Terms & Conditions
TBT Recruitment Ltd is committed to protecting and respecting your privacy. For the purposes of the General Data Protection Regulations (GDPR) and any subsequent UK legislation covering data protection, the Data Controller, and in some instances the Data Processor, is TBT Recruitment Ltd.
This Policy sets out why we collect personal information about individuals and how we use that information. It explains the legal basis for this and the rights you have over the way your information is used.
This Policy covers TBT Recruitment Ltd in relation to the collection and use of the information you give us. We may change this Policy from time to time. If we make any significant changes we will advertise this on the website or contact you directly with the information. Please check this page occasionally to make sure you are happy with any changes.
If you have any questions about this Policy or concerning your personal information, please contact the Human Resources team at [email protected] or by post to Human Resources, TBT Recruitment, K1 The Courtyard, Jenson Avenue, Commerce Park, Frome, Somerset, BA11 2FG.
What type of personal information we collect
The type and amount of information we collect depends on why you are providing it.
The information we collect when you make an enquiry includes:-
• First name
• Last name
• Job title
• Preferred pronoun
• Date of birth
• Email address for marketing and contact purposes
• Address (including billing address)
• Geo-location data (your geographical location based on your IP address)
• Nature of enquiry
• Feedback of services provided
• Billing details (banking/credit card details, billing address, billing contact if appropriate)
If you are a job applicant, the information you are asked to provide is as set out in the application and necessary for the purposes of our considering the application.
How we collect information
We may collect information from you whenever you contact us or have any involvement with us for example when you:
- visit our website
- enquire about our activities or services
- sign up to receive news about our activities
- post content onto our website/social media sites
- attend a meeting with us and provide us with information
- take part in our events
- contact us in any way including online, email, phone, SMS, social media or post
Where we collect information from
We collect information:
- from you when you give it to us directly: you may provide your details when you ask us for information, attend our events or contact us for any other reason. Your information may be collected by an organisation we are working with, but we are still responsible for your information.
- when you have given other organisations permission to share it: your information may be provided to us by other organisations if you have given them your permission. This might for example be a business working with us or when you buy a product or service from a third-party organisation. The information we receive from other organisations depends on your settings or the option responses you have given them.
- When it is in available on social media: depending on your settings or the privacy policies applying for social media and messaging services you use, like Facebook, Instagram, LinkedIn or Twitter, you might give us permission to access information from those accounts or services.
How we use your information
We will use your personal information in a number of ways which reflect the legal basis applying to processing of your data. These may include:
- providing you with the information or services you have asked for
- sending you communications with your consent that may be of interest, including marketing information about our services and activities
- when necessary, for carrying out your obligations under any contract between us
- seeking your views on the services or activities we carry on, so that we can make improvements
- maintaining our organisational records and ensuring we know how you prefer to be contacted
- analysing the operation of our website and analysing your website behaviour to improve the website and its usefulness
- processing job applications
Use of Aggregated Data
Where Data can be aggregated (and anonymised), we may use this for research purposes without restriction.
For example, we may monitor customer traffic patterns, Site and Services usage and related information in order to optimise users’ usage of the Site and Services and we may give aggregated statistics to a reputable third-party.
We are entitled to do this because the resulting data will not personally identify you and will therefore no longer constitute personal data for the purposes of data protection laws.
Our legal basis for processing your information
The use of your information for the purposes set out above is lawful because one or more of the following applies:
- where you have provided information to us for the purposes of requesting information or requesting that we carry out a service for you, we will proceed on the basis that you have given consent to us using the information for that purpose, based on the way that you provided the information to us. You may withdraw consent at any time by emailing us at [email protected] This will not affect the lawfulness of processing of your information prior to your withdrawal of consent being received and actioned;
- it is necessary for us to hold and use your information so that we can carry out our obligations under a contract entered into with you or to take steps you ask us to prior to entering into a contract;
- it is necessary to comply with our legal obligations.
