BROSTER BUCHANAN DATA PRIVACY POLICY
Introduction, Aims and Scope
- The Broster Buchanan Group (“Broster Buchanan”) is committed to conducting its business in a manner that protects and values each individual’s personal data, and processes said personal data fairly, lawfully, and
- This policy (the “Policy”) sets out Broster Buchanan’s policy on data protection, and outlines an agreed set of standards by which Broster Buchanan, our employees, managers, agents and third parties contracting with Broster Buchanan, implement our commitment with regards to our processing personal
- The explicit aim of this Policy is to support the management of data protection within Broster Buchanan by providing this agreed set of standards. All employees, managers, agents and contractors in the relevant businesses should familiarise themselves with the processes and procedures set out herein and comply with them at all
- This Policy applies when Broster Buchanan processes (whether electronically or otherwise) Personal or Special Category Personal Data or when Personal or Special Category Personal Data is processed on behalf of Broster Buchanan. Subject to Paragraph 1.5, Broster Buchanan shall treat data concerning a natural person as personal data, irrespective of their nationality, citizenship, or
- This Policy further applies when Personal or Special Category Personal Data is processed (whether electronically or otherwise) in the United Kingdom, any EEA country or any country where the European Commission has made a finding of adequacy in accordance with Article 45 of the General Data Protection
- This Policy forms part of a framework governing Broster Buchanan’s practices in relation to data privacy and should be read in conjunction with such other policies and processes referenced within Linked policies and processes are identified at Paragraph 4 of this Policy (“Specific Policies”).
- This Policy shall apply subject to any Specific Policy, and in the event of direct conflict, the Specific Policy shall take precedence. In the event of ambiguity which falls short of conflict between this Policy and any Specific Policy, advice must be sought from Broster Buchanan’s CEO, Andrew Broster (“AB”), who will adjudicate on the ambiguity and update the policies and processes The guiding principle in such cases, absent specific advice from AB shall be to take the step that least infringes upon the data protection rights of the Data Subject, unless some other step is manifestly in their best interests.
- For operational purposes, there may be occasions where deviations to this Policy or any linked Policies are Where this is necessary and justified, the deviations shall be provided in separate policy or policy documents.
Definitions
- This Policy, unless indicated otherwise, adopts the definitions contained in the General Data Protection Regulation. Specifically, this Policy relies on the below
- Personal Data means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural ”
- Special Category Personal Data means “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation” and “personal data relating to criminal convictions and offences or related security ”
- Processing means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
- Data Controller means “the natural or legal person, public authority, agency or other body which processes personal data on behalf of the ”
- Data Processor means “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
- Data Subject means “an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural ”
- Third Party means “a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal ”
- Consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
- In addition, the Policy relies on the following further definitions:
- General Data Protection Regulation or GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- GDPR Enforcement Date means 25 May
- Applicable Data Protection Law means the General Data Protection Regulation and/or the Data Protection Act 2018 (if and insofar when enacted), orders and regulations made pursuant to the Data Protection Act 2018, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any subsequent legal instrument which either amends or replaces Directive 2002/58/EC.
- Applicable Guidance means guidance and/or codes of practice and/or outcomes of any enforcement action issued and/or published by the Information Commissioner’s Office, the Article 29 Working Party and the European Data Protection Board, or any successor bodies to these organisations, as amended or updated by said organisations.
Our responsibilities and obligations under Applicable Data Protection Law
- The Applicable Data Protection Law provides for a framework of rights and duties with which Broster Buchanan is, subject to the qualifications outlined in Paragraphs 4 to 1.7 above, legally bound to comply. The foundation of the Applicable Data Protection Law is the General Data Protection Regulation. This is based on six principles that form the foundations of Broster Buchanan’s approach to data protection. These six principles are:
- Lawfulness, fairness and transparency: Personal Data must be processed lawfully, fairly and in a transparent manner in relation to the Data
- Purpose limitation: Personal Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those
- Data minimisation: Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are
- Accuracy: Personal Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without
- Storage Limitation: Personal Data must be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.
- Integrity and Confidentiality: Personal Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Broster Buchanan accepts the importance of the above six principles, and understands that Broster Buchanan is responsible for demonstrating compliance with the above six principles. This Policy, along with the linked policies outlined in paragraph 4 below, and most importantly, the processes underpinning these policies, outline the scope and nature of our compliance with the above six principles.
