NuGreen: Data Protection Policy
NuGreen is committed to a policy of protecting the rights and privacy of individuals through the careful and considered processing of their personal data.
This supports the overall goals of the company by building employee, supplier, and customer confidence, while maintaining our legal obligations.
NuGreen Data Protection procedures are designed to comply with the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR), which officially replaced the EU GDPR on the 1st January 2021.
NuGreen’s policies and procedures are also compliant with the Privacy and Electronic Communications Regulations (PECR).
On the 28th June 2021 the EU published its adequacy decision regarding the UK GDPR. The EU adequacy decision states that the UK provides adequate protection for personal data transferred from the EU to the UK under EU GDPR. This decision will remain under review, but is expected to be effective until 27th June 2025, with review and renewal taking place approximately every four years.
This means the EU has declared the UK GDPR an equivalent of the EU GDPR and that NuGreen’s procedures are therefore also compliant with EU GDPR.
Data Subject:
The individual to whom the personal data refers.
Personal Data:
This is any data that can be used to identify an individual either directly (such as their first name, or a formal email address e.g. [email protected]) or indirectly (such as their last name, their address, their phone number, or an informal email address e.g. [email protected]).
For the purposes of this policy, it specifically includes the personal data of NuGreen customers, suppliers, sales leads and employees.
Special Category Data:
This is more sensitive data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning a subject’s sex life or their sexual orientation. It also includes health information, which is most of the SC data we process.
Processing:
Using personal data is referred to as processing. Storing, sharing or editing personal data are all processing activities.
Data Controller:
This is the entity that decides what data can be processed, why it needs to process the information and under what legal basis it is doing so.
Data Processor:
This is a third party that uses personal data on the instruction of the data controller.
Data Subject Access Request:
This is when a data subject requests to see the personal data we process. They can make the request verbally or in writing, but NuGreen requires a written confirmation for our records, so there is a form they need to complete to make an official request.
Data Subject Restriction Request:
This is when a data subject requests that we stop processing their data but does not wish for us to delete the data. This is most likely to occur when they have requested access to their data and want us to stop processing until after they have had an opportunity to review the data we hold. They can make this request verbally or in writing, but they must complete a NuGreen Restriction Form for our records.
Data Subject Rectification Request:
This is when a data subject requests that we amend their personal data; it might be that they have a new phone number or email address. As we use their data across several pieces of software, it is important that a rectification form is completed so we can locate and amend all the relevant entries and so we can inform them when rectification is complete.
Data Subject Deletion Request:
This is when the data subject requests that we delete their data and cease processing it. They can make the request verbally or in writing, but they must complete a Data Subject Deletion form for our records.
Data Subject Objection:
This is when the data subject requests that we stop processing their data as they do not believe we have sufficient legal basis to process their information or that we are doing so unlawfully. They can make the request verbally or in writing, but they must complete a Data Subject Objection form for our records.
All employees are responsible for following NuGreen procedures correctly. You will be provided with training to support your understanding of these procedures and the effectiveness of this training will be assessed periodically. Data Protection can seem incredibly complex – and from a legal perspective it is – but as an employee the most effective way to comply with the regulation is to follow the procedures defined by NuGreen, and to work within the rules defined by NuGreen policies.
In addition to the rules found across NuGreen policies, under this Data Protection Policy these fundamental rules apply:
- Employees must not use personal data or special category data outside the scope of their defined job role.
- Employees must securely maintain all electronic devices or written records that contain personal data, in accordance with NuGreen policies.
- Employees must be aware of their surroundings when discussing, disclosing or working with personal data in non-NuGreen work areas or public spaces and should desist or relocate if they believe there is a risk that personal data will be audible, visible or legible.
- Employees must not use special category data in public spaces or non-NuGreen approved work areas. The only exception to this is where a TSM is required to use special category data while onsite at a hospital or clinic, as this is within the scope of their defined job role.
- Employees must report loss or theft of devices containing personal or special category data immediately.
- Employees must report any security compromise – such as accidental disclosure of a password, download of a virus, physical tampering, or compromise of a locked cabinet – immediately.
- Employees must report Data Subject Access requests, restriction requests, rectification requests, deletion requests or objections immediately. NuGreen will need to send them a form to complete for our records and we have legal obligations to comply with requests within specific timeframes.
