
Welcome to Whyte & Co


Data Protection Policy:

Policy Statement

Whyte & Co. is committed to ensuring that it fully complies with all its legal obligations under the Data Protection Act 1998. The company processes a considerable amount of personal data and as such it has a number of legal responsibilities. Failure to comply with these could result in legal action and substantial financial penalties, not to mention the loss of clients. The purpose of this document is to detail our approach to Data Protection so that both we and others can see that it is adequate and appropriate.

Whyte & Co. is registered with the Information Commissioner's Office under the Data Protection Act 1998.

Management Commitment and Resources

This policy has the full support of senior management who are committed to providing the necessary resources to ensure that its objectives are achieved.

Responsibility

The partners have ultimate responsibility for this policy but day-to-day responsibility is delegated to the Operations Manager, who is also the Data Protection Manager.

This policy is applicable to all staff and failure to comply is a disciplinary offence that could in some instances constitute gross misconduct.  

Communication and Training

The policy will be made available to all staff. All staff who handle personal data will receive data protection awareness and training and this will commence during induction. Particular emphasis will be placed on the eight data protection principles, with specific examples provided of how these relate to the company's activities.

Audit and Review

Compliance with this policy will be audited annually using the pro-forma checklist provided by the Information Commissioner's Office and the results documented and reviewed by Senior Management.

The policy will be reviewed annually or at such more frequent interval as may be considered necessary due to changes in legislation, changes in the manner in which the company processes data or apparent deficiencies in the policy.

Relationship to Other Procedures

Whyte & Co. operates an integrated management system (IMS) comprising a quality management system and an information security management system accredited to ISO 9001 and ISO 27001 respectively. This policy will be audited under our IMS audit procedure, documented and controlled under our document control procedure, and training in the policy will be provided in accordance with our training procedure.

Data Protection will be taken into consideration in the design of all new business processes.

Use of Data

All data held by Whyte & Co. is held under a duty of confidentiality. It is held and processed for lawful purposes only and is not used in any way that is incompatible with the purposes for which it was obtained. No sensitive personal data is held.

Client Requests for Data

Clients have a right to be provided with any data pertaining to the service which we provide them and any requests for the provision of data should be complied with as fully and promptly as possible. However, care should be taken to ensure that the request does in fact emanate from a client and that the particular member of staff requesting the information is properly authorised to make such a request.

Complaints

Nearly all data held by Whyte & Co. has been supplied by our clients or government agencies e.g. DVLA and we are not therefore responsible for its accuracy in the first instance. Complainants should be referred to the appropriate client. However, if the complaint relates to the inaccuracy of data that has been obtained by Whyte & Co. the complaint should be referred to the Data Protection Manager.

Data Security

Access to personal data is on a need to know basis.

Access to data is controlled by restricting physical access to our premises which are alarmed and through the use of locked filing cabinets.

Access to databases is controlled through the use of encrypted passwords that are regularly changed and the use of firewalls.

Hard copy data is removed for shredding and recycling by a contractor who issues a certificate of secure destruction.

Staff are required to ask appropriate questions in order to satisfy themselves as to the identity of the person to whom they are talking before discussing a case. As a general rule, staff are under instruction not to discuss cases with third parties unless and until we have received written authorisation from the data subject to do so.

All PCs that are disposed of have their hard drives erased prior to disposal.

Data is backed up daily and back up tapes are stored off-site.

Disaster Recovery

This is covered by our Business Continuity Plan. 

Viruses, Trojans, Spyware etc.

All of the company’s systems are protected against malicious software by appropriate applications that are automatically updated on a daily basis.

In addition staff have no access rights to non-business related internet sites or personal e-mail systems.

Retention of Data  

Data is retained for a maximum period of six years (Limitations Act) or such longer period as may be specified by our client local authority. Procedures are in place for the automatic erasure of data once the expiry date is reached.

Subject Access Requests

All subject access requests (Section 7, DPA) are immediately referred to the Data Protection Manager who will ensure that a response is provided as promptly as possible but in any event within the statutory time period. They will also ensure that the information is provided in a format that is intelligible.

DVLA

Whyte & Co. has a file transfer link with the DVLA that enables us to obtain registered keeper information electronically. It is critical that this facility is not abused and that it is not used for any purpose other than that for which it was established, e.g. to confirm whether or not a vehicle in respect of which a PCN has been issued is still registered to the same keeper and address.

Under no circumstances may it be used in relation to any other type of debt than Road Traffic Debt. It may only be used to obtain confirmation in respect of vehicles for which we already hold a warrant and not to obtain keeper details for vehicles which may or may not be registered to the debtor.

Bailiffs must not request a DVLA check for purposes other than outlined above and office based staff responsible for processing requests must ensure that the vehicle is one for which we hold a warrant.

Failure to comply will constitute gross misconduct. 