Policies and processes
- In order to demonstrate our compliance with our responsibilities and obligations under the Applicable Data Protection Law, Broster Buchanan has a number of policy documents linked to this Policy. These policy documents are as follows:
- Broster Buchanan Data Retention Policy: this policy document outlines the nature and length of the time-frames by which Broster Buchanan retains personal data, and the legal bases for this
- In addition, a number of further exercises have been undertaken, or are in the process of being undertaken, in order to comply with our responsibilities and obligations:
- Broster Buchanan Data Inventory: Broster Buchanan has undertaken work to map and audit the data used by Broster Buchanan, in particular:
- whether this data is Personal Data and/or Special Category Personal Data;
- in what manner this data is processed by Broster Buchanan;
- where jurisdictionally such data is held; and
- under what legal bases such data is
- Data Protection Impact Assessments and Privacy Impact Assessments: these assessments have been undertaken or are in the process of being undertaken by Broster
- The above policy documents and exercises will be reviewed and updated regularly/annually, and in particular, Data Protection Impact Assessments and Privacy Impact Assessments will be undertaken when Broster Buchanan concludes that a new method of processing is likely to lead to a high risk to Data Subjects’ data protection and/or privacy
Governance Arrangements
- In order to demonstrate such compliance with the Applicable Data Protection Law, the Applicable Guidance, and the above policies, the below governance arrangements have been put in
- This Policy is directed by AB who also maintains data privacy principles on behalf of Broster Buchanan, along with policies, processes and AB will also keep copies of all data protection documentation, including data inventories, lawful bases of processing, and all registration documentation so as to provide the Information Commissioner with a single point of contact for all data protection related queries.
- The GDPR Data Protection Officer is Kevin Moran (“KM”). KM is the nominated point of contact for data protection authorities.
- KM is also responsible for responding to requests from Data Subjects to exercise their rights, conducting initial Privacy Impact Assessments and escalating matters to Broster Buchanan’s board of directors as and when required and shall ensure that:
- a record of Processing operations conducted by Broster Buchanan which shall record the legal basis upon which processing operations are undertaken is duly
- notice is provided to Data Subjects detailing how their data is to be processed and who their data may be shared with at all points of data
- an inventory detailing the various data sets held within Broster Buchanan and the legal basis under which data is processed is duly
- employees, managers, agents and contractors are made aware of this Policy and the other policies outlined in Appendix 1 below, and that the employees, managers, agents and contractors working receive suitable training in order to comply with aforementioned
5.1.3.5 the Data Inventory is up to date at all times and shall ensure that where new processes or systems are introduced that involve the processing of Personal Data, details of those systems are added to the Data Inventory.
The role of Employees, managers, agents and contractors
6.1 All of Broster Buchanan’s employees are required, as a part of their contract of employment, to confirm that they have read, understood and will comply with this Policy along with any associated policies and subsequent revisions. Any failure to comply with this Policy may constitute an act of misconduct which, following investigation, may result in termination of the employee contract.
6.2. All of Broster Buchanan’s managers, agents and contractors are required, as a part of their service agreements, to confirm that they have read, understood and will comply with this Policy along with any associated policies and subsequent revisions. Any failure to comply with this Policy may constitute breach of contract which may result in termination of their service agreements.
6.3. All employees, managers, agents and contractors are required, on receipt of a request from a Data Subject exercising their rights, to immediately notify KM.
Processing, storage, retention and destruction of data
- Broster Buchanan processes Personal and may have to process Special Category Personal Data for the following broad purposes: the administration of the Broster Buchanan
Collection and use of Special Category Data
- Broster Buchanan may collect and process Special Category Personal Data from time
- Records of the processing of Special Category Personal Data shall be retained by
Consent
- Where Broster Buchanan relies upon consent as a valid basis for processing, Broster Buchanan will ensure that systems are set up that allow Broster Buchanan to:
- demonstrate that a Data Subject has consented to processing of their personal data, via documenting the date, method and content of the disclosures
- demonstrate that Broster Buchanan’s requests for consent are presented in a manner which is clearly distinguishable from any other matters, is made in an intelligible and easily accessible form, and uses clear and plain
- To ensure that Broster Buchanan’s processing is compliant with the Applicable Data Protection Law, Personal and Special Category Personal Data will not be retained by Broster Buchanan for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further
Maintenance of Data Quality
- Broster Buchanan recognises the importance of keeping data up to date and accurate at all times. All employees are required to ensure that the Data they are processing is accurate, free from errors and updated as and when required or where expressly requested by the Data
Automated Processing
- Broster Buchanan will only engage in automatic processing activities, including profiling, where:
- it is necessary for entering into, or performance of, a contract between the Data Subject and a Data Controller;
- it is authorised by Union or Member State Law to which the Data Controller is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests; or
- it is based on the Data Subject’s explicit
- In relation to such processing, Broster Buchanan shall implement suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Data Controller, to express his or her point of view and to contest the
Retention and Destruction
- The storage, retention and destruction of Personal and Special Category Personal Data is governed by a separate, specific policy, as set out in Appendix 1
Subject Rights
- Broster Buchanan will respect the rights of Data Subjects as provided for in Chapter 3 of the General Data Protection Regulation, and Article 8 of the EU Charter of Fundamental
This is governed by a separate, specific policy, as outlined in Appendix 1, which deals, in particular, with the suite of rights provided for by the General Data Protection Regulation.