The staff handbook details what is expected from employees under ‘confidential information & company property’. You should read the employee privacy notice, so you understand your own rights regarding the data NuGreen processes about you. All employees should also apply the following data protection good practice.
Data Security and Storage
Store as little personal data as possible on your computer or laptop; only keep those files that are essential. Personal data received on disk or memory stick should be saved to the relevant file on the server or laptop. The disk or memory stick should then be securely returned (if applicable) or processed for safe storage or disposal.
Always lock (password protect) your computer or laptop when left unattended, even for short periods of time; this is especially important when using your laptop or computer away from the office.
Do not use passwords that are easy to guess. Follow the password setting guidelines that are shown when you set your password, for example using a mix of lower case and upper case letters.
Protect Your Password
Rules for passwords are:
- Do not give out your password
- Do not write your password somewhere on your laptop
- Do not keep it written on something stored in the laptop case
Laptops and Portable Devices
- All laptops and portable devices that hold data containing personal information are protected with a suitable encryption program.
- When travelling in a car, make sure the laptop is out of sight, preferably in the boot. If you must leave your laptop in an unattended vehicle at any time, put it in the boot and ensure all doors are locked and any alarm set.
- Never leave laptops or portable devices in your vehicle overnight.
- Do not leave laptops or portable devices unattended in restaurants or bars, or any other venue. When travelling on public transport, keep the device with you at all times; do not leave it in luggage racks or even on the floor alongside you.
Non-compliance with this policy could have a significant effect on the efficient operation of NuGreen and may result in financial loss and an inability to provide necessary services to our customers.
The Senior Management team will put in place suitable technical security measures to protect and manage IT systems utilised throughout NuGreen, including measures to prevent or identify data breaches caused by malicious activity from outside agents.
The senior management team and the preferred IT supplier will administer password rights across the critical IT platforms utilised by NuGreen.
The senior management team will assess the viability of appointing a Data Protection Officer (DPO) at such time as NuGreen recommends it, or where NuGreen becomes legally obliged to do so.
Quality and Regulatory Affairs (NuGreen)
The NuGreen team will manage the data as required by the Data Controller (DC) (The Company) under the DPA and UK GDPR, and is legally responsible for compliance, which means that NuGreen determines what purposes personal information held will be used for. NuGreen will consider legal requirements and ensure that it is properly implemented through strict application of criteria and controls:
- a) Observe fully conditions regarding the fair collection and use of information.
- b) Meet its legal obligations to specify the purposes for which information is used.
- c) Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements.
- d) Ensure the quality of information used.
- e) Ensure that the rights of people about whom information is held can be fully exercised under the DPA. These include:
  - i) The right to be informed that processing is being undertaken
  - ii) The right of access to one’s personal information
  - iii) The right to prevent processing in certain circumstances, and
  - iv) The right to correct, rectify, block or erase information which is regarded as wrong information
- f) Take appropriate technical and organisational security measures to safeguard personal information.
- g) Ensure that personal information is not transferred abroad without suitable safeguards.
- h) Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information.
- i) Set out clear procedures for responding to requests for information.
NuGreen will map the personal data collected and processed by NuGreen, categorise it, assign an appropriate legal basis and establish a compliant procedure for processing the data.
NuGreen will ensure that a minimal amount of data is being processed and will establish and enforce retention periods for all personal and special category data.
NuGreen will liaise with all departments to ensure potential new data processing activities are handled appropriately.
NuGreen will utilise data maps, data asset registers, data privacy impact assessments, legitimate interest assessments and other auditing tools where appropriate to inform policy and procedure, and to record, assess and monitor compliance.
NuGreen will publish an employee privacy notice (available internally) and a public facing privacy notice (available via our website) as part of NuGreen’s obligation to clearly and concisely notify data subjects how their data is being processed, for what purpose and what rights they have as a result.
NuGreen will incorporate the principle of data protection by design into all aspects of its activity when drafting policies and procedures for NuGreen.
NuGreen will assess and review the appropriateness of appointing a Data Protection Officer (DPO) to oversee NuGreen’s data governance, even where one is not required by law, and make recommendations to senior management where appropriate for a viability assessment of this role.
NuGreen will establish a security incident response team (SIRT) and publish a procedure for Security Incident Management.
NG RG POL15 v1