Northwood Nursing and Care Services Ltd
General Data Protection Regulations (GDPR) policy PP0016
Rev NA 25.05.2018
Northwood Nursing and Care Services Ltd. (NNCS) “the Company” is a
Data Controller and Processor for the purposes of the EU General
Data Protection Regulation (GDPR), which comes into effect as of
25th May 2018. The GDPR describes how organisations including the
Company must collect, handle and store personal information. The
Company collects and uses certain types of personal information
about the following categories of individuals (“data subjects”):
- Customers/Clients/Service Users (“SU”)
- Prospects, i.e. data subjects potentially interested in the
Company and its products and services.
- Other individuals who come into contact with the Company.
The Company will process this personal information in the
- to use SU contact information (i.e. name, address, email
address, telephone number) to communicate with the SU regarding
the NNCS services that the SU requires.
- to use medical information from the SU to ensure NNCS employees
and/or contractors understand the medical conditions that
dictate the care that the SU needs from NNCS.
- to contact interested parties regarding the organisation’s
- to research the performance of the organisation’s services.
- to allocate the organisation’s resources to stakeholders
according to their relevant needs.
- to process financial transactions related to the organisation’s
- to allow the completion of marketing material e.g. with
- to ensure company building security e.g. via CCTV.
- to comply with statutory and contractual obligations relating to
- to comply with other statutory and legal obligations.
This policy is intended to ensure that personal information is
dealt with properly and securely and in accordance with the EU
General Data Protection Regulation (the “GDPR”) and other
related legislation. It will apply to information regardless of
the way it is used or recorded and applies for as long as the
information is held.
The GDPR applies to all computerised data and manual files if they
come within the definition of a filing system. Broadly speaking, a
filing system is one where the data is structured in some way that
it is searchable based on specific criteria (so you would be able
to use something like the individual’s name to find their
information), and if this is the case, it does not matter whether
the information is located in a different physical location.
This policy will be updated as necessary to reflect best practice,
or amendments made to the GDPR and guidance from the supervisory
authorities, and shall be reviewed every year.
WHAT IS PERSONAL DATA?
‘Personal data’ is information that identifies an individual and
includes information that would identify an individual to the
person to whom it is disclosed because of any special knowledge
that they have or can obtain. A sub-set of personal data is known
as ‘special category personal data’. This special category data is
information that relates to:
- race or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- physical or mental health
- an individual’s sex life or sexual orientation
- genetic or biometric data for the purpose of uniquely
identifying a natural person.
Special Category information is given special protection, and
additional safeguards apply if this information is to be collected
and used. Information relating to criminal convictions shall only
be held and processed where there is legal authority to do so.
WHAT ARE THE DATA PROTECTION PRINCIPLES?
The data protection principles as laid down in the GDPR are
followed at all times:
- personal data shall be processed fairly, lawfully and in a
transparent manner, and processing shall not be lawful unless
one of the processing conditions can be met:
- personal data shall be collected for specific, explicit, and
legitimate purposes, and shall not be further processed in a
manner incompatible with those purposes
- personal data shall be adequate, relevant, and limited to what
is necessary for the purpose(s) for which it is being processed
- personal data shall be accurate and, where necessary, kept up to
- personal data processed for any purpose(s) shall not be kept for
longer than is necessary for that purpose/those purposes
- personal data shall be processed in such a way that ensures
appropriate security of the data, including protection against
unauthorised or unlawful processing and against accidental loss,
destruction, or damage, using appropriate technical or
In addition to this, the Company is committed to ensuring that at
all times, anyone dealing with personal data shall be mindful of
the individual’s rights under the law (as explained in more detail
The Company is committed to complying with the principles of GDPR
at all times. This means that the Company will:
- inform individuals as to the purpose of collecting any
information from them, as and when we ask for it
- be responsible for checking the quality and accuracy of the
- regularly review the records held to ensure that information is
not held longer than is necessary, and that it has been held in
accordance with the Records Retention Policy.
- ensure that when information is authorised for disposal it is
- ensure appropriate security measures to safeguard personal
information whether it is held in paper files or on our computer
system and follow the relevant security policy requirements at
- share personal information with others only when it is necessary
and legally appropriate to do so.
- set out clear procedures for responding to requests for access
to personal information known as subject access requests.
