
Data Protection Policy

1) Background

Data Protection is an important consideration within the business environment. Legislation has placed obligations on businesses that process personal data and created rights for people whose personal data is processed. The legislation applies to personal information that is processed by computer and also to personal information held in some types of paper files.

This Procedure aims to:

  • Set out practical guidelines on the Data Protection Act 1998 (“the Act”);
  • Indicate your responsibilities in relation to the processing of personal data;
  • Prevent unfair or unlawful processing of personal data by, for example, unauthorised retention, disclosure, modification or destruction.

This Procedure indicates how the group of companies will address data protection issues for employees, apprentices and others.

The Caxton Group is committed to:

  • Protecting personal data of workers and staff from unintended loss, destruction, damage, modification, disclosure or other security risk, and
  • Processing personal data of workers and staff fairly and lawfully in accordance with current data protection

2) Definitions

  • Data Controller – A person or company who decides the purposes for which and the way in which personal data is processed. The Office Administrator is the Data Controller in respect of staff and worker personal data.
  • Personal Data – Information about a living person who can be identified by the information or by the information together with other information that the Data Controller has or is likely to obtain.
  • Data Subject – all workers and staff of the Caxton (Midlands) Group and relevant Contractors are data subjects under the Act.

The Caxton Midlands Group Ltd consists of various independent trading limited companies, namely;

  • Caxton Midlands Group Ltd
  • Caxton Builders (Midlands) Ltd
  • Caxton Joinery Ltd
  • Caxton Property Developments Ltd
  • Caxton Facades Ltd

3) Paper Files

The Act applies to personal information held on both computers and in certain paper filing systems.

The Act only applies to personal information held on paper records where the paper record is structured by reference to an individual (or by reference to criteria relating to an individual) such that specific information about a particular person is readily accessible. That means that most filing systems will contain personal data.

It should be assumed, as a rule, that personnel files and separate files relating to employer/employee details are covered by this Act. However, when in receipt of a subject access request, the Company will assess whether the information in any particular file is information to which the Act applies before making any disclosure.

4) Data Protection Principles

All personal data must be processed in accordance with the eight Data Protection Principles. The essence of these principles is set out below;

Personal data must:

  • Be processed fairly and lawfully
  • Be obtained only for one or more specified or lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
  • Be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
  • Be accurate and, where necessary, kept up to date
  • Not be kept for longer than is necessary
  • Be processed in accordance with the rights of data subjects
  • Be protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or damage
  • Not be transferred to a country or territory outside the European Economic Area unless there is a clear legal basis in the Act for making the transfer.

The Company has put in place technical methods (i.e. firewalls, encryption, password protection, etc.) and organisational methods (hierarchy of access to personnel files, locking cabinets etc.) of protecting personal data where the importance of the personal data makes this appropriate.

All staff who have access to personal data controlled by the Company whether or not on computer, and whether at the Head Office or on site, must take adequate precautions to ensure confidentiality so that neither Caxton (Midlands) Group, nor any individual employed by Caxton (Midlands) Group, becomes exposed to criminal or civil liability as a result of the loss, destruction or disclosure of personal data.

Therefore, the following principles should be followed;

  • Personal data should not be stored on laptops unless this is unavoidable and appropriate security measures have been implemented including password protection and encryption methods to ensure security
  • These measures will apply to portable data storage media such as DVDs and USB flash memory data sticks
  • Personal data must not be transmitted over the Internet unless appropriate encryption methods are used
  • Personal data must not be sent to a third party on portable storage media or in paper form by conventional A secure delivery service must be used
  • Staff should always ensure security of records (whether paper records or computerised)
  • Staff must not leave personal data on screen or on desktops when they are not at their desks
  • Paper records should be stored securely unless under active consideration
  • A clear desk policy should be observed

5) Statement Detailing the Meaning of Processing and The Purpose of Processing

Personal data provided by or about an individual to Caxton (Midlands) Group will be processed in accordance with the Act.

Data about an individual will only be processed for lawful and fair purposes. Caxton (Midlands) Group is the legal entity which determines the way and the purposes for which personal data may be used.

The Data Protection Officer has the main responsibility for managing data protection issues and compliance.

The Data Protection Officer is responsible for ensuring the Caxton (Midlands) Group Data Protection Register entry is kept up to date.

It is the responsibility of all administration and construction staff to inform the Data Protection Officer (via their line manager) of any changes in the type of personal data being collected or in the method of processing the data. Personal data about an individual will be processed for various purposes which may include:

For Staff:

  • To assess his/her application to become an employee
  • To assess his/her application to become an apprentice
  • To facilitate management decisions
  • To detect fraud
  • To market or promote the Company

For Construction employees and Contractors:

  • To assess any application for site work
  • To manage the site administration requirements
  • To detect fraud
  • To address any health and safety issues
  • To ensure equal opportunities

There may be other purposes for which your information can be legally used.

6) Sensitive Personal Data

Certain personal data is given special status in data protection legislation. This personal data is called sensitive personal data.

