GTT Europe Limited
Data Protection Policy
Aims of this Policy
GTT Europe needs to keep certain information on its employees, customers and channel partners to carry out its day-to-day operations, to meet its objectives and to comply with legal obligations.
GTT Europe is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.
This policy covers all employed staff and contractors.
In line with the Data Protection Act 1998 principles, GTT Europe will ensure that personal data will:
• Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
• Be obtained for a specific and lawful purpose
• Be adequate, relevant but not excessive
• Be accurate and kept up to date
• Not be held longer than necessary
• Be processed in accordance with the rights of data subjects
• Be subject to appropriate security measures
• Not be transferred outside the European Economic Area (EEA)
The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper-based personal data as well as that kept on computer.
The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.
• Accountability: Those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
• Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
• Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
• Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
• Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.
Type of information processed
GTT Europe processes the following personal information:
• Information on applicants for posts, including references
• Employee information – contact details, bank account number, payroll information, supervision and appraisal notes
• Customers – contact details
• Suppliers – contact details
Personal information is kept in the following forms:
• Paper-based systems
• Computer-based systems
Groups of people within the organisation who will process personal information are:
Under the Data Protection Guardianship Code, overall responsibility for personal data in an organisation rests with senior management. In the case of GTT Europe, this is the management board.
The management board delegates tasks to the Information Officer. The Information Officer is responsible for:
• understanding and communicating obligations under the Act
• identifying potential problem areas or risks
• producing clear and effective procedures
All employees and contractors who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.
Breach of this policy will result in disciplinary proceedings.
To meet our responsibilities employees will:
• Ensure any personal data is collected in a fair and lawful way
• Explain why it is needed at the start
• Ensure that only the minimum amount of information needed is collected and used
• Ensure the information used is up to date and accurate
• Review the length of time information is held
• Ensure it is kept safely
• Ensure the rights people have in relation to their personal data can be exercised
We will ensure that:
• Everyone managing and handling personal information is trained to do so
• Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do
• Any disclosure of personal data will be in line with our procedures
• Queries about handling personal information will be dealt with swiftly and politely
Training and awareness raising about the Data Protection Act and how it is followed in this organisation will take the following forms:
• On induction, review of the data protection policy document
The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure.
The following measures will be taken:
• Using lockable cupboards (restricted access to keys)
• Password protection on personal information files
• Setting up computer systems to allow restricted access to certain areas
• If personal data can be taken off site, in which forms (paper, memory stick, laptop) and what instruction do you give to people about keeping it safe?
• Back up of data on computers (onto a separate hard drive / onto tapes kept off site)
• Password protected attachments for sensitive personal information sent by email
Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary proceedings.
All information that:- a) is or has been acquired by you during, or in the course of your employment, or has otherwise been acquired by you in confidence; b) relates particularly to our business, or that of other persons or bodies with whom we have dealings of any sort; and c) has not been made public by, or with our authority; shall be confidential, and (save in the course of our business or as required by law) you shall not at any time, whether before or after the termination of your employment, disclose such information to any person without our prior written consent. You are to exercise reasonable care to keep safe all documentary or other material containing confidential information, and shall at the time of termination of your employment.
This policy will be reviewed annually to ensure it remains up to date and compliant with the law.