- report any breaches of the GDPR in accordance with the procedure
You have the right to:
- ask for access to your personal information.
- ask for rectification of the information we hold about you.
- ask for the erasure of information about you.
- ask for our processing of your personal information to be
- receive your data in a form allowing you to transmit it to
another data controller (portability).
- object to us processing your information.
If you want to use your rights, for example, by requesting a
copy of the information which we hold about you, please contact
our Data Privacy & Protection (GDPR) Coordinator.
If at any time you are not happy with how we are processing your
personal information then you may raise the issue with the Data
Privacy & Protection (GDPR) Coordinator and if you are not happy
with the outcome you may raise a complaint with the Information
Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF.
WHAT WE DO FOR BREACHES OF ANY REQUIREMENT OF THE GDPR
Any and all breaches of the DPA, including a breach of any of
the data protection principles, shall be reported as soon as they
are discovered, to the Data Privacy & Protection (GDPR)
Once notified, the Data Privacy & Protection (GDPR) Coordinator
shall assess with the help of management:
- the extent of the breach
- the risks to the data subjects as a consequence of the breach.
- any security measures in place that will protect the
- any measures that can be taken immediately to mitigate the risk
to the individuals.
Unless the Data Privacy & Protection (GDPR) Coordinator with the
help of management concludes that there is unlikely to be any
risk to individuals from the breach, it must be notified to the
Information Commissioner’s Office within 72 hours of the breach
having come to the attention of the Company, unless a delay can
The Information Commissioner shall be told:
- details of the breach, including the volume of data at risk, and
the number and categories of data subjects.
- the contact point for any enquiries (which shall usually be the
Data Privacy & Protection (GDPR) Coordinator).
- the likely consequences of the breach.
- measures proposed or already taken to address the breach.
If the breach is likely to result in an elevated risk to the
rights and freedoms of the affected individuals then the Data
Privacy & Protection (GDPR) Coordinator with the help of
management shall notify data subjects of the breach without
undue delay unless the data would be unintelligible to those not
authorised to access it, or measures have been taken to mitigate
any risk to the affected individuals. Data subjects shall be
- the nature of the breach;
- who to contact with any questions;
- measures taken to mitigate any risks.
The Data Privacy & Protection (GDPR) Coordinator with the help
of management shall then be responsible for instigating an
investigation into the breach, including how it happened, and
whether it could have been prevented. Any recommendations for
further training or a change in procedure shall be reviewed by
senior management and a decision made about implementation of
DO WE DISCLOSE PERSONAL DATA?
The following list includes the most usual reasons that the
Company will authorise disclosure of personal data to a third
- to give a confidential reference relating to a current or former
employee or volunteer.
- for the prevention or detection of crime.
- for the assessment of any tax or duty.
- where it is necessary to exercise a right or obligation
conferred or imposed by law upon us (other than an obligation
imposed by contract).
- for the purpose of, or in connection with, legal proceedings
(including prospective legal proceedings).
- for the purpose of obtaining legal advice.
- for research, historical and statistical purposes (so long as
this neither supports decisions in relation to individuals, nor
causes substantial damage or distress).
The Company may receive requests from third parties (i.e. those
other than the data subject, the Company, and its employees) to
disclose personal data it holds about individuals. This
information will not generally be disclosed unless one of the
specific exemptions under the GDPR which allow disclosure applies,
or where disclosure is necessary for the legitimate interests of
the third party concerned or the Company.
All requests for the disclosure of personal data must be sent to
our Data Privacy & Protection (GDPR) Coordinator, who will review
with management and decide whether to make the disclosure,
ensuring that reasonable steps are taken to verify the identity of
the requesting third party before making any disclosure.
CONDITIONS FOR PROCESSING IN THE FIRST DATA PROTECTION PRINCIPLE?
- The individual has given consent that is specific to the
particular type of processing activity, and that consent is
informed, unambiguous and freely given.
- The processing is necessary for the performance of a contract,
to which the individual is a party, or is necessary for the
purpose of taking steps with regard to entering into a contract
with the individual, at their request.
- The processing is necessary for the performance of a legal
obligation to which we are subject.
- The processing is necessary to protect the vital interests of
the individual or another.
- The processing is necessary for the performance of a task
carried out in the public interest, or in the exercise of
official authority vested in us.
