Data Protection and Retention Policy
1.1 This policy is designed to inform all individuals on whom we hold any data that could enable identification, indirectly or directly, of the data process, from data collection through data retention to data deletion.
1.2 The policy falls in line with the new GDPR 2018 regulations. Air Technology Systems wants to ensure that all those on whom we hold data have all the information required in order to make an informed decision as to whether to supply the data requested.
1.3 Any data provided will NOT be shared outside of ATS, without prior consent.
2.1 This Data Protection and Retention Policy is applicable to all those upon whom we hold data and it includes:
- Employees Partners/spouses
2.2 This policy applies to all processing of personal data in both electronic and hard formats.
2.3 Where the collection and retention of data is required by law, these regulations override this policy and the law must be followed.
3.1 Data Subject – The identified or identifiable person to whom the data refers.
3.2 Process, processed, processing – Operations performed may include collection, recording and retrieval.
3.3 Consent – Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by statement of clear affirmation, agrees to the processing of personal data relating to them.
3.4 Special category of data – Personal data relating to race, or ethnic origins, political opinions, religious beliefs, trade union memberships or data concerning health, sex life or sexual orientation.
4.0 DATA PROTECTION RISK
4.1 This policy helps to protect Air Technology Systems Ltd from data security risks, including:
4.2 Breaches of confidentiality – information being given out inappropriately.
4.3 Failing to offer Choice – all individuals should be free to choose how the company uses data relating to them.
4.4 Reputational Damage – Air Technology Systems could suffer if hackers successfully gained access to sensitive data.
5.1 Everyone who works for and on behalf of Air Technology Systems has some form of responsibility for ensuring data is collected, stored and handled correctly.
5.2 Each department that handles personal data must ensure that it is processed in-line with this policy and the GDPR principles.
5.3 The following have key areas of responsibility:
- The Board of Directors: ultimately responsible for ensuring that Air Technology Systems meets its legal obligations.
- The Data Protection Officer, Hannah Peters, is responsible for:
- Keeping the board of directors up to date about responsibilities, risk and issues.
- Reviewing all data protection procedures and policies
- Handling data protection policies
- Dealing with data requests from data subjects.
- Checking and approving contracts with any third parties which may hold sensitive data.
- IT: is externally managed by TechTeam (UK) Limited. For more information regarding their GDPR policy, please contact firstname.lastname@example.org
- Marketing: is externally managed by Blue Chilli. For information on their GDPR policy, please see www.bluechillistudio.co.uk
- Supply Chain & Contractors – may hold data on our employees and so are responsible for the safe storage and use of this data.
6.0 STAFF GUIDELINES
6.1 The only individuals able to access the data covered by this policy are those who require it for their work.
6.2 Data will not be shared informally. If an employee requires data, a request should be made to the Data Protection Officer.
6.3 Employees are reminded to keep all data secure, by taking sensible precautions and following the guidelines outlined within this policy.
6.4 Personal data will not be disclosed to unauthorised personnel, within the company or externally.
6.5 Data will be regularly reviewed and updated. If it is found to be out of date, irrelevant or no longer required, it will be deleted.
7.0 STORAGE OF DATA
7.1 When storing data certain considerations need to be made in order to ensure the correct and safe storage of information.
7.2 Data which is on paper will be kept in a secure place, only accessed by authorised personnel.
7.3 When the data is no longer required, the files will be kept in a locked drawer or filing cabinet.
7.4 All employees should make sure that no paper or printouts are left where unauthorised personnel can see them.
7.5 All printouts that are no longer required will be shredded and disposed of.
7.6 Electronically stored data will be protected from unauthorised access, accidental deletion and hacking. All data held electronically by Air Technology Systems is safeguarded as follows:
- Protected by strong passwords
- Locked away when stored on removable devices
- Data to only be stored on designated devices and servers.
- Data is never saved directly to laptops and computers.
- All servers and devices which hold data are protected by approved security software and firewalls.
7.7 NO DATA WILL BE HELD BY AIR TECHNOLOGY SYSTEMS FOR LONGER THAN REQUIRED
7.8 To review the data held by Air Technology Systems and the reason for holding it, please see our MSF250 Data Retention Plan
8.0 DATA USE
8.1 Any personal data provided to Air Technology Systems will only be held if required by law or if it falls into the scope of the business.
DATA WILL NOT BE USED UNLAWFULLY OR FOR ANY OTHER REASON THAN IT WAS COLLECTED FOR.
8.2 If the data is required for another purpose than that of its original use the data subject should shall be notified and consent obtained.
8.3 When working with personal data the following should be followed, in order to protect the data subject:
- Screens of computers are always locked when left unattended.
- Staff will not share personal data informally; in particular, it should never be left on someone’s desk.
- Personal data will not be transferred outside the European Economic Area.
- No copies of personal data will be saved to an individual’s computer.
9.0 DATA DELETION
9.1 All information held on data subjects will be deleted when no longer required. The methods of data deletion can be found in the ATS Data Retention Plan (see appendix 1).
9.2 Data subjects have the right to be forgotten, with all data held on them being deleted. The request for data to be deleted should be made via the Data Protection Officer.
Exceptions to this rule are:
- When the information is required to be retained by law for a certain length of time.
- Or when it is required by the organisation as one of the defined processes.
10.0 SUBJECT ACCESS REQUESTS
10.1 Individuals who are data subjects of Air Technology Systems are entitled to:
- Ask what information the company holds about them and why
- Ask how to gain access to this data
- Be informed on how the company is meeting its data protection obligations.
10.2 Requests for information regarding data held on data subjects should be made to the Data Protection Officer, who will verify the identity of the individual prior to releasing the data.
10.3 Hannah Peters is the appointed Data Protection Officer for Air Technology Systems. Her contact email is email@example.com