Personal Data and GDPR Policy

1. The meaning of the key GDPR terms used in this policy

“data subject” means an identified individual.
“personal data” is any information about a data subject who is or could be identified in the information.
“using” or “processing” is any use of personal data, including collecting, recording, organising, storing, altering, retrieving, restricting, destroying or making it known to third parties.
“consent” means an indication of the data subject’s wishes, signifying their agreement to the use of their personal data.
“criminal records personal data” means personal data relating to criminal allegations, proceedings, convictions or offences.
“data protection legislation” means the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
“member of staff” is any director, employee, intern, volunteer, contractor or consultant employed or engaged by M3.
“special categories of personal data” reveal racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic/biometric information, physical/mental health and the sexual activities/orientation of a data subject.

2. The purpose and consequences of this policy

This policy sets out how M3 uses personal data of data subjects, including job applicants and current and former directors, employees, interns, volunteers, contractors, consultants, clients, customers, suppliers and other third parties. M3 is committed to being clear and transparent about how we use personal data and to protecting its confidentiality, security and integrity.

This policy applies to all members of staff when they use personal data and a breach of this policy will be misconduct and dealt with under M3’s disciplinary procedure. A significant or deliberate breach, such as accessing or disclosing personal data without authority, is gross misconduct and could lead to dismissal or a contract being terminated.

All members of staff must comply with six principles to ensure personal data is :

  • Processed lawfully, fairly and in a transparent manner;
  • Collected only for specified purposes and not used in a way incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary for the purposes;
  • Accurate and appropriately up to date, with every reasonable step taken to erase or rectify inaccuracies;
  • Not retained for longer than necessary for the purposes;
  • Kept appropriately secure and confidential against unauthorised use or accidental damage or destruction.

Members of staff should be aware they may be held criminally liable because it is a criminal offence to knowingly or recklessly :

  • obtain or disclose personal data or to enable disclosure to a third party without the consent of M3 or the data subjects, including taking clients’ or customers’ contact details or other personal data without M3’s consent, accessing other employees’ personal data without authority or otherwise misusing or stealing personal data;
  • re-identify personal data that has been anonymised without the consent of M3 or the data subjects;
  • alter, block, erase, destroy or conceal personal data with the intention of preventing their disclosure to a data subject following a data subject request – section 10 below.

Where unlawful activity is suspected, M3 will report the matter to the Information Commissioner’s Office for investigation.

3. The Data Protection Manager and seeking their assistance

The Company’s Data Protection Manager, Michael-John Saunders (mjsaunders@m3c.co.uk), has responsibility for data protection compliance by M3 and should be consulted whenever there is :

  • any doubt about what, how and when personal data can be used – section 4 below, or
  • uncertainty about the basis being relied upon to use personal data lawfully – section 5 below, or
  • the need to issue a privacy notice when collecting personal data – see section 6 below, or
  • any doubt about the accuracy or currency of the personal data being used – section 7 below, or
  • uncertainty about the retention period for personal data – section 8 below, or
  • any doubt about the security of personal data – section 9 below, or
  • assistance required to address data rights invoked by a data subject – section 10 below, or
  • a suspicion that a personal data breach, or any other breach of this policy, may have occurred or is at risk of occurring.

4. What, how and when personal data can be used

Decisions about any use of personal data in accordance with this policy are the responsibility of the member of staff using them. This includes simple situations like using a data subject’s email address to invite them to a social event or to participate in a charitable sponsorship. When using any personal data for any purpose, members of staff must be confident :