Sensitive personal data is personal data consisting of information as to:

  • Racial or ethnic
  • Political
  • Religious beliefs (or other beliefs of a similar nature).
  • Trade union membership
  • Physical or mental health
  • Sexual orientation
  • Commission or the alleged commission of an
  • Proceedings for any offence, the disposal of such proceedings or the sentence of any Court in such

Subject to the exceptions set out below and elsewhere in this procedure, sensitive personal data shall generally only be processed after the employee or student has given express consent. Caxton (Midlands) Group may in certain situations process the data without the individual’s consent if it is necessary for processing to take place for one of the following purposes:

  • Ensuring health and safety of staff
  • Ensuring a safe working environment
  • Protecting the person and property of people entering on to Company premises or sites
  • Participating in legal proceedings or obtaining legal advice
  • For the administration of justice

Sensitive personal data relating to racial or ethnic origin may be processed without express consent in order to monitor the effectiveness of the Company’s Equality Policy.

7) Requests for Information

An individual about whom Caxton (Midlands) Group holds personal data has the right to be:

  • Told whether their personal data is being processed by or on behalf of the Company and, if so, to be given a description of:
    • The personal data held
    • The purposes for which it is being processed
    • The recipients of the personal data
  • Given a copy of the personal data
  • Given any information available regarding the source of the personal data

Written requests should be directed to the Office Administrator. The request for information will be dealt with promptly and in any event within one calendar month from receiving:

  • The written request for the personal data
  • Sufficient details to allow Caxton (Midlands) Group to respond to it
  • Sufficient details to confirm the identity of the person making the request

Where the provision of information would reveal the identity of a third party, the information may not be provided unless either the consent of that third party is obtained or it is reasonable to proceed without their consent. All requests for access to personal data must be made in writing, including emails.

Personal information relating to staff and Contractors cannot normally be disclosed to an unauthorised third party. These include family members, friends, local authorities, government bodies and the police. There are only certain circumstances when personal information can be given to such third parties and these include:

  • Prevention or detection of a crime
  • Apprehension or prosecution of offenders
  • Prevention of serious harm to a third party
  • Protection of the vital interests of the data subject, e.g. release of medical data where failure could result in serious harm or death
  • Ensuring health and safety

Caxton (Midlands) Group have the right to expect documentary evidence to support such requests.

8) Social Media

This refers to the use of all forms of social media, including Facebook, LinkedIn, Twitter, all other social networking sites, and all other internet postings, including forum postings and blogs.

It applies to the use of social media for both business and personal purposes, whether during working hours or otherwise. The policy applies regardless of whether the social media is accessed using our IT facilities and equipment or equipment belonging to members of staff.

Social media should never be used in a way that breaches;

  • Any obligations they may have relating to confidentiality
  • The Company Equal Opportunities Policy
  • This Data Protection Policy (for example, by disclosing personal information about a colleague online);
  • Any other laws or ethical standards (for example, by making misleading statements).

Staff and candidates must not:

  • Post any comment or information that directly or indirectly discloses any confidential information in relation to any:
    • Staff member
    • Contractor
    • Client;
  • Post disparaging or defamatory statements about:
    • The Company;
    • The Company’s Clients
    • Company staff;
    • Other business
  • Post any comment or information in relation to business sensitive information such as financial or other performance, or any other statement about Caxton (Midlands) Group that could be construed as damaging the Company’s reputation.
  • Other than in relation to authorised business use, post any comment or information, or represent themselves in such a way, as to imply that they are acting on behalf of, or representing the views of the Company.
  • Post any content that has the intention or may reasonably be expected to have the effect of causing offence, distress or upset to your fellow employees or our clients, customers or partners on discriminatory grounds.

9) Security

Any breaches of this Policy in relation to personal data security will result in disciplinary action and, in serious cases, may result in the dismissal of an employee or the removal of a contractor.

No employee or contractor must attempt, alone or with others, to gain access to data or programs to which they have not been authorised to gain access.

Staff and/or employees must not disclose personal details of other staff or contractors to unauthorised third parties where this information is personal data in respect of which the Company is the data controller.

Caxton (Midlands) Group reserve the right to monitor, intercept and review, without further notice, staff and candidate activities using our IT resources and communications systems, including but not limited to social media postings and activities, to ensure that our rules are being complied with and for legitimate purposes. In doing so you consent to such monitoring by your acknowledgement of this policy and your use of such resources and systems.

10) Penalties

A failure on the part of Caxton (Midlands) Group to comply with the eight Data Protection Principles and the conditions for processing may result in a court order to correct, erase or destroy inaccurate or out of date personal data or to change the way Caxton (Midlands) Group process personal data.

Use or disclosure of personal data outside the terms notified to the Information Commissioner is a criminal offence, as is the unlawful obtaining or disclosure of personal data. On conviction, both Caxton (Midlands) Group and/or individuals responsible may be liable for a fine of up to £5,000.

Signed for and on behalf of Caxton Midlands Group Ltd

Andrew Townshend

Managing Director