All employees of UNIVERSAL RELOCATIONS who process personal data must comply with the Data Protection Act of URS.
This Procedure & policy applies to:
- All branches of UNIVERSAL RELOCATIONS
- All employees of UNIVERSAL RELOCATIONS
- All contractors, suppliers and other people working on behalf of UNIVERSAL RELOCATIONS
It applies to all data that the UNIVERSAL RELOCATIONS holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- …plus any other information relating to individuals/customers
Everyone who works for or with UNIVERSAL RELOCATIONS has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
The Top Management is ultimately responsible for ensuring that UNIVERSAL RELOCATIONS meet its legal obligations.
All employees who deals with data are responsible for:
- Keeping the board updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Arranging data protection training and advice for the people covered by this policy.
- Handling data protection questions from employee and anyone else covered by this policy.
- Dealing with requests from individuals to see the data UNIVERSAL RELOCATIONS holds about them
- Checking and approving any contracts or agreements with third parties that may handle UNIVERSAL RELOCATIONS‘s sensitive data.
The IT personnel, is responsible for:
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluating any third-party services the UNIVERSAL RELOCATIONS is considering using to store or process data. For instance, cloud computing services.
The sales & marketing personnel, is responsible for:
- Approving any data protection statements attached to communications such as emails and letters.
- Is responsible for communicating the data protection policy to the customer and obtaining their consent
- Where necessary, working with other employee to ensure marketing initiatives abide by data protection principles.
TERMS AND DEFINITIONS
- Data Protection Officer – means a person in UNIVERSAL RELOCATIONS who decides the purposes for which and the way in which personal data is processed. The UNIVERSAL RELOCATIONS HR Dept is the Data Protection in respect of employee and Employee personal data.
- Personal Data – means information about a living person who can be identified by that information or by that information together with other information that the Data Protection Officer has or is likely to obtain.
- Data Subject – all employees of UNIVERSAL RELOCATIONS are data subjects under the Act. Other definitions are set out in the body of the text where appropriate
DATA PROTECTION PRINCIPLES
All personal data must be processed in accordance with the eight Data Protection Principles. The essence of these principles is set out below together with brief, nonexhaustive practical examples of when these principles may have relevance to you.
Personal data must:-
- Be processed fairly and lawfully;
- Be collected with the consent of the individual client after explaining the purpose and the necessity of the data. Example- collecting passports,PIO cards etc.,
- The individual will have the right to refuse the collection or processing of his personal data unless it is required by the Law.
- Be obtained only for one or more specified or lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes; Example – passports collected from clients should only be used for Customs clearance and not be misused .
- Be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
- Be accurate and, where necessary, kept up-to-date;with reference to customer content details ,address, phone numbers etc.,
- Employee must notify changes of name, address, telephone number, bank and marital status to the HR Department soon as possible. The HR Department will endeavor, periodically, to ask employee to confirm that such personal data held by the UNIVERSAL RELOCATIONS is accurate. Employees should advise the UNIVERSAL RELOCATIONS of any changes to their contact details or to any other details that may be of relevance.
- Not be kept for longer than is necessary, passports or educational certificates to be returned after scan soon as the required task is completed
- As an example, as an Employee of the UNIVERSAL RELOCATIONS, some parts of your UNIVERSAL RELOCATIONS record may be deleted from computer or destroyed (if manually recorded) at the end of the sixth year following the year in which you leave the UNIVERSAL RELOCATIONS. The reason that the UNIVERSAL RELOCATIONS retains this information is to assist in establishing facts in the event of a dispute.
- For example, individuals have a right of access to the information that the UNIVERSAL RELOCATIONS holds about them. Upon receipt of a written subject access request UNIVERSAL RELOCATIONS shall disclose all the information that it is required to do so by law
- If any member of employee receives any letter from a customer, business contact, other employee, Employee or any other third party requesting any
- information about them then they must pass the letter to the Data Protection Officer immediately.
