Data Protection Policy and Procedures
Company Name: Teachers Together Ltd (“the Company”)
Use: Internal Policy
​
Policy No. DP02
​
Policy Name: Data Protection Policy and Procedures
​
Date: August 2024
​​
Version: 1.0
​
​
1. Overview
​
This policy applies to the processing of personal data in the manual and electronic records the Company keeps in connection with its human resources and work-finding functions, as described below. It also covers the Company’s response to any personal data breach and the rights of individuals under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (together, “the Data Protection Laws”).
​
The Company processes personal data in relation to its own staff, work-seekers and individual client contacts and is a data controller for the purposes of the Data Protection Laws.
​
The Company has registered with the ICO and its registration number is ZA756790.
​
This policy applies to the personal data of job applicants, work-seekers, existing and former employees, apprentices, volunteers, placement students, workers, and self-employed contractors. These are referred to in this policy as relevant individuals.
The Company commits to ensuring that personal data, including special categories of personal data and criminal offence data (where appropriate), is processed in line with GDPR and domestic laws and that all its staff conduct themselves in line with this and other related policies.
​
Where third parties process data on behalf of the Company, the Company will ensure that the third party takes such measures as are needed to maintain the Company’s commitment to protecting data. In line with current data protection legislation, the Company understands that it remains accountable for processing, managing, regulating, storing, and retaining all personal data it holds, whether in manual records or on computers.
​
2. Definitions
​
Consent is any freely given, specific, informed and unambiguous indication of an individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
​
Data controller is an individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data.
​
Personal data is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, or online identifier. It can also include pseudonymised data.
​
Special categories of personal data are data which relate to an individual’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion or philosophical beliefs, and trade union membership. They also include genetic data and biometric data (where processed to uniquely identify an individual).
​
Personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
​
Criminal offence data is data which relates to an individual’s criminal convictions and offences.
​
Data processing is any operation or set of operations that is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
​
Data processor is an individual or organisation which processes personal data on behalf of the data controller.
​
Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
​
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to an individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable individual.
​
Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data, data concerning health, data concerning an individual’s sex life or sexual orientation, and data relating to an individual’s criminal convictions.
​
Supervisory authority is an independent public authority which is responsible for monitoring the application of data protection. In the UK the supervisory authority is the Information Commissioner’s Office (ICO).
3. Types of data held
​​
Personal data is kept in personnel files. The following types of data may be held by the Company, as appropriate, on relevant individuals:
- Name, address and phone numbers (for the individual and their next of kin).
- CVs and other information gathered during recruitment.
- References from former employers.
- National Insurance numbers.
- Job title, job descriptions and pay grades.
- Conduct issues such as letters of concern and disciplinary proceedings.
- Holiday records.
- Internal performance information.
- Medical or health information.
- Sickness absence records.
- Tax codes.
- Terms and conditions of employment.
- Training details.
​
Relevant individuals should refer to the Company’s privacy notice for more information on the reasons for its processing activities, the lawful bases it relies on for that processing, and the data retention periods.
​
The Company may hold personal data on individuals for the following purposes:
- Staff administration;
- Advertising, marketing and public relations (please refer to our Marketing Procedure Document);
- Accounts and records;
- Administration and processing of work-seekers’ personal data for the purposes of providing work-finding services, including processing using software solution providers and back office support;
- Administration and processing of clients’ personal data for the purposes of supplying / introducing work-seekers.
​
4. Data Protection principles
​
All personal data obtained and held by the Company will:
- be processed fairly, lawfully and in a transparent manner;
- be collected for specific, explicit, and legitimate purposes;
- be adequate, relevant, and limited to what is necessary for the purposes of the processing;
- be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay;
- not be kept for longer than is necessary for its given purpose;
- be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures; and
- comply with the relevant data protection procedures for the international transfer of personal data.
​
In addition, personal data will be processed in recognition of an individual’s data protection rights, as follows:
• The right to be informed.
• The right of access.
• The right to have inaccuracies corrected (rectification).
