GDPR Policy
Records Management (GDPR) Policy
This policy applies to CETA Consulting and should be read in conjunction with the Company’s Data Protection (GDPR) Policy.
POLICY APPROVAL and REVIEW
Review date: January 2020.
Adopted: January 2020.
Next review date: January 2021.
CONTENTS
- Introduction / overview
- Legal framework
- Responsibilities
- Management of candidate and staff records
- Retention of candidate and staff records and other information
- Storing and protecting information
- Disposal of data
- Introduction / overview
- CETA Consulting is committed to maintaining the confidentiality of its information and ensuring that all records within the company can only be accessed by individuals with appropriate authority. In line with the requirements of the General Data Protection Regulation (GDPR), the Company also has a responsibility to ensure that all records are only kept for as long as is necessary to fulfil the purpose(s) for which they were originally intended.
- This policy outlines how records are stored, accessed, monitored, retained and disposed of, in order to meet statutory requirements.
- This document complies with the requirements set out in the GDPR (operational from 25 May 2018). This policy should be read in conjunction with the Company’s Data Protection (GDPR) Policy.
- The retention periods outlined in this policy are good practice guidelines only. In consultation with the Company, individual partners should ensure that they consider requirements specific to their own setting. The retention periods are based on information provided by the Information and Records Management Society (IRMS) and are not an exhaustive list of the records that may be kept by the Company.
- The colleague with specific responsibility for data protection is Anna Verebes, COO.
- Contact: anna@cetaconsulting.com
- Legal framework
This policy has due regard to legislation including, but not limited to:
- the General Data Protection Regulation (2016);
- the Freedom of Information Act 2000; and
- the Limitation Act 1980.
- Responsibilities
- The Company’s Management Board holds overall responsibility for this policy.
- The Company’s Data Protection Officer (DPO) is responsible for promoting compliance with this policy and informing its review on an annual basis.
- The DPO is responsible for ensuring that all records are stored securely, in accordance with the retention periods outlined in this policy, and for ensuring that records are disposed of correctly.
- All colleagues are responsible for supporting the DPO in ensuring that any records for which they are responsible are accurate, maintained securely and disposed of correctly, in line with the provisions of this policy.
- Management of candidate and staff records
Candidate and staff records are the documents used throughout a candidate’s or staff member’s time in the recruitment and employment process. They are passed on to each partner that employs the candidate or staff member and include all personal information relating to them.
- The following information is readily accessible from a candidate’s or staff member’s record:
- forename, surname, gender and date of birth;
- ID and passport number;
- date when the file was opened;
- date when the file was closed, as appropriate;
- place of birth and place of residence;
- family status and family members’ details;
- details of qualifications;
- details of previous work experience.
- Candidate and staff files also include:
- application forms;
- interview questionnaires;
- photographs;
- copies of personal documents;
- copies of visa application documents;
- a copy of the employment contract;
- health check documents;
- notes made by CETA employees.
- Hard copies of documents are stored in a securely locked filing cabinet in a securely locked room.
- Wherever possible, CETA Consulting avoids sending candidate or staff records by post. Where a record must be sent by post, it is sent using the ‘special delivery’ service, with an accompanying list of the files included. The partner to whom the files are sent is required to sign a copy of the list and return it to CETA Consulting, confirming that the files have been received.
- Retention of candidate/staff records and other candidate/staff-related information
The retention period for individual candidate and staff records is three years. Electronic files and electronic copies of any other information are also destroyed in line with this retention period.
- Storing and protecting information
- Each colleague of the Company backs up information, in line with agreed procedures, so that in the event of a security incident (e.g. a malware infection) all data can still be recovered, and to protect against the loss of data.
- Confidential paper records are kept in a locked filing cabinet, drawer or safe, with appropriately restricted access. They are not left unattended or in clear view when held in a location with general access.
- Digital data is encrypted whilst in storage. No personally identifiable data remains on generally accessible or multi-user machines once a user logs out.
- All electronic devices are protected by a password, personal identification number (PIN) or biometric recognition, so that, together with the storage encryption above, the information on a device is protected in case of theft.
- Circular emails are sent blind carbon copy (bcc), so that email addresses are not disclosed to other recipients.
- When sending confidential information by fax, colleagues check that the fax number is correct for the recipient before sending.
- Where, in line with GDPR policy and protocol, personal information (that could be considered private or confidential) is taken off the premises (either in electronic or paper format), colleagues take extra care to follow the same security procedures (e.g. keeping devices under lock and key) as they would on the Company’s premises. The person taking the information off the premises accepts full responsibility for the security of the data.
- Before sharing data, colleagues ensure that:
- they have the consent of the data subjects to share it;
- adequate security is in place to protect it;
- the data recipient has been set out in a Privacy Notice.
- Colleagues follow a ‘clear desk’ policy in order to prevent unauthorised access to physical records containing sensitive or personal information. All confidential information is stored in a securely locked filing cabinet, drawer or safe with restricted access. Visitors are not allowed access to confidential or personal information, and visitors to areas that contain sensitive information are supervised at all times.
- The physical security of the Company’s buildings and storage systems, and access to them, is reviewed termly by the DPO, in conjunction with the Site Manager.
- The Company takes its duties under the GDPR seriously and any unauthorised disclosure may result in disciplinary action.
- The DPO is responsible for ensuring that continuity and recovery measures are in place to ensure the security of protected data.
- Disposal of data
- Where the disposal of information is identified as ‘standard disposal’, this is done through recycling, appropriate to the form of the information, e.g. paper recycling, electronic recycling.
- Where the disposal of information is identified as ‘secure disposal’, this is achieved through shredding or pulping for hard copy; electronic information is securely erased and the storage media, where possible, physically destroyed. The DPO keeps a record of all files that have been destroyed.
- Where information is retained for administrative purposes, the DPO reviews it again after a period of three years and repeats the same process. Where information must be kept permanently, however, it is exempt from the normal review procedures.