TELEPHONE: 01928 716702


© Integrated Health & Safety Ltd 2018

Data Protection Policy

Including GDPR

Scope

 

1.   Integrated Health and Safety is a business-to-business organisation and does not carry out any activity with individuals on a personal basis.

 

2.   The company has completed the ICO checklist provided to support the GDPR Regulations and the outcome is generally that the activity of the company is not applicable and/or low-risk.

 

3.   Specifically and significantly, the company does not receive, store or process personally identifiable information (PII). When dealing with individuals as part of business activity, such data is restricted to the name only.

 

4.   The vast majority of data held would be considered commercial rather than personal.

 

5.   The outcome of the ICO checklist activity indicates that no specific data protection measures are required other than a need to apply common-sense precautions, but the company has decided to develop and adopt a data protection policy in any event.

 

 

Potential data hazards and company precautions

 

6.   It is recognised that 97% of data loss or data “abuse” is the result of human error. Staff are instructed specifically to be careful when working with PCs and distributing data, including the following:

 

a.   The need to transfer data, is it essential? Legitimate business purposes only.

 

b.   Who data is being sent to, care with “reply all”, “excessive cc distribution”, etc.

 

c.   Ensuring that passwords are in place on all devices and regularly changed.

 

d.   Not leaving computers turned on when unattended, use of timeout facilities etc.

 

e.   Minimise personal use of business computers, no inappropriate content / website use / linking to social media.

 

 

7.   Client data is used by all company employees based on their duties within the company and the needs of the client.

 

8.   Data is stored for as long as required, normally for the duration of any particular project or ongoing commitments with clients and subsequently for a period of 7 or 13 years to provide a small “buffer” beyond statutory obligation.

 

9.   Antivirus and firewall software is in place on all devices.

 

10. The company employs a professional IT support organisation to manage the systems, and this includes weekly remote monitoring of all devices, including checking for viruses and any other IT issues.

 

11. In respect of permission to use data as noted above, this is in relation to business and commercial data, not PII. It is understood by the business community, including our clients, that use of data supplied is an essential part of business. As a company we do not seek authority from our clients to legitimately use business data gained from our clients, as indeed this is the essence of what we do.

 

12. We undertake only to transfer client data to other parties for legitimate business purposes related to the particular client activity and not for any other purpose.

 

13. We very specifically will not transfer or supply client data to any third party for purposes not related to current business activity without client approval; this includes for marketing purposes.

 

14. Should any client request details of the data that we hold related to them, we would establish the legitimacy of the request in the first instance and subsequently undertake to supply this data if genuine.

 

15. Should a client request us to destroy his data, we would do this where possible, but where we have a contractual obligation to hold data for either 6 or 12 years (depending on the contractual arrangements) we would destroy the data at either 6 years or 12 years following the last commercial activity with the client. Any data held that could be considered not relevant to the contractual arrangements would be destroyed as soon as was reasonably practicable.

 

16. In the unlikely event that we suffer a data loss or become aware of our client data being transferred unintentionally to others, we undertake to notify both the ICO and our client within 72 hours and take whatever appropriate action is required, seeking advice from our professional IT support company.

 

17. The data protection officer for the company is David Maddock.

 

 

D Maddock Director

16th May 2018

Integrated Health and Safety Ltd

Vale House, Aston Lane North,

Preston Brook,

Cheshire WA7 3PE

Telephone: 01928 716702

advice@ihsafety.co.uk