Data Protection Policy
Bristow & Sutor is committed to protecting the rights and freedoms of data subjects (natural persons), the safe and secure processing of their data in accordance with the EU General Data Protection Regulation (GDPR), the Data Protection Act 2018, and related legislation.
We hold personal data about our employees, clients, suppliers, and other individuals such as clients’ debtors for a variety of business purposes.
This policy sets out how we seek to protect personal data and ensure that our employees understand the rules governing their use of the Personal Data to which they have access in the course of their work.
In particular, this policy requires employees to ensure that the Data Protection Officer (DPO) be consulted before any significant new data processing activity is initiated, to ensure that relevant Data Protection issues are addressed.
Bristow & Sutor’s leadership is fully committed to ensuring continued and effective implementation of this policy, and expects all Bristow & Sutor employees share in this commitment. Any breach of this policy will be taken seriously and may result in disciplinary action.
This policy has been approved by Bristow & Sutor’s Chief Executive Officer, Andy Rose.
The purposes for which personal data may be used by us include the following:
- Providing services on behalf of clients, such as debt collection and enforcement, acting upon arrest warrants, and dealing with Attachment of Earnings orders (AOE)Compliance with our legal, regulatory and corporate governance obligations and good practice
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requestsEnsuring business policies are adhered to (such as the Information Security Policy, covering email and internet use)
- Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
- Investigating complaints, checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities, staff absences, tracking of company vehicles, administration, and assessments
- Monitoring activities, such as CCTV monitoring of visitors and staff, recording of staff conduct (staff visits to debtors and phone conversations with debtors)Marketing our business
- Improving services
'Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Personal data we gather may include: an individual’s name, date of birth, gender identity, photo, phone number, email address, address, banking/credit, questions and responses, internal IDs, external IDs, audio and video recordings, passport number, driving license number, Vehicle Registration Number.
Special Categories of personal data
Special categories of data include information about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences or related proceedings, and genetic and biometric information - any use of special categories of personal data should be strictly controlled in accordance with this policy.
'Data Controller’ means the natural or legal person, public authority, agency or other body which, either alone, jointly, or in common with others, determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
'Processor’ means a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller.
'Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
This is the national body responsible for data protection. The supervisory authority for our organisation is The Information Commissioners Office (ICO).
This policy applies to Bristow & Sutor, all employees, contractors, suppliers and other people working on behalf of Bristow & Sutor who must be familiar with this policy and comply with its terms.
It applies to the processing of personal data wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means (i.e. paper records) that form part of a filing system or are intended to form part of a filing system.
Everyone who works for or with Bristow & Sutor has some responsibility for ensuring data is collected, stored, and handled appropriately.
Each employee that handles personal data must ensure that it is handled and processed in line with this policy and GDPR principles. However, these people have key areas of responsibility:
Board of Directors
The board of directors is ultimately responsible for ensuring that Bristow & Sutor meets its legal obligations.