  • there are no special categories of personal data or criminal records personal data involved in any way (see the definitions in section 1 above) and
  • the personal data does not relate to any M3 finance/accounting or human resources activities, unless the use has been approved in writing by Mike Ravenscroft or Liz Sayer respectively, and
  • they are clear about the lawful basis for the intended use (see section 5 below) and they are not in need of any guidance on this from Gavin Kieran or his nominee as regards marketing or business development activities or from Michael-John Saunders in any other regard, and
  • they are not sending content to or making requests of any data subjects who may be offended or irritated as a consequence, or who have indicated they do not wish their personal data to be used as intended, and
  • they are well acquainted with all of the data subjects to whom they send content or of whom they make requests, and
  • they give the data subjects the clear opportunity to inform the sending member of staff that they do not wish to receive any future content or requests from any M3 member of staff. If a data subject indicates they do not wish their personal data to be used, it is essential Liz Sayer is notified as soon as possible and this is then recorded in M3’s master record of the data subject’s contact details.

5. Determining the basis relied upon to use personal data lawfully

Personal data must only be used by a member of staff where their job duties and responsibilities require it and when it is lawful on the basis of one or more of the following :

  • to perform a contract with the data subject or their business, including to deliver an M3 service to a client; or
  • at the data subject’s initiation to seek to enter into a contract with them, including as a new employee or client; or
  • the data subject has given consent for the specific purpose involved, provided a clear record is kept of the consent, what the data subject was told when they gave their consent and how and when the consent was given; or
  • to comply with M3’s legal obligations; or
  • to protect the data subject’s or someone else’s vital interests; or
  • to pursue M3’s legitimate interests, provided :
    • the data subject’s rights and freedoms do not override M3’s legitimate interests, and
    • the purpose for using or processing the personal data is set out in a privacy notice, and
    • a record is prepared and retained of why this is a lawful basis.

The legitimacy of the basis should remain under review to ensure a repeated or continuing use remains appropriate.

When consent is the basis, the data subject needs to have given a clear positive indication their personal data can be used for the purpose. Pre-ticked boxes, inactivity or silence do not constitute consent. When consent was given, data subjects must also have been advised of an easy way to withdraw their consent at any time.

Personal data must be collected only for specified purposes. It must be adequate, relevant and limited to what is necessary for the purposes and must not be used for new, different or incompatible purposes unless the data subject has been informed.

Additional conditions apply to the use of special categories of personal data which have not manifestly been made public by the data subject and of criminal records personal data – see the definitions in section 1 above. Before using these types of data, members of staff must seek prior approval of the Data Protection Manager because :

  • the data subject must have given clear explicit consent to using their personal data for the specified purposes, or
  • the use is necessary to carry out obligations or exercise specific rights of either M3 or the data subject under employment law or social security law, or
  • the use is necessary in connection with legal claims.

6. Privacy notices

M3 will provide specific information to data subjects through privacy notices which are concise, transparent, intelligible, easily accessible and use clear and plain language. Whenever M3 collects personal data from data subjects, the following must be provided in a form and content approved by the Data Protection Manager :

  • the contact details of the member of staff managing or coordinating the specific use of the personal data or, if not a specific use, of the Data Protection Manager, and
  • the purpose for which the personal data will be used, and
  • the basis for the use (see section 5 above) and, where legitimate interests are the basis, the nature of them, and
  • the right to withdraw consent at any time, where consent is the basis for the use, and
  • if not obtained directly from the data subject, the nature of the personal data and its sources, and
  • the recipients or recipient groups with whom the personal data may be shared, including M3’s service providers, and
  • details of transfers of the personal data to be made to non-EEA countries and the safeguards to be applied, and
  • the retention period for the personal data or the criteria to be used to determine the retention period, and
  • the data subject’s rights to access, obtain, rectify, erase, restrict or object to the use of their personal data, and
  • the right to complain to the Information Commissioner’s Office, and
  • the existence of any automated decision-making, including profiling, and meaningful information about how decisions will be made using the personal data and the significance and consequences of the decisions to be made, and
  • whether the provision of personal data is part of a statutory or contractual requirement or obligation, or a requirement necessary to enter into a contract, and the possible consequences of failing to provide the personal data.

