USAVE Privacy Notice
The Person Responsible
How to contact Martin by post, telephone, email or website
USAVE Utility Contracts
Cumbernauld Business Park
Ward Park Road
The General Data Protection Regulations 2018 focus on looking after the privacy and enhancing the rights of the individual, and are based on the premise that consumers and data subjects (including employees) should have knowledge of what data is held about them, how it’s held and how it’s used.
USAVE's policy is to ensure that we only retain any personal information for as long as is necessary to fulfil the business purpose for which it was collected and as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We prohibit all persons who use information, which relates to identifiable individuals such as clients and employees, from using such data in an unauthorized way.
Personal data provided by an employee of USAVE will be held and processed both electronically and manually by the Company after employment with the company, in line with a legal basis for processing data depending on the type of data, such as:
Necessary for the performance of a contract (for bank details and other personal data for the purposes of paying an employee; providing and administering benefits such as pension, life insurance, permanent health insurance and medical insurance; undertaking performance appraisals and reviews; maintaining sickness and other absence records and taking decisions as to your fitness for work; providing references and information to future employers, and if necessary, governmental and quasigovernmental bodies for social security and other purposes, including the Inland Revenue)
Compliance with a legal obligation (employee right to work in the UK documents)
Compliance with employment law (employee health, race, or ethnicity data)
With the employee's consent, the company may process Sensitive Personal Data at any time, whether before, during or after an individual's employment, where the Sensitive Personal Data relates to the following:
Racial or ethnic origin: any processing for the purposes of operating the Company's equal opportunity policy.
Employee's health: any processing for the purposes of operating the Company's sickness policy, monitoring absence and any relevant pension scheme.
An offence committed, or allegedly committed, by you or any related proceedings: processing for the purpose of the Company's disciplinary procedures.
For all Sensitive Personal Data any processing in connection with a Change of Control of the Company or the transfer of any business in which the employee performs their duties or any after processing in the legitimate interest of the Company
The employee is required to provide the Company with the necessary information to update their personal records, i.e. change of name, address, marital status or number of children. In addition, periodically, the Company will send you the information held on its system in order that you may verify that it is accurate.
The employee has the right to know and ask: (a) whether their personal information is being processed, why and how, and with whom it’s shared; (b) about access to their data and to have inaccurate data rectified; and (c) about their right to require us, as an employer, to erase personal data about them in certain circumstances.
It has been and remains company policy to maintain high standards in the storage and use of personal data. These standards enable us to ensure client and employee confidentiality, as well as meet our obligations under the General Data Protection Regulations.
‘Personal data’ is ‘any information related to a natural person or data subject that can be used to directly or indirectly identify a person.’ This may include name, a photo, a personal email address, bank details, posts on social media, location data, medical information or a computer IP address. Personal data also includes any expression of opinion about an individual.
‘Sensitive data’ is ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation or biometric data’.
Everyone’s work involves the use of personal data, and all staff are aware of and observe the requirements of The General Data Protection Regulations 2018. The Regulations include criminal offences for the companies, individual managers, and employees if Data Protection law is breached.
The Regulations apply to all types of personal and sensitive data stored either on computers or in manual files. They require every organisation or individual using personal data (the ‘data controller’) to notify the Information Commissioner’s Office of the purposes for which they hold data, the types of data held, the sources of data and the persons or organisations to whom data might be disclosed. An indication of our notification details is given as follows.
Data controllers are required to act in accordance with the six General Data Protection Regulation principles.
USAVE's notification covers normal business activities for USAVE UTILITY CONTRACTS LTD and all trading companies within the group. So long as USAVE is using personal data within an authorised work context, USAVE will be covered by the notification.
The six General Data Protection Regulation principles
The Regulations require personal data to:
Be processed lawfully, fairly, and transparently.
Collected for specified explicit and legitimate purposes.
Adequate, relevant, and limited to what’s truly necessary.
Accurate, kept up to date and every reasonable step to be taken to ensure that inaccurate data is deleted or rectified.
Ensure identification of data subject is for no longer than necessary.
Confirm appropriate protection measures are in place against unlawful or unauthorised processing, as well as accidental loss or destruction.
Any individual has the right to:
Have their personal data erased.
Transfer their personal data to another service provider.
The rectification of inaccurate personal data without delay.
Receive transparent notices about how their data is used.
Access their personal data (subject access request) without charge and within one month of their request; and
Where personal data is processed automatically, an outline of the logic involved in any decision making process.
