Security and Confidentiality Policy
Burlington Uniforms is a responsible member of the business community. Part of our responsibility is the maintenance of security and confidentiality.
This document sets out the responsibilities of the company for the integrity and security of data held about individuals. It describes the data held, who may or will process or have access to that information, the principles by which the company will abide, the rights of data subjects, general principles of security and confidentiality and to whom data will be disclosed.
Senior management is responsible for the formulation, implementation and review of this policy. The directors are ultimately responsible for ensuring that this policy and its implementation are compliant with The Data Protection Act 1998 and any other statute, secondary legislation, EU regulation or directive or best practice.
Protection of Persons and Property
Burlington Uniforms will maintain measures to ensure the security of its premises and persons on the premises.
All premises are to be alarmed with a connection to a central monitoring station. The monitoring station will be alerted in the event of burglary or attempted burglary, fire or damage to premises.
Premises are protected by a system of secondary grilles and shutters that are activated before premises are left unattended at night, weekends, and holiday periods.
During working hours there is access to premises by entry-phone so that unauthorised access is prevented.
Our Health and Safety Policy contains instructions for dealing with bomb alerts, fire and similar emergencies that present a risk or risks to life and limb.
No employee is to enter company premises alone outside business hours, at weekends or holiday periods without informing the Managing Director or General Manager. They are to report by telephone when they leave and are outside the premises so that management may know that they are safe.
Goods in Transit
A detailed record is kept of goods leaving our premises. Carriers operate a track and trace system and consignments require a signature on delivery. With these checks in place the same number of garments that leave our premises will reach their destination.
Data, Information and Intellectual Property
We treat data as an asset that must be protected against loss and unauthorised access. We employ information security techniques to protect information from unauthorised access by users inside and outside the company.
Data Held About Individuals
“Data” means information that (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, (b) is recorded with the intention that it should be processed by means of such equipment or is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.
“Data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed and for the purposes of this policy means the Managing Director of Burlington Uniforms Limited.
“Data subject” means an individual who is the subject of personal data.
“Employee” means any employee of Burlington Uniforms Limited and includes those employed as casual labour and those engaged as independent contractors.
“Personal data” means data which relate to a living individual who can (a) be identified from those data or (b) from those data and any other information which is in the possession of, or likely to come into the possession of, the data controller.
The Company is registered with the Information Commissioner’s Office as required by the Act, and will continue to be so registered.
Purposes for which Data is held
The company holds data for the purpose of staff administration. This is information that is held or processed for the purposes of appointment or cessation, pay, superannuation, discipline, promotion, training or other personnel matters relating to staff. The information that we hold is restricted to data which are necessary for staff administration.
The individuals about whom we hold information are restricted to any employee or other person (e.g. a spouse or partner to whom pension or death in service benefits are paid) whose personal information needs to be processed for staff administration.
Disclosures (except those made with the subject's consent) are restricted to those we are required by law to make to third parties for the purpose of staff administration, e.g. H.M. Revenue and Customs, the courts (for attachment of earnings orders etc.), other government departments or agencies.
We will not retain personal information after the employment relationship ends longer than is necessary for staff administration or is required by law.
Accounts and Records
We may hold information about individuals for the purpose of keeping accounts and records. This information may be processed for the purpose of keeping accounts relating to our business, deciding whether or not to accept a person or individual as a customer or supplier, keeping records of purchases, sales or other transactions to ensure that relevant deliveries, payments or services take place, or making financial or management transactions to help carry out our business activities.
Information held on individuals for the above purposes may include the sizes, measurements and requirements of wearers and the opinion of wearers about our goods and services obtained as customer feedback or through customer satisfaction surveys.
Advertising, Marketing and Public Relations
We may hold information on any person whose personal information we need to process for advertising, marketing and public relations.
Such information is restricted to information that is necessary for our advertising, marketing and public relations (e.g. the contact details of procurement officers that we might nominate as referees when we submit a tender or pre-qualification questionnaire).
Disclosures are restricted to those which we need to make to third parties for the purpose of advertising, marketing or public relations.
We will not keep personal information after the relationship between Burlington Uniforms and the customer or supplier ends unless and for so long as is necessary for the purpose of our advertising, marketing and public relations.