- Employees should, if they are making a subject access request of UNIVERSAL RELOCATIONS, send their access request to the Data Protection Officer
- Access to personal data must be restricted to authorised individuals for approved purposes
- Be protected by appropriate technical and organisational measures against unauthorised or unlawful processing, against accidental loss or damage.
- UNIVERSAL RELOCATIONS must take steps to put in place technical methods (i.e. firewalls, encryption, password protection, etc.) or organisational methods (hierarchy of access to personnel files, locking cabinets etc.) of protecting personal data where the importance of the personal data makes this appropriate.
- All Employees who have access to personal data controlled by the UNIVERSAL RELOCATIONS whether or not on computer, and whether in the office or at home or elsewhere, must take adequate precautions to ensure confidentiality so that neither the UNIVERSAL RELOCATIONS, nor any individual employed by the UNIVERSAL RELOCATIONS, becomes exposed to criminal or civil liability as a result of the loss, destruction or disclosure of personal data. All individuals must fully comply with all UNIVERSAL RELOCATIONS procedures and requirements in this regard.
- Laptops are particularly vulnerable to theft, especially when used outside of UNIVERSAL RELOCATIONS premises. In these circumstances, employee must keep laptops in their possession at all times unless they have been deposited in a secure location such as a locked closet or a hotel safe.
- Personal data should not be stored on laptops unless this is unavoidable and appropriate security measures have been implemented following a risk assessment. This will comprise an encryption and security system. These measures will apply to portable data storage media such as DVDs, mini hard disk drives and USB flash memory data sticks. • Personal data must not be transmitted over the Internet unless appropriate encryption methods are used.
- Personal data must not be sent to a third party on portable storage media or in paper form by conventional post. A secure delivery service must be used.
Employee should ensure security of employment or Employee records (whether paper records or computerised) at all times, including out with the UNIVERSAL RELOCATIONS premises. Employee must not leave personal data on screen or on desk tops when they are not at their desks. Paper records should be stored securely unless under active consideration. A clear desk policy should be observed
DATA PROTECTION RISKS
This policy helps to protect UNIVERSAL RELOCATIONS from some very real data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the UNIVERSAL RELOCATIONS uses data relating to them.
- Reputational damage. For instance, UNIVERSAL RELOCATIONS could suffer if hackers successfully gained access to sensitive data.
GENERAL EMPLOYEE GUIDELINES
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
- UNIVERSAL RELOCATIONS will provide training to all employees to help them understand their responsibilities when handling data.
- Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords must be used and they should never be shared.
- Personal data should not be disclosed to unauthorized people, either within the UNIVERSAL RELOCATIONS or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
- Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or Data Protection Officer. When data is stored on paper, it should be kept in a secure place where unauthorized people cannot see it
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Employees should make sure paper and printouts are not left where unauthorized people could see them, like on a printer.
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorized access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
- Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing services.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently. Those backups should be tested regularly, in line with the UNIVERSAL RELOCATIONS’s standard backup procedures.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
- All servers and computers containing data should be protected by approved security software and a firewall.
Personal data is of no value to UNIVERSAL RELOCATIONS unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
- Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorized external contacts.
- Personal data should never be transferred outside of the UNIVERSAL RELOCATIONS without permission of Top Management.
- Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
The law requires UNIVERSAL RELOCATIONS to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort UNIVERSAL RELOCATIONS should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Employee should not create any unnecessary additional data sets
- Employee should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
- UNIVERSAL RELOCATIONS will make it easy for data subjects to update the information UNIVERSAL RELOCATIONS holds about them. For instance, via the UNIVERSAL RELOCATIONS website.
- Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
SUBJECT ACCESS REQUESTS
All individuals who are the subject of personal data held by UNIVERSAL RELOCATIONS are entitled to:
- Ask what information the UNIVERSAL RELOCATIONS holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the UNIVERSAL RELOCATIONS is meeting its data protection obligations.
