Introduction
In conducting its business, Jigowatt by necessity is required to collect and use personal data relating to its employees. Jigowatt also stores personal data files on behalf of its clients, and processes these in accordance only with its clients’ instructions.
The applicable Data Protection law is EU Regulation 2016/679, which is known as the EU General Data Protection Regulation – hereafter “the GDPR”. At the same time as the GDPR, in the UK, the Data Protection Act 2018 came into force. This defers entirely to the GDPR for all activity within the GDPR’s scope, but is necessary in order to implement the UK-specific aspects. For example, the 2018 Act updates provisions for the UK’s Data Protection Supervisory Authority, the Information Commissioner’s Office (ICO). It also extends a broadly equivalent regime in the UK to policy areas not within the GDPR’s scope, e.g. law enforcement and intelligence services. For this Jigowatt Policy, the term ‘GDPR’ is used to apply to the entire body of applicable Data Protection law.
The GDPR lays down strict procedures for the collection, storage, dissemination and usage of personal data. Its aim is to safeguard an individual’s rights of privacy, by ensuring that the person about whom personal data is being collected is aware of the activity, what information is being gathered, and, where appropriate, consents to its collection and the purpose(s) of its use. The GDPR also lays down strict guidelines for the safeguarding of any data collected, as well as disclosure of the data to any third party, and for its subsequent disposal.
The types of business activities that Jigowatt engages in, i.e. in relation to the collection, storage, dissemination and usage of personal data, mean that Jigowatt is defined under the GDPR as a “Processor” (hereafter “Data Processor”). The GDPR makes it clear that a Data Processor carries out its functions in relation to personal data “only on documented instructions from the controller” (GDPR Article 28).
In the Jigowatt case, the “controller” (hereafter the “Data Controller”) is ‘the client’, because it is the client who defines the purpose and legal basis for collecting and processing personal data. The main caveat here is that Jigowatt may at some point(s) be obliged to act independently in order to comply with a separate applicable law. If such a case arises, Jigowatt is obliged to inform the respective Data Controller of its action(s).
As a Data Processor, Jigowatt can decide, within the terms of the agreement/contract with the Data Controller:
- what IT systems or other methods to use to collect personal data
- how to store the personal data
- the detail of the security surrounding the personal data
- the means used to transfer the personal data from one organisation to another
- the means used to retrieve personal data about certain individuals
- the method for ensuring a retention schedule is adhered to
- the means used to delete or dispose of the data
The Jigowatt Data Privacy Manager is responsible for the monitoring and implementation of this policy. If you have any questions about the content of this policy or other comments, you should contact John Conmy, Jigowatt Data Privacy Manager.
Email: john.conmy@jigowatt.co.uk
Address:
Jigowatt Ltd.
4 Office Village, Forder Way, Cygnet Park,
Peterborough,
Cambridgeshire
PE7 8GX.
Tel: 01733 267775
ICO Registration
Jigowatt is registered with the Information Commissioner’s Office under registration number ZA297127.
Policy Statement
Jigowatt pledges to be GDPR-compliant, whilst recognising that GDPR-compliance is not a standard. Rather it is an ongoing process, which requires that Jigowatt be accountable for ensuring that ‘appropriate technical and organisational measures’ are implemented and maintained, and that policies and procedures are in place, up-to-date and embedded in the organisation. In all of its day-to-day operations where personal data is collected and processed, Jigowatt will ensure that it abides by the GDPR, notably in relation to the data privacy rights of individuals, as outlined in the GDPR, and overall in terms of adhering as closely as possible to the GDPR’s ‘Six Principles’.
Jigowatt expects all employees to adhere to this Data Protection policy and the procedures designed to ensure compliance with the GDPR. Given the potentially severe consequences to Jigowatt of non-compliance with the GDPR, it is Jigowatt’s policy to regard any wilful breach of the organisation’s Data Protection Policy, and of the procedures designed to comply with the GDPR, as an act of gross misconduct. If proved, this could result in instant dismissal for the employee(s) involved.