• The right to have information deleted (erasure).
• The right to restrict the processing of the data.
• The right to data portability.
• The right to object to the processing of their data.
• Rights in relation to automated decision-making and profiling.
​
5. Procedures
​
The Company has taken the following steps to protect the personal data of relevant individuals which it holds or to which it has access.
​
It appoints or employs staff with specific responsibilities for:
a. the processing and controlling of data;
b. the comprehensive reviewing and auditing of its data protection systems and procedures; and
c. overseeing the effectiveness and integrity of all the data that must be protected.
​
There are clear lines of responsibility and accountability for these different roles.
- It provides information to its staff on their data protection rights, how it uses their personal data, and how it protects it. The information includes the actions relevant individuals can take if they think their data has been compromised.
- It provides its staff with information and training to make them aware of the importance of protecting personal data, to teach them how to do this, and to understand how to treat information confidentially.
- It can account for all personal data it holds: where it comes from, whom it is shared with and whom it might be shared with.
- It carries out risk assessments as part of its review activities to identify any vulnerabilities in its personal data handling and processing and to take measures to reduce the risks of mishandling and potential data security breaches. The procedure includes an assessment of the impact of both the use and possible misuse of personal data in and by the Company.
- It recognises the importance of seeking individuals’ consent, where consent is the lawful basis relied on, for obtaining, recording, using, sharing, storing and retaining their personal data, and regularly reviews its procedures for doing so, including the audit trails that are needed and are followed for all consent decisions. The Company understands that consent must be freely given, specific, informed, and unambiguous. The Company will seek consent on a specific and individual basis where appropriate. Full information will be given regarding the activities about which consent is sought. Relevant individuals have the absolute and unimpeded right to withdraw that consent at any time.
- It has appropriate mechanisms for detecting, reporting, and investigating suspected or actual personal data breaches, including security breaches. It is aware of its duty to report to the Information Commissioner any breach that is likely to result in a risk to the rights and freedoms of the affected individuals (see section 14) and is aware of the possible consequences of failing to do so.
- It is aware of the implications of the international transfer of personal data.
- The Company will only process personal data where it has a lawful basis for doing so.
- The Company will review the personal data it holds on a regular basis to ensure it is being lawfully processed and is accurate, relevant and up to date.
- Before transferring personal data to any third party (such as past, current or prospective employers; suppliers, customers and clients; intermediaries such as umbrella companies; persons making an enquiry or complaint; and service providers such as software solution providers and back office support), the Company will establish that it has a lawful reason for making the transfer.
- The Company shall provide any information relating to data processing to an individual in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. The Company may provide this information orally if requested to do so by the individual.
​​
6. Privacy by design and by default
​
The Company has implemented measures and procedures to protect the privacy of individuals and ensures that data protection is integral to all processing activities. This includes implementing measures such as:
- providing privacy notices when personal data is collected;
- data minimisation (i.e. collecting only the personal data that is needed for the purpose and not keeping it for longer than is necessary);
- pseudonymisation;
- anonymisation; and
- cyber security measures.
​
7. Automated decision making
​
The Company will not subject individuals to decisions based on automated processing that produce a legal effect or a similarly significant effect on the individual, except where the automated decision:
• is necessary for entering into or performing a contract between the data controller and the individual;
• is authorised by law; or
• is based on the individual’s explicit consent.
The Company will not carry out any automated decision-making or profiling using the personal data of a child.
8. Access to data
Relevant individuals have a right to be informed whether the Company processes personal data relating to them and to access the data that the Company holds about them. Requests for access to this data will be dealt with under the following summary guidelines:

- A form on which to make a subject access request is available from the Company Director, and the access request should be sent to them.
- The Company will respond to a request without undue delay. Access to data will be provided, subject to legally permitted exemptions, within one month at most. This period may be extended by a further two months where requests are complex or numerous.
- The Company will not charge for the supply of data unless the request is manifestly unfounded, excessive, or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the individual making the request.