- where the purpose of our processing is the provision of information or services to you, we may also rely on the fact that it is necessary for our legitimate interests in relation to providing the information or service requested, and given that you have made the request, would presume that there is no prejudice to you in our fulfilling your request;
If you want to contact us about your marketing preferences please contact [email protected] or call on 01373 469220.
How we keep your information safe
We understand the importance of keeping your personal information secure and take appropriate steps to safeguard it. It is listed below:
We always ensure only authorised persons have access to your information, which means only our employees, contractors and relevant suppliers, and that everyone who has access is appropriately trained to manage your information.
No data transmission over the internet can be guaranteed to be completely secure. So, whilst we strive to safeguard your information, we cannot guarantee the security of any information you provide online and you do this at your own risk.
Who has access to your information?
- Third parties who provide services for us, for example suppliers and contractors, collecting or processing data and sending mailings. We select our third-party service providers with care. We provide these third parties with the information that is necessary to provide the service and we will have an agreement in place that requires them to operate with the same care over data protection as we do
- Third parties if we run an event in conjunction with them. We will let you know how your data is used when you register for any event
- Analytics and search engine providers that help us to improve our website and its use
- Third parties in connection with restructuring or reorganisation of our operations, for example if we merge with another business. In such event, we will take steps to ensure your privacy rights will be protected by the third party
Owing to matters such as financial or technical considerations, the information you provide to us may be transferred to countries outside the European Economic Area (EEA), which are not subject to the same data protection regulations as apply in the UK. For example – a business event maybe planned to take place outside of the EEA region and we would use local suppliers to that area who store their data securely outside of the EEA. We meet our obligations under GDPR by ensuring that the information has equivalent protection as if it were being held within the EEA. We do this by ensuring that any third parties processing your data outside the EEA either benefits from an adequacy determination for GDPR purposes and/or, where appropriate, we have entered into a data processing agreement which contains model EU clauses.
We may also disclose your personal information if we are required to do so under any legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction, or where doing so would not infringe your rights, but is necessary and in the public interest.
Other than this, we will not share your information with other organisations without your consent.
Keeping your information up to date
Please would you let us know if your contact details change. You can do so by contacting us at [email protected].
Cookies may be either “persistent” cookies or “session” cookies. A persistent cookie consists of a text file sent by a web server to a web browser, which will be stored by the browser and will remain valid until its set expiry date (unless deleted by the user before the expiry date). A session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
The law states that we can store cookies on your machine if they are essential to the operation of the Site, but that for all others we need your permission to do so.
The list below explains the cookies we use and why:
| Name|| Cookies description || Retention Period|
| Cloudflare session cookie Name: __cfduid|| Used by Cloudflare to provide user-specific security settings. It doesn’t store any personally identifiable information. More info|| One year |
| Google Analytics Timout cookie Name:_gat_UA-########-#|| Used by Google Analytics to limit the amount of requests made to the Doubleclick platform. Doesn’t store any personally identifiable information. More info || One minute|
| Accept website cookies cookie || Used to check if user has accepted cookies notice. Doesn’t store any personally identifiable information. || One year|
Opting out of cookies
If you do not wish to receive cookies from us or any other website, you should be able to turn cookies off on your web browser: please follow your browser provider’s instruction in order to do so. Unfortunately, we cannot accept liability for any malfunctioning of your PC or its installed web browser as a result of any attempt to turn off cookies.
To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org.
How long we keep your information for
We will hold your personal information for as long as it is necessary for the relevant activity. Please see our Records Retention Policy HERE.
Where we rely on your consent to contact you for direct marketing purposes, we will treat your consent as lasting only for as long as it is reasonable to do so. This will usually be for two years. We may periodically ask you to renew your consent.
If you ask us to stop contacting you with marketing materials, we will keep a record of your contact details and limited information needed to ensure we comply with your request.
You have the right to request details of the processing activities that we carry out with your personal information through making a subject access request. Such requests have to be made in writing. More details about how to make a request, and the procedure to be followed, can be found in our Data Protection Policy. To make a request, please contact us at [email protected].