Rules For The Holding And Processing Of Data On Individuals By The Company
Data is processed by Burlington Uniforms Limited because the processing is necessary for the performance of the purposes set out above.
Data is processed lawfully and fairly.
Personal data is obtained only for the specified and lawful purposes and will not be processed in any manner incompatible with those purposes.
Personal data will be adequate, relevant and not excessive in relation to the purpose for which they are processed.
Personal data will be accurate and, where necessary, kept up to date.
Personal data processed for the purposes set out above shall not be kept for longer than is necessary for those purposes.
Personal data will be processed in accordance with the rights of data subjects under The Data Protection Act 1998.
Appropriate measures will be taken to prevent unauthorised or unlawful processing of personal data and against accidental loss, or destruction of, or damage to, personal data.
Personal data will not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
When requested in writing the company will give to any individual a description of the personal data of which that individual is the data subject, the purposes for which they are being or are to be processed, and the recipient or classes of recipients to whom they are being disclosed.
Security and Confidentiality Of Data
Security of data is paramount. Information is stored on the company's server across four hard drives. It is backed up daily on a network of secondary hard drives. It is also backed up on portable hard drives which are removed from the premises overnight and at weekends and holidays.
Data about employees is never disclosed or sold for marketing purposes.
Data is treated as an asset that must be protected against loss and unauthorised access. Information security techniques are employed to protect information from unauthorised access by users inside and outside the scheme. There are rigorous procedures for copying data and securely storing disks, memory sticks, paper copies etc.
In particular personal information should:
- Be kept in a locked filing cabinet, drawer, or safe; or
- If it is computerised, be encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up, be subject to user/share level security, screen savers, virus protection, back-up systems, dedicated servers and internal procedures; and
- If redundant, should be securely cleaned from electronic storage or securely shredded.
Remote use of Data
It will sometimes be necessary for the directors, authorised employees, or properly appointed agents of or consultants to the company to hold or process information at home or other remote sites.
In cases where such off-site processing is felt to be necessary or appropriate, the agreement of the relevant designated data controller must be obtained, and all the security guidelines given in this document must still be followed.
Data stored on portable electronic devices or removable media is the responsibility of the individual who operates the equipment. It is the responsibility of this individual to ensure that:
- consideration is given to the risks of failure to provide adequate security, which may be so high that the data should never be taken off site
- suitable back-ups of the data exist
- sensitive data is appropriately encrypted
- sensitive data is not copied onto portable storage devices without first consulting the IT Director or Operations Manager, in regard to appropriate encryption and protection measures
- electronic devices such as laptops or PDAs, and computer media (floppy disks, USB devices, CD-ROMs etc.) that contain sensitive data are not left unattended when off site
- For some information the risk of failure to provide adequate security is so great that it should never be taken or transmitted off site and top management should periodically review all personal information in order to identify any that is in this risk category.
Access to Data
Information held about individuals will only be viewed by the following persons:
- Directors, managers and other authorised employees
- Properly appointed and authorised consultants
- the company's accountants
- any court of recognised jurisdiction or any person to whom such court orders data to be disclosed
- Any pension provider with which the company enters into business
- Such government departments and agencies to whom the Company is from time to time required to provide data
Burlington Uniforms employs CCTV cameras on its premises for the security of its real, personal or intellectual property and for the protection of its employees, visitors and contractors.
Information that CCTV cameras are in use is displayed as appropriate.
Information about images captured on CCTV will be provided on reasonable request.
Disclosure of images captured on CCTV will be made for the detection of those suspected of committing criminal offences, in the prosecution of alleged offenders and where disclosure is required in civil proceedings.
Deliveries and Visits to High Security Locations
Deliveries to high security locations will be undertaken by our couriers and/or logistics providers. They have rigorous procedures for vetting staff prior to and during employment. They also treat data as an asset to be protected at all times.
Burlington Uniforms staff from time to time visit high security locations for review meetings and carrying out measuring and sizing exercises. They are instructed in the importance of following directions given to them and remaining within permitted areas. They are also trained in the importance of maintaining strict confidence in respect of any information disclosed to them or observed by them in relation to client personnel and premises.
Review of Policy
This policy is reviewed annually as part of the company’s management review procedure.
Date: 23rd July 2014
Review Date: 22nd July 2015