Data Protection Policy

Introduction

The Data Protection Act, 1998 (the “DPA”) governs the way in which we, as a business, are required to handle, manage and store data on individuals. Failure to comply with the DPA can result in serious consequences, including monetary fines of up to £500,000, for both the Company and certain individuals. Our Company is fully committed to compliance with the DPA. The aim of this policy is to describe how the Company will fulfil its obligations.

Green Deal Consortia Ltd needs to collect, utilise and have access to third party data for a number of purposes as part of the normal functions of our business.  In collecting and using this data we are committed to protecting an individual’s right to privacy with regard to the processing of personal data and this policy has been adopted to support this.

The Data Protection Principles

The DPA sets out 8 Principles of data protection. This Company fully endorses the 8 Principles and considers the lawful and correct treatment of personal information as important to the success of the business. We aim to ensure adherence to the DPA and the 8 Principles by the adoption of strict processes and controls which will be in place throughout the business.

The 8 Principles require that personal information shall:

  • be processed fairly and lawfully;
  • be obtained for one or more specified and lawful purposes and shall not be processed in any manner incompatible with that purpose or those purposes;
  • be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
  • be accurate and, where necessary, kept up to date;
  • not be kept for longer than is necessary for the specified purpose(s);
  • be processed in accordance with the rights of data subjects under the Act;
  • be subject to appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data or the accidental loss, damage or destruction of, or damage to, personal data; and
  • not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures that an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Scope

This policy applies to all personal information of individuals obtained, held, stored, processed, used or shared by the Company. All employees will be required to comply with the 8 Principles and the DPA including any applicable procedures or processes adopted by the Company in relation to personal data.

Disclosure

Green Deal Consortia Ltd may share data with other agencies such as the Landmark Database and our finance partners.

The customer will be made aware when personal details are collected that they may possibly be shared this is known as informed consent. Details of to whom and how their information will be shared with will be made clear within relevant documentation.

Green Deal Consortia Ltd regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.

Sub-contactors, agents and vendors

Subcontractors agents and vendors may from time to time have to have access to personal information regarding Green Deal Consortia Ltd customers.

Non-disclosure agreements will be issued to and signed by these parties before they subcontract for Green Deal Consortia Ltd.

Sub-contractors agents and venders will be restricted from areas within the Green Deal Consortia Ltd offices where personal details are processed.

Data Storage and Access

Information and records relating to our customers will be stored securely and will only be accessible to authorised staff using passwords and encryption.

Passwords will be changed regularly.

Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately.

Members of staff will have access to personal data only where it is required as part of their functional remit.

Green Deal Consortia Ltd will detect and investigate any breaches of security if they occur by producing audit trails that log access to personal data that can be attributed to a particular person.

A backup filing system will be utilised to protect personal data being lost through flood, fire or other catastrophe.

It is Green Deal Consortia Ltd responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party.

In addition, Green Deal Consortia Ltd will ensure that:

  • Staff processing personal information understands that they are contractually responsible for following good data protection practice
  • Staff are made aware that the Data Coordinator and Directors have the right to and will monitor emails and other data and processes conducted by staff
  • Everyone processing personal information is appropriately supervised
  • Anybody wanting to make enquiries about handling personal information knows what to do
  • It deals promptly and courteously with any enquiries about handling personal information
  • It describes clearly how it handles personal information
  • It will regularly review and audit the ways it hold, manage and use personal information
  • It regularly assesses and evaluates its methods and performance in relation to handling personal information
  • All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them. This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998.

Roles and Responsibilities

Managing Director

The Managing Director shall have overall responsibility for data protection compliance across the business. Responsibilities include

  • ensuring suitable resources and direction are given to data protection issues;
  • monitor, via reporting from managers and the Data Protection Coordinator, the effectiveness of data protection systems within the business.
  • Working with the Data Protection Coordinator to ensure that Green Deal Consortia Ltd continues to be compliant with any Audit requirements as a finance broker.
Managers

Managers shall have responsibility for ensuring that this policy and data protection procedures are adopted and communicated within their business area/department. Responsibilities include

  • development of data protection procedures relevant to their business area/department;
  • regular monitoring of data protection compliance; and
  • ensuring effective communication to employees and training of employees in data protection guidelines and procedures of the business.
  • continued involvement within employee training program

Employees

All employees must

  • familiarise themselves with the data protection policies and procedures affecting their business area/department;
  • undergo training conducted by the data protection coordinator and be deemed to reach an adequate standard before being authorised to work unsupervised on the Landmark or other data base systems
  • fully support the business and their managers in the implementation of data protection policies and procedures of the business; and
  • report any data protection incidents to their line manager/supervisor.
Data Protection Coordinator

This is the person nominated by Green Deal Consortia Ltd from time to time and is currently Stuart Jackson who is deemed competent in the area of data protection. The Data Protection Coordinator shall be responsible for;

  • communicating any changes in data protection legislation and requirements which the business must fulfill;
  • provide advice and support to managers and the business on data protection requirements;
  • maintain a log of all data protection incidents and reporting of such incidents to the Information Commissioner, the relevant individual and the Managing Director.
  • organising induction training to all new employees.
  • monitoring, recording and reviewing regularly the training for all employees in line with the provisions of any relevant codes of practice, Data Protection Law and consumer credit regulations.

Review

This policy and any underlining processes and procedures will be reviewed on a regular basis to ensure best practice and to take account of any changes in legislation. At a minimum, this review will be conducted on an annual basis.