You also have the following rights:
- the right to request rectification of information that is inaccurate or out of date;
- the right to erasure of your information (known as the “right to be forgotten”);
- the right to restrict the way in which we are dealing with and using your information; and
- the right to request that your information be provided to you in a format that is secure and suitable for re-use (known as the “right to portability”);
- rights in relation to automated decision making and profiling including profiling for marketing purposes.
All of these rights are subject to certain safeguards and limits or exemptions, further details of which can be found in our Data Protection Policy. To exercise any of these rights, you should contact Human Resources at the above address.
If you are not happy with the way in which we have processed or dealt with your information, you can complain to the Information Commissioner’s Office. Further details about how to complain can be found HERE.
Surveys and user groups
We always aim to improve the services we offer. As a result, we occasionally canvass our customers using surveys (where the customer has opted in for this). Participation in surveys is voluntary, and you are under no obligation to reply to any survey you might receive from us. Should you choose to do so, we will treat the information you provide with the same high standard of care as all other customer information.
- The main aim of this policy is to enable us to manage our records effectively and in compliance with data protection and other regulation. As an organisation we collect, hold, store and create significant amounts of data and information and this policy provides a framework of retention and disposal of categories of information and documents.
- We are committed to the principles of data protection including the principle that information is only to be retained for as long as necessary for the purpose concerned.
- The table below sets out the main categories of information that we hold, the length of time that we intend to hold them, and the reason for this.
- Please note that the Appendix sets out the legal requirements for certain categories of document. Where we have decided to keep information longer than the statutory requirement, this has been explained in the table at Section 2.
- Section 3 of this policy sets out the destruction procedure for documents at the end of their retention period. Human Resources shall be responsible for ensuring that this is carried out appropriately, and any questions regarding this policy should be referred to them.
- If a document or information is reaching the end of its stated retention period, but you are of the view that it should be kept longer, please refer to Human Resources, who will make a decision as to whether it should be kept, for how long, and note the new time limit and reasons for extension.
Document Retention Period
| Document type|| Legislation/reasons for retention|| Requirement|
| || || |
| Corporate/constitutional records|| || |
| Company Articles of Association, Rules/bylaws|| Companies Act 2006 || Permanent|
| Director minutes of meetings and written resolutions, Dividend certificates|| Companies Act 2006 || Recommended at least ten years|
| Shareholders’ meetings etc. Minutes/resolutions|| Companies Act 2006 || Recommended at least ten years|
| Documents of clear historical/archival significance|| General Data Protection Regulation (GDPR)|| Permanent if relevant GDPR provisions are met|
| Contracts e.g. service, agreements, confidentiality and non-disclosure agreements|| Limitation Act 1980|| Length of contract term plus six years|
| Contracts executed as deeds|| Limitation Act 1980|| Length of contract term plus twelve years|
| Intellectual property records and legal files re provision of service|| Limitation Act 1980|| Recommended: Life of service provision or IP plus six years|
| Tax and Finance|| || |
| Annual accounts and review (including transferred records on amalgamation)|| Companies Act 2006 || Minimum six years Recommended: permanent record|
| Tax and accounting records|| Finance Act 1998 Taxes Management Act 1970|| Six years from end of relevant tax year|
| Information relevant for VAT purposes|| Finance Act 1998 and HMRC Notice 700/21|| Minimum six years from end of relevant period|
| Banking records/receipts book/sales ledger/purchase ledger|| Companies Act 2006 || Six years from transaction|
| Employee/Administration|| || |
| Payroll/Employee/Income Tax and NI records: P45; P6; PIID; P60 etc|| Taxes Management Act 1970 /IT (PAYE) Regulations|| Six years from end of current year|
| Maternity pay|| Statutory Maternity Pay Regulations|| Three years after the end of the tax year|
| Sick pay|| Statutory Sick Pay (General) Regulations|| Three years after the end of the tax year|
| National Minimum wage records|| National Minimum Wage Act|| Three years after the end of the tax year|
