Policy statement of: AWT Ltd
Info: 21 October 2022 Version 1
Albion Water Treatment Ltd (AWT) is fully committed to complying with the General Data Protection Regulation (GDPR), which came into force on 25 May 2018.
AWT will follow procedures to ensure that all employees, contractors, agents, consultants and other parties who have access to any personal information held by or on behalf of us are fully aware of and abide by their duties and responsibilities under the GDPR.
Statement of Policy
We need to collect and use information about people with whom we work in order to carry out our business and provide our services. These may include members of the public, current, past and prospective employees, clients, customers and suppliers. In addition, we may be required by law to collect and use information. All personal information, whether in paper, electronic or any other format, must be handled and managed in accordance with this policy and our procedures.
Data Protection Principles
We fully support and comply with the EU General Data Protection Regulation (GDPR) and the six principles of the Data Protection Act. In summary, this means personal information must be:
- processed fairly and lawfully and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and where necessary kept up to date
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed
- processed in a manner that ensures appropriate security of the personal data
Accountability is central to GDPR. Data Controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and the regulator: the Information Commissioner’s Office or ICO.
Our purpose for holding personal information, along with a description of the categories of people and organisations to which we may disclose it, is included in our Privacy Notice, which is available via the website.
Disclosure of Personal Information
Strict conditions apply to the disclosure of personal information both internally and externally. We will not disclose personal information to any third party unless we believe it is lawful to do so. Respect for confidentiality will be given where appropriate.
Handling of Personal Information
Through appropriate training and responsible management, all staff will:
- fully observe conditions regarding the fair collection and use of personal information
- meet our legal obligations to specify the purposes for which personal information is gathered and used
- collect and process appropriate personal information only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
- ensure the accuracy and quality of personal information used
- where possible pseudonymise or anonymise personal identifiers within information held
- apply strict checks to determine the length of time personal information is held
- ensure that the rights of people about whom information is held can be fully exercised under the GDPR
- take appropriate technical and organisational security measures to safeguard personal information
- be responsible and able to demonstrate compliance with all of the above
We will ensure that:
- our purposes for processing personal data are clearly set out in the Privacy Notice
- all Subject Access Requests (SARs) will be dealt with in accordance with the GDPR and within the one-month limit allowed
- re-training is provided at appropriate intervals to remind staff of their obligations under the GDPR
- everyone managing and handling personal information understands that they are directly and personally responsible for following good data protection practice
- only staff who need access to personal information as part of their duties are authorised to do so
- everyone managing and handling personal information is appropriately trained to do so
- everyone managing and handling personal information is appropriately supervised
- anyone wanting to make enquiries about handling personal information knows what to do
- queries about handling personal information are promptly and courteously dealt with
- methods of handling personal information are clearly described
- a review and audit is made of the way personal information is managed
- methods of handling personal information are regularly assessed and evaluated.
All staff have a responsibility to protect the personal information held by the company. They will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:
- they are appropriately trained in the handling of personal information
- paper and electronic records or documents containing personal/sensitive data are kept securely
- personal data held on computers, mobile devices and computer systems is protected by strong individual passwords which, where possible, are subject to forced periodic changes
- access controls are placed on electronic records containing personal and sensitive information
Third Party Users of Personal Departmental Information
Any third parties who are users of personal information supplied by AWT will be required to confirm and demonstrate that they will abide by the requirements of the GDPR. There will be an expectation that these parties will audit their compliance with the GDPR and will provide assurances to AWT in this respect.
Responsibilities regarding GDPR compliance must be covered as part of any contracts, Service Level Agreements (SLAs) or Data Sharing/Access Agreements (DSAs) with third parties.
This policy and any amendments to it will be posted on the AWT website.
Existing staff and any relevant third parties will be advised of the policy and where to find it.
New members of staff and interested third parties will be made aware of this policy.
All staff and relevant third parties must be familiar with and comply with this policy at all times.