- The processing is necessary for a legitimate interest of the
Company or that of a third party, except where this interest is
overridden by the rights and freedoms of the individual
OUR PARTNER DATA PROCESSOR AGREEMENTS WITH PARTNERS
- Be in writing.
- Contain the following information on the processing: its subject
matter and duration; the nature and purpose of the processing;
the type of personal data; the categories of individuals who are
the data subjects.
- Expressly state that the Processor can only act on your
instructions as the Controller.
- Require the Processor to impose a duty of confidentiality on
- Require the Processor to implement relevant security measures to
protect the data. NB We will specify what those measures are,
and what we impose will depend upon the type and sensitivity of
- Require the Processor to seek your prior written permission as
Controller to engage a sub-contractor.
- Require the Processor to make all necessary arrangements to
ensure that as the Controller you can respect the rights of the
individuals under data protection law. As an example, the
Processor must be required to make available any personal data
should an individual make a Subject Access Request; must be able
to delete or rectify data if necessary and must enable data
portability where applicable.
- Require the Data Processor to have in place the necessary means
of assisting you as the Controller to meet your obligations
under data protection law. This includes ensuring security of
data, co-operating in relation to your notification of breaches
to the Information Commissioner’s Office and data subjects, and
with preparation of data protection impact assessments
- Require the Processor to assist you as the Controller in meeting
any obligations imposed by the Information Commissioner’s
Office, by allowing access to information, and details of
activities and systems if and when required.
- Require the Processor to delete or return the data at the end of
the contract. The choice of whether the data is returned or
deleted is our decision as the Controller.
- Require the Processor to provide us with all necessary
information regarding processing activities to demonstrate
compliance – including security measures taken, disclosures
made, what has been done to the information plus anything else
we need to know as Controller to allow the processing to be
- Provide that any legal requirements that the Processor is
subject to which may require the disclosure of the personal data
(such as Freedom of Information) should be notified to you as
the Controller in advance, where possible.
- Be governed by law of England and Wales failing which other EU
or member state law.
NB: The GDPR refers to the possible development of standard
clauses covering the compliance matters listed above. The position
will therefore be monitored.
OUR DOCUMENT RETENTION POLICY
The main aim of this policy is to enable Northwood Nursing and
Care Services Ltd. to manage our records effectively and in
compliance with data protection and other regulation. As an
organisation we collect, hold, store and create significant
amounts of data and information and this policy provides a
framework of retention and disposal of categories of information
Northwood Nursing and Care Services Ltd. is committed to the
principles of data protection including the principle that
information is only to be retained for as long as necessary for
the purpose concerned. The table below sets out the main
categories of information that we hold, the length of time that we
intend to hold them, and the reason for this.
This policy sets out the destruction procedure for documents at
the end of their retention period. The Data Privacy & Protection
(GDPR) Coordinator shall be responsible for ensuring that this is
carried out appropriately, and any questions regarding this policy
should be referred to them. If a document or information is
reaching the end of its stated retention period, but you are of
the view that it should be kept longer, please refer to the Data
Privacy & Protection (GDPR) Coordinator, who will confer with
management and decide as to whether it should be kept, for how
long, and note the new time limit and reasons for extension.
DELETION OF DOCUMENTS
When a document is at the end of its retention period, it should
be dealt with in accordance with this policy.
This should be made available for collection in the confidential
waste bins or sacks located around the office or shredded.
Anything that contains personal information should be treated as
confidential. Where deleting electronically, please refer to the
Data Privacy & Protection (GDPR) Coordinator to ensure that this
is carried out effectively.
Other documentation can be deleted or placed in recycling bins
Certain information may be automatically archived by the computer
systems. Should you want to retrieve any information, or prevent
this happening in a particular circumstance, please contact the
Data Privacy & Protection (GDPR) Coordinator.
Much of the retention and deletion of documents may be automatic,
but when faced with a decision about an individual document, you
should ask yourself the following:
- Has the information come to the end of its useful life?
- Is there a legal requirement to keep this information or
document for a set period?
- Would the information be likely to be needed in the case of any
- Is the information contentious, does it relate to an incident
that could potentially give rise to proceedings?
- Would the document be useful for the organisation as a
precedent, learning document, or for performance management
- Is the document of historic or statistical significance?