| Foreign national ID documents|| Immigration (Restrictions on Employment) Order 2007|| Minimum two years from end of employment|
| HR files and training records|| Limitation Act 1970 and Data Protection regulation|| Maximum six years from end of employment|
| Records re working time|| Working Time Regulations 1998 as amended|| Two years|
| Job applications (CVs and related materials re unsuccessful applicants)|| ICO Employment Practices Code|| Twelve months from your notification of outcome of application|
| Insurance|| || |
| Employer’s Liability Insurance|| Employers’ Liability (Compulsory Insurance Regulation) 1998|| Forty years|
| Group Life Assurance|| Commercial|| Three years after lapse|
| Policies|| Commercial|| Three years after lapse|
| Claims correspondence|| Commercial|| Three years after settlement|
| Health & Safety/Medical|| || |
| General records|| Limitation Act 1970|| Minimum three years|
| Records re work with hazardous substances|| Control of Hazardous Substances to Health Regulations 2002|| Up to forty years. Recommended: permanent|
| Accident books/records and reports|| Reporting of Injuries Diseases and Dangerous Occurrences Regulations 1995|| Three years after last entry or end of investigation|
| Premises/Property|| || |
| Original title deeds|| || Permanent/to disposal of property|
| Leases|| Limitation Act 1980|| Twelve years after lease has expired|
| Building records, plans, consents and certification and warranties etc|| Limitation Act 1980|| Six years after disposal or permanent if of historical/archival interest. Carry out review re longer retention e.g. if possible actions against contractors|
| Pension Records|| For all categories see: Detailed Guidance for Employers: (April 2017) http://www.thepensionsregulator.gov.uk || |
| Records about employees and workers|| |
| Records re the Scheme|| |
| Records re active members and opt in/opt out|| |
| Trust Deed/Rules and HMRC approvals|| |
| Trustees’ Minutes and annual accounts|| |
| Policies including investment policies|| |
| Client Related Documents || || |
| Documentation & emails related to work completed on the behalf of client|| For future reference || Company policy is 2-years|
- When a document is at the end of its retention period, it should be dealt with in accordance with this policy.
- This should be made available for collection in the confidential waste bins located around the office and will be shredded by external supplier.
- Anything that contains personal information should be treated as confidential.
- Where deleting electronically, please refer to Human Resources to ensure that this is carried out effectively.
- Other documentation can be deleted or placed in recycling bins where appropriate.
- Certain information will be automatically archived by the computer systems, details of which are set out below. Should you want to retrieve any information, or prevent this happening in a particular circumstance, please contact Human Resources.
- Much of the retention and deletion of documents will be automatic, but when faced with a decision about an individual document, you should ask yourself the following:
- Has the information come to the end of its useful life?
- Is there a legal requirement to keep this information or document for a set period? (Refer to document retention periods for more information)
- Would the information be likely to be needed in the case of any legal proceedings? (Is the information contentious, does it relate to an incident that could potentially give rise to proceedings?)
- Would the document be useful for the organisation as a precedent, learning document, or for performance management processes?
- Is the document of historic or statistical significance?
- If the decision is made to keep the document, this should be referred to Human Resources and reasons given.
- TBT Recruitment Ltd, (“we/us”) is the Data Controller, and in some instances, we are the Data Processor, for the purposes of the EU General Data Protection Regulation and the Data Protection Act 2018.
- We collect and use certain types of personal information about the following categories of individuals:
- service users;
- client’s business partners & distributors
- directors and other officers;
and other individuals who come into contact with us.
- We will process this personal information in the following ways:
- Refer to Appendix 1
- to comply with statutory and contractual obligations relating to employment;
- to comply with statutory and other legal obligations relating to safeguarding, of any individual at TBT Recruitment Limited that comes into contact with children as part of his or her duties.
- This policy is intended to ensure that personal information is dealt with properly and securely and in accordance with the EU General Data Protection Regulation (GDPR) and other related legislation. It will apply to information regardless of the way it is used or recorded and applies for as long as the information is held.
