Privacy, Data & Information Security Policy

lifetask.co.uk

1. POLICY STATEMENT

LIFE TASK ("the Company") is committed to protecting the privacy, confidentiality, integrity and availability of all personal data and business information processed through its operations. As a recruitment, workforce solutions, training, outsourced staffing and consultancy organisation operating within the United Kingdom, the Company recognises its legal and ethical obligations to process information lawfully, fairly, securely and transparently.

The Company shall implement appropriate technical, organisational and administrative controls to protect personal information against unauthorised access, disclosure, alteration, destruction, loss or misuse.

This Policy establishes the framework governing the collection, processing, storage, transfer, retention and disposal of personal data and confidential information across all Company activities.

2. PURPOSE

The purpose of this Policy is to:
• Protect personal data and confidential business information.
• Ensure compliance with UK privacy and data protection legislation.
• Define responsibilities for handling information securely.
• Establish information security standards.
• Minimise the risks associated with data breaches.
• Protect candidates, workers, clients, suppliers and employees.
• Support business continuity and operational resilience.

3. SCOPE

This Policy applies to:
• Directors
• Employees
• Temporary Workers
• Agency Workers
• Contractors
• Consultants
• Trainers
• Recruitment Personnel
• Third-Party Service Providers
• IT Providers
• All individuals who process information on behalf of the Company

The Policy applies to the following information assets and systems:
• Paper records
• Electronic records
• Cloud-based systems
• Databases
• Recruitment software
• Payroll systems
• Training management systems
• Email systems
• Mobile devices
• Company websites
• Social media platforms

4. LEGISLATIVE FRAMEWORK

This Policy is governed by:

Primary Legislation
• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Privacy and Electronic Communications Regulations (PECR)
• Human Rights Act 1998
• Freedom of Information Act 2000 (where applicable)

Information Security Standards
• ISO 27001 Information Security Management Standard
• National Cyber Security Centre (NCSC) Guidance
• Cyber Essentials Scheme

Employment and Recruitment Regulations
• Employment Agencies Act 1973
• Conduct of Employment Agencies and Employment Businesses Regulations 2003
• Agency Workers Regulations 2010

5. DATA PROTECTION PRINCIPLES

The Company shall ensure that all personal data is processed in accordance with the following principles:

Lawfulness, Fairness and Transparency
Data shall only be processed where a lawful basis exists, and individuals shall be told how their data is used.

Purpose Limitation
Information shall only be collected for specified, explicit and legitimate purposes.

Data Minimisation
Only the information necessary for those purposes shall be collected.

Accuracy
Information shall be accurate and kept up to date.

Storage Limitation
Data shall not be retained for longer than necessary.

Integrity and Confidentiality
Appropriate security measures shall be maintained.

Accountability
The Company shall be able to demonstrate compliance with applicable legislation.

6. TYPES OF DATA PROCESSED

The Company may process:

Candidate Data
• CVs
• Employment history
• Qualifications
• References
• Right to Work documentation
• Contact information

Worker Data
• Payroll information
• Bank details
• Tax information
• National Insurance numbers
• Performance records

Employee Data
• HR records
• Attendance records
• Training records
• Disciplinary records

Client Data
• Business contacts
• Contract information
• Billing information

Special Category and Criminal Offence Data
Where necessary and lawful:
• Health information
• Disability information
• Diversity and equality data
• Criminal record information (where legally permitted)

7. LAWFUL BASIS FOR PROCESSING

The Company processes personal data under one or more of the following lawful bases (Article 6 UK GDPR):
• Consent
• Contractual necessity
• Legal obligation
• Legitimate interests
• Vital interests
• Public task (where applicable)

Special category data shall only be processed where, in addition, a condition under Article 9 UK GDPR applies (supported, where required, by a condition in Schedule 1 of the Data Protection Act 2018). Criminal record information is not special category data; it shall only be processed under Article 10 UK GDPR and a condition in Schedule 1 of the Data Protection Act 2018.

8. INFORMATION SECURITY CONTROLS

The Company shall implement:

Physical Security
• Controlled office access
• Visitor management systems
• Secure document storage
• Locked filing cabinets
• CCTV where appropriate

Technical Security
• Password management
• Multi-factor authentication
• Firewalls
• Anti-malware protection
• Data encryption
• Endpoint protection
• Secure cloud platforms
• Regular patch management

Administrative Controls
• Security policies
• Staff training
• Access control procedures
• Incident response procedures
• Data protection impact assessments

9. ACCESS CONTROL

Access to information shall be granted strictly on a need-to-know, least-privilege basis. The Company shall maintain:
• User account management procedures
• Role-based permissions
• Periodic access reviews
• Immediate revocation of access following termination of employment or engagement

10. DATA RETENTION

Information shall be retained only for as long as required for legitimate business and legal purposes. Indicative retention periods:

Recruitment Records: Up to 12 months after the conclusion of the recruitment process, unless consent is obtained for longer retention.
Employee Records: Up to 6 years after employment ends.
Payroll Records: Minimum of 6 years.
Right to Work Documentation: At least 2 years after employment ends.
Training Records: As required by law, client requirements or accreditation standards.

11. INTERNATIONAL DATA TRANSFERS

Where personal data is transferred outside the United Kingdom, the Company shall ensure appropriate safeguards are in place, including:
• The UK International Data Transfer Agreement (IDTA)
• UK adequacy regulations
• Other approved contractual safeguards

12. DATA SUBJECT RIGHTS

Individuals have the right to:
• Be informed
• Access their information
• Rectify inaccurate information
• Erase information (where applicable)
• Restrict processing
• Object to processing
• Data portability
• Not be subject to a decision based solely on automated processing

Requests shall be handled within statutory timescales (normally one month, extendable where requests are complex or numerous).

13. DATA BREACH MANAGEMENT

All suspected personal data breaches must be reported internally immediately. The Company shall:
• Investigate incidents promptly
• Assess the risk to individuals
• Implement corrective actions
• Record all breaches, whether or not they are notifiable
• Notify the Information Commissioner's Office (ICO) without undue delay, and within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to individuals
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to them

14. CYBER SECURITY

The Company shall maintain cyber security controls including:
• Vulnerability management
• Penetration testing
• Secure backups
• Incident response planning
• Business continuity arrangements
• Disaster recovery procedures

15. CONFIDENTIALITY

All employees and workers shall:
• Maintain the confidentiality of information
• Sign confidentiality agreements where required
• Avoid unauthorised disclosures
• Report suspected confidentiality breaches

Confidential information shall not be disclosed without lawful authority.

16. MONITORING AND AUDIT

The Company reserves the right to monitor its systems for:
• Security purposes
• Regulatory compliance
• Business continuity
• Fraud prevention

Monitoring shall be proportionate and lawful.

17. TRAINING

All personnel shall receive:
• Data Protection Training
• Information Security Awareness Training
• Cyber Security Awareness Training
• Annual Refresher Training

Training records shall be maintained.

18. RESPONSIBILITIES

Directors
Responsible for overall governance and compliance.

Data Protection Lead
Responsible for oversight of privacy compliance.

Managers
Responsible for implementation within their teams.

Employees and Workers
Responsible for compliance with this Policy.

19. BREACH OF POLICY

Failure to comply with this Policy may result in:
• Disciplinary action
• Termination of employment
• Contract termination
• Legal proceedings
• Regulatory penalties

20. REVIEW

This Policy shall be reviewed:
• Annually
• Following legislative changes
• Following major security incidents
• Following significant operational changes

Approved By: Board of Directors