If an individual contact the UNIVERSAL RELOCATIONS requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email, addressed to the Data Protection Officer at firstname.lastname@example.org The Data Protection Officer can supply a standard request form, although individuals do not have to use this.
The Data Protection Officer will always verify the identity of anyone making a subject access request before handing over any information.
DISCLOSING DATA FOR OTHER REASONS
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, UNIVERSAL RELOCATIONS will disclose requested data. However, the Data Protection Officer will ensure the request is legitimate, seeking assistance from the board and from the UNIVERSAL RELOCATIONS’s legal advisers where necessary.
PROVIDING INFORMATION ABOUT THE POLICY
UNIVERSAL RELOCATIONS aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights
To these ends, the UNIVERSAL RELOCATIONS will provide an individual with access to view this document by publishing this in our website.
Any breaches of this Procedure in relation to personal data security will result in disciplinary action and, in serious cases, may result in the dismissal or the expulsion of an Employee.
Employees will be authorized to gain access to certain computer systems, programs, and data. No employee must attempt, alone or with others, to gain access to data or programs to which they have not been authorized to gain access.
Employees must not disclose personal details of other employees or Employees to unauthorized third parties where this information is personal data in respect of which the UNIVERSAL RELOCATIONS is the Data Protection Officer.
SURVEILLANCE AT WORK
The UNIVERSAL RELOCATIONS has a legitimate interest in monitoring the behavior of its employee and Employees that attend the UNIVERSAL RELOCATIONS. For instance, UNIVERSAL RELOCATIONS may wish to carry out monitoring in order to:
- Detect harassment or other inappropriate behavior;
- Monitor performance of its employee or of Employees where this is appropriate;
- Monitor and detect the outward transmission of confidential information;
- Prevent and detect theft of UNIVERSAL RELOCATIONS property;
- Prevent or detect any unlawful act;
- Monitor adherence to this and other policies;
Monitoring can take several forms. It can involve monitoring by way of Closed Circuit Television (CCTV), e-mail and Internet monitoring or telephone monitoring. More detailed information about the monitoring of the Internet and e-mail activity can be found in the UNIVERSAL RELOCATIONS IT Policy. The UNIVERSAL RELOCATIONS holds information on the destination and duration of calls made from the UNIVERSAL RELOCATIONS telephone system and may use this information if misuse of the system is suspected. Below, the UNIVERSAL RELOCATIONS sets out its policy with regard to the use of CCTV cameras.
In carrying out such monitoring the UNIVERSAL RELOCATIONS may use CCTV cameras in what are considered to be “public” areas of the workplace. Generally, the use of such CCTV Cameras shall be notified by using suitable signage at obvious places at the entrance to the monitored areas, however, (even in the absence of such signage) Employees and employee should be aware that public space within UNIVERSAL RELOCATIONS premises may be monitored in this way.
The UNIVERSAL RELOCATIONS may also monitor through the use of covert CCTV but it shall only do so where specific criminal activity has been identified. Before starting any use of covert CCTV the UNIVERSAL RELOCATIONS will have made an impact assessment concluding that notifying employees of the use of such covert monitoring would prejudice the investigation and that the use of covert monitoring techniques is a proportionate response to the behavior in question. Where appropriate, (but at its absolute discretion) the UNIVERSAL RELOCATIONS may involve the law enforcement authorities in such monitoring.
A failure on the part of the UNIVERSAL RELOCATIONS to comply with the Data Protection Principles and the conditions for processing personal data stipulated by UAE Federal Law may result in a court order to correct, erase or destroy inaccurate or out of date personal data or to change the way we process personal data. In addition, the court may award compensation arising from a breach of the Law in some circumstances.
Where an individual suffers damage or loss because of unauthorized disclosure, inaccurate or missing data, or the loss or destruction of data in relation to him/her, he/she may seek compensation from the courts.