- PERSONAL DATA
- ‘Personal data’ is information that identifies an individual and includes information that would identify an individual to the person to whom it is disclosed because of any special knowledge that they have or can obtain. A sub-set of personal data is known as ‘special categories of personal data’. This special category data is information that relates to:
- religious or philosophical beliefs;
- physical or mental health;
- an individual’s sex life or sexual orientation;
- genetic or biometric data for the purpose of uniquely identifying a natural person.
- Special category data is given special protection, and additional safeguards apply if this information is to be collected and used.
- Information relating to criminal convictions shall only be held and processed where there is legal authority to do so.
- THE DATA PROTECTION PRINCIPLES
- The six data protection principles as laid down in the GDPR must be followed at all times:
- personal data shall be processed fairly, lawfully and in a transparent manner, and processing shall not be lawful unless one of the processing conditions (see paragraph 4) can be met;
- personal data shall be collected for specific, explicit, and legitimate purposes, and shall not be further processed in a manner incompatible with those purposes;
- personal data shall be adequate, relevant, and limited to what is necessary for the purpose(s) for which they are being processed;
- personal data shall be accurate and, where necessary, kept up to date;
- personal data processed for any purpose(s) shall not be kept for longer than is necessary for that/those purpose(s);
- personal data shall be processed in such a way that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
- In addition to this, we are committed to ensuring that, at all times, anyone dealing with personal data shall be mindful of the individual’s rights under the law (as explained in more detail in paragraphs 7 and 8 below).
- We are committed to complying with the principles in paragraph 3.1 at all times. This means that we will:
- inform individuals as to the purpose of collecting any information from them, as and when we ask for it;
- be responsible for checking the quality and accuracy of the information;
- regularly review the records held to ensure that information is not held longer than is necessary, and that it has been held in accordance with our Records Retention Policy;
- ensure that when information is authorised for disposal it is done appropriately;
- ensure appropriate security measures to safeguard personal information, whether it is held in paper files or on our computer system, and follow the relevant security policy requirements at all times;
- share personal information with others only when it is necessary and legally appropriate to do so;
- set out clear procedures for responding to requests for access to personal information, known as subject access requests;
- report any breaches of the GDPR in accordance with the procedure in paragraph 0 below.
- The individual has given consent that is specific to the particular type of processing activity, and that consent is informed, unambiguous and freely given;
- The processing is necessary for the performance of a contract, to which the individual is a party, or is necessary for the purpose of taking steps with regard to entering into a contract with the individual, at their request;
- The processing is necessary for the performance of a legal obligation to which we are subject;
- The processing is necessary to protect the vital interests of the individual or another;
- , which can be found HERE.
- DISCLOSURE OF PERSONAL DATA
- The following list includes the most usual reasons that we will authorise disclosure of personal data to a third party:
- to give a confidential reference relating to a current or former employee;
- for the prevention or detection of crime;
- for the assessment of any tax or duty;
- where it is necessary to exercise a right or obligation conferred or imposed by law upon us (other than an obligation imposed by contract) e.g. regulatory obligations under the Money Laundering Regulations;
- for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings);
- for the purpose of obtaining legal advice;
- for research, historical and statistical purposes (so long as this neither supports decisions in relation to individuals, nor causes substantial damage or distress);
- We may receive requests from third parties (i.e. those other than the data subject, us, and our employees) to disclose personal data we hold about individuals. This information will not generally be disclosed unless one of the specific exemptions under the GDPR which allow disclosure applies, or where disclosure is necessary for the legitimate interests of us or the third party concerned.
- All requests for the disclosure of personal data must be sent to Human Resources, who will review and decide whether to make the disclosure, ensuring that reasonable steps are taken to verify the identity of the requesting third party before making any disclosure.
- SECURITY OF PERSONAL DATA
- We will take reasonable steps to ensure that members of staff will only have access to personal data where it is necessary for them to carry out their duties. All staff will be made aware of this Policy and their duties under the GDPR. We will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons.
- For further details as regards security of IT systems, please refer to the ICT Policy.
- Anybody who makes a request to see any personal information held about them by us is making a subject access request. All information relating to the individual, including that held in electronic or manual files should be considered for disclosure, provided that they constitute a “filing system” (see paragraph 1.5).