Northwood Nursing and Care Services Ltd. is committed to
protecting and respecting the privacy of its workforce. For the
purposes of Data Protection legislation, the Company is the Data
Controller as well as a Processor in certain circumstances. This
means it is in charge of personal information about you. The Data
Protection & Privacy (GDPR) Coordinator for the Company is listed
on an insert in this document with their contact details.
How we use your information
We process personal data relating to those we employ or engage to
work at the Company. This is for employment purposes to assist in
the running of the Company and to enable individuals to be paid.
This personal data includes identifiers such as names and national
insurance numbers, employment contracts and remuneration details,
qualifications and absence information. It may also include
sensitive personal data such as ethnic group, medical information
and trade union membership, where this information has been shared
with the Company.
During the recruitment process we may receive information about
you from a previous employer or an educational establishment which
you have previously attended. You will know about this because you
will have supplied us with the relevant contact details.
Collecting and using your information in this way is lawful
As an employee, worker or contractor, you have obligations under
your employment contract to provide the organisation with data.
In particular, you are required to report absences from work and
information about disciplinary or other matters.
You may also have to provide the organisation with data in order
to exercise your statutory rights, such as in relation to
statutory leave entitlements. Failing to provide the data may
mean that you are unable to exercise your statutory rights.
Contact details, your right to work in the UK, and payment
details etc., have to be provided to enable the organisation to
enter a contract of employment with you. If you do not provide
other information, this will hinder our ability to administer
the rights and obligations arising from our employment
How we share your information with third parties
We will not share information about you with third parties
without your consent unless the law allows us to. We may be
required, by law, to pass on some of the personal data which we
collect to our local authority and relevant regulators.
We may disclose details about you including national insurance
number and absence information to a payroll provider to enable
We may disclose details about you to our HR provider for the
purposes of HR management.
We share your identity and pay information with HMRC in
conjunction with your legal obligation to pay income tax and
make national insurance contributions.
If you have decided to become part of a salary sacrifice scheme
such as that for child care vouchers, we share your details with
the provider to the extent necessary for them to provide the
vouchers to you.
We may share your details with a pension provider in order to
make sure that you pay the correct amount and maintain your
entitlement to a pension.
Our disclosures to third parties are lawful because one of the
following reasons applies:
The processing is necessary for the performance of your
The processing is necessary for the performance of a legal
obligation to which the Company is subject.
The processing is necessary to protect the vital interests of
The processing is necessary for the performance of our business
function which is a function in the public interest.
How long we keep your personal information
We only keep your information for as long as we need it or for as
long as we are required by law to keep it. Full details are given
in our Records Retention Policy.
SECURITY OF PERSONAL DATA
The Company will take reasonable steps to ensure that members of
staff and volunteers will only have access to personal data where
it is necessary for them to carry out their duties. All staff and
volunteers will be made aware of this Policy and their duties
under the GDPR. The Company will take all reasonable steps to
ensure that all personal information is held securely and is not
accessible to unauthorised persons.
For further details as regards security of IT systems, please
refer to the ICT Policy.
The need for a policy
All the Company’s information communication technology (ICT)
facilities and information resources remain the property of the
Company and not of particular individuals, teams or departments.
By following this policy, we will help ensure that ICT facilities
Legally; securely; without undermining the Company; effectively;
in a spirit of cooperation, trust and consideration for others,
so that they remain available.
The policy relates to all ICT facilities and services provided by
the Company, although special emphasis is placed on email and the
internet. All employees, volunteers and any other users of our IT
are expected to adhere to the policy.
Deliberate and serious breach of the policy statements in this
section may lead to the Company taking disciplinary measures in
accordance with our relevant policy. The Company accepts that ICT
– especially the internet and email system – is a valuable
business tool. However, misuse of this facility can have a
negative impact upon employee and volunteer effectiveness as well
as the productivity and the reputation of the organisation.
In addition, all of the Company’s phone, internet and email
related resources are provided for business purposes. Therefore,
the organisation maintains the right to monitor the volume of
internet and network traffic, together with the email systems. The
specific content of any transactions will not be monitored unless
there is a suspicion of improper use.
As a user of the Company’s equipment and services, you are
responsible for your activity. Please adhere to the following:
- Do not disclose personal system passwords or other security
details to other employees, [volunteers] or external agents,
and do not use anyone else's log-in; this compromises the
security of the Company
- If someone else gets to know your password, ensure that you
change it or ask your manager who can change it for you.