Data Protection Officer
The Data Protection Officer is responsible for:
- Keeping the board updated about data protection responsibilities, risks, and issues
- Reviewing all data protection procedures and policies on a regular basis
- Arranging or approving data protection training and advice for all staff members and those included in this policy
- Handling data protection questions from staff and anyone else covered by this policy
- Dealing with requests from individuals to see the data Bristow and Sutor holds about them (also called ‘subject access requests’)
- Dealing with requests by Data Subjects seeking to exercise other rights
- Checking and approving any contracts or agreements with third parties that may handle the personal data on behalf of the company
- Answering questions on data protection from staff, board members, and other stakeholders
Our Data Protection Officer has overall responsibility for the day-to-day implementation of this policy. Please contact the DPO for further information about this policy, if necessary: firstname.lastname@example.org
Heads of ICT and Development
The Head of ICT and Head of Development are responsible for:
- Ensuring all systems, services, and equipment used for storing data meet acceptable security standards
- Performing regular checks and scans to ensure security hardware and software is functioning properly
- Evaluating any third-party services the company is considering using to store or process data; for instance, cloud computing services
The Marketing Manager is responsible for co-ordinating with the DPO to ensure:
- Data protection statements attached to emails and other marketing materials are approved
- Data protection queries from clients and target audiences are addressed
- All marketing initiatives adhere to the EU General Data Protection Regulation (GDPR), the Data Protection Act 2018, and related legislation
Our operational managers with support from the board and DPO are responsible for:
- Analysing and documenting the type of personal data we hold
- Checking procedures to ensure they cover all the rights of the individual
- Identify the lawful basis for processing data
- Implementing and reviewing procedures to detect, report, and investigate personal data breaches
- Store data in safe and secure ways
- Assess the risk that could be posed to individual rights and freedoms should data be compromised
It is the responsibility of all staff to:
- Fully understand the data protection obligations
- Check that any of their data processing activities comply with our policy and are justified
- Not use data in any unlawful way
- Not store data incorrectly, be careless with it or otherwise cause us to breach data protection laws and our policies through their actions
- Raise any concerns, notify us of any breaches or errors, and report anything suspicious or contradictory to this policy or our legal obligations without delay
- Comply with this policy at all times
5. The Principles
Bristow & Sutor shall comply with the principles of data protection (the Principles) listed in the EU General Data Protection Regulation. We will make every effort possible in everything we do to comply with these principles. The Principles can be summarised as follows:
1. Lawfulness, fairness, and transparency
Data collection must be fair, for a legal purpose, and we must be open and transparent as to how the data will be used
2. Purpose Limitation
The data we collect must be for a specific purpose and we will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this
3. Data minimisation
The data we hold must be adequate, relevant, and not excessive, given the purpose for which it was obtained.
The data we hold must be accurate and, where necessary, kept up to date.
Individuals may ask that we correct inaccurate personal data relating to them. If it is believed that information is inaccurate, staff will be required to record the fact that the accuracy of the information is disputed and inform the Operational Manager in charge
5. Retention Limitation
We cannot store data longer than necessary.
We must retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our Data Retention Policy.
6. Integrity and confidentiality
The data we hold must be kept safe and secure. All staff must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the DPO will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
As an organisation, we must ensure accountability and transparency in all our use of personal data. We must show how we comply with each Principle. Our Operational Managers are responsible for keeping a written record of how all the data processing activities for which they are responsible comply with each of the Principles. This must be kept up to date and must be approved by the DPO.
6. Lawful basis for processing data
Bristow & Sutor has conducted a Data Protection Impact Assessment (DPIA) which demonstrates our commitment to the first Principle. The DPIA process provides documentation that shows we have considered which lawful basis best applies to each processing purpose, and fully justifies these decisions.
Operational Managers must review the DPIA documentation and ensure that any data for which they are responsible has a written lawful basis approved by the DPO.
Operational Managers must ensure that each of their team members is aware of the lawful basis for processing any data that they are working with and ensure all actions comply with the lawful basis.
Deciding which condition to rely on
In making an assessment of the lawful basis, we must first establish that the processing is necessary. This means the processing must be a targeted, appropriate way of achieving the stated purpose.
Following the Data Protection Impact Assessments carried out, we have considered the appropriate lawful basis for data processing:
The data processing we carry out in the enforcement of debts for councils is necessary for:
- The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (the council). [GDPR Art 6 1(e)];
- Compliance with a legal obligation to which the controller (the council and Bristow & Sutor) is subject. [GDPR Art 6 1(c)];
- The purposes of carrying out the obligations and exercising specific rights of the controller (the council) or of the data subject in the field of employment and social security and social protection law. [GDPR Art 9 2(b)];
- The establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity. [GDPR Art 9 2(f)];
- Our legitimate interest, where our enforcement agent’s record visits or we record telephone calls with our office staff. [GDPR Art 6 1(f)].
We must also ensure that individuals whose data is being processed by us are informed of the lawful basis for processing their data, as well as the intended purpose. This occurs via the privacy notice. This applies whether we have collected the data directly from the individual, or from another source.
7. Our procedures
Controlling vs. Processing Data
Bristow & Sutor is classified as a Data Controller and a Data Processor depending on the data we are processing and the purpose for which it is being processed.
For example, our clients are the Controllers of the debtors’ data. Bristow & Sutor is the Controller of the recordings of debtors captured by Enforcement Agents. Bristow & Sutor is Joint Controller of transaction data from payments made by debtors to Bristow & Sutor on behalf of the client and other personal data on cases, which is necessary for defense of legal claims.
As a Data Processor, when processing data on behalf of our clients, we must comply with our contractual obligations and act only on the documented instructions of the Data Controller. If we at any point determine the purpose and means of processing outside the instructions of the controller, we shall be considered a Data Controller.
As a Data Processor, we must:
- Not use a sub-processor without written authorisation from the Data Controller
- Co-operate fully with the ICO or other supervisory authority
- Ensure the security of the processing
- Keep accurate records of processing activities
- Notify the controller of any personal data breaches
If you are in any doubt about how we handle data, contact our Data Protection Officer for clarification.
8. Special Categories of personal data
What are special categories of personal data?
Previously known as sensitive personal data, this means data about an individual, which is more sensitive, so requires more protection. This type of data could create more significant risks to a person’s fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination. The special categories include information about an individual’s:
- Ethnic origin
- Trade union membership
- Biometrics (where used for ID purposes)
- Sexual orientation
In most cases where we process special categories of personal data we are required to do this by law (e.g. processing is necessary for the establishment, exercise or defence of legal claims by our clients or processing is necessary for the purposes of carrying out our obligations and exercising specific rights in the field of employment and social security and social protection law).
The condition for processing special categories of personal data must comply with the law. If we do not have a lawful basis for processing special categories of data that processing activity must cease.
9. Rights of individuals
Individuals have rights in connection with their data, which we must respect and comply with to the best of our ability. The GDPR provides the following rights for individuals and where applicable, we must ensure individuals can exercise their rights:
1) The right to be informed:
Data Subjects have the right to be informed. We must inform Data Subjects of the reason for processing their data, when we first contact them.
2) The right of access (subject access request):
Data Subjects have the right to request from us confirmation as to whether we hold their personal data and, where it is established that we do, a copy of the personal data together with specific details regarding the processing of such data.
Within Bristow & Sutor, requests from data subjects are managed by our Senior Officer. Where requests of data subjects are received by any other department, the request should be forwarded to the Compliance Department - email@example.com.
Please note: Specific requests for personal information such as Audio and Video recordings should be handled differently from a full Subject Access Request. Where specific requests for access to audio and video recordings are received, the request should be forwarded to firstname.lastname@example.org.
3) The right to rectification:
If any of the personal information we hold about a Data Subject is inaccurate or out of date, we must make the necessary corrections, once we have been made aware.
4) The right to object:
Data Subjects have the right to object to the processing of their personal data where we are relying on Legitimate Interest and there is something about the particular situation which makes the Data Subject want to object on the grounds that it impacts on their fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process the information which override the rights and freedoms of the data Subject.
This only applies to telephone and video recordings.
5) The right to erasure:
Data Subjects rights to erasure enables them to ask us to delete or remove personal data where there is no good reason for us continuing to process it. They also have the right to ask us to delete or remove their personal data where they have successfully exercised their right to object to processing, where we may have processed their information unlawfully, or where we are required to erase their personal data in order to comply with the law.
Note, however, that we may not always be able to comply with an erasure request for specific legal reasons. Right to erasure does not apply in the following scenarios: (i) When the lawful basis for processing the data is 'legal obligation' - Bristow & Sutor has the legal obligation to keep financial records after a case has been completed, (ii) for the establishment, exercise or defense of legal claims – it is within Bristow & Sutor’s legal rights to retain records of dealing with debtors, in case we later receive legal claims.
Please refer to the earlier section about the ‘lawful basis of processing data’ and our Retention Policy for how long we retain personal information.
6) The right to restrict processing:
The right to restrict processing enables Data Subjects to ask us to suspend the processing of their personal data in the following scenarios: (i) if our use of the data is unlawful but they do not want us to erase it, (ii) Data Subjects have objected to our use of their data but we need to verify whether we have overriding legitimate grounds to use it, or (iii) where Data Subjects need us to hold the data even if we no longer require it as they need it to establish, exercise or defend legal claims.
Please refer to the earlier section about the ‘lawful basis of processing data’.
7) The right to data portability (request to transfer):
This right is not applicable based on the processing activities that we carry out.
8) Rights in relation to automated decision making and profiling:
This right is not applicable to the majority of the data processing activities that we carry out.
10. Privacy notices
When to supply a privacy notice
A privacy notice must be made available at the time the data is obtained if obtained directly from the data subject. If the data is not obtained directly from the data subject, the privacy notice must be provided within a reasonable period after having obtained the data, which means within one month.
If the data is being used to communicate with the individual then the privacy notice, or access to it, must be supplied at the latest when the first communication takes place.
If disclosure to another recipient is envisaged then the privacy notice, or access to it, must be supplied prior to the data being disclosed.
Please refer to our privacy notices:
11. Third parties
Using third party controllers and processors
As a Data Controller and Data Processor, we must have written contracts in place with any third party Data Controllers and Data Processors with whom we work. These contracts must contain specific clauses, which set out our and their liabilities, obligations, and responsibilities.
As a Data Controller, we must only appoint processors who can provide sufficient guarantees under GDPR that the rights of data subjects will be respected and protected.
As a Data Processor, Bristow & Sutor must only act on the documented instructions of a controller. We must only appoint sub-processors that have been approved by the Controller and that can provide ‘sufficient guarantees’ that the requirements of the General Data Protection Regulation (GDPR) will be met, the rights of the data subjects protected, and that they have entered into an article 28 compliant contract.
The GDPR makes written contracts between controllers and processors a general requirement. Our contracts with Data Controllers and Data Processors follow the standard contractual clauses under Article 28 which set out the subject matter and duration of the processing, the nature and stated purpose of the processing activities, the types of personal data and categories of data subject, and the obligations and rights of the controller.
12. Criminal offence data
Criminal record checks
Most of our clients require that our employees’ criminal record is checked. Therefore, we do specifically ask that employees obtain criminal record information. The criminal record information is considered in the recruitment selection process and is to be used as part of the application to obtain a certificate where one is required (for Enforcement Agents).
13. Audits, monitoring, and training
Regular data audits to manage and mitigate risks will be conducted and updated in the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible, and any further regulations or retention timescales that may be relevant.
Access to and use of the Company network and IT systems will be monitored in accordance with the provisions of the IT Security Policy. Remote access by third party contractors to maintain and support Company IT systems will be subject to appropriate monitoring and control measures as defined by IT services. Third party access will only be granted where the applicant has agreed to the terms and conditions of the ICT Acceptable Use Policy.
All employees will receive adequate training on provisions of data protection law specific for their roles. You must complete all training as requested.
If you require additional training on data protection matters, contact the DPO.
14. Reporting breaches
Any breach of this policy or of data protection laws must be reported as soon as practically possible. This means as soon as you have become aware of a breach. Bristow & Sutor has a legal obligation to report any data breaches to the ICO within 72 hours.
All employees have an obligation to report actual or potential data protection incidents and breaches. This allows us to:
- Investigate the failure and take remedial steps if necessary
- Maintain a Data Breach register
- Notify the ICO of any Data Breaches that are material either in their own right or as part of a pattern of failures
Any member of staff who fails to notify of a breach, or is found to have known or suspected a breach has occurred but has not followed the correct reporting procedures, will be liable to disciplinary action.
Please refer to our Data Breach reporting procedure in Central Files.
Failure to comply
We take compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk.
The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures, which may result in dismissal.
If you have any questions or concerns about anything in this policy, do not hesitate to contact the DPO
Andy Rose – Chief Executive Officer
Bristow & Sutor
Last Review Date: 28th January 2019