- All requests should be sent to Human Resources within three working days of receipt and must be dealt with in full without delay and at the latest within one month of receipt.
- Where a child or young person does not have sufficient understanding to make his or her own request (usually those under the age of twelve, or over twelve but with a special educational need which makes understanding their information rights more difficult), a person with parental responsibility can make a request on their behalf. Human Resources must, however, be satisfied that:
- the child or young person lacks sufficient understanding; and
- the request made on behalf of the child or young person is in their interests.
- Any individual, including a child or young person with ownership of their own information rights, may appoint another person to request access to their records. In such circumstances, we must have written evidence that the individual has authorised the person to make the application and Human Resources must be confident of the identity of the individual making the request and of the authorisation of the individual to whom the request relates.
- Access to records will be refused in instances where an exemption applies, for example, information sharing may place the individual at risk of significant harm or jeopardise police investigations into any alleged offence(s).
- A subject access request must be made in writing. We may ask for any further information reasonably required to locate the information.
- An individual only has the automatic right to access information about themselves, and care needs to be taken not to disclose the personal data of third parties where consent has not been given, or where seeking consent would not be reasonable, and it would not be appropriate to release the information. Particular care must be taken in the case of any complaint or dispute to ensure confidentiality is protected.
- All files must be reviewed by Human Resources before any disclosure takes place. Access will not be granted before this review has taken place.
- Where all the data in a document cannot be disclosed, a permanent copy should be made and the data obscured or retyped if this is more sensible. A copy of the full document and the altered document should be retained, with the reason why the document was altered.
Exemptions to Access by Data Subjects
Where a claim to legal professional privilege could be maintained in legal proceedings, the information is likely to be exempt from disclosure unless the privilege is waived.
- We have an obligation to comply with the rights of individuals under the law and take these rights seriously. The following section sets out how we will comply with the right to:
Right to object to processing
- 4.5 and 4.6 above) where they do not believe that those grounds are made out.
- Where such an objection is made, it must be sent to Human Resources within two working days of receipt, and Human Resources will assess whether there are compelling legitimate grounds to continue processing which override the interests, rights and freedoms of the individuals, or whether the information is required for the establishment, exercise or defence of legal proceedings.
- Human Resources shall be responsible for notifying the individual of the outcome of their assessment within 10 working days of receipt of the objection.
- Where personal data is being processed for direct marketing purposes, an individual has the right to object at any time to processing of personal data concerning him or her for such marketing (which includes profiling to the extent that it is related to such direct marketing) and his or her personal data shall no longer be processed by us for direct marketing purposes.
Right to rectification
- An individual has the right to request the rectification of inaccurate data without undue delay. Where any request for rectification is received, it should be sent to Human Resources within two working days of receipt, and where adequate proof of inaccuracy is given, the data shall be amended as soon as reasonably practicable, and the individual notified.
- Where there is a dispute as to the accuracy of the data, the request and reasons for refusal shall be noted alongside the data and communicated to the individual. The individual shall be given the option of a review under the complaints procedure, or an appeal direct to the Information Commissioner.
- An individual also has a right to have incomplete information completed by providing the missing data, and any information submitted in this way shall be updated without undue delay.
Right to erasure
- Individuals have a right, in certain circumstances, to have data permanently erased without undue delay. This right arises in the following circumstances:
- where the personal data is no longer necessary for the purpose or purposes for which it was collected and processed;
- where consent is withdrawn and there is no other legal basis for the processing;
- where an objection has been raised under the right to object, and found to be legitimate;
- where personal data is being unlawfully processed (usually where one of the conditions for processing cannot be met);
- where there is a legal obligation on us to delete.
- Human Resources will make a decision regarding any application for erasure of personal data and will balance the request against the exemptions provided for in the law. Where a decision is made to erase the data, and this data has been passed to other controllers, and/or has been made public, reasonable attempts to inform those controllers of the request shall be made.