- If you intend to leave your computer or workstation unattended
for any reason, you should lock the screen to prevent
unauthorised access. If you fail to do this, you will be
responsible for any misuse of it while you are away. Logging off
is especially important where members of the public have access
to the screen in your absence.
- Any pen drives or other storage devices used on the Company’s
network should be secure and only those that are the property of
the Company should be used.
- If you are recording or obtaining information about individuals,
make sure you are not breaking data protection legislation, and
are compliant at all times with the Company’s Data Protection
Policy. When you are on the internet and using email, make sure
your actions are in the interest (and spirit) of the Company and
do not leave the Company open to legal action (for example
libel) or reputational damage. Avoid trading insults over the
- Do not attempt to gain unauthorised access to information or
facilities. The Computer Misuse Act 1990 makes it a criminal
offence to obtain unauthorised access to any computer (including
workstations and PCs) or to modify its contents. If you do not
have access to information or resources you feel you need,
inform your manager.
Use of Email
When to use email:
Use email in preference to paper to reach people quickly (saving
time on photocopying / distribution) and to help reduce paper
Use the phone for urgent messages (email is a good backup in
such instances). Use of email by employees and volunteers of the
Company is permitted and encouraged, where such use supports the
goals and objectives of the Company.
However, the Company has a policy for the use of email whereby
employees and volunteers must ensure that they:
comply with current legislation; use email in an acceptable way;
do not create unnecessary business risk to the Company by their
misuse of the internet.
- Sending confidential information to external locations without
appropriate safeguards in place. See below for more details.
- Distributing, disseminating or storing images, text or materials
that might be considered indecent, pornographic, obscene or
- Distributing, disseminating or storing images, text or materials
that might be considered discriminatory, offensive or abusive,
constitutes a personal attack, is sexist or racist, or might be
considered as harassment or bullying.
- Using copyrighted information in a way that violates the
- Breaking into the Company’s or another organisation’s system, or
unauthorised use of a password / mailbox.
- Broadcasting unsolicited personal views on social, political,
religious or other non-business-related matters.
- Undertaking deliberate activities that waste employees’ or
volunteers’ effort or networked resources.
- Deliberately or recklessly introducing any form of computer
virus or malware into the corporate network.
Always exercise caution when committing confidential information
to email since the confidentiality of such material cannot be
guaranteed. The Company reserves the right to monitor electronic
communications in accordance with applicable laws and policies.
The right to monitor communications includes messages sent or
received by system users (employees, volunteers, contractors and
temporary employees) within and outside the system as well as
deleted messages. See below for more detail.
General points on email use:
- When publishing or transmitting information externally be aware
that you are representing the Company and could be seen as
speaking on the Company's behalf. Make it clear when opinions
are personal. If in doubt, consult your line manager.
- Check your inbox at regular intervals during the working day.
- Consider keeping your inbox fairly empty so that it just
contains items requiring your action. Try to decide what to do
with each email as you read it (e.g. delete it, reply to it,
save the whole email in a folder, or extract just the useful
information and save it somewhere logical).
- Keep electronic files of electronic correspondence, only
retaining what you need to. Do not print it off and keep paper
files unless absolutely necessary.
- Treat others with respect and in a way in which you would expect
to be treated yourself (e.g. do not send unconstructive
feedback, argue, or invite colleagues to make public their
displeasure at the actions / decisions of a colleague).
- Do not forward emails warning about viruses as they are often
hoaxes. If in doubt, check with your manager.
- Do not open an email unless you have a reasonably good
expectation of what it contains, and do not download files
unless they are from a trusted source. Check the sender's email
address to see whether it is similar to, but different from,
what you expect, e.g. email@example.com instead of
firstname.lastname@example.org, as this is a common trick. Alert your
company’s IT Support and your manager if you are sent anything
like this unexpectedly - this is one of the most effective means
of protecting the Company against email virus attacks. Do not
forward such an email unless told to do so by your manager.
- Email signatures: Keep these short e.g. include your name,
title, phone / fax number(s) and website address.