Direct marketing is a communication that promotes a product or service, including a website or mobile application, that is sent directly to a specific business contact by post, telephone, email, or text message. Consent to direct marketing does not remain valid indefinitely. USAVE will ensure that the company will only promote products or services to individuals from whom we have received opt-in consent and we will ensure our marketing database reflects individuals’ relevant preferences. For example, if consent is given when an individual signs up to a service, consent for direct marketing is likely to be deemed withdrawn when the individual cancels their agreement with us.
Right to object to automated decision taking.
A data subject has the right to object to decisions taken by automated means in circumstances where the decision:
Is taken by or on behalf of the Company.
Significantly affects that individual.
Is based solely on the processing by automatic means of the individual’s personal data.
Is taken for the purpose of evaluating matters relating to them.
Examples of areas likely to be affected are:
Personnel/HR, where automated decisions may be taken, for example, in respect of absence from work due to illness or accident or an individual’s performance at work
Credit scoring, where an automated decision may be taken by reference to the data subject’s credit worthiness.
Subject rights – what we will do if we receive a request.
A data subject has the right to access personal data which has been collected about them. To do this they make a Data Subject Access Request (DSAR). We will accept a request by verbal, written or electronic means. Standard DSAR forms can make it easier for us to recognise a subject access request and make it easier for the individual to include all the details we might need to locate the information they want; however, we must make sure we tell a data subject that it is not compulsory for them to complete a DSAR form, and we will not try to use this as a way of extending the one month time limit for responding. Individuals can obtain a standard DSAR form from the Information Commissioner’s Office website - https://ico.org.uk.
Requests from employees should be referred to Martin Hale, Compliance & Finance Director.
All other requests, such as those from clients, will also be handled by Martin Hale, Compliance & Finance Director.
The General Data Protection Regulations carry penalties for individuals (as well as for companies) who breach the provisions.
Use of Data
A Data Protection contact has been appointed within the business and given responsibility for handling queries relating to the use of personal and sensitive data, particularly in relation to new developments in the business and in systems. They will also review the use and storage of personal and sensitive data on a regular basis to ensure that data is used only in accordance with the company’s notifications and the principles.
Personal and sensitive data may be disclosed only as described in the Company’s notification and in accordance with the principles. Permissible disclosures are to:
Managers and employees who need access to such data in order to fulfil the properly authorised requirement of their job.
Anyone who has a legal right to demand it, for example the Department of Social Security, which has an overriding right to access personal data in many circumstances.
USAVE warrants and undertakes to hold the Customer’s personal data on a secure server and in accordance with the Data Protection Act 1998. USAVE shall not disclose any of the Customer’s personal data to third parties except as necessary for the performance of the Services or as required by law.
USAVE will not collect any unnecessary personal data. Any personal data collected will only be used in the performance of a contract or provision of a service. The Customer reserves the right to access any personal data USAVE hold and to have this data removed.
Disclosure should only be made where we have told the individual who we may pass their details to and the reasons why.
Anyone in doubt about whether a particular disclosure is permitted should speak to Martin Hale, Compliance & Finance Director. Unauthorised disclosure will be treated by the Company as a disciplinary offence and may also be a criminal offence.
Appropriate measures will be taken by USAVE to prevent unauthorised access to, disclosure of or damage to personal and sensitive data. Aspects to be considered include:
Physical security of manual files, disks, tapes and printouts – lockable storage units
Secure placing and password protection of terminals and personal computers
Security of laptop computers and mobile phones – All will be locked and passwords in place which will be changed regularly. No passwords will be written down and everything will be managed centrally by the USAVE IT team.
For anyone working between the office and home, laptops will be checked regularly to ensure that McAfee VPN is installed and regularly updating; this will be checked independently.
Laptops and phones will not be left unattended at any time and will be kept on his or her person at all times when not locked away securely.
The reliability of colleagues; careless talk outside the workplace is forbidden.
Contravention of the General Data Protection Regulations may lead to action by the Information Commissioner’s Office, which has wide-ranging powers to restrict the personal and sensitive data which the Company is permitted to hold and the purposes for which it can be used. Note also that criminal cases may be brought against companies and individuals who handle personal and/or sensitive data in an unauthorised manner.
If a data subject suffers loss or damage because of unauthorised disclosure, inaccurate or missing data, or the loss or destruction of data, they may seek compensation in the Courts.
You can find further information about the General Data Protection Regulations from the Information Commissioner’s website http://www.ico.gov.uk/ and you may wish to refer to the various guides issued in relation to the General Data Protection Regulations.
How to complain
You can also complain to the ICO if you are unhappy with how USAVE have used your data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113