​
Relevant individuals must inform the Company immediately if they believe that their data is inaccurate, whether they discover this through a subject access request or otherwise. The Company will take immediate steps to rectify the information.
​
For further information on making a subject access request, staff should refer to our subject access request policy.
9. Data disclosures
​
The Company may be required to disclose certain data/information to third parties. The circumstances leading to such disclosures include:
- the administration of any employee benefits operated by third parties;
- disabled individuals, to establish whether any reasonable adjustments are required to assist them at work;
- individuals’ health data, to comply with health and safety or occupational health obligations towards staff;
- Statutory Sick Pay purposes;
- HR management and administration, to consider how an individual’s health affects their ability to do their job; and
- the smooth operation of any staff insurance policies or pension plans.
These kinds of disclosures will only be made when strictly necessary for the purpose.
10. Charges
Where requests from an individual are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either:
- charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- refuse to act on the request.
Where the individual makes the request by electronic means the Company shall provide the information in a commonly used electronic form, unless otherwise requested by the individual.
11. Data security
The Company adopts procedures designed to maintain the security of data when it is stored and transported. In addition, staff must:
- ensure that all files or written information of a confidential nature are stored in a secure manner and are only accessed by people who have a need and a right to access them;
- ensure that all files or written information of a confidential nature are not left where they can be read by unauthorised people;
- refrain from sending emails containing sensitive work-related information to their personal email address;
- check regularly on the accuracy of data being entered into computers;
- always use the passwords provided to access the computer system, keep those passwords confidential, and never pass them on to people who should not have them; and
- lock or blank the computer screen so that personal data is not left visible when the computer is not in use.
​
Personal data relating to staff should not be kept or transported on laptops, USB sticks, or similar devices unless authorised by the line manager or Company Director. Where personal data is recorded on any such device, it should be protected by:
- ensuring that data is recorded on such devices only where necessary;
- using an encrypted system — a folder should be created to store the files that need extra protection, and all files created in or moved to this folder should be automatically encrypted; and
- ensuring that laptops or USB drives are not left lying around where they can be stolen.
​
Failure to follow the Company’s rules on data security may be dealt with via the Company’s disciplinary procedure. Appropriate sanctions include dismissal with or without notice, dependent on the severity of the failure.
12. International data transfers
The Company does not currently transfer personal data to any recipients outside of the EEA.
​
If the Company transfers the individual’s personal data to a third country or to an international organisation, the individual shall have the right to be informed of the appropriate safeguards in place relating to the transfer.
13. Erasure
Individuals have the right to ask the Company to erase their personal data.
​
If a request is received, the Company will check with the individual whether all or part of the data is to be removed, and whether the Company may contact them again. The Company will then honour the request, subject to any legal obligation to retain the data.
​
If the Company has made the data public, it shall take reasonable steps to inform other data controllers and data processors so that they erase the personal data; this can take some time.
​
The Company will notify any third parties with which it has shared the data as necessary; however, the Company is not able to audit those third parties to confirm that the erasure or rectification has been carried out.
14. Breach notification
Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner within 72 hours of the Company becoming aware of it and may be reported in more than one instalment.
​
Individuals will be informed directly if the breach is likely to result in a high risk to the rights and freedoms of that individual.
If the breach is sufficient to warrant notification to the public, the Company will do so without undue delay.
15. Training
New staff must read and understand the policies on data protection as part of their induction.
​
All staff receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.
​
The nominated data controller/auditors/protection officers for the Company are trained appropriately in their roles under data protection legislation.
​
All staff who need to use the computer system are trained to protect individuals’ private data, to ensure data security, and to understand the consequences to them as individuals and the Company of any potential lapses and breaches of the Company’s policies and procedures.
16. Records
The Company keeps records of its processing activities including the purpose for the processing and retention periods in its HR data records. These records will be kept up to date so that they reflect current processing activities.
17. Complaints
If you have a complaint or suggestion about the Company’s handling of personal data then please contact the Company Director.
​
Alternatively you can contact the ICO directly on 0303 123 1113 or at https://ico.org.uk/global/contact-us/email/