Data Protection Policy in Accordance with the EU General Data Protection Regulation (GDPR)

The Housekeeping Agency | Data Protection Policy | Last updated 14/03/2019

1. Introduction

1.1. The Housekeeping Agency needs to collect and use certain types of information about certain Individuals in order to carry out its work. This work pertains predominantly to Recruitment Agency services.

1.2. Personal information must be collected and dealt with appropriately, whether collected on paper, stored in a computer database, or recorded on other material, and there are safeguards to ensure this under the General Data Protection Regulation 2018 (GDPR), to which this policy adheres.

1.3. The parties about whom The Housekeeping Agency may hold and process personal data (the Data Subject) include:

1.3.1. Individuals placed in employment by The Housekeeping Agency through its role as a recruitment agency.

1.3.2. Organisations or their representatives whom The Housekeeping Agency needs to contact in the course of its everyday business.

1.3.3. Clients, organisations or their representatives who may wish to engage the services of The Housekeeping Agency.

1.3.4. Organisations who provide services to The Housekeeping Agency.

1.3.5. Magazines and other publications with whom The Housekeeping Agency places advertisements.

1.3.6. Any other organisation or individual who contacts The Housekeeping Agency.

2. Data Controller

2.1. The Housekeeping Agency is the identified Data Controller under the GDPR, which means that we determine the purposes for which personal information is held and used. We are therefore also responsible for ensuring that this data is controlled in full compliance with the GDPR.

3. Disclosure

3.1. The Housekeeping Agency regards the lawful and correct treatment of personal information to be of the utmost importance in creating successful working relationships and to maintaining the confidence of those with whom we deal.

3.2. The Data Subject will be made aware in all circumstances of how and with whom their information will be used and shared. The Housekeeping Agency will never share personal data with other organisations (such as businesses, local authorities, funding bodies or voluntary agencies), unless at least one of the following circumstances applies:

3.2.1. The Data Subject has given explicit, verifiable consent.

3.2.2. The sharing of data is seen to be in the legitimate interest of the Data Subject.

3.2.3. The law mandates the disclosure of personal data.

3.3. There are circumstances where the law mandates that The Housekeeping Agency disclose data (including sensitive data), without the Data Subject’s consent. These include:

a) Carrying out a legal duty or as authorised by the Secretary of State.

b) Protecting vital interests of an Individual/Service User or other person.

c) The Individual/Service User has already made the information public.

d) Conducting any legal proceedings, obtaining legal advice or defending any legal rights.

3.4. Personal data will never be sold to a third-party.

3.5. The Housekeeping Agency will adhere to the Principles of Data Protection, as detailed in the EU General Data Protection Regulation. Specifically, these Principles require that:

a) Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

b) Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

c) Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

d) Personal data shall be accurate and, where necessary, kept up to date.

e) Personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data is processed.

f) Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

g) The controller shall be responsible for and be able to demonstrate compliance with the GDPR.

3.6. The Housekeeping Agency will, through appropriate management and strict application of criteria and controls:

3.6.1. Fully observe conditions regarding the fair collection and use of information.

3.6.2. Meet its legal obligations to specify the legitimate purposes for which information is used.

3.6.3. Collect and process appropriate information, and only to the extent that it is needed to fulfill its operational needs or to comply with any legal requirements.

3.6.4. Ensure the quality of information used.

3.6.5. Ensure that the rights (as defined by the Information Commissioner’s Office) of people about whom information is held can be fully exercised under the GDPR.

These include:

a) The right to be informed.

b) The right of access.

c) The right to rectification.

d) The right to erasure.

e) The right to restrict processing.

f) The right to data portability.

g) The right to object.

h) Rights in relation to automated decision making and profiling.

3.6.6. Take appropriate technical and organisational security measures to safeguard personal information.

3.6.7. Ensure that personal information is not transferred to a third-party without suitable consent or legal obligation.

3.6.8. Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information.

3.6.9. Set out clear procedures for responding to requests for information, erasure of information and cessation of processing.

4. Data Collection

4.1. The Housekeeping Agency will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, over the telephone, by email or via computer video conferencing (Skype).

4.2. When collecting data, The Housekeeping Agency will ensure that the Data Subject:

a) Clearly understands why the information is needed.

b) Understands what it will be used for and what the consequences are should the data subject decide not to give consent to processing.

c) Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress.

d) Has received sufficient information on why their data is needed and how it will be used.

4.3. The two key parameters through which personal data will be held and processed are Consent, and Legitimate Interest.

4.3.1. Consent is defined:

a) As offering individuals real choice and control.

b) Genuine consent puts individuals in charge, building customer trust and engagement.

c) Consent requires a verifiable positive opt-in.

