Data Protection Policy

Aim and Scope of Policy

This policy applies to the processing of personal data in manual and electronic records kept by the Company in connection with its human resources function. It also covers the Company's response to any data breach and other rights under the General Data Protection Regulation.

This policy applies to the personal data of job applicants, existing and former employees, apprentices, volunteers, placement students, workers and self-employed contractors, and current or potential clients.

Definitions

• Personal data: information relating to an identifiable person (directly or indirectly).
• Special categories of personal data: data relating to health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, trade union membership, and genetic/biometric data used for identification.
• Criminal offence data: data relating to criminal convictions and offences.
• Data processing: any operation performed on personal data (collection, use, storage, disclosure, restriction, erasure, destruction, etc).

Types of Data Held

Personal data is kept in personnel files or within the Company's CRM system (Evolve). As appropriate, this may include:

• Name, address, phone numbers (individual and next of kin)
• CVs and other recruitment information
• References from former employers
• National Insurance numbers
• Passport or driving licence
• Job title, job descriptions and pay grades
• Conduct issues and disciplinary records
• Holiday, sickness absence, and performance information
• Medical or health information
• Tax codes and terms/conditions of employment
• Training details

Data Protection Principles

• Processed fairly, lawfully, and transparently
• Collected for specific, explicit, and legitimate purposes
• Adequate, relevant, and limited to what is necessary
• Accurate and kept up to date; inaccurate data rectified or erased without delay
• Not kept for longer than necessary
• Processed securely to protect against unauthorised use, loss, destruction, or damage
• Compliant with GDPR procedures for international transfers

Processing also recognises individuals' rights: to be informed, access, rectification, erasure, restriction, portability, objection, and regulation of automated decision-making/profiling.

Procedures

• Employees are informed of their data protection rights and how data is used/protected.
• Employees receive training on confidentiality and correct data handling.
• The Company can account for data held, sources, and sharing arrangements.
• Consent processes are maintained and reviewed; consent is specific, informed, unambiguous, and withdrawable at any time.
• Mechanisms exist for detecting, reporting, and investigating suspected or actual data breaches.

Access to Data

Relevant individuals have the right to be informed whether data is processed and to access personal data held by the Company.

• Subject access requests can be made by emailing info@clear-er.com (to the Directors).
• No fee is charged unless a request is manifestly unfounded, excessive, repetitive, or for duplicate copies to third parties.
• Requests are handled without delay and, subject to exemptions, within one month (extendable by up to two additional months for complex or numerous requests).

Data Disclosures

Data may be disclosed where strictly necessary, including for:

• Employee benefits operated by third parties
• Reasonable adjustments for disabled individuals
• Health and safety, occupational health, and Statutory Sick Pay obligations
• HR management/administration and employee insurance or pension operations

Data Security

The Company applies procedures to maintain data security in storage and transport. Employees must securely store confidential files, restrict access, verify data accuracy, use passwords appropriately, and avoid exposing personal data on unattended screens.

Personal data should not be kept or transported on laptops, USB sticks, or similar devices unless authorised. Where used, encryption and password protection are required, and devices must not be left unattended where they could be stolen.

International Data Transfers

The Company does not transfer personal data to recipients outside of the EEA.

Breach Notification

Where a breach is likely to risk individuals' rights and freedoms, it will be reported to the Information Commissioner within 72 hours of awareness.

Individuals will be informed directly where a breach is likely to result in high risk, and public notification will be made without undue delay where warranted.

Training

New employees must read and understand data protection policies during induction. All employees receive training on confidentiality, data protection, breach identification, and consequences of policy lapses.

Records

The Company keeps records of processing activities, including processing purposes and retention periods, on its CRM system, and keeps records updated.