Incident Management
- Broster Buchanan is responsible for the creation and maintenance of an Incident Management Plan detailing what steps must be taken in the event of a Data Incident taking place within Broster
- The majority of Data Incidents shall be handled by AB, in cooperation with Broster Buchanan’s managers, the Charles Taylor group, acting as “joint-controller” with Broster Buchanan. Where an incident is particularly serious or may require notification to either the Regulator or to the Data Subject, AB must notify Broster Buchanan’s board of directors without delay.
- All involvement with the Regulator shall be undertaken by
- AB will maintain a register of all Data Incidents that have taken place within Broster Buchanan. Metrics relating to Data Incidents shall be reported to Broster Buchanan’s board of directors on a regular
- AB is responsible for arranging periodic testing of Broster Buchanan’s Incident Management Plan and proposing any amendments to the plan from time to time.
Data Transfer
- Where possible, Broster Buchanan shall rely on adequacy decisions made by the European Commission to legitimise transfers to third parties in other Notwithstanding the reliance on adequacy decisions, Broster Buchanan shall still enter into Data Processing or Data Sharing Agreements in relation to the passage of Personal Data.
- Where it is not possible to rely on an adequacy decision, AB is responsible for ensuring that, in the event data is, or may be, transferred to another jurisdiction, any processing or sharing agreement shall be approved by the board of directors of Broster
- AB shall retain records of transfer activity that is taking place within Broster Buchanan or by or to Broster
Security
- Broster Buchanan will adopt physical, technical, and organisational measures to ensure the appropriate security of processing in relation to Personal Data, and that unauthorised or unlawful processing does not occur. Please find below a non-exhaustive list of security measures:
- ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- restoring the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- implementing a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the
11.2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
Third Party Risk
Data Processing and Sharing Agreements
- Wherever Personal Data is shared with third parties or provided to third parties for processing, this shall occur in accordance with terms provided in either a Data Processing Agreement or a Data Sharing
- AB retains a record of all Processing and Sharing Agreements that are in
- Complying with Law Enforcement
- In certain circumstances, Broster Buchanan is able to share a Data Subject’s Personal Data without the knowledge or consent of the Data Subject, in particular where:
- The disclosure is required by
- The disclosure is required in order to assist in the prevention or detection of
- The disclosure is required in order to assist in the apprehension or prosecution
- The disclosure is required in order to assist in the assessment or collection of any tax or duty or of any imposition of a similar
- Any processing of Personal Data relating to criminal convictions and offences or related security measures shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of Data
Audit and Review
- AB shall engage in ad hoc assessments of compliance with this Policy and the policies sitting under it from time to time to ensure that best practice is being maintained and that employees, managers, agents and contractors are complying with their obligations in relation to data Details of ad hoc assessments that have been conducted are reported to Broster Buchanan’s board of directors on a periodic basis.
- This Policy shall be periodically reviewed on an annual basis. Earlier review or amendment may take place in the event of changes to Regulation or Legislation or following any
Policy Version 1.0
Drafted: 8 May 2018
Presented to the Executive Committee:
Approved by the Executive Committee:
Appendix 1 – Broster Buchanan Data Retention Policy
BROSTER BUCHANAN DATA RETENTION POLICY
1. ABOUT THIS POLICY
- The corporate information, records and data of Broster Buchanan Ltd and our subsidiaries is important to how we conduct business and manage There are legal and regulatory requirements for us to retain certain data, usually for a specified amount of time. We also retain data to help our business operate and to have information available when we need it. However, we do not need to retain all data indefinitely, and retaining data can expose us to risk as well as be a cost to our business.
- This Data Retention Policy explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal. Failure to comply with this policy can expose us to fines and penalties, adverse publicity, difficulties in providing evidence when we need it and in running our
- This policy does not form part of any employee’s contract of employment, and we may amend it at any
2. SCOPE OF POLICY
- This policy covers all data that we hold or have control over. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings and CCTV recordings. It applies to both personal data and non-personal data. In this policy we refer to this information and these records collectively as “data”. This policy covers data that is held by third parties on our behalf, for example cloud storage providers or offsite records storage. It also covers data that belongs to us but is held by employees on personal devices.
