Data protection policy
As part of Arriva Plc, Grand Central takes its responsibilities under the UK Data Protection Act 1998 ('the Act') very seriously. These regulations impose restrictions on how we and our suppliers may use personal information.
As a supplier you will be expected to provide clear evidence that you adhere the principles and the approach outlined in this policy.
Our Data Protection Policy sets out the roles and responsibilities of employees with regard to the processing of personal information and our expectation of any supplier who also has responsibilities under the UK Data Protection Acts.
Everyone has rights with regard to how their personal information is handled. During the course of our activities Grand Central and its Suppliers will collect, store and process personal information about staff, customers, suppliers and others that we communicate with and we recognise the need to treat this in a confidential, secure and lawful manner.
Personal information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards. In the UK, these are specified in regulations which implement the EU Directive on Data Protection. This policy is based on UK law and should provide sufficient information, instruction and training to know how to identify personal information and process it appropriately.
Failure to comply with the Act may result in legal penalties and fines and in some circumstances individuals may be held personally liable.
Any breach of this policy will be taken seriously.
Data protection: core principles
The Act outlines eight core principles which broadly set out the way in which personal information should be used. These provide that personal information must be:
- Processed fairly and lawfully;
- Processed for limited purposes and in an appropriate way;
- Be obtained only for one or more specified and lawful purposes, and should not be processed in any manner incompatible with that purpose or those purposes;
- Adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
- Accurate and, where necessary, kept up to date;
- Not be kept for longer than is necessary for that purpose or those purposes;
- Processed in accordance with the rights of Data Subjects under the Act;
- Secure, meaning that appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal information and against accidental loss or destruction of, or damage to, personal information; and
- Not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.
If you comply with this policy you will also comply with the principles above and therefore keep within the law.
Is data about a living individual who can be identified:-
- from the data; or
- from that data and other information which is in the possession of or is likely to come into the possession of the Data Controller.
Personal information includes any expression of opinion about an individual and any indication of the intentions of the Data Controller or any other person in respect of the individual. Note the definition does not cover companies (although it does cover individuals within companies) nor does it cover information about the deceased.
"Sensitive personal information"
Includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal information can only be processed under strict conditions, and will usually require the express consent of the person concerned.
For the purpose of this policy include all living individuals about whom we hold personal information. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their personal information.
Are the people who or organisations which determine the purposes for which, and the manner in which, any personal information is processed. They have a responsibility to establish practices and policies in line with the Act. Both the group as a whole and the individual group companies are the Data Controllers of all personal information used in the business.
Include any person who processes personal information on behalf of a Data Controller. Employees of Data Controllers are excluded from this definition but it could include suppliers which handle personal information on our behalf.
Is any activity that involves use of the data. You (and therefore the group company who employs you) will process personal information when you obtain, record or hold personal information, or carry out any operation or set of operations on the personal information including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal information to third parties.
Guidance on the core principles expected by Grand Central
The following sections of this policy provide further guidance on how to comply with the principles.
Fair and lawful processing
It is important when collecting data on behalf of Grand Central that the Data Subject knows how the data will be used and that you only use the data in accordance with how you said you would use it.
From time to time, you may come across sensitive personal information. Because of its nature, this sort of data should be handled with particular care.
Where personal information is used, you will work to ensure that it is accurate and handled in accordance with the security measures outlined by the Act. Individuals may ask to correct data that is held about them. Such requests should be recorded and actioned. They may also ask that we stop contacting them, and again a record should be kept and the relevant database manager(s) notified of such requests.
The Act is intended not to prevent the processing of personal information, but to ensure that it is done fairly and without adversely affecting the rights of the Data Subject. The Data Subject must be told who the Data Controller is, the purpose for which the personal information is to be processed, and the identities of anyone to whom the personal information may be disclosed or transferred.
For personal information to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the Data Subject has consented to the processing, or that the processing is necessary for the legitimate interest of the Data Controller or the party to whom the data is disclosed. When sensitive personal information is being processed, more than one condition must be met. In most cases the Data Subject's explicit consent to the processing of such personal information will be required.
Processing for limited purposes
When we or our Suppliers do use personal information, it should only be used to the least extent possible (i.e. no more with it than necessary). Personal information for one purpose must not be used for another. If it becomes necessary to change the purpose for which personal information is processed, the Data Subject should be informed of the new purpose before any processing occurs.
Adequate, relevant and non-excessive processing
Personal information should only be collected to the extent that it is required for the specific purpose notified to the Data Subject. Any personal information which is not necessary for that purpose should not be collected in the first place. Once collected, it should be deleted or securely destroyed as soon as possible after it is no longer required.
Personal information must be accurate and kept up to date. Information which is incorrect or misleading is not accurate and steps should therefore be taken to check the accuracy of any personal information at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date personal information should be destroyed.
Personal information should not be kept longer than is necessary for the purpose. Suppliers will be asked to demonstrate that personal information is destroyed or erased from their systems when it is no longer required.
Processing in line with Data Subject's rights/subject access requests
Data must be processed in line with Data Subjects' rights. Data Subjects have a right to:
- Request access to any personal information held about them by a Data Controller;
- Prevent the processing of their personal information for direct-marketing purposes;
- Ask to have inaccurate personal information amended; and
- Prevent processing that is likely to cause damage or distress to themselves or anyone else.
From time to time, individuals may make a request from Grand Central or from the Suppliers for a copy of all or some of the personal information that is held about them. This is called a 'Subject Access Request'. The request must be made in writing and a request should be forward to the relevant account manager or Compliance Officer immediately. It is important that the request is given proper consideration and dealt with within the legal time-limit (40 days in the UK).
Keeping Data Secure
All too often, stories are seen in the media which highlight the consequences of losing personal information. Often the personal information is lost as a result of laptops being stolen/misplaced or folders being left on public transport, etc. Suppliers are expected to have in place a variety of policies which provide guidance as to how personal information should be stored in order to reduce and, if possible, eliminate the risks involved in processing personal information.
If employees need to take laptops, USB sticks or mobile phones containing personal information out of the secure office environment, the device should contain sufficient security features (such as encryption) to protect the information.
Sending Data to other People/Organisations
Personal information should not be sent to a third party or another organisation unless the Data Subject has given their authority to do so or can otherwise be justified under the Act. On that basis, it is important that you consider the basis you are relying on to pass data to another organisation before you transmit the data. If you are in any doubt about whether or not you can lawfully transmit data, you should contact your Compliance Officer and the Grand Central Data Protection Officer.
If the data is being sent to a third party so that they can process the data on your behalf then a contract should be in place with that organisation to ensure that you are complying with all relevant pieces of legislation, guidance and Grand Central terms.
Suppliers are invited to comment on this policy and suggest ways in which it might be improved by contacting [email protected]