Spinnaker Global Ltd and Spinnaker Global (Singapore) Pte Ltd (hereafter ‘Spinnaker’) need to gather and use certain information about organisations and individuals, including personal data.
These can include customers, jobseekers, suppliers, business contacts and employees – past, present and prospective – and other people the organisation has a relationship with or may need to contact.
This policy describes how this information and personal data are collected, handled and stored to meet Spinnaker’s data protection standards and to comply with the law.
Why this policy exists
This data protection policy ensures Spinnaker:
- Complies with data protection law and follows best practice
- Protects the rights of staff, jobseekers, customers, suppliers and partners
- Is open about how it stores and processes data
- Protects itself from data security risks and minimises the risk of data breaches
Data Protection Law
Data protection regulations prescribe how organisations process, collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other media. To comply with the law, personal information must only be collected and used fairly, stored safely and not disclosed unlawfully.
The UK Data Protection Act 1998 was superseded on 25 May 2018 by the General Data Protection Regulation (GDPR), supplemented in the UK by the Data Protection Act 2018, which set heightened standards for the personal data of individuals in the EU and UK. Full details of the GDPR and its principles and requirements are published by the Information Commissioner’s Office (ICO) – Refer: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Spinnaker’s processing of personal data is also subject to legislation in Singapore and other jurisdictions globally.
Key documents produced in accordance with this Policy (‘the Key Documents’)
- Client Data Processing and Sharing Policy
- Data Breach Management Procedure
- Legitimate Interest Assessment and Business to Business Marketing Policy
- Subject Access Request Form
Other documents impacted by this Policy and the Key Documents
- Workseeker terms and conditions
- Contingency Recruitment and Executive Search terms and conditions
- Terms and conditions for the various products and services of Spinnaker’s HR Consulting division
This policy applies to all Spinnaker employees, officers, contractors and sub-contractors and to all personal data that Spinnaker holds, which may include but is not limited to:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Curriculum vitae (CVs) and work histories
- Employment records
- Personality profiles
- References and opinions
- Proof of identification
- Salary and benefits data
Everyone who works for or with Spinnaker has responsibility for ensuring data is collected, stored and handled appropriately. Each person and team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
These people have key areas of responsibility:
- The board of directors is ultimately responsible for ensuring that Spinnaker meets its legal obligations.
- The Data Protection Lead is responsible for:
  - Keeping the board updated about data protection responsibilities, risks and issues.
  - Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  - Arranging data protection training and advice.
  - Handling data protection questions from staff and anyone else covered by this policy.
  - Dealing with subject access requests.
  - Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
- The Head of IT is responsible for:
  - Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  - Performing regular checks and scans to ensure security hardware and software is functioning properly.
  - Evaluating any third-party services the company is considering using to store or process data, for instance cloud computing services.
- The Head of Marketing is responsible for:
  - Approving any data protection statements attached to communications such as emails and letters.
  - Addressing any data protection queries from journalists or media outlets such as newspapers.
  - Ensuring marketing initiatives abide by data protection principles.
General Staff Guidelines
- The only people able to access and process data covered by this policy are those who need it to perform their duties.
- Personal data should not be shared informally.
- Spinnaker provides training to all employees to help them understand their responsibilities when handling data.
- Employees must keep all data secure by taking sensible precautions, following the guidelines below and observing the provisions of the Key Documents.
- In particular, strong passwords must be used and must never be shared informally.
- Personal data, specifically including but not limited to CVs, references and salary data, must not be disclosed to unauthorised parties, either within the company or externally.
- Data should be reviewed regularly and corrected where it is found to be out of date. Data that is no longer required must be deleted and disposed of securely.
- Employees should request help from their line manager or the Data Protection Lead if they are unsure about any aspect of data protection.
- Employees must notify the Data Protection Lead and Head of IT of any instance of suspected data breach without delay.
When data is stored on paper, it should be kept in a secure location where unauthorised people cannot see or access it.
Data that is usually stored electronically but has been printed out for some reason:
- Should be kept safely stored when not in use.
- Should not be left where unauthorised people can see it, such as on a printer.
- Should be disposed of securely when no longer required.
When data is stored and used electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Computer screens should be locked when left unattended.
- Employees should work on, amend and save the central copy of any data, and should avoid making duplicates or saving multiple versions unless absolutely necessary.
- When sending data by email, care must be taken to ensure it is sent to the correct recipient.
- Data should be protected by strong passwords that are never shared between employees unless necessary to enable them to perform the role for which they are employed.
- If data is stored on removable media (like a USB pen drive), these should be kept locked away securely when not being used and the data erased as soon as no longer required.
- Data should only be stored on designated drives and servers and should only be uploaded to approved cloud computing services.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently.
- Personal data must never be saved to employees’ personal PCs, laptops, tablets or smartphones. It should be saved to work devices only when absolutely necessary to enable employees to perform their duties, and deleted when no longer required.
- All servers and computers containing data should be protected by approved security software and a firewall.
Questions about storing data safely can be directed to the Head of IT.
Spinnaker is required to take reasonable steps to ensure data is kept accurate and up to date.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
- Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
- Spinnaker makes it easy for data subjects to update the information Spinnaker holds about them. For instance, via the company website.
- Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
- It is the Head of Marketing’s responsibility to ensure marketing databases are proactively managed and updated, especially to ensure removal of the personal data of data subjects who object to the processing of their data.
Subject Access Requests
All individuals who are the subject of personal data held by Spinnaker are entitled to:
- Ask what information the company holds about them and why.
- Access their personal data and supplementary information.
- Have their personal data rectified if it is inaccurate or incomplete.
- Request erasure of their personal data (the right to be forgotten).
- Block or suppress (restrict) processing of their personal data.
- Obtain and reuse their personal data for their own purposes (the right to data portability).
- Object to their data being processed, e.g. for direct marketing.
Subject access requests from individuals should be made by email, addressed to, or forwarded on internally to, the Data Protection Lead (firstname.lastname@example.org). The Data Protection Lead will always verify the identity of anyone making a subject access request and, once identity is verified, will endeavour to fulfil the request and provide the relevant data and/or confirmations within 30 days.
Disclosing data for other reasons
In certain circumstances, personal data may be disclosed without the consent of the data subject, pursuant to a court order and/or to appropriate authorities where Spinnaker is legally obliged to do so.
Spinnaker aims to ensure that individuals are aware that their data is being held and processed, and that they understand:
- How the data is being used
- How to exercise their rights