Data Protection Policy
lifetask.co.uk
PURPOSE
The Company is committed to protecting the privacy, confidentiality, integrity, and availability of personal data. This Policy establishes the standards and procedures that all employees, workers, contractors, consultants, and third parties must follow when processing personal information.
The Company shall comply with:
• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Privacy and Electronic Communications Regulations (PECR)
• Information Commissioner’s Office (ICO) guidance
SCOPE
This Policy applies to:
• Directors
• Employees
• Temporary workers
• Contractors
• Consultants
• Recruitment personnel
• Training personnel
• Third-party service providers
The Policy applies to all personal data processed in electronic, paper, verbal, visual, or digital form.
DEFINITIONS
Personal Data
Any information relating to an identified or identifiable individual.
Special Category Data
Personal information requiring enhanced protection, including:
• Health information
• Ethnic origin
• Religious beliefs
• Biometric data
• Trade union membership
• Sexual orientation
Processing
Any activity involving personal data including:
• Collection
• Recording
• Storage
• Use
• Sharing
• Modification
• Deletion
DATA PROTECTION PRINCIPLES
The Company shall ensure personal data is:
Lawful, Fair and Transparent
Personal information must be processed lawfully and individuals must understand how their data is used.
Purpose Limitation
Data shall only be collected for specified, explicit, and legitimate purposes.
Data Minimisation
Only information necessary for business purposes shall be collected.
Accuracy
Reasonable steps shall be taken to ensure information remains accurate and up to date.
Storage Limitation
Information shall not be retained longer than necessary.
Integrity and Confidentiality
Appropriate security measures shall be implemented to prevent unauthorised access, disclosure, or loss.
Accountability
The Company shall demonstrate compliance with data protection laws through documented policies, procedures, training, and monitoring.
RESPONSIBILITIES
Board of Directors
The Board is ultimately responsible for ensuring compliance with data protection legislation.
Management
Managers must:
• Promote compliance
• Monitor staff adherence
• Report data breaches
• Ensure appropriate training
Employees and Workers
All personnel must:
• Follow this Policy
• Protect personal information
• Report breaches immediately
• Complete required training
• Use information only for authorised purposes
COLLECTION OF PERSONAL DATA
The Company may collect information from:
• Job applications
• CVs and résumés
• Recruitment interviews
• Client engagements
• Training enrolments
• Employment records
• Website forms
• Electronic communications
Collection must always be relevant and necessary.
SPECIAL CATEGORY DATA
Special Category Data shall only be processed where:
• Explicit consent has been obtained;
• A legal obligation exists;
• Employment law requirements apply;
• Health and safety obligations require processing;
• Other lawful exemptions apply under UK GDPR.
Additional security measures shall be applied to such information.
RECRUITMENT DATA
Recruitment teams shall ensure:
• Candidate data is collected fairly.
• Applicants are informed of processing activities.
• Information is only shared with authorised client organisations.
• Candidate records are stored securely.
• Unsuccessful candidate data is retained only for approved retention periods.
RIGHT-TO-WORK INFORMATION
The Company may process:
• Passports
• Immigration documents
• Visa records
• Share Code verification results
Such information shall only be used for compliance with immigration and employment legislation.
TRAINING RECORDS
Training records may include:
• Attendance records
• Assessment results
• Qualification records
• Certification records
These records shall be protected and retained in accordance with legal and contractual requirements.
DATA SHARING
Personal information may only be disclosed where:
• The individual has consented;
• A contractual requirement exists;
• A legal obligation applies;
• A legitimate business interest exists.
Recipients may include:
• Client organisations
• Government agencies
• Professional advisers
• Payroll providers
• Pension providers
• Regulatory authorities
• Approved training partners
INTERNATIONAL DATA TRANSFERS
Where personal data is transferred outside the United Kingdom, appropriate safeguards shall be implemented, including:
• Adequacy regulations;
• International Data Transfer Agreements (IDTAs);
• Other approved safeguards.
DATA SECURITY REQUIREMENTS
The Company shall implement:
Physical Security
• Secure offices
• Locked storage
• Visitor controls
Technical Security
• Password controls
• Multi-factor authentication
• Antivirus protection
• Encryption
• Secure backups
Administrative Security
• Staff training
• Access controls
• Security monitoring
• Confidentiality obligations
ACCESS CONTROL
Access to personal data shall be restricted according to business need.
Personnel must:
• Access only information necessary for their role;
• Never share passwords;
• Lock devices when unattended;
• Protect confidential records.
DATA BREACH MANAGEMENT
A personal data breach may include:
• Loss of documents;
• Unauthorised disclosure;
• Hacking incidents;
• Misdirected emails;
• Theft of devices.
Any suspected breach must be reported immediately to management.
The Company shall:
• Investigate the incident;
• Assess risks;
• Mitigate harm;
• Notify the ICO where legally required;
• Notify affected individuals where appropriate.
INDIVIDUAL RIGHTS
Individuals may exercise the following rights:
• Right of Access
• Right to Rectification
• Right to Erasure
• Right to Restrict Processing
• Right to Data Portability
• Right to Object
• Rights relating to Automated Decision-Making
Requests shall be handled within statutory timescales.
TRAINING AND AWARENESS
All personnel shall receive:
• Data protection induction training;
• Refresher training;
• Role-specific guidance where necessary.
Training records shall be maintained.
MONITORING AND COMPLIANCE
The Company may conduct:
• Internal audits;
• Compliance reviews;
• Security assessments;
• Record inspections.
Failure to comply with this Policy may result in disciplinary action.
POLICY BREACHES
Any deliberate misuse of personal data may result in:
• Disciplinary action;
• Contract termination;
• Legal action;
• Regulatory reporting.
POLICY REVIEW
This Policy shall be reviewed annually or sooner where:
• Legislation changes;
• ICO guidance changes;
• Business activities change;
• Significant incidents occur.
RELATED DOCUMENTS
• Privacy Notice
• Information Security Policy
• Data Retention Policy
• Cookies Policy
• Incident Management Procedure
• Employee Handbook