- This policy explains the differences between our formal or official records, disposable information, confidential information belonging to others, personal data and non-personal data. It also gives guidance on how we classify our data.
3. GUIDING PRINCIPLES
- Through this policy, and our data retention practices, we aim to meet the following commitments:
- We comply with legal and regulatory requirements to retain
- We comply with our data protection obligations, in particular to keep personal data no longer than is necessary for the purposes for which it is processed (storage limitation principle).
- We handle, store and dispose of data responsibly and
- We create and retain data where we need this to operate our business effectively, but we do not create or retain data without good business
- We allocate appropriate resources, roles and responsibilities to data
- We regularly remind employees of their data retention
- We regularly monitor and audit compliance with this policy and update this policy when
4. ROLES AND RESPONSIBILITIES
- Responsibility of all employees. We aim to comply with the laws, rules, and regulations that govern our organisation and with recognised compliance good All employees must comply with this policy. Failure to do so may subject us, our employees, and contractors to serious civil and/or criminal liability. An employee’s failure to comply with this policy may result in disciplinary sanctions, including suspension or termination. It is therefore the responsibility of everyone to understand and comply with this policy.
- Data Protection Officer. Our Data Protection Officer (DPO) is responsible for advising on and monitoring our compliance with data protection laws which regulate personal data.
5. TYPES OF DATA AND DATA CLASSIFICATIONS
- Formal or official records. Certain data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business. Please see paragraph 6.1 below for more information on retention periods for this type of data.
- Disposable information. Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule. Examples may include:
- Duplicates of originals that have not been
- Preliminary drafts of letters, memoranda, reports, worksheets, and informal notes that do not represent significant steps or decisions in the preparation of an official
- Books, periodicals, manuals, training binders, and other printed materials obtained from sources outside of the Broster Buchanan group and retained primarily for reference purposes.
- Spam and junk
Please see paragraph 6.2 below for more information on how to determine retention periods for this type of data.
- Personal data. Both formal or official records and disposable information may contain personal data; that is, data that identifies living individuals. Data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). See paragraph 6.3 below for more information on this.
- Confidential information belonging to others. Any confidential information that an employee may have obtained from a source outside of the Broster Buchanan group such as a previous employer, must not, so long as such information remains confidential, be disclosed to or used by us. Unsolicited confidential information submitted to us should be refused, returned to the sender where possible, and deleted, if received via the
6. RETENTION PERIODS
- Formal or official records. Any data that is part of any of the categories listed in the Record Retention Schedule contained in the Annex to this policy, must be retained for the amount of time indicated in the Record Retention Schedule. A record must not be retained beyond the period indicated in the Record Retention Schedule, unless a valid business reason (or notice to preserve documents for contemplated litigation or other special situation) calls for its continued retention.
- Disposable information. The Record Retention Schedule will not set out retention periods for disposable information. This type of data should only be retained as long as it is needed for business purposes. Once it no longer has any business purpose or value it should be securely disposed of.
- Personal data. As explained above, data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). Where data is listed in the Record Retention Schedule, we have taken into account the principle of storage limitation and balanced this against our requirements to retain the data. Where data is disposable information, you must take into account the principle of storage limitation when deciding whether to retain this data.
- What to do if data is not listed in the Record Retention Schedule. If data is not listed in the Record Retention Schedule, it is likely that it should be classed as disposable information.
7. STORAGE, BACK-UP AND DISPOSAL OF DATA
- Our data must be stored in a safe, secure, and accessible manner. Any documents and financial files that are essential to our business operations during an emergency must be duplicated and/or backed up at least once per week and maintained off site.
- Destruction. Our DPO is responsible for the continuing process of identifying the data that has met its required retention period and supervising its The destruction of confidential, financial, and employee-related hard copy data must be conducted by shredding if possible. Non-confidential data may be destroyed by recycling. The destruction of electronic data must be co-ordinated with the IT Department.
- The destruction of data must stop immediately upon notification that preservation of documents for contemplated litigation is required (sometimes referred to as a litigation hold). This is because we may be involved in a legal claim or an official investigation (see next paragraph). Destruction may begin again once the requirement for preservation is
8. SPECIAL CIRCUMSTANCES
- Preservation of documents for contemplated litigation and other special situations. We require all employees to comply fully with our Record Retention Schedule and procedures as provided in this All employees should note the following general exception to any stated destruction schedule: If you believe or are informed that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that could result in litigation), government investigation, audit, or other event, you must preserve and not delete, dispose, destroy, or change those records, including emails and other electronic documents, until those records are no longer needed. Preserving documents includes suspending any requirements in the Record Retention Schedule and preserving the integrity of the electronic files or other format in which the records are kept.