4.3.2. Where consent is not required or realistically available, the legitimate interest of the Data Subject can be used as a lawful basis for data processing.

4.3.3. To determine legitimate interest, we make sure to:

a) Identify a justifiable legitimate interest of the Data Subject.

b) Show that the processing is necessary to achieve it.

c) Balance it against the individual’s interests, rights and freedoms.

4.4. The Information Commissioner’s Office clarifies that legitimate interest is comprised of three key elements:

4.4.1. A Legitimate Interest:

a) The Housekeeping Agency will clarify the legal ground for data processing through identification of a legitimate interest (e.g. direct marketing).

4.4.2. A Necessity Test:

a) The Housekeeping Agency will assess whether legitimate interest is the correct legal ground and whether the processing of personal data is necessary. (e.g. The processing of personal data is necessary for a direct marketing campaign).

4.4.3. A balance with individuals’ interests, rights and freedoms:

a) The Housekeeping Agency will not impinge on an individual’s rights. We will identify privacy risks and assess whether legitimate interest is valid in each particular instance.

4.5. In order to function properly, The Housekeeping Agency collects personal data in the following ways:

4.5.1. Through inbound and outbound phone calls made to our organisation.

4.5.2. Through email communications received by The Housekeeping Agency.

4.5.3. Through client registration forms.

4.5.4. Through computer video conferencing (Skype) communications.

4.6. Personal identification information will only be collected if users voluntarily submit such information.

4.7. Personal information may be used to inform promotional information sent to users about third parties deemed relevant to their needs. Without user permission, or unless required to do so by law, we will never sell, distribute or lease any personal information to a third party.

4.8. Personal data collected will include:

4.8.1. Name

4.8.2. Address

4.8.3. Date of Birth

4.8.4. Nationality

4.8.5. Gender

4.8.6. Phone Number

4.8.7. Email Address

4.8.8. Any notes which may pertain to the wellbeing of the individual whilst on our premises.

These could include:

a) Physical Requirements

b) Dietary Requirements

c) Cultural Requirements

5. Data Storage

5.1. Information and records relating to staff, clients, candidates and other individuals with whom The Housekeeping Agency may communicate during the course of our organisational duties, will be stored securely on a dedicated hard drive and will only be accessible to authorised staff. Designation of responsibility for this authorisation sits with the Data Protection Officer.

5.2. Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately.

5.2.1. Unless otherwise confirmed through an auditable document such as a feedback form, data will be held for 2 years before it is completely removed from all systems and data storage facilities.

5.2.2. If it has been expressly stated in a feedback form or other auditable format that personal data may be kept for longer than 2 years, this will be adhered to in accordance with the consent of the Data Subject.

5.3. It is The Housekeeping Agency’s responsibility to ensure that all personal data is non-recoverable from any computer system previously used within the organisation which has been passed on / sold to a third-party.

5.4. If The Housekeeping Agency is requested to delete personal data, this will be done immediately and without question.

6. Data Processing

6.1. The Housekeeping Agency processes personal data in the following ways:

6.1.1. Once an enquiry is received by either phone or email, the personal data included in the enquiry will be used in strict accordance with the purpose for which it was provided.

6.1.1.1. In this situation, due to the nature of the recruitment industry, consent to process data is taken to have been given upon submission of an enquiry.

6.1.1.2. The information provided may be shared with our service providers or related organisations only to provide the specific service requested.

6.1.1.3. The legitimate interest of the enquirer is also taken into account when responding to the enquiry, as it is assumed that our response is in their best interest.

6.1.1.4. A feedback form may be sent to the enquirer. This may be via email or postal mail.

7. Data Access and Accuracy

7.1. All Data Subjects have the right to access the information The Housekeeping Agency holds about them. The Housekeeping Agency will take reasonable steps to ensure that this information is kept up to date by asking Data Subjects whether there have been any changes.

7.2. The Housekeeping Agency will ensure that:

a) It has a Data Protection Officer with specific responsibility for ensuring compliance with Data Protection.

b) Anybody processing personal information understands that they are legally responsible for following the GDPR.

c) Anybody processing personal information is appropriately trained to do so.

d) Anybody wanting to make enquiries about handling personal information knows what to do.

e) It deals promptly and courteously with any enquiries about handling personal information.

f) It describes clearly how it handles personal information.

g) It will regularly review and audit the ways it holds, manages and uses personal information.

h) It regularly assesses and evaluates its methods and performance in relation to handling personal information.

i) All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary or legal action being taken against them or the organisation.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the GDPR.

In case of any queries or questions in relation to this policy please contact The Housekeeping Agency Data Protection Officer:

Samantha Cliffe

Email: info@thehousekeepingagency.co.uk

Tel: 01252 246143