UK Data Protection Policy
Balfour Beatty respects the privacy of all individuals and takes very seriously its responsibilities under the Data
Protection Act 1998 (“DPA”). This policy is designed to ensure that all information held on individuals is properly
handled in all cases.
The DPA requires that the “personal data” of living individuals that is kept by Balfour Beatty plc and its UK
operating companies on computer or well structured paper files must be “processed” in accordance with eight
principles (which are described in Table A).
Personal data is defined very widely and is any data from which a living individual can be identified either
from the information alone, or with other information which is in (or likely to come into) the possession of the
UK operating company. Examples of personal data include names, addresses, photographs, CCTV images of
individuals, salary/job titles or opinions which allow individuals to be identified. Personal data also includes
“sensitive personal data”: this is information about an individual’s racial or ethnic origin, political opinions,
religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health or
condition, sexual life or criminal offences/proceedings.
“Individuals” could be any living person, for example employees, agency staff, customers, contractors,
suppliers and job applicants.
“Processing” includes obtaining, recording, holding, using, disclosing or erasing the personal data. In effect
almost any activity involving personal data will fall within the scope of the DPA.
Balfour Beatty’s policy is to comply with the DPA and it does not condone anyone processing personal data
inappropriately on its behalf. Any breach by Balfour Beatty or any of its UK operating companies of the DPA may
lead to fines and/or enforcement action being taken against Balfour Beatty and/or a UK operating company by
the Information Commissioner (the body that enforces compliance with the DPA). Of equal concern is that any
breach may attract media scrutiny and may lead to a potentially adverse impact on our reputation.
This policy applies to all UK operating companies and all staff working within them (including employees,
agency workers, contractors and temporary staff) who may process personal data about employees or other
individuals. Compliance with this policy is mandatory.
The Managing Director (or his/her delegate) for each UK operating company has the responsibility for
establishing and implementing effective practices and procedures across it to give effect to this policy. When
implementing this policy, UK operating companies may find the separate document: Implementation of Balfour
Beatty UK Data Protection Policy: General Guidance useful.
This policy requires the following.
1. Each UK operating company must be registered with the Information Commissioner as a data controller for
the personal data that it processes and must keep that registration up-to-date.
2. Each UK operating company must appoint a Data Protection Officer (“DPO”) whose role is to ensure
compliance by their operating company with the DPA, this policy and any relevant operating company
procedures and practices. Specific responsibilities include assessing the current knowledge of data
protection within the operating company, ensuring that appropriate training on data protection is provided
to operating company staff as required and managing any data security breaches (such as the loss of a
laptop or memory stick with personal data stored on it).
3. A process must be established so that any data security breach (such as a loss of personal data) is
immediately reported to the DPO and all staff must co-operate with the DPO in the investigation and
management of that breach.
4. Each UK operating company must satisfy itself that any third party that it appoints to process personal data
on its behalf (such as a payroll processor or a flexible benefits administrator) understands its responsibilities
under the DPA. The operating company should enter into a written contract with that third party that
requires the third party to act only on instructions from the operating company and to comply with
obligations equivalent to those imposed on the operating company relating to security of the personal data.
5. Personal data must be processed in accordance with the eight principles set out in the DPA (see Table A),
and the practices and procedures of the UK operating company.
Our reputation and our ongoing relationships with our employees and customers are some of our most
valuable assets. By adhering in our daily business work to this policy we will all contribute to maintaining
Balfour Beatty’s good name and its good relationships with its customers and other stakeholders.
If you have any questions about this policy or need further assistance on data protection matters, please ask
your operating company’s Data Protection Officer. Further information can also be found in Balfour Beatty’s
e-learning course on data protection and in the separate document: Implementation of Balfour Beatty UK Data
Protection Policy: General Guidance, available from your operating company’s Data Protection Officer.
We will review this policy on a regular basis.
Ian Tyler
Chief Executive
August 2009
Table A

1. Personal data must be processed fairly and lawfully.

For processing to be fair and lawful, the DPA requires that certain information be provided to individuals about how their personal data is to be processed. Each UK operating company must:
- only use information in a way that individuals would reasonably expect; and
- ensure individuals are made aware of, in a “privacy notice”, the identity of the operating company that will be processing the personal data, the purposes for which it is processed and any other additional information necessary to ensure that the processing is fair in the circumstances (eg: any third parties, such as other operating companies or Group Head Office, to whom it may be disclosed).

Privacy notices do not have to be actively communicated each time personal data of the individual is processed, provided that the individual has been made aware of the privacy notice, that he or she has the right to see it if he/she wishes and where to find it/who to contact for a copy. Privacy notices could be written (eg: in job application forms, employment contracts or privacy policy) or electronic (eg: published on a website).

For processing to be fair and lawful, the DPA requires that one of the following conditions must also be met:
(i) The individual consents to the processing; or
(ii) The processing is necessary:
- to enter into or perform a contract with the individual;
- to comply with a legal obligation of the operating company (other than a contractual one); or
- for the legitimate interests of the operating company or a third party to whom the data is disclosed.

There is no automatic right to transfer personal data between operating companies, to our joint venture partners or to Group Head Office; one of the above conditions must be met before doing so.

Particular care should be taken with sensitive personal data and any processing of it should first be discussed with the DPO, as it is likely to be necessary to first obtain the express consent of the individual to that processing.

2. Personal data must be obtained and processed only for a lawful purpose and must not be further processed in a manner which is incompatible with that purpose.

Each UK operating company should anticipate and fully describe upfront all of the processing activities that are proposed for that personal data. If the personal data later needs to be processed for a different purpose, operating companies should consider if it is necessary to seek the consent of the individual to the processing of their personal data for that new purpose.

3. Personal data held must be relevant and not excessive given the purpose for which it is processed.

Personal data should only be collected if it is really needed. Duplicate files of the same personal data held by multiple persons should not be kept where possible.

4. Personal data held must be accurate and kept up to date.

Each UK operating company should conduct regular reviews to see if personal data held is still accurate.

5. Personal data processed for a specific purpose must not be kept for longer than is necessary.

Each UK operating company should conduct regular reviews of the personal data held and safely delete/dispose of outdated data.

6. Personal data must be processed in accordance with the rights of the individual.

Each UK operating company should respond to requests by individuals for details of the individual’s personal data held by the operating company (known as “data subject access requests”) within the time period set out in the DPA.

7. Appropriate measures must be taken to prevent unauthorised or unlawful processing, loss or damage to personal data.

Each UK operating company should consider using measures such as password protection or encryption or restricting access to personal data to those who have a legitimate need to know.

8. Personal data must not be transferred outside the EEA unless the destination country has adequate protection.

Special care must be taken to ensure that transfers to our joint venture partners are permitted under the DPA; there is no automatic right under the DPA for such transfer.