MTR Data Protection

Introduction

MTR processes personal data in relation to its own staff, work-seekers and individual client contacts and is a data controller for the purposes of the Data Protection Laws. The Company is registered with the ICO and its registration number is Z1262934

Data Controller means an individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data;

Data Processor means an individual or organisation which processes personal data on behalf of the data controller;

The Company may hold personal data on individuals for the following purposes:

• Staff administration
• Advertising, marketing and public relations
• Accounts and records
• Administration and processing of work-seekers’ personal data for the purposes of providing work-finding services, including processing using software solution providers and back office support
• Administration and processing of clients’ personal data for the purposes of supplying/introducing work-seekers

The Company will only process personal data where it has a legal basis for doing so.

Company staff are permitted to add, amend or remove personal data from the Company’s database (‘database’ includes paper records or records stored electronically).

All Company staff are responsible for identifying where information is known to be old, inaccurate or out of date or a request for erasure, access, rectification or restriction of processing has been received from the individual. Company staff are also responsible for any request for data portability, objection to processing or where consent to process has been withdrawn and has been received from the individual.

In addition all Company staff should ensure that adequate security measures are in place to limit the risk of personal data breaches. For example:

• Staff should lock their computer screens when they are not in use.
• All devices, whether company or personal devices (including but not limited to computers, mobile phones, other hand-held devices) containing personal data relating to the services of the Company shall be encrypted and password protected. OR All personal data collected via a company or personal device for the purposes of providing the Company’s services, should be processed through the Company’s CRM.
• Staff should not disclose their passwords to anyone.
• Email should be used with care. Company staff must ensure that emails are sent only to the intended recipient/s. Where Company staff send an email in error then the email must be recalled immediately so that any risk of a personal data breach can be limited.
• Personnel files (whether for internal staff or work-seekers) and other personal data should be stored securely to prevent unauthorised access. They should not be removed from their usual place of storage without good reason.
• Personnel files (whether for internal staff or work-seekers) should always be locked away when not in use and when in use should not be left unattended.
• Personal data should only be stored for the periods set out in the Company’s data retention policy.
• Processing includes the destruction or disposal of personal data. Therefore staff should take care to destroy or dispose of personal data safely and securely. Such material should be shredded or stored as confidential waste awaiting safe destruction.

An individual has the following rights under the Data Protection Laws:

• The right to be informed of what information the Company holds on them
• The right of access to any personal data that the Company holds on them
• The right to rectification of personal data that the individual believes is either inaccurate or incomplete;
• The right to erasure of their personal data in certain circumstances;
• The right to restrict processing of their personal data;
• The right to data portability of their personal data in specific circumstances;
• The right to object to the processing of their personal data where it is based on either a legitimate interest or a public interest;
• The right not to be subjected to automated decision making and profiling; and
• The right to withdraw consent where it was relied upon to process their personal data.

The right to be informed

Any individual whose personal data is processed by the Company will have the right to be informed about such processing. They will have the right to be informed about who, what, where and why the data is processed.

The right to access (‘subject access request’)

Individuals are entitled to obtain access to their personal data on request, free of charge except in certain circumstances.

The right to rectification

An individual has the right to obtain from the Company, rectification of inaccurate or incomplete personal data concerning him or her. The Company must act on this request without undue delay.

The right to erasure (‘right to be forgotten’)

An individual shall have the right to obtain from the Company, acting as data controller, the erasure of personal data concerning him or her without undue delay. The Company will be obliged to erase the individual’s personal data without undue delay.

The right to restrict processing

An individual will have the right to obtain from the Company, acting as a data controller, the restriction of processing his or her personal data.

The right to data portability

An individual has the right to receive any personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller.

The right to object to processing

An individual, has the right to object to their personal data being processed or profiled based on a public interest or a legitimate interest.

Timing and information to be provided to the individual

The Company shall provide information on action taken or not taken with regards to the individual data protection rights without undue delay and in any event within one month of receipt of the request. Where the Company does take action, then it may, where necessary, extend this period by a further two months, taking into account the complexity and number of the requests.

Charges

Where requests from an individual the Company can demonstrate are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either:

• Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
• Refuse to act on the request.

The Company will need to act on any personal data protection breach it suspects or knows of when acting as either a data controller or a data processor.

Personal data breaches

The Company will take measures to establish whether or not a personal data breach has occurred. The Company will:

• Conduct a risk assessment as to what level of risk the personal data breach poses/has occurred;
• Conduct any relevant interviews or investigations of the Company’s practices and/or Company staff to assess how the personal data breach occurred
• Document the facts relating to the personal data breach and remedial action to take
• Implement measures and take steps to limit, contain and recover the breach

The Company will be responsible for alerting the ICO of any personal data breach without undue delay, but no later than 72 hours after having become aware of the Company’s personal data breach.

Where a personal data breach has been identified, The Company will be responsible for informing those individuals effected by the personal data breach without undue delay.

If you wish to get in touch please contact data@mtrp.co.uk

You also have the right to raise concerns with Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/concerns/, or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.