INTRODUCTION
S&K Engineering Ltd regards the lawful and correct processing of personal and sensitive data as an integral part of its purpose, and believes this is vital for maintaining the confidence of customers, suppliers, employees and other stakeholders about whom we process data.
POLICY STATEMENT
This privacy policy explains how S&K Engineering Ltd will meet its legal obligations concerning confidentiality and data security standards. The requirements within the policy are primarily based upon the General Data Protection Regulation (“GDPR”), which is the key piece of legislation covering data security and confidentiality of personal data in the European Union.
The key principles of this policy are as follows:
• S&K Engineering Ltd will fully implement all aspects of GDPR
• S&K Engineering Ltd will ensure all employees and others handling personal data are aware of their obligations and rights under GDPR, and
• S&K Engineering Ltd will implement adequate and appropriate measures to ensure the security of all data contained in or handled by its systems
This policy provides guidance about the protection, sharing and disclosure of personal data within S&K Engineering Ltd.
DEFINITIONS OF PERSONAL DATA AND SENSITIVE PERSONAL DATA
Personal data, or personal information, means any information about an individual or company from which that person can be identified. It does not include data where the identity has been removed.
Sensitive personal data, means any personal data that reveals racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and any personal data relating to criminal offences and convictions. Sensitive personal data attracts additional legal protection.
DATA PROTECTION PRINCIPLES
S&K Engineering Ltd adheres to the data protection principles set out in the GDPR, which require that all personal data be:
• processed lawfully, fairly and in a transparent manner
• collected only for specified, explicit and legitimate purposes
• adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
• accurate and where necessary kept up to date
• not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed
• processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage
• not transferred to another country without appropriate safeguards being in place
• made available to data subjects and data subjects allowed to exercise certain rights in relation to their personal data
S&K Engineering Ltd is responsible for and must be able to demonstrate compliance with the data protection principles listed above at all times. Personal data must not be used other than for the specific purpose required to deliver a product or service. The individual should always know that their data is being processed. When that data is especially sensitive, consent is required before the data can be processed by S&K Engineering Ltd, unless there is another legal basis for processing this.
Personal data can be in computerised and/or in a physical format. It may include such documentation as:
· paper documents (e.g. CVs, employee records, letters received and sent)
· electronic records
· printouts
· photographs, and
· videos and tape recordings
Backup data (e.g. archived data or disaster recovery records) also falls under GDPR; however, a search within them should only be conducted if specifically asked for by an individual as an official Subject Access Request.
RIGHTS OF ACCESS BY INDIVIDUALS
The GDPR gives every living person (or their authorised representative) the right to apply for access to the personal data which organisations hold about them, irrespective of when and how this is compiled (e.g. handwritten records, electronic and manual records held in a structured file). This is called a ‘Subject Access Request’.
S&K Engineering Ltd DUTIES
Understanding and complying with the Data Protection Principles is key to S&K Engineering Ltd's responsibilities as a data controller. Therefore, S&K Engineering Ltd will, through the use of appropriate measures and controls:
• ensure there are lawful grounds for using any personal data
• ensure that the use of the data is fair and meets one of the specified conditions
• only use sensitive personal data if it is absolutely necessary and we have obtained the individual’s explicit consent (unless an exemption applies)
• explain to individuals, at the time their personal data is collected, how that information will be used
• only obtain and use personal data for those purposes which are known to the individual
• ensure personal data is only used for the purpose it was given. If we need to use the data for other purposes, further consent will be obtained
• only keep personal data that is relevant to British Steel
• keep personal data accurate, up to date and only held for as long as is necessary
• always adhere to our Subject Access Request Procedure and be receptive to any queries, requests or complaints made by individuals in connection with their personal data
• ensure individuals are given the opportunity to 'opt in' to receiving mass communications, and
• take appropriate technical and organisational security measures to safeguard personal data
In addition, S&K Engineering Ltd will ensure that:
• everyone managing and handling personal data understands that they are legally responsible for following good data protection practice and has read this privacy policy
• enquiries about handling personal data are dealt with promptly
• methods of handling personal data are clearly described in policies and guidance
• a review and audit of data protection arrangements is regularly undertaken
• methods of handling personal data are regularly assessed and evaluated, and
• suitable protections are in place before any personal data is transferred to a third party
ROLES AND RESPONSIBILITIES
EMPLOYEES AND CONTRACTORS
Maintaining confidentiality and adhering to data protection legislation applies to everyone at S&K Engineering Ltd, and S&K Engineering Ltd will take the necessary steps to ensure that everyone managing and processing personal data understands that they are responsible for following good data protection practice. Employees will receive training and must read this policy as part of their induction. All employees and contractors have a responsibility to:
• observe all guidance and codes of conduct in relation to obtaining, using and disclosing personal data
• obtain and process personal data only for specified purposes
• only access personal data that is specifically required to carry out their activity or work
• record data accurately in both manual and electronic records
• ensure any personal data held is kept secure
• ensure that personal data is not disclosed in any form to any unauthorised third party
• ensure personal data is sent securely
Failure by an individual to adhere to any guidance in this policy may result in disciplinary action.
SENIOR MANAGERS
All Senior Managers within each business unit are responsible for:
• determining what personal data is held by their area and ensuring that the data is adequately secure, access is controlled and that the data is only used for the intended purposes
• providing clear messaging to their teams about data protection requirements and measures
• ensuring personal data is only held for the purpose intended
• ensuring personal data is not communicated or shared for non-authorised purposes
• ensuring personal data is password protected when transmitted electronically or appropriate security measures are taken to protect the data when in transit or storage
DEALING WITH A PERSONAL DATA BREACH
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. Personal data breaches can include:
• access by an unauthorised third party
• sending personal data to an incorrect recipient
• computing devices containing personal data being lost or stolen
• alteration of personal data without permission
• loss of availability of personal data
If a data breach is suspected, the person who identified the breach should immediately notify the Quality team and provide all relevant details regarding the breach. Following notification of a breach, the Quality team will take the following action as a matter of urgency:
• implement a recovery plan, which will include damage limitation
• assess the risks associated with the breach
• inform the appropriate people and organisations that the breach has occurred
• review S&K Engineering Ltd's response and update our information security as appropriate
INFORMATION COMMISSIONER’S OFFICE (ICO)
The ICO is the UK’s independent authority set up to uphold information rights in the public interest and data privacy for individuals. The ICO has wide-ranging powers to investigate complaints relating to the use of personal data and personal data breaches. Any failure to comply with data protection obligations may lead to investigation by the ICO, which could result in serious financial or other consequences for S&K Engineering Ltd.
Company Registration: 14764573
VAT Registration: GB456460187
Copyright © 2023 S&K Engineering Ltd - All Rights Reserved.