Data Protection Policy
In line with the Data Protection Act 2018 and the General Data Protection Regulation 2016 (GDPR), which became effective on 25 May 2018, AgriSearch’s Data Protection policy refers to our commitment to treat the information of employees, customers, stakeholders and other interested parties with the utmost care and confidentiality. Under this policy, we ensure that we gather, store and handle data fairly and transparently.
Personal data is data which, by itself or with other data available to us, can be used to identify you. AgriSearch is regarded as a data controller and staff are authorised to process data in relation to their job role on behalf of the Organisation in connection with running the business. This notice applies to current and former employees, workers, contractors, stakeholders, research partners and consultants.
Data Protection Principles:
We will comply with data protection law. This says that the personal information we hold about you must be:
1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely.
Types of personal data we collect and use:
Depending on your connection with AgriSearch, we will use your personal data for the reasons set out below and if you become an employee, we will use it for management purposes. Most of the data is collected directly from you during the application journey (e.g. recruitment, employment and thereafter throughout the period of you working for us or associated with AgriSearch). The personal data we use may include but is not limited to:
- Full name and personal details including contact information (e.g. home address, email address, home and mobile telephone numbers – for general contact and communication)
- Education, employment details and references (to determine suitability for employment)
- Identification documents (e.g. copy driving licence / passport / birth certificate / bank statements – to verify your identity, or ensure a valid driving licence for your job role)
- Date of birth (e.g. legal requirement for Trustees; to meet National Minimum and Living wage requirements)
- Marital status and dependants
- Financial details (e.g. details of bank account – sort code and account number, tax, national insurance information – to pay you and make authorised deductions)
- Details of farms including location, land classification, size and performance (e.g. grass growth and quality, milk / meat yield) as relevant to particular projects
- Details in support of benefit / mortgage applications (e.g. reference requests that you may ask us for or to which you have given consent for processing)
- Details in support of claims (third party requests on your behalf in support of claims)
- Next of kin and emergency contact information
- Disciplinary and grievance information
- Information about performance
- Training records
- Professional membership
Types of “sensitive” personal data we collect and use:
We may also collect, store and use the following:
- Information about your health, including any medical condition, health and sickness absence records
- Information about your race, ethnicity, religious beliefs, sexual orientation and political opinions
- Trade union membership
- Information about criminal convictions and offences (where we are legally able to do so).
Providing your personal data
We will tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases you must provide your personal data so that we can process your initial application and subsequently perform our contract with you.
If you fail to provide certain information when requested, we may not be able to perform the contract with you, e.g. paying you, or we may be prevented from complying with our legal obligations, e.g. ensuring the health and safety of our workers.
Monitoring of communications
Subject to applicable laws, we will monitor, log and audit employees’ use of company computers, laptops, tablets and electronic devices, including email, internet and other computer use.
Using your personal data: the legal basis and purposes
We will process your personal data:
- As necessary to perform our contract with you for employment purposes, including managing the contract and communicating with you.
- As necessary, for our own legitimate interests or those of other persons and organisations e.g. accounting and managing and auditing our business operations. This may also include marketing communications associated with the business.
- As necessary, to comply with a legal obligation e.g. when you exercise your rights under data protection law and make requests, for compliance with legal and regulatory requirements and related disclosures, to verify your identity.
- Based on your consent e.g. when you ask us to disclose your personal data to other people, such as a company handling a claim on your behalf, or requests for medical reports in accordance with legal obligations. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
We do not envisage that any decisions will be made about you using automated means; however, we will notify you in writing if this position changes.
Data Protection Impact Assessments (DPIAs):
In accordance with the current Information Commissioner’s guidance, AgriSearch has determined that Data Protection Impact Assessments (DPIAs) are not required as none of the following processing is carried out:
- Systematic and extensive profiling with significant effects
- Large scale use of sensitive data
- Public monitoring
However, should this change, the policy will be updated accordingly.
We may have to share your data with third party service providers. We require such parties to respect the security of your data and treat it in accordance with data protection law. We do not allow them to use your personal data for their own purposes. We only allow them to process your personal data for specified purposes in accordance with our instructions.
- Sub-contractors and other persons who help us provide our services e.g. payroll, pension administration, IT services.
- Our legal and other professional advisors e.g. HR Consultant.
- Government bodies and agencies in the UK e.g. HMRC.
- Sharing data (e.g. CVs) with research funders
- In an emergency or to otherwise protect your vital interests
- To protect the security or integrity of our business operations
- Payment systems (e.g. VISA, Mastercard / Worldpay), as authorised by you
- Anyone else where we have your consent or as required by law.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. This includes measures such as limited authorised access, document shredding, secure storage, frequent backups and password authorisation. In addition, we limit access to your personal information to those employees, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality and have to keep the data secure. Details of these measures may be obtained from the General Manager.
Personal Data Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by staff;
- sending personal data to an incorrect recipient;
- electronic devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
If an employee or other connected party suspects a breach, whether actual or not, it must be reported immediately to the General Manager to be registered and investigated. This will facilitate decision-making to ascertain if AgriSearch is required to notify the relevant supervisory authority and the affected individuals.
If it is considered necessary to report a breach, the following information must be provided:
- a description of the nature of the personal data breach;
- the categories and approximate number of individuals and personal data records concerned;
- the name and contact details of the person from whom more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
All breaches will be investigated to assess whether the breach was a result of human or systematic error, and measures will be put in place to prevent such a breach in future.
We will only retain your personal information for as long as necessary to fulfil the purposes for which it was collected. Most personal data, unless otherwise stated in line with contractual obligations, will be kept for a period of 10 years after the relationship has ended.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship or connection with us.
Under Data Protection legislation you have several important rights free of charge. In summary, those include rights to:
- access to your personal information, by means of a Subject Access Request, made in writing
- require us to correct any mistakes in your information which we hold
- require the deletion of personal data where there is no good reason for us to continue processing it
- object at any time to processing of personal data concerning you for direct marketing
- object in certain other situations to our continued processing of your personal data
- request that we restrict our processing of your personal information e.g. to confirm accuracy or the reason for processing
- request the transfer of your personal data to another party.
For further information on each of those rights, including the circumstances in which they apply, contact the UK Information Commissioner’s Office (ICO) at https://ico.org.uk
If you wish to exercise these rights, please contact the General Manager in the first instance. No fee is usually required. However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the General Manager. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
How to complain
We hope that we can resolve any query or concern you have about our use of your information. If you have any queries or concerns, you should speak to your Branch Manager in the first instance.
The Data Protection legislation also gives you the right to lodge a complaint with the UK Information Commissioner who may be contacted at https://ico.org.uk
Breach of this policy
Any breach of this policy will be taken seriously and may lead to disciplinary action being taken against AgriSearch’s employees under the Company Disciplinary and Dismissal Procedures. Serious breaches will be regarded as gross misconduct and may lead to dismissal under our disciplinary procedure. Serious breaches would include (but are not limited to) the disclosure of confidential information, accidental or otherwise.
Staff Handbook: Processing of personal data