Use of the Internet
Use of the Internet by employees and volunteers is permitted and
encouraged where such use supports the goals and objectives of
However, when using the Internet, employees and volunteers must
ensure that they:
comply with current legislation; use the internet in an
acceptable way; do not create unnecessary business risk to the
organisation by their misuse of the internet.
In particular the following is deemed unacceptable use or
behaviour by employees and volunteers (this list is
- Visiting internet sites that contain obscene, hateful,
pornographic or other illegal material;
- Using the computer to perpetrate any form of fraud, or software,
film or music piracy;
- Using the internet to send offensive or harassing material to
other users or to send material that may be regarded as party
political campaigning;
- Downloading commercial software or any copyrighted materials
belonging to third parties, unless this download is covered or
permitted under a commercial agreement or other such license;
- Hacking into unauthorised areas;
- Creating or transmitting defamatory material;
- Undertaking deliberate activities that waste employees’ effort
or networked resources;
- Deliberately or recklessly introducing any form of computer
virus into the Company’s network.
Chat rooms / instant messaging (IM): The use of chat rooms and
instant messaging is permitted for business use only. This use
must have been agreed with your manager.
Webmail: The use of webmail (e.g. Hotmail, msn, Google Mail) is
not permitted in the Company unless previously agreed with your
Obscenities/pornography: Do not write, publish, look for,
bookmark, access or download material that might be regarded as
obscene or pornographic.
Copyright: Take care to use software legally and in accordance
with both the letter and spirit of relevant licensing and
copyright agreements. Copying software for use outside these
agreements is illegal and may result in criminal charges. Be
aware of copyright law when using content you have found on
other organisations’ websites. The law is the same as it is for
printed materials.
Confidentiality: If you are dealing with
personal, sensitive and/or confidential information, then you
must ensure that extra care is taken to protect the information.
If sending personal, sensitive and/or confidential information
via email, then the following protocols should be used. If there
is any doubt as to the information being sent or the appropriate
level of protection required, please check with your manager.
Personal, sensitive and/or confidential information should be
contained in an attachment. In appropriate cases the attachment
should be encrypted, and/or password protected; Any password or
key must be sent separately. Before sending the email, verify
the recipient by checking the address, and if appropriate,
telephoning the recipient to check and inform them that the
email will be sent. Do not refer to the information in the
subject of the email.
The Company’s network
Keep master copies of important data on the Company’s network
server and not solely on your PC's local C: drive or portable
disks. Not storing data on the Company’s network server means it
will not be backed up and is therefore at risk.
Ask for advice from your manager if you need to store, transmit
or handle large quantities of data, particularly images or audio
and video. These large files use up disk space very quickly and
can bring the network to a standstill.
Be considerate about storing personal files on the Company's
network. Do not copy files that are accessible centrally into
your personal directory unless you have good reason (i.e. you
intend to amend them, or you need to reference them, and the
central copies are to be changed or deleted) since this uses up
disk space unnecessarily.
If storing or transferring personal, sensitive, confidential or
classified information using Removable Media you must first
contact your manager for permission but…
- Always consider if an alternative solution already exists;
- Only use recommended removable media;
- Encrypt and password protect;
- Store all removable media securely;
- Removable media must be disposed of securely - check with your
manager to get help.
Personal use of ICT facilities
Social Media: For the purposes of this policy,
social media websites are web-based and mobile technologies which
allow parties to communicate instantly with each other or to share
data in a public forum. They include websites such as Facebook,
Twitter, Google+ and LinkedIn. They also cover blogs and image
sharing websites such as YouTube and Flickr. This is not an
exhaustive list and you should be aware that this is a constantly
Use of Social Media:
Inappropriate comments on social media websites can cause damage
to the reputation of the organisation if a person is recognised
as being an employee or volunteer. It is, therefore, imperative
that you are respectful of the organisation’s service as a whole
including client/customers/service users, members, supporters,
colleagues, partners and competitors.
Employees and volunteers should not give the impression that
they are representing, giving opinions or otherwise making
statements on behalf of the Company unless appropriately
authorised to do so. Personal opinions must be acknowledged as
such and should not be represented in any way that might make
them appear to be those of the organisation. Where appropriate,
an explicit disclaimer should be included, for example: ‘These
statements and opinions are my own and not those of [Name of
Any communications that employees or volunteers make in a
personal capacity must not:
- bring the Company into disrepute, for example by criticising
clients, colleagues or partner organisations;
- breach the Company’s policy on confidentiality or any other
relevant policy;
- breach copyright, for example by using someone else’s images or
written content without permission;
- do anything which might be viewed as discriminatory against, or
harassment towards, any individual, for example, by making
offensive or derogatory comments relating to: age, disability,
gender reassignment, race, religion or belief, sex, or sexual
orientation;
- use social media to bully another individual;
- post images that are discriminatory or offensive (or links to
such content).
The Company maintains the right to monitor usage of social media
sites where there is suspicion of improper use.
Other personal use
Any information contained within the Company in any form is for
use by the employee or volunteer for the duration of their period
of work and should not be used in any way other than for proper
business purposes or transferred into any other format (e.g.
loaded onto a memory stick / pen drive), unless necessary for
business use, and with prior agreement of your manager.
Portable and Mobile ICT Equipment
This section covers items such as laptops, mobile devices and
removable data storage devices provided by the Company. Further
guidance is given below for when you are considering storing or
transferring personal or sensitive data:
Use of any portable and mobile ICT equipment must be authorised
by your manager before use.
All activities carried out on the Company’s systems and hardware
will be monitored in accordance with the general policy.
Employees and volunteers must ensure that all data belonging to
the Company is stored on the Company’s network and not kept
solely on a laptop. Any equipment where personal data is likely
to be stored must be encrypted.
Equipment must be kept physically secure in accordance with this
policy to be covered for insurance purposes. When travelling by
car, best practice is to place the laptop in the boot of the car
before starting your journey.
Synchronise all locally stored data, including diary entries,
with the central organisation network server on a frequent
Ensure portable and mobile ICT equipment is made available as
necessary for anti-virus updates and software installations,
patches or upgrades.
The installation of any applications or software packages must
be authorised by your manager, fully licensed and only be
carried out by an employee nominated by your manager.
In areas where there are likely to be members of the general
public, portable or mobile ICT equipment must not be left
unattended and, wherever possible, must be kept out of sight.
Portable equipment must be transported in a protective case if
one is supplied.
If remote access is required, you must contact your manager to
set this up.
You are responsible for all activity via your remote access
Laptops and mobile devices must have appropriate access
protection, i.e. passwords and encryption, and must not be left
unattended in public places.
To prevent unauthorised access to the Company’s systems, keep
all dial-up access information such as telephone numbers, logon
IDs and PINs confidential and do not disclose them to anyone.
Select PINs that are not easily guessed, e.g. do not use your
house or telephone number and do not choose consecutive or
Avoid writing down or otherwise recording any network access
information where possible. Any information that is written down
must be kept in a secure place and disguised so that no other
person is able to identify what it is.
Protect the Company’s information and data at all times,
including any printed material produced while using the remote
access facility. Take particular care when access is from a
Users of laptops and mobile devices are advised to check their
car and home insurance policies for the level of cover in the
event of equipment being stolen or damaged. Appropriate
precautions should be taken to minimise risk of theft or damage.
Care should be taken when working on laptops in public places
(e.g. trains) that any employee or client details are not
visible to other people.
You may find that you have access to electronic information about
the activity of colleagues. Any such information must not be used
by unauthorised individuals to monitor the activity of individual
employees in any way (e.g. to monitor their working activity,
working time, files accessed, internet sites accessed, reading of
their email or private files etc.) without their prior knowledge.
In the case of a specific allegation of misconduct, your manager
can authorise accessing of such information when investigating
the allegation. When an employee cannot avoid accessing such
information while fixing a problem, this will only be carried out
with the consent of the individual concerned.
Any users who place and pay for orders online using personal
details do so at their own risk and the Company accepts no
liability if details are fraudulently obtained whilst the user is
using the Company’s equipment.
Care of equipment
Do not rearrange the way in which equipment is plugged in
(computers, power supplies, phones, network cabling, modems etc.)
without first contacting your manager.
All employees, volunteers, contractors and temporary employees who
have been granted the right to use the Company’s ICT systems are
required to sign this agreement confirming their understanding and
acceptance of this policy.
If you have any questions about this policy, please contact us by
email (to email@example.com), by telephone (to 01252 852100)
or by post (to Berkeley Home Health, Unit 5 Abbey Business Park,
Farnham, GU9 8HT).