M3 must issue a privacy notice when a data subject’s personal data are first collected from them. If the personal data have been obtained from third parties, M3 must provide the privacy notice within a reasonable period of obtaining the personal data and at the latest within one month. If the personal data are to be used to communicate with the data subject, the privacy notice must be provided before or when the first communication takes place. If disclosure of the personal data to a third party is envisaged, the privacy notice must be provided before or when the data are first disclosed.

7. Accuracy and currency of personal data

Personal data must be accurate and appropriately up to date, with every reasonable step taken to erase or rectify inaccuracies. Members of staff should keep Liz Sayer informed if their personal data changes because M3 cannot be held responsible for errors in their personal data unless the member of staff notified M3 of the relevant change. Members of staff must also ensure the personal data about other data subjects they hold or coordinate in connection with their M3 role is accurate and up to date. The accuracy and currency of personal data must be checked at the point of collection and at regular intervals thereafter and reasonable steps must be taken to destroy, erase or correct outdated personal data.

8. Retaining personal data

Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is used. M3 will only retain personal data for as long as is necessary for the purposes for which they were originally collected, including to satisfy legal, tax, health and safety, reporting or accounting requirements.

All personal data must be reviewed before destruction or erasure to determine whether special factors mean this should be delayed. Otherwise, they must be destroyed or erased at the end of the retention periods below. In some circumstances, M3 may anonymise personal data so they no longer permit a data subject’s identification and they are then retained for a longer period.

job applicants :

If a job applicant’s application for employment or engagement is unsuccessful, M3 will generally hold their personal data for one year after the end of the relevant recruitment exercise, but this is subject to minimum statutory or other legal, tax, health and safety, reporting or accounting requirements and retention for up to six years to protect against legal risks. If the job applicant has consented to M3 keeping their personal data for future employment opportunities, M3 will hold their personal data for a further six months after the end of the relevant recruitment exercise or until they withdraw their consent if earlier.

members of staff :

M3 will generally hold personal data for the duration of a member of staff’s employment or engagement, except disciplinary, grievance and capability records will only be retained until the expiry of any warning given and then only a summary record will be maintained. Once a member of staff has left employment or their engagement has been terminated, M3 will generally hold their personal data for six years except where the personal data forms part of the records of services provided by M3 or is subject to minimum statutory or other legal, tax, health and safety, reporting or accounting requirements.

other third parties, including clients, customers and suppliers :

M3 will generally hold personal data belonging to clients, customers and suppliers for the duration of M3’s business relationship with them. Once M3’s business relationship with a client, customer or supplier has been terminated, M3 will generally hold their personal data for six years after the termination of the relationship except where the personal data forms part of the documentation or records of the services provided by M3 or is subject to minimum statutory or other legal, tax, health and safety, reporting or accounting requirements for particular data or records.

9. Security of personal data

Appropriate security of personal data must be maintained, including protection against unauthorised or unlawful use or accidental loss, destruction or damage. M3 takes the security of personal data seriously and has implemented and maintains safeguards which are appropriate to the size and scope of the business, the amount of personal data held and identified risks. This includes encryption of personal data where appropriate. M3 also takes steps to ensure the ongoing confidentiality, integrity, availability and resilience of its processing systems and to ensure, in the event of a physical or technical incident, availability of and access to personal data can be restored in a timely manner. M3 regularly tests and evaluates the effectiveness of its technical and organisational safeguards to ensure the security of its processing activities.

Members of staff are responsible for protecting personal data and must comply with all procedures and policies to maintain the security of personal data from the point of collection to the point of destruction.

Where M3 uses third-party service providers to process personal data, additional security arrangements safeguard the security of personal data, which is only accessible to third-party service providers where the third party :

  • has a business need to know the personal data for the purpose of providing the contracted services; and
  • was identified in the privacy notice provided to the data subject; and
  • has agreed to comply with M3’s data security procedures with adequate measures to secure processing; and
  • has a written contract and related instructions with M3 containing specific approved terms and requirements; and
  • will assist M3 to allow data subjects to exercise their data protection rights and in meeting M3’s obligations in relation to the security of processing, the notification of data breaches and data protection impact assessments; and
  • will delete or return all personal data to M3 at the end of the contract; and
  • will submit to audits.

