British Steel Limited and its group (“British Steel”) regards the lawful and correct processing of personal and sensitive data as an integral part of its purpose. British Steel believes this is vital for maintaining the confidence of customers, suppliers, employees and other stakeholders about whom we process data.
The key principles of this policy are as follows:
This policy provides guidance about the protection, sharing and disclosure of personal data within British Steel.
“Personal data”, or “personal information”, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (i.e. anonymised data).
Examples of personal data that British Steel processes include:
“Sensitive personal data” means any personal data that reveals racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and any personal data relating to criminal offences and convictions. Sensitive personal data attracts additional legal protection.
British Steel adheres to the data protection principles set out in the GDPR, which requires that all personal data be:
British Steel is responsible for and must be able to demonstrate compliance with the data protection principles listed above at all times.
Personal data must not be used other than for the specific purpose required to deliver a product or service. The individual should always know that their data is being processed. When that data is especially sensitive, consent is required before it can be processed by British Steel, unless there is another legal basis for the processing.
Personal data can be in computerised and/or in a physical format. It may include such documentation as:
Backup data (e.g. archived data or disaster recovery records) also falls under GDPR; however, a search of backup data should only be conducted where an individual has specifically requested it as part of an official Subject Access Request.
The GDPR gives every living person (or their authorised representative) the right to apply for access to the personal data which organisations hold about them, irrespective of when and how it was compiled (e.g. handwritten records, electronic records, and manual records held in a structured file). This is called a ‘Subject Access Request’.
Understanding and complying with the Data Protection Principles is key to British Steel’s responsibilities as a data controller. Therefore, British Steel will, through the use of appropriate measures and controls:
In addition, British Steel will ensure that:
Maintaining confidentiality and adhering to data protection legislation applies to everyone at British Steel. British Steel will take necessary steps to ensure that everyone managing and processing personal data understands that they are responsible for following good data protection practice. Employees will receive training and must read this policy as part of their induction.
All employees and contractors have a responsibility to:
Failure by an individual to adhere to any guidance in this policy may result in disciplinary action.
All Senior Managers within each business unit are responsible for:
British Steel’s Head of Legal holds the position of Data Protection Officer. His responsibilities include:
The Data Protection Officer can be contacted at firstname.lastname@example.org.
The ICO is the UK’s independent authority set up to uphold information rights in the public interest and data privacy for individuals. The ICO has wide-ranging powers to investigate complaints relating to use of personal data and personal data breaches. Any failure to comply with data protection obligations may lead to investigation by the ICO which could result in serious financial or other consequences for British Steel.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data.
Personal data breaches can include:
If a data breach is suspected, the person who identified the breach should immediately notify the Data Protection Officer and provide all relevant details regarding the breach.
Following notification of a breach, the Data Protection Officer will take the following action as a matter of urgency:
British Steel is registered with the ICO with registration number ZA225537.
“Data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is processed. The data controller for the purposes of this document is British Steel.
“Data processor” means any person who processes personal data on behalf of the data controller but is not employed by them.
“Data subject” means an individual who is the subject of personal data. This includes employees, contractors, customers, consultants and visitors.
“Processing” means recording or holding data, or carrying out any operation on that data, including organising, altering or adapting it; disclosing it; or aligning, combining, blocking or erasing it.
“Subject access request” means a written, signed request (which includes email and other written formats) from an individual to see personal data which British Steel holds about them. Data controllers must provide all such information in a readable form within one month of receipt of the request.
“Third party” means, in relation to personal data, any person other than the data subject, the data controller, or any data processor or other person authorised to process data for the data controller or processor. For example, the Police or HMRC.
12 February 2019