Data Protection Policy
1. Marleton Cross Limited (“MX Group”) needs to collect, store and process personal information about its customers and employees (the “Users”) to allow it to continue to manufacture and distribute its bathroom products and, in relation to this, to carry out ancillary activities such as advertising and monitoring its own performance (the “Services”). Everyone has rights with regard to how their personal information is handled and we recognise the need to treat it in an appropriate and lawful manner. It is also necessary to process information so that MX Group can comply with its legal obligations. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
2. The types of information that we may be required to handle include details of current, past and prospective Users and those of external third parties we may deal with from time to time in relation to performing the Services. The information, which may be held on paper and other media, is subject to certain legal safeguards which are set out in the Data Protection Act 1998 and other regulations (the “Act”).
3. In summary these state that personal data shall:
- Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
- Be adequate, relevant and not excessive for that purpose.
- Be accurate and kept up to date.
- Not be kept for longer than is necessary for that purpose.
- Be processed in accordance with the data subject’s rights.
- Be kept safe from unauthorised access, accidental loss or destruction.
- Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
4. MX Group and all staff or others who process or use personal information must ensure that they follow these principles at all times.
Status of this Policy
6. This policy does not form part of the formal contract of sale or part of any offer to sell, and it has no bearing on the employment of staff, but it is a condition of sales and of such employment that Users will abide by the rules and policies made by MX Group from time to time. If you do not agree with the way in which MX Group processes your information under the terms of this policy, please do not continue to use MX Group for any purpose.
The Data Controller and the Data Compliance Manager
7. MX Group as a body corporate is the Data Controller under the Act, and the directors of MX Group are therefore ultimately responsible for implementation. However, the Data Compliance Manager will deal with day-to-day matters.
8. MX Group has one Data Compliance Manager, namely Bernard Robinson, Director of MX Group.
9. Any User or any individual who considers that the policy has not been followed in respect of personal data about himself or herself should raise the matter with the Data Compliance Manager.
Responsibilities of Users
10. All staff are responsible for checking that any information that they provide to MX Group in connection with their employment is accurate and up to date.
11. All staff must inform MX Group of any changes to information that they have provided, e.g. changes of address, either at the time of appointment or subsequently. MX Group cannot be held responsible for any errors unless the member of staff has informed MX Group of such changes.
12. If and when, as part of their responsibilities, staff collect information about other people (e.g. personal information about customers, staff opinions about either references, or details of any personal circumstances), they must comply with the guidelines for staff issued by MX Group from time to time.
13. Users must ensure that all personal data provided to MX Group is accurate and up to date. They must ensure that changes of any personal circumstances, address etc. are notified to the Data Compliance Manager. Inaccurate or out-of-date information will be destroyed.
14. All Users are responsible for ensuring that:
- Any personal data they process arising out of or in relation to the Services is held and kept securely; and
- Any such personal data is not disclosed, either orally or in writing or via Web pages or by any other means, accidentally or otherwise, to any unauthorised third party.
15. Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.
16. Staff should note that personal information should:
- Be kept in a locked filing cabinet, drawer, or safe; or
- If it is computerised, be coded, encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up; and
- If a copy is kept on a diskette or other removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.
Rights to Access Information
17. All Users are entitled to:
- Know what information MX Group holds and processes about them and why.
- Know how to gain access to it.
- Know how to keep it up to date.
- Know what MX Group is doing to comply with its obligations under the Act.
18. This policy document addresses, in particular, the last three points above. To address the first point, MX Group will, upon request, provide all Users with a statement regarding the personal data held about them. This will state all the types of data MX Group holds and processes about them, and the reasons for which they are processed.
19. All Users have a right under the Act to access certain personal data being kept about them either on computer or in certain files. Any person who wishes to exercise this right should submit a subject access request within the meaning of the Act to the appropriate Data Compliance Manager (see above).
20. MX Group will make a charge of £10 on each occasion that access is requested, although MX Group has discretion to waive this.
21. MX Group aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days, as required by the Act.
22. In some cases, MX Group can only process personal data with the consent of the individual. If the data is sensitive, as defined in the Act, express consent must be obtained. Agreement to MX Group processing some specified classes of personal data is a condition of acceptance of a sale which involves MX Group necessarily processing personal data and a condition of employment for staff. This includes information about previous criminal convictions.
23. MX Group may also ask for information about particular health needs, such as allergies to particular forms of medication, or any medical condition such as asthma or diabetes for example. MX Group will only use this information in the protection of the health and safety of the individual, but will need consent to process this data in the event of a medical emergency, for example.
24. Therefore, the application forms that all prospective Users are required to complete include a section requiring consent to process the applicant’s personal data. A refusal to sign such a form will prevent the application form being processed and we reserve the right to withdraw from performing the Services.
Processing Sensitive Information
25. Sometimes it is necessary to process information about a person’s health, criminal convictions, race, and trade union membership. Because this information is considered sensitive under the Act, Users will be asked to give their express consent for MX Group to process this data. An offer of employment or a place with a host family may be withdrawn if an individual refuses to consent to this without good reason. More information about this is available from the Data Compliance Managers.
Retention of Data
26. MX Group has a duty to retain Users’ personal data for a period of time following their departure from MX Group, mainly for legal reasons, but also for other purposes such as being able to provide references and where necessary medical information, or for financial reasons, for example relating to pensions and taxation. Different categories of data will be retained for different periods of time. The exact details of retention periods and purposes are set out in Appendix 1 of this policy.
27. Compliance with the Act is the responsibility of all of the staff of MX Group. Any deliberate breach of this policy may lead to disciplinary action being taken, access to MX Group’s facilities being withdrawn or even to a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Data Compliance Manager. MX Group will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives.
Minimum Retention Periods for Records Containing Personal Data
| Type of Record | Minimum Retention Period | Reason for Length of Period |
|---|---|---|
| Personnel files including training records, notes of disciplinary and grievance hearings and appraisal forms | 6 years from the end of employment | References and potential litigation |
| | Certain personal data may be held in perpetuity | Selected material will form part of the official MX Group Archive |
| Letters of Reference | 6 years from the end of employment, by the author of the reference letter | References and potential litigation |
| Application forms/interview notes | At least 6 months from the date of the interviews | Time limits on litigation |
| Accident books and records and reports of accidents | 3 years after the date of the last entry | Social Security (Claims and Payments) Regulations 1979; RIDDOR 1985 |
| Health Records | During placement | Management of Health and Safety at Work Regulations |
| Sales records - Customer records of those purchasing products/guarantees | Within one year of sale | Permits institution to handle delayed enrolments |
| Customer records of those claiming under guarantee or complaining or wanting a refund or replacement (whether given or not) | At least 6 years from the matter being concluded, in case of litigation for negligence | Limitation period for negligence |
| | Certain personal data may be held in perpetuity | Upon the death of the data subject, data relating to him/her ceases to be personal data. Some selected material will form part of the official MX Group. |