The policy covers data stored on all data storage systems, including portable storage devices and all manual filing systems, and all locations at which employees undertake work on behalf of Jigowatt, e.g. when working from home or any other remote location.
This policy adheres to the ‘checklist’ set out by the ICO, and the proposals as detailed in the Jigowatt ICO Data Protection Register entry.
3.1 Responsibilities
This document outlines the policy and procedures adopted by Jigowatt to handle all personal data within the organisation. The dissemination and updating of the policy is the responsibility of the Data Privacy Manager, who will review the policy with respect to changes in Data Protection legislation. All employees will be expected to adhere to the policy and procedures and to seek advice and clarification on any issues that may arise.
Jigowatt accepts that Andy Donovan (Jigowatt Director) has ultimate accountability for implementing the policy, but all employees have an essential and individual responsibility in implementing and maintaining Jigowatt’s legal compliance with the GDPR. As a minimum, all employees must adhere to the policy, as set out in this document, and make known to Andy Donovan and/or the Data Privacy Manager any issues affecting the security of personal information.
Each employee is responsible for implementing the policy in their area, for ensuring that its principles and requirements are complied with at all times, and for delivering the following points:
- Ensuring Andy Donovan is aware of any risk management issues affecting data protection, and that all decisions where personal data is involved reflect the organisation’s Data Protection Policy and obligations
- Promoting data protection principles, compliance and best practice within the Jigowatt team
3.2 Terminology used in this document
Data Controller: The Data Controller determines the purpose(s) for collection and processing of personal data, the types of data and the legal basis (as listed under Article 6, GDPR) for that processing.
Data Processor: A Data Processor is responsible for processing personal data, but only on the explicit written instructions of a Data Controller.
Data Processing: Any action relating to personal data held, e.g. the electronic or manual ordering, storing, adding, amending, copying, manipulating, reporting, printing or retrieving of personal information held electronically or in a manual paper filing system.
Personal Data (Personal Information): Any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier; that is, information applicable to a single individual or that can be linked either directly or indirectly to an individual.
Data Subject: The individual (‘natural person’ is the legal term) whose personal data/information is being processed.
ICO: UK Information Commissioner’s Office, the independent authority that acts as the Data Protection ‘supervisory authority’ in the UK, and advises on, upholds and issues guidance for the GDPR, the 2018 UK Data Protection Act, and all other applicable laws.
3.3 The GDPR Principles
Jigowatt shall, as far as reasonably practicable within its function as a Data Processor, ensure that it handles all personal data according to the GDPR’s ‘Six Principles’, as follows.
All personal data held by Jigowatt is:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Retained only for as long as necessary
- Processed in an appropriate manner to maintain security
Jigowatt will therefore ensure, as far as is possible in its role as Data Processor, that appropriate measures are taken through the management and strict application of criteria and controls by:
- Observing all conditions regarding the fair collection and use of personal data
- Understanding and recording the purposes for which all personal data is processed
- Processing personal data only to the extent that it is needed to fulfil the instructions of our clients or to comply with any legal requirements
- Ensuring the quality/accuracy of information used
- Ensuring that the information is held for no longer than is necessary, according to the time-limits instructions of our clients
- Ensuring that the rights of people about whom information is held can be fully exercised under the GDPR (i.e. the right to be informed that processing is being undertaken; to access one’s personal information; to prevent processing in certain circumstances; and to correct, rectify, block or erase certain information)
- Taking appropriate technical and organisational security measures to safeguard personal information.