Right to restrict processing
- In the following circumstances, processing of an individual’s personal data may be restricted:
- where the accuracy of data has been contested, during the period when we are attempting to verify the accuracy of the data;
- where processing has been found to be unlawful, and the individual has asked that there be a restriction on processing rather than erasure;
- where data would normally be deleted, but the individual has requested that their information be kept for the purpose of the establishment, exercise or defence of a legal claim;
- where there has been an objection made under paragraph 8.2, pending the outcome of any decision.
Right to portability
If an individual wants to send his or her personal data to another organisation, he or she has a right to request that you provide his/her information in a structured, commonly used, and machine-readable format. If a request for this is made, it should be forwarded to Human Resources within two working days of receipt, and Human Resources will review and revert as necessary.
- Any breach of the GDPR, including a breach of any of the data protection principles of the Data Protection Act 1998 (as amended or replaced from time to time) shall be reported as soon as it is discovered, to Human Resources.
- Once notified, the Human Resources shall assess:
- the extent of the breach;
- the risks to the data subjects as a consequence of the breach;
- any security measures in place that will protect the information;
- any measures that can be taken immediately to mitigate the risk to the individuals.
- Unless Human Resources concludes that there is unlikely to be any risk to individuals from the breach, it must be notified to the Information Commissioner’s Office within seventy-two hours of the breach having come to our attention, unless a delay can be justified.
- The Information Commissioner shall be told:
- details of the breach, including the volume of data at risk, and the number and categories of data subjects;
- the contact point for any enquiries (which shall usually be Human Resources);
- the likely consequences of the breach;
- measures proposed or already taken to address the breach.
- If the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, Human Resources shall notify affected data subjects of the breach without undue delay, unless the data would be unintelligible to those not authorised to access it, or measures have been taken to mitigate any risk to the affected individuals.
- Data subjects shall be told:
- the nature of the breach;
- who to contact with any questions; and
- measures taken to mitigate any risks.
- Human Resources shall be responsible for instigating an investigation into the breach, including how it happened, and whether it could have been prevented. Any recommendations for further training or a change in procedure shall be reviewed by the Board and a decision made about implementation of those recommendations.
If anyone has any concerns or questions in relation to this policy they should contact Human Resources.
What personal information we might need and why
- Your name
- Your Job Title
- Contact information (eg address, telephone numbers, email addresses)
- Information about your age, ethnicity, gender, nationality, disability status
- ID documentation
- Biographical data
- Your bank details
- Your occupation
- Your place of work
- Information about your education and qualifications
- Information about your skills and expertise
- Information relevant to our HR function
- Marketing & communications data (includes your preferences in receiving marketing from us, our clients and your communication preference)
- Transaction data (includes details of services we have provided to you)
We may use/process this information to:
- Carry out our statutory functions
- Handle complaints
- Conduct investigations
- Conduct research
- Understand people’s views and opinions (eg through consultations)
- Improve our services
- Carry out administrative functions (eg HR)
- Share it with third parties for the purpose of obtaining advice and in complying with our contractual obligations
- Comply with our legal and regulatory obligations
- Enable payment to suppliers
- Enable payment to employees
- Arrange travel on your behalf
- Proof of right to work
- To register you as a new client
- To deliver relevant marketing content to you and measure or understand the effectiveness of the marketing we serve to you
- To make suggestions and recommendations to you about goods or services that may be of interest
Data Breach Incident Response Plan
The flow of actions following a Data Breach is classified in four main phases, following the guidelines of the Information Commissioner’s Office (ICO):
- Containment and recovery
- Assessment of ongoing risk
- Notification of breach
- Evaluation and response
1. Containment and recovery
- Data breaches and weaknesses which could lead to breaches need to be reported as soon as detected to Human Resources, who will lead the investigation.
- Following notification, Human Resources will open an incident log and make an initial assessment of the breach’s severity. This step will involve Netitude Limited (TBT Recruitment Limited’s outsourced IT provider), who will help identify the most effective course of action to contain the situation and, where possible, recover any losses.
- Once the first two steps are completed, Human Resources will inform a Legal TBT Recruitment Director and assess whether any other contacts outside the organisation need to be made aware of the breach, (in case directly involved), informing them of what TBT Recruitment is going to do to assist in the containment exercise.
