UK Data Protection Policy

Balfour Beatty respects the privacy of all individuals and takes very seriously its responsibilities under the Data Protection Act 1998 (“DPA”). This policy is designed to ensure that all information held on individuals is properly handled in all cases.

The DPA requires that the “personal data” of living individuals that is kept by Balfour Beatty plc and its UK operating companies on computer or well structured paper files must be “processed” in accordance with eight principles (which are described in Table A).

Personal data is defined very widely and is any data from which a living individual can be identified either from the information alone, or with other information which is in (or likely to come into) the possession of the UK operating company. Examples of personal data include names, addresses, photographs, CCTV images of individuals, salary/job titles or opinions which allow individuals to be identified. Personal data also includes “sensitive personal data”: this is information about an individual’s racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health or condition, sexual life or criminal offences/proceedings.

“Individuals” could be any living person, for example, employees, agency staff, customers, contractors, suppliers and job applicants.

“Processing” includes obtaining, recording, holding, using, disclosing or erasing the personal data. In effect almost any activity involving personal data will fall within the scope of the DPA.

Balfour Beatty’s policy is to comply with the DPA and it does not condone anyone processing personal data inappropriately on its behalf. Any breach by Balfour Beatty or any of its UK operating companies of the DPA may lead to fines and/or enforcement action being taken against Balfour Beatty and/or a UK operating company by the Information Commissioner (the body that enforces compliance with the DPA). Of equal concern is that any breach may attract media scrutiny and may lead to a potentially adverse impact on our reputation.

This policy applies to all UK operating companies and all staff working within them (including employees, agency workers, contractors and temporary staff) who may process personal data about employees or other individuals. Compliance with this policy is mandatory.

The Managing Director (or his/her delegate) for each UK operating company has the responsibility for establishing and implementing effective practices and procedures across it to give effect to this policy. When implementing this policy, UK operating companies may find the separate document: Implementation of Balfour Beatty UK Data Protection Policy: General Guidance useful.

This policy requires the following.

1. Each UK operating company must be registered with the Information Commissioner as a data controller for the personal data that it processes and must keep that registration up-to-date.
2. Each UK operating company must appoint a Data Protection Officer (“DPO”) whose role is to ensure compliance by their operating company with the DPA, this policy and any relevant operating company procedures and practices. Specific responsibilities include assessing the current knowledge of data protection within the operating company, ensuring that appropriate training on data protection is provided to operating company staff as required and managing any data security breaches (such as the loss of a laptop or memory stick with personal data stored on it).
3. A process must be established so that any data security breach (such as a loss of personal data) is immediately reported to the DPO and all staff must co-operate with the DPO in the investigation and management of that breach.
4. Each UK operating company must satisfy itself that any third party that it appoints to process personal data on its behalf (such as a payroll processor or a flexible benefits administrator) understands its responsibilities under the DPA. The operating company should enter into a written contract with that third party that requires the third party to act only on instructions from the operating company and to comply with obligations equivalent to those imposed on the operating company relating to security of the personal data.
5. Personal data must be processed in accordance with the eight principles set out in the DPA (see Table A), and the practices and procedures of the UK operating company.

Our reputation and our ongoing relationships with our employees and customers are some of our most valuable assets. By adhering in our daily business work to this policy we will all contribute to maintaining Balfour Beatty’s good name and its good relationships with its customers and other stakeholders.

If you have any questions about this policy or need further assistance on data protection matters, please ask your operating company’s Data Protection Officer. Further information can also be found in Balfour Beatty’s e-learning course on data protection and in the separate document: Implementation of Balfour Beatty UK Data Protection Policy: General Guidance, available from your operating company’s Data Protection Officer.

We will review this policy on a regular basis.

Ian Tyler
Chief Executive
August 2009

Table A

1. Personal data must be processed fairly and lawfully.

For processing to be fair and lawful, the DPA requires that certain information be provided to individuals about how their personal data is to be processed. Each UK operating company must:
- only use information in a way that individuals would reasonably expect; and
- ensure individuals are made aware of, in a “privacy notice”, the identity of the operating company that will be processing the personal data, the purposes for which it is processed and any other additional information necessary to ensure that the processing is fair in the circumstances (eg: any third parties, such as other operating companies or Group Head Office, to whom it may be disclosed).

Privacy notices do not have to be actively communicated each time personal data of the individual is processed, provided that the individual has been made aware of the privacy notice, that he or she has the right to see it if he/she wishes and where to find it/who to contact for a copy. Privacy notices could be written (eg: in job application forms, employment contracts or privacy policy) or electronic (eg: published on a website).

For processing to be fair and lawful, the DPA requires that one of the following conditions must also be met:
(i) The individual consents to the processing; or
(ii) The processing is necessary:
- to enter into or perform a contract with the individual;
- to comply with a legal obligation of the operating company (other than a contractual one); or
- for the legitimate interests of the operating company or a third party to whom the data is disclosed.

There is no automatic right to transfer personal data between operating companies, to our joint venture partners or to Group Head Office; one of the above conditions must be met before doing so.

Particular care should be taken with sensitive personal data and any processing of it should first be discussed with the DPO as it is likely to be necessary to first obtain the express consent of the individual to that processing.

2. Personal data must be obtained and processed only for a lawful purpose and must not be further processed in a manner which is incompatible with that purpose.

Each UK operating company should anticipate and fully describe upfront all of the processing activities that are proposed for that personal data. If the personal data later needs to be processed for a different purpose, operating companies should consider if it is necessary to seek the consent of the individual to the processing of their personal data for that new purpose.

3. Personal data held must be relevant and not excessive given the purpose for which it is processed.

Personal data should only be collected if it is really needed. Duplicate files of the same personal data held by multiple persons should not be kept where possible.

4. Personal data held must be accurate and kept up to date.

Each UK operating company should conduct regular reviews to see if personal data held is still accurate.

5. Personal data processed for a specific purpose must not be kept for longer than is necessary.

Each UK operating company should conduct regular reviews of the personal data held and safely delete/dispose of outdated data.

6. Personal data must be processed in accordance with the rights of the individual.

Each UK operating company should respond to requests by individuals for details of the individual’s personal data held by the operating company (known as “data subject access requests”) within the time period set out in the DPA.

7. Appropriate measures must be taken to prevent unauthorised or unlawful processing, loss or damage to personal data.

Each UK operating company should consider using measures such as password protection or encryption or restricting access to personal data to those who have a legitimate need to know.

8. Personal data must not be transferred outside the EEA unless the destination country has adequate protection.

Special care must be taken to ensure that transfers to our joint venture partners are permitted under the DPA; there is no automatic right under the DPA for such transfer.