Data Protection & GDPR Policy

Policy statement of: AWT Ltd

Info: 21 October 2022 Version 1

Albion Water Treatment Ltd (AWT) is fully committed to complying with the General Data Protection Regulation (GDPR), which came into force on 25 May 2018.

Introduction

AWT will follow procedures to ensure that all employees, contractors, agents, consultants and other parties who have access to any personal information held by or on behalf of us are fully aware of, and abide by, their duties and responsibilities under the GDPR.

Statement of Policy

We need to collect and use information about people with whom we work in order to carry out our business and provide our services. These may include members of the public, current, past and prospective employees, clients, customers and suppliers. In addition, we may be required by law to collect and use information. All personal information, whether in paper, electronic or any other format, must be handled and managed in accordance with this policy and our procedures.

Data Protection Principles

We fully support and comply with the EU General Data Protection Regulation (GDPR) and the six data protection principles set out in Article 5 of the GDPR, as given effect in UK law by the Data Protection Act 2018. In summary, this means personal information must be:

  1. processed lawfully, fairly and in a transparent manner
  2. collected for specified, explicit and legitimate purposes
  3. adequate, relevant and limited to what is necessary
  4. accurate and, where necessary, kept up to date
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed
  6. processed in a manner that ensures appropriate security of the personal data

Accountability is central to the GDPR. Data controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and to the regulator, the Information Commissioner's Office (ICO).

Our purposes for holding personal information, along with a description of the categories of people and organisations to which we may disclose it, are set out in our Privacy Notice, which is available on our website.

Disclosure of Personal Information

Strict conditions apply to the disclosure of personal information, both internally and externally. We will not disclose personal information to any third party unless we are satisfied that it is lawful to do so. Confidentiality will be respected where appropriate.

Handling of Personal Information

Through appropriate training and responsible management, all staff will:

  1. fully observe conditions regarding the fair collection and use of personal information
  2. meet our legal obligations to specify the purposes for which personal information is gathered and used
  3. collect and process personal information only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
  4. ensure the accuracy and quality of personal information used
  5. where possible pseudonymise or anonymise personal identifiers within information held
  6. apply strict checks to determine the length of time personal information is held
  7. ensure that the rights of people about whom information is held can be fully exercised under the GDPR
  8. take appropriate technical and organisational security measures to safeguard personal information
  9. be responsible and able to demonstrate compliance with all of the above

Compliance

We will ensure that:

  1. our purposes for processing personal data are clearly set out in the Privacy Notice
  2. all Subject Access Requests (SARs) are dealt with in accordance with the GDPR and within the one-month limit allowed (the GDPR permits this to be extended by up to two further months where a request is complex or numerous, provided the data subject is told of the extension within the first month)
  3. re-training is provided at appropriate intervals to remind staff of their obligations under the GDPR
  4. everyone managing and handling personal information understands that they are directly and personally responsible for following good data protection practice
  5. only staff who need access to personal information as part of their duties are authorised to access it
  6. everyone managing and handling personal information is appropriately trained to do so
  7. everyone managing and handling personal information is appropriately supervised
  8. anyone wanting to make enquiries about the handling of personal information knows what to do
  9. queries about the handling of personal information are dealt with promptly and courteously
  10. methods of handling personal information are clearly described
  11. the way personal information is managed is reviewed and audited
  12. methods of handling personal information are regularly assessed and evaluated

Staff Responsibilities

All staff have a responsibility to protect the personal information held by the company. They will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful access, loss or disclosure, and in particular will ensure that:

  1. they are appropriately trained in the handling of personal information
  2. paper and electronic records or documents containing personal or sensitive data are kept securely
  3. personal data held on computers, mobile devices and computer systems is protected by individual strong passwords which, where the system supports it, are subject to periodic forced changes
  4. access controls are applied to electronic records containing personal and sensitive information

Third Party Users of Personal Information

Any third party that uses personal information supplied by AWT will be required to confirm, and be able to demonstrate, that it abides by the requirements of the GDPR. These parties are expected to audit their own compliance with the GDPR and to provide assurances to AWT in this respect.

Responsibilities regarding GDPR compliance must be covered in any contracts, Service Level Agreements (SLAs) and Data Sharing/Access Agreements (DSAs) with third parties, including the written processor terms that Article 28 of the GDPR requires where a third party processes personal data on our behalf.

Policy Awareness

This policy and any amendments to it will be posted on the AWT website.

Existing staff and any relevant third parties will be advised of the policy and where to find it.

New members of staff and interested third parties will be made aware of this policy.

All staff and relevant third parties must be familiar with and comply with this policy at all times.