2. Assessing the risks
- After the initial assessment of the breach’s severity, Human Resources, Netitude Limited and a Legal TBT Recruitment Director will assess the risks which may be associated with the breach. The purpose of this is to identify potential adverse consequences for individuals, how serious and substantial these are and how likely they are to reoccur.
- Once the scope of the breach has been ascertained, there may be a need to obtain additional information about how and why this happened, the assets affected, the type of incident, its category and priority before putting together a dedicated team to manage the incident, (if appropriate).
- The above is achieved by interviewing the key personnel involved in the breach and their Line Managers, collecting all available information to help determine how the breach occurred, what actions have to be taken, whether outside parties are involved and whether the data subjects have been notified.
3. Notification of breaches
- The objective of any breach investigation is to identify what actions the organisation needs to take to first prevent a recurrence of the incident and second to determine whether the incident needs to be reported to appropriate regulatory bodies. The purpose of the report is to document the circumstances of the breach, what actions have been and will be taken, what recommendations have been made and whether the disciplinary procedure needs to be followed. Not all data protection breaches will result in formal action – this will be assessed on a case-by-case basis.
- In case a large number of people are affected or there are very serious consequences relating to a personal data breach, the ICO will be informed within 72 hours from detection.
- When notifying individuals, TBT Recruitment will give specific and clear advice on the additional steps they can take to protect themselves, also providing all necessary information to ensure that they can contact TBT Recruitment for any further information that might be needed.
4. Evaluation and response
- Key to preventing further incidents is ensuring the organisation learns from it. Following an incident, all stakeholders involved in investigating a data breach will attend a dedicated meeting chaired by Human Resources to evaluate the effectiveness of the response to it.
- Regular review meetings chaired by Human Resources will also take place to discuss “what if” scenarios, put forward recommendations, review and possibly update policies in the light of experience. These recurrent meetings will be attended by key stakeholders across the organisation and outsourced IT provider to consider trends and identify opportunities for improvement.
- Human Resources will be in charge to monitor staff awareness of security issues and look to fill any gaps through dedicated training or tailored advice.
Outline Procedure for Data Breach Incidents
Once a breach has been reported the following actions must be followed by Human Resources, as soon as possible:
- Create an entry in the Incident Log using the information provided by the Reporter
- Create a folder under Data Breaches in the T-Drive
- Start an investigation report and save it in this folder together with any emails/documents relating to the breach
- Prepare report for Breach Review meeting if required
- If required, notification to the ICO must take place
- An initial report for the ICO should also be prepared
- Consideration must be given to notifying the individual(s) affected by the breach. Factors to be considered include:
- Sensitivity of Information
- Volume of Information
- Likelihood of unauthorised use
- Impact on individual(s)
- Feasibility of contacting individual(s)
- Any notification must be agreed by stakeholders connected with the breach, including Legal TBT Recruitment Directors
- Begin investigation and complete report as soon as possible
Regardless of the type and severity of incidents, there will always be recommendations to be made even if it is only to reinforce existing procedures. There are two categories of recommendation that can be made:
- Local – these apply purely to a department affected by the incident and will usually reflect measures that need to be taken to restrict the chances of the same type of incident occurring
- Corporate – some incidents will be caused by factors that are not unique to one department but can be found right across the organisation. Issues such as training, information handling and physical security affect all departments and it is essential that the organisation identifies such risks and puts in place measures to prevent the incident occurring elsewhere.
All recommendations will be assigned an owner and have a timescale by when they should be implemented which has a dual purpose. The first is to ensure that the organisation puts in place whatever measures have been identified and that there is an individual that can report back on progress. The second is that where incidents are reported to the ICO, TBT Recruitment can demonstrate that the measures have either put in place or that there is a documented plan to do so.
This is a recurrent theme of ICO enforcement and it’s important that the organisation’s procedures reflect this. Identifying recommendations is more than just damage control – the knowledge of what has happened together with the impact is a fundamental part of learning which can then be disseminated throughout the organisation.