3.4 Responsibilities of Jigowatt employees
It is the responsibility of Andy Donovan (Jigowatt Director) to:
- Ensure the monitoring of Jigowatt’s compliance with the GDPR, and to ensure that Jigowatt Data Protection Policy and procedures are revised as and when necessary
- Identify non-compliance issues where they arise, inform relevant Data Controllers and oversee the development and implementation of suitable corrective measures
- Ensure all data is secure on network server systems, liaising with IT Supplier(s)
- Ensure the education of all employees in the handling of data in compliance with the GDPR, and inform them of any changes in Data Protection Policy and relevant procedures
- Ensure this document is available to all employees, Data Subjects upon request, and relevant third parties where required
- Ensure all employees are aware of the provisions of the GDPR, as outlined in the six principles
It is the responsibility of employees to:
- Ensure all data is accurate and stored only for the minimum length of time specified by the client and needed to serve the purpose for which it was collected
- Delete or amend information upon request from Data Subjects
- Ensure that no information is transported in file or electronic form unless it complies with the principle of fair processing and is securely protected by strong password and encryption methods
- Notify Andy Donovan of changes in the notification purposes of data held vis-à-vis the ICO register, and any non-compliance or risks to data security that may have been discovered
- Request guidance from Andy Donovan on any aspect of the GDPR that is not clearly understood
All the above applies to all work carried out for Jigowatt, whether from a Jigowatt office, from the employee’s home or from any other location remote from colleagues, infrastructure or other Jigowatt IT assets or systems.
3.5 Rights of Access to Information
Individuals have a right of access to information held about them by Jigowatt. As Jigowatt acts only on behalf of its clients, any request should be passed on to the client (as Data Controller) who, in conjunction with Jigowatt, will check the validity of the claim and initiate the data collection process.
Upon receipt of a request and/or instruction from a Data Controller, or direct from a Data Subject or their legal representative, Jigowatt will contact the individual making the request to clarify the following:
- The identity of the person requesting the information and, if not the Data Subject, the legal right they may have to the information
- The information required (if it falls within the scope of the GDPR)
- The format the information is to be sent in and how the information is to be delivered
- In cases where there might be disproportionate effort required, the amount of the fee payable for supply of the requested data
- The time period for completion of the request; the GDPR stipulates up to one month, which can only be extended with the written agreement of the Data Subject or legal guardian.
The one-month working period will start on the agreement date, or when the fee is paid, if such a fee is required.
3.6 External Services Compliance: Third Party
Any vendor performing updates, maintenance, installation or reviews of the computer network system, either internally or through a remote connection, must demonstrate to the Data Controller and to Jigowatt, as the Data Processor, that they adhere to the Data Protection principles set out in this document. The Data Controller or Jigowatt may request a copy of the vendor’s Data Protection policy before any work is carried out, and may refuse access to the network if the vendor does not satisfy the requirements of this policy and its procedures.
3.7 Data Accuracy
In conjunction with the Data Controller, Jigowatt will take all reasonable steps to ensure that all personal data held in relation to clients, clients’ own customers and Jigowatt’s employees is accurate and up to date.
Individuals must notify the Data Controller and/or Jigowatt of any changes to information held about them; individuals have the right to request that inaccurate information be corrected or deleted.
3.8 General Data Storage/Information Security
Jigowatt outsources IT services to a company that ensures all data is backed up appropriately, passwords are changed regularly and systems are securely managed.
When data is stored electronically, it must be protected from unauthorised access and accidental deletion.
When data is stored on paper, it should be stored in a secure place where unauthorised people cannot access or see it.
When not required, the paper or files should be kept in a locked drawer or filing cabinet and should be shredded when no longer needed.
Only those individual employees and/or third parties with a need to access personal data will be authorised to have access. Employees should always make sure paper and printouts are not left where unauthorised people could see them. Access to personal information should be regularly reviewed to ensure that information is accessible to authorised employees only.
Personal data will only be kept as long as it is necessary for the stated purpose(s), and all data will be safely and securely destroyed when it is no longer needed. Employees should follow Jigowatt’s data retention policy.
Personal data is not currently passed on to any other organisation for them to undertake direct marketing. As a Data Processor, Jigowatt only acts on the instructions of its clients.
For further information on UK Data Protection/Privacy law, notably the implementation and guidance on the GDPR, see the website of the UK Information Commissioner (ICO).