9. WHERE TO GO FOR ADVICE AND QUESTIONS
- Questions about the Any questions about retention periods relevant to you should be referred to Kevin Moran (kevinmoran@brosterbuchanan.com) who is in charge of administering, enforcing, and updating this policy.
10. BREACH REPORTING AND AUDIT
- Reporting policy We are committed to enforcing this policy as it applies to all forms of data. The effectiveness of our efforts, however, depends largely on employees. If you feel that you or someone else may have breached this policy, you should report the incident immediately to your supervisor. If you are not comfortable bringing the matter up with your immediate supervisor, or do not believe the supervisor has dealt with the matter properly, you should raise the matter with the DPO. If employees do not report inappropriate conduct, we may not become aware of a possible breach of this policy and may not be able to take appropriate corrective action.
- No one will be subject to, and we do not allow, any form of discipline, reprisal, intimidation, or retaliation for reporting incidents of inappropriate conduct of any kind, pursuing any record destruction claim, or co-operating in related investigations.
- Audits. The DPO will periodically review this policy and its procedures (including where appropriate by taking outside legal or auditor advice) to ensure we are in compliance with relevant new or amended laws, regulations or guidance. Additionally, we will regularly monitor compliance with this policy, including by carrying out
ANNEX A DEFINITIONS
Data: all data that we hold or have control over and therefore to which this policy applies. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings and CCTV recordings. It applies to both personal data and non-personal data. In this policy we refer to this information and these records collectively as “data”.
Data Protection Officer: our Data Protection Officer who is responsible for advising on and monitoring compliance with data protection laws.
Data Retention Policy: this policy, which explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.
Disposable information: disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule.
Formal or official record: certain data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business. We refer to this as formal or official records or data.
Non-personal data: data which does not identify living individuals, either because it is not about living individuals (for example financial records) or because it has been fully anonymised.
Personal data: any information identifying a living individual or information relating to a living individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. This includes special categories of personal data such as health data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Record Retention Schedule: the schedule attached to this policy which sets out retention periods for our formal or official records.
Storage limitation principle: data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed. This is referred to in the UK GDPR as the principle of storage limitation.
ANNEX B RECORD RETENTION SCHEDULE
Broster Buchanan establishes retention or destruction schedules or procedures for specific categories of data. This is done to ensure legal compliance (for example with our data protection obligations) and accomplish other objectives, such as protecting intellectual property and controlling costs.
Employees should comply with the retention periods listed in the record retention schedule below.
| TYPE OF DATA | RETENTION PERIOD | REASON / COMMENTS |
| --- | --- | --- |
| Candidate records (personal data, applications): unsuccessful candidates (non-placed) | Up to two years following last interaction | Best practice |
| Candidate records (personal data, applications): successful candidates | Duration of employment and up to six years after employment ends | To align with Limitation Act 1980 |
| Client/Supplier records (communications, billings information, contracts): active clients | For as long as the business relationship is active | To ensure the fulfilment of contracts, managing accounts and upholding services |
| Client/Supplier records (communications, billings information, contracts): former clients | Up to six years following the end of the business relationship | To align with Limitation Act 1980 |
Our contact details
Name: Broster Buchanan
Email Address: info@brosterbuchanan.com
Phone Number: 0330 2050288
Address: 65 High Street, Harpenden, Hertfordshire, AL5 2SL
The type of personal information we collect
We currently collect and process the following information:
- Personal identifiers, contacts and characteristics (for example, name and contact details)
- Email addresses
How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- To respond to your enquiry.
- To action your request.
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
- Your consent. You are able to remove your consent at any time. You can do this by emailing Broster Buchanan at info@brosterbuchanan.com.
- We have a contractual obligation.
How we store your personal information
Your information is securely stored.
We keep your contact details and email addresses until prior notice is given for them to be removed. We will then dispose of your information by deleting all documents containing your contact details and email addresses.
Your data protection rights
Under data protection law, you have rights including:
Your right of access – You have the right to ask us for copies of your personal information.
Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please email us at info@brosterbuchanan.com, phone us on 0330 2050288 and/or write to us by post at 65 High Street, Harpenden, Hertfordshire, AL5 2SL if you wish to make a request.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to info@brosterbuchanan.com and/or 0330 2050288 and/or 65 High Street, Harpenden, Hertfordshire, AL5 2SL.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk