Data Protection Policy
1. Introduction
Party Walls Limited needs to gather and use certain information about individuals or service users who come into contact with Party Walls Limited in order to carry on our work. This personal information must be collected and dealt with appropriately, whether it is collected on paper, stored in a computer database, or recorded on other material, and there are safeguards to ensure this under the General Data Protection Regulation (GDPR), which came into force on 25 May 2018.
2. Why this policy exists
This data protection policy ensures that Party Walls Limited:
- Complies with GDPR and follows good practice
- Protects the rights of staff, owners and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risk of a data breach
3. Data Protection Principles
Party Walls Limited regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal. Party Walls Limited intends to ensure that personal information is treated lawfully and correctly. To this end, Party Walls Limited will adhere to processing data in accordance with its responsibilities under the GDPR.
Specifically, the Principles require that personal information:
- Shall be processed fairly and lawfully and in a transparent manner
- Shall be obtained only for one or more of the purposes specified in the Act, and shall not be processed in any manner incompatible with that purpose or those purposes
- Shall be adequate, relevant and not excessive in relation to those purpose(s)
- Shall be accurate and, where necessary, kept up to date
- Shall not be kept for longer than is necessary
- Shall be processed in accordance with the rights of data subjects under the Act
- Shall be kept secure by the Data Controller, who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information
4. Policy Scope
This policy applies to:
- The head office of Party Walls Limited
- All staff of Party Walls Limited
- All contractors, suppliers and other people working on behalf of Party Walls Limited
It applies to all data that the company holds relating to identifiable individuals. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Plus any other information relating to individuals
5. Lawful purposes
All data processed by Party Walls Limited is for the sole purpose of fulfilling our duties under the Party Wall Etc Act 1996 (the ‘Act’). External recipients of the Data will be limited to those contemplated by the Act, and the Data will be stored for no longer than required under the Act and applicable law.
Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data. Where individuals want the option to revoke their consent, contact details are available at source.
You have the right to request a copy of the Data, its amendment if erroneous and deletion (subject to our duties under the Act having been fulfilled and no appeal period being outstanding). You also have the right to object to its processing and the right to lodge a complaint with the Information Commissioner’s Office.
6. Archiving / removal
To ensure that personal data is kept for no longer than necessary, Party Walls Limited will put in place an archiving policy which will be reviewed annually. The archiving policy shall consider what data should/must be retained, for how long, and why.
7. Security
Party Walls Limited shall ensure that personal data is stored securely using modern software that is kept up to date. Access to personal data shall be limited to personnel who need access in relation to our duties under the Act. When personal data is deleted, such data will be irrecoverable. Appropriate back-up and disaster recovery solutions are in place.
8. Responsibilities
Everyone who works for or with Party Walls Limited has some responsibility for ensuring data is collected, stored and handled appropriately. Each individual that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
- The board of directors is ultimately responsible for ensuring that Party Walls Limited meets its legal obligations:
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Arranging data protection training and advice for the people covered by this policy.
- Handling data protection questions from staff and anyone else covered by this policy.
- Dealing with requests from individuals to see the data Party Walls Limited holds about them.
- Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services, Citrix, Dropbox, Spanning, Xero.
9. Data storage
These rules describe how and where data should be safely stored.
When data is stored on paper, it should be kept in a secure place where unauthorized people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Employees should make sure paper and printouts are not left where unauthorized people could see them, like on a printer.
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorized access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
- Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
- All servers and computers containing data should be protected by approved security software and a firewall.
10. Subject access requests
All individuals who are the subject of personal data held by Party Walls Limited are entitled to:
- Ask what information the company holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the company is meeting its data protection obligations.
If an individual contacts the company requesting this information, this is called a subject access request. Subject access requests from individuals should be made by email, addressed to the data controller at admin@partywallslimited.com. The data controller can supply a standard request form, although individuals do not have to use this. Individuals will be charged £10 per subject access request. The data controller will aim to provide the relevant data within 14 days. The data controller will always verify the identity of anyone making a subject access request before handing over any information.
11. Providing information
Party Walls Limited aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights
To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.