule will fall into the following main categories:
Destroy after an agreed period – where the useful life of a series or collection of records can be easily predetermined (for example, destroy after 7 years as per the HMRC retention requirement, or destroy 2 years after the end of the financial year).
Automatically select for permanent preservation – where certain groups of records can be readily defined as worthy of permanent preservation and transferred to an archive (for example where they relate to property ownership).
3.13 Disposal Methods
Physical Records: Physical records should be securely destroyed through burning or crosscut shredding. This can be done in-house or by using a certified document management destruction company.
Electronic Records: Electronic records, including backups, should be permanently deleted using appropriate software. Consideration should be given to ensuring that all automatic "shadow" copies are also deleted. Destruction of electronic records should therefore render them non-recoverable, even using forensic data recovery techniques.
3.14 Records Disposal Documentation
Records that are disposed of should be documented for audit purposes. This information should be recorded within Enterprise Causeway's data audit folder to provide an audit trail for inspections conducted by the Information Commissioner or for any Data Subject Access Requests (DSARs).