The approval of the Data Protection Manager is required before an agreement involving the processing of personal data by a third-party service provider is entered into or amended.

Personal data accessed or acquired by members of staff in connection with their M3 role must not be stored on local computer drives or on personal devices. They may only share personal data they access or acquire in connection with their M3 role with other members of staff if they have a business need to properly perform their job duties and responsibilities.

Hard copy personnel files and removable storage media, which hold personal data about members of staff, are confidential and must be stored in locked filing cabinets. Only authorised members of staff, who have a business need to properly perform their job duties and responsibilities, have access to these files and media. Personal data about members of staff held in electronic format will be stored confidentially with password protection and only authorised members of staff will have access.

M3 has network backup procedures in place to ensure personal data held in electronic format cannot be accidentally lost, destroyed or damaged.

The data protection legislation requires M3 to notify any personal data breach to the Information Commissioner’s Office within 72 hours after becoming aware of the breach and, where there is a high risk to the rights and freedoms of data subjects, to the data subject themselves. A personal data breach is any breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed and includes any act or omission that compromises the confidentiality, integrity or availability of personal data or the safeguards that M3, or our third-party service providers, have put in place to protect them. Anyone knowing or suspecting that a personal data breach has occurred should immediately contact our Data Protection Manager, Michael-John Saunders, mjsaunders@m3c.co.uk and retain any evidence they have in relation to the breach.

10. Data subject rights

If someone wishes to exercise their data subject access rights, they should put the request in writing and send it to the Data Protection Manager, Michael-John Saunders, by e-mail at mjsaunders@m3c.co.uk or by post at M3 Consulting, Dashwood House, 69 Old Broad Street, London, EC2M 1QS. Any member of staff receiving such a request must immediately forward it to the Data Protection Manager.

Data subjects have the right to request and obtain a copy of the personal data M3 holds about them and to receive :

  • confirmation as to whether or not their personal data are being used or processed;
  • access to copies of their specified personal data;
  • the purposes of the use or processing and the categories of personal data concerned;
  • the recipients or recipient groups to whom the personal data have been or will be disclosed;
  • where the personal data are not collected from them, any available information as to their source;
  • where the personal data are transferred to a non-EEA country, what safeguards are in place relating to the transfer;
  • the period for which the personal data will be stored or the criteria used to determine that period;
  • the existence of any automated decision-making, including profiling, and meaningful information about how decisions will be made using the personal data and the significance and consequences of the decisions to be made;
  • confirmation of the data subject’s rights to request rectification or erasure of their personal data or restriction of use or processing of their personal data or to object to the use or processing;
  • information about their right to lodge a complaint with the Information Commissioner’s Office if they think M3 has failed to comply with their data protection rights.

When a data subject makes such a request, M3 will log the date on which the request was received and confirm their identity. Where M3 has reasonable doubts about the data subject’s identity, additional information will be requested to confirm their identity. M3 will then search databases, systems and other places where the personal data may be held. Where M3 processes a large quantity of personal data about a data subject, M3 may ask them to first specify the information to which their request relates, to help expedite a response.

If the data subject makes their request electronically, M3 must provide a copy of the personal data in a commonly used electronic format, unless the data subject specifically requests otherwise. If the data subject wants additional copies of the personal data, M3 will charge a reasonable fee based on the administrative costs of providing the additional copies.

M3 will normally respond to a request and provide copies of the personal data within one month of the request. However, M3 may extend this time limit by a further two months if the request is complex or there are a number of requests from the data subject. If M3 intends to extend the time limit, M3 will contact the data subject within one month of receiving the request to inform them of the extension and explain why it is necessary.

