Floreo Associates, through the nature of its business, sometimes has to deal with personal and/or potentially sensitive data. This data may be from personal or corporate clients, employees or other organisations and may be in the form of personal or contact details, employment and educational histories, or other types of personal data appropriate to the nature of our business.
The law in the UK relating to processing data is called the Data Protection Act 1998 and it places obligations on all organisations that process personal information and gives individuals certain rights. The Act states that those who record and use personal information must be open about how the information is used and must follow the eight principles of “good data handling”.
Under UK law, all individuals and companies who store and manipulate personal data are required to register themselves as Data Controllers with the Information Commissioner’s Office (ICO). This process is called notification and requires data controllers to list the types of data they process and the reasons they process that data. This information is then made available to the public for inspection via a public register. The main purpose of notification and the public register is to promote openness in the use of personal information. Notification helps us, as a company, to be transparent and open about how and why we process data and helps our clients and staff to understand how their personal information is being processed.
Floreo Associates has registered its business and all employees as Data Controllers, and additionally signed a code of good practice called the “Personal Information Promise”. This promise is made by our Managing Director and demonstrates Floreo Associates’s senior level commitment to Data Protection. The promise lists a number of key commitments that our Managing Director has made on behalf of Floreo Associates and all its subsidiaries to protect personal information.
The aim of this data protection policy is to set out simply and clearly the obligations and commitments of Floreo Associates and its employees with regard to processing personal data. This policy is an extension of Floreo Associates’s legal requirements, which are covered in detail in the Data Protection Act 1998. Details of legal requirements regarding data protection can be found at www.ico.gov.uk.
Data Protection Principles
The Data Protection Act 1998 aims to promote high standards in the handling of personal information and so protect the individual’s right to privacy. The Act covers any information relating to living individuals which is held on computer. This may include information such as name, address, date of birth and opinions about the individual or any other information from which the individual can be identified. The processing of personal information can broadly be described as obtaining, disclosing, recording, holding, using, erasing or destroying personal information. The definition is very broad and will cover virtually any action which is carried out on a computer. Firms and/or individuals who hold and process data in this way are called Data Controllers and they must follow the eight data protection principles of good information handling. These say that personal information must be:
Fairly and lawfully processed;
Processed for specific purposes;
Adequate, relevant and not excessive;
Accurate and, where necessary, kept up to date;
Not kept for longer than is necessary;
Processed in line with the rights of the individual;
Kept secure; and
Not transferred to countries outside the European Economic Area unless the information is adequately protected.
Floreo Associates and its subsidiaries process personal data as a necessary part of their business activities. Any personal data that the company, or an individual acting on behalf of the company collects, stores or processes in any way, whether on a computer or on paper, will have appropriate safeguards applied to it to ensure that Floreo Associates complies with the Act.
Floreo Associates and its subsidiaries who handle personal data are registered with the Information Commissioner’s Office as Data Controllers, allowing them to process personal information for various purposes. Floreo Associates will only collect data for the sole purpose of meeting specifically planned, agreed and necessary purposes and will retain that information as long as those purposes remain valid. These purposes currently include:
Staff administration including, but not limited to: appointments or removals, pay, discipline, superannuation, work management or other personnel matters in relation to its staff.
Advertising, Marketing and Public Relations including, but not limited to: advertising or marketing the business of the data controller, activity, goods or services and promoting public relations in connection with that business or activity, or those goods or services.
Accounts and Records including, but not limited to: keeping accounts related to any business or other activity carried on by the data controller, or deciding whether to accept any person as a customer or supplier, or keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments and deliveries are made or services provided by him or to him in respect of those transactions, or for the purpose of making financial or management forecasts to assist him in the conduct of any such business or activity.
Consultancy or Advisory Services including, but not limited to: giving advice or rendering professional services, the provision of services of an advisory, consultancy or intermediary nature.
Any personal data collected by Floreo Associates will only be passed to a third party where required by law, to comply with a statutory obligation or where Floreo Associates has obtained the express written consent of the individual concerned.
In accordance with its duty to comply with the Data Protection Principles, Floreo Associates will:
Ensure that all data processed is done so fairly and under both the letter and the spirit of the law;
Clearly record the specific purposes under which Floreo Associates will process data;
Ensure that data is collected and processed only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
Ensure that data is true and meaningful and regularly updated;
Ensure that data is never held for longer than is required;
Process data in such a way that the rights of individuals under the Act are easily and swiftly exercised;
Take appropriate physical and electronic safety measures in order to safeguard the data;
Never transfer personal information to countries which do not have a similar or equivalent policy or similar safeguarding process for personal data.
The nature of Floreo Associates’s business means that it may, from time to time, process sensitive personal information about an individual. On such occasions, Floreo Associates will ensure that it has explicit consent to hold, use and retain such data regarding the individual. Sensitive personal data may include: personal data about an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sex life, details of the commission or alleged commission of any offence and any court proceedings relating to the commission of an offence.
Subsidiaries of Floreo Associates may share personal data between each other in order to simplify administrative tasks and maintain consistent records throughout the company.
Personal Information Promise
In addition to notifying the Information Commissioner’s Office, Floreo Associates’s Managing Director has signed the Personal Information Promise. This promise is an extension of the legal requirements the company has to comply with and lists the key commitments that the senior management have made on behalf of Floreo Associates to protect clients’ personal data. These include a promise to:
Value the personal information entrusted to the company and make sure that we respect that trust;
Go further than just the letter of the law when it comes to handling personal information and adopt good practice standards;
Consider and address the privacy risks first when planning to use or hold personal information in new ways, such as when introducing new systems;
Be open to individuals about how we use their information and who we give it to;
Make it easy for individuals to access and correct their personal information;
Keep personal information to the minimum necessary and delete it when we no longer need it;
Have effective safeguards in place to make sure personal information is kept securely and does not fall into the wrong hands;
Provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or don’t look after personal information properly;
Put appropriate financial and human resources into looking after personal information to make sure we can live up to our promises; and
Regularly check that we are living up to our promises and report on how we are doing.
Note to Data Subjects
Under the Data Protection Act 1998, individuals have a right to obtain a copy of personal information held about them on computer and in some manual filing systems. This is known as the right of subject access. Subject access requests must be processed within 40 days, although Floreo Associates has the right to request any information they reasonably require to find the information and check the identity of the individual making the enquiry. Floreo Associates can legally charge a fee of up to £10 to respond to a request. If the details held about you are inaccurate, you have the right to ask the company to correct, rectify, block or erase such inaccurate information. In certain circumstances you may have the right to prevent processing.