This document has been produced solely for Thrive Architects and should be read in conjunction with other HR published documents.

SECTION 1: Introduction

1.1 The GDPR (General Data Protection Regulation) will come into force on 25 May 2018. The regulation replaces the current Data Protection Act. Both employers and their employees have new responsibilities to consider to help ensure compliance. After Britain leaves the European Union, a new UK Data Protection Act will ensure that the GDPR principles remain in UK law.

What is GDPR?

1.2 The GDPR (General Data Protection Regulation) is concerned with respecting the rights of individuals when processing their personal information.

SECTION 2: Why Do We Hold Personal Data

2.1 Due to Employment & health & safety legislation the company is required to hold certain personal information on the employee. Such as Full name, address, date of birth, copy of a passport and or driving licence, bank details, next of kin and any medical conditions that the company requires in order to protect an employee or others or to assist in their working conditions.

2.2 This may mean informing the main first aiders if someone suffers from a blood disorder or heart problem, something that if the first aider is not aware of may impact on the health and wellbeing of that person or their recovery. The first aiders will sign a confidentiality form to ensure extra protection and no actual physical data will be held by them. This list is not exhaustive.

2.3 Your personal information is held by the main data controllers Allison Osborne and Dawn Masterman. It is held in paper and digital format for the purpose stated above to ensure the person is legally allowed to work in the UK, next of kin to ensure we can contact a family or friend in the event of illness or accident and bank details so we can pay your salary.

2.4 We will not pass on any of your personal data unless you have requested that we do so. For example, for a mortgage application or tenancy reference. We may be asked by a governing body such as HMRC or the Police for example and under these circumstances we will provide information.

SECTION 3: Risk Assessment & Privacy Impact Assessment (PIA)

3.1 We first carried out a risk assessment on the privacy of your data and have put in place the following to ensure a higher level of security. We have installed new lockable cabinets replacing some older more flimsy cabinets. A new server and security software has also been purchased and now in full working order to protect the data held in digital format.

3.2 We will continue to review and upgrade the security of where information is being held both in paper and digital format to ensure the maximum personal information protection is maintained. We will continue to review the relevance of the data we hold on, you and inform you of any changes.

3.3 The paper format is secured in lockable cabinets and the digital information is held under secure drives on the sever which can only be accessed by the two main controllers. Any passwords to any folders are secured in a new safe and only accessible by the four Romsey based directors. This is a back-up plan in the event that one or both data controllers are unable to work.

3.4 Each individual will be notified once paper format is transferred to digital and that the paper format has been destroyed from shredding and then disposing in a confidential waste bin. The confidential bins are emptied by a secure company and a certificate of waste disposal provided to ensure an audit trial and compliance to the GDPR.

3.5 All personal information held by the company will be retained up to four years after employment ends.

SECTION 4: Subject Access Requests (personal data requests)

4.1 If you wish to view the personal information that we hold you may do so, and we will comply within one month.

4.2 We have the right to refuse or charge for the request if it is considered that the request is manifestly unfounded or excessive.

4.3 If we refuse you will be given the reason why and informed of the right to complain to a supervisory authority and to a judicial remedy. This will be within the month of request.

SECTION 5: Personal Data Breach

5.1 In the event that a personal data breach has been detected that is likely to result in a risk to the rights and freedom of an individual, we will inform the ICO within 72 hours and, if the risk is deemed to be high, also inform the individual concerned.

SECTION 6: Consent

6.1 Some of you may not mind your photo or some of your personal information being shared within an internal newsletter or on the company’s website but due to the GDPR we will always seek confirmation from you if this is acceptable and the type of information that can be shared. For example, if you have completed a marathon in aid of a charity you may be happy to have your picture and name on some internal and external social media. However, that will not allow the company to assume this consent is for all future publicity and we will therefore always seek a consent from you.

SECTION 7: Your Obligations

7.1 All staff have a responsibility to ensure that they comply with the data protection principles. Line managers have responsibility for the type of personal data they collect and how they use it. Staff should not disclose personal data outside the organisation’s procedures, or use personal data held on others for their own purposes.

7.2 Please be mindful that if you take a picture of another member of staff at a company event and post it on social media without consent you could find yourself in trouble.

SECTION 8: Where To Find Out More

8.1 Further information can be found on the ICO website and also the ACAS website:

Information Commissioner’s Office (ICO) or telephone 0303 123 1113

Advisory, Conciliation and Arbitration Service (ACAS) or telephone 0300 123 1100