Before providing the personal data to the data subject making the request, M3 will review them to see if they contain personal data of other data subjects. M3 may redact personal data of other data subjects unless they have consented to the disclosure of their personal data. M3 will also check for relevant statutory exemptions which may mean the personal data is not disclosed.

Whilst M3 will normally provide a copy of the personal data in response to a request free of charge, M3 reserves the right to refuse to respond or to charge a reasonable fee, based on the administrative costs of providing the personal data, when a request is manifestly unfounded or excessive or if it repeats a request to which M3 has already responded. Where M3 refuses to respond, the data subject will be given written reasons why within one month of the request. M3 will also inform them of their right to complain to the Information Commissioner’s Office or to seek a judicial remedy in the courts.

Subject to certain conditions, and in certain circumstances, data subjects also have the right to :

  • be informed, normally by an appropriate privacy notice;
  • request rectification of inaccurate or incomplete personal data :
    • unless there is an applicable exemption, M3 should rectify the personal data without undue delay and also communicate the rectification of the personal data to each recipient to whom the personal data have been disclosed, unless this is impossible or involves disproportionate effort;
  • request the erasure of their personal data :
    • M3 should erase the personal data without undue delay (provided one of the grounds set out in the data protection legislation applies and there is no applicable exemption) and communicate the erasure to each recipient to whom the personal data have been disclosed, unless this is impossible or involves disproportionate effort;
  • restrict the use or processing of their personal data, including its use to send them marketing, invitations or other requests :
    • where processing has been restricted in accordance with the grounds set out in the data protection legislation, M3 should only process the personal data (excluding storing them) with the data subject’s consent, in connection with legal claims, to protect the rights of another person or for reasons of important public interest and then M3 should communicate the restriction of processing the personal data to each recipient to whom the personal data have been disclosed, unless this is impossible or involves disproportionate effort and, prior to lifting the restriction, inform the data subject that it is to be lifted;
  • object to the processing of their personal data, including to ask M3 to stop processing their personal data where M3 is relying on the legitimate interests of the business as the basis for processing and there is something relating to their particular situation which makes them decide to object to processing on this ground :
    • where such an objection is made in accordance with the data protection legislation and there is no applicable exemption, M3 should no longer process the data subject’s personal data unless M3 can show compelling legitimate grounds for the processing which override the data subject’s interests, rights and freedoms or M3 is processing the personal data in connection with legal claims;
  • request the transfer of their personal data to another party so they can reuse them for their own purposes :
    • unless there is an applicable exemption, M3 should provide the personal data if the basis for the processing of the personal data is consent or pursuant to a contract and M3’s processing of those data is carried out by automated means;
  • not be subject to automated decision-making, including profiling :
    • unless there is an applicable exemption, M3 should no longer make related decisions unless the data subject is given the right to express their point of view and contest the decisions and one of the following applies :
      • the decision is necessary for entering into or to perform a contract between M3 and the data subject, or
      • the decision is authorised by applicable law which lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, or
      • the decision is based on the data subject’s explicit consent;
  • be notified of a data breach which is likely to result in a high risk to their rights and freedoms.

Where someone has consented to the use of their personal data for a specific purpose, they have the right to withdraw their consent for that specific purpose at any time, but without affecting the legitimacy of use based on consent before its withdrawal. Someone wishing to withdraw their consent to the processing of their personal data for a specific purpose should notify the Data Protection Manager. Once notified, M3 will no longer process the personal data for the purpose previously consented, unless M3 has another lawful basis for processing.

11. Changes to this policy

M3 will review this policy at regular intervals and reserves the right to update or amend it at any time. M3 will circulate any modified policy to members of staff and, where appropriate, may notify changes by e-mail.

It is intended that this policy is fully compliant with the data protection legislation. However, if any conflict arises between the data protection legislation and this policy, M3 will comply with the data protection legislation.