Privacy Statement

Perrett Laver Ltd – Public Facing Privacy and Data Protection Statement

January 2022

1) Introduction

Perrett Laver needs to keep, process and store certain personal data and sensitive personal data, for example about staff, clients and candidates, in order to fulfil its purpose. Under the provisions of the Data Protection Act 2018, which came into force on 1 March 2000, Perrett Laver has a legal duty to ensure that this personal information is collected and used fairly, stored safely and not disclosed to any other person or organisation unlawfully. The purpose of the Act is ‘to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy’ and in doing so it also provides data subjects (i.e. individuals about whom personal data/sensitive personal data is processed) increased protection through express new rights.

2) Scope

The aim of this policy is both to ensure that all staff are aware of their particular responsibilities in relation to the Data Protection Act 2018 and its associated codes of practices; and to inform relevant parties how Perrett Laver complies with the legislation. It is also to minimise the risk of Perrett Laver breaching the Act; thereby potentially damaging valued relationships with staff, clients and candidates as well as its reputation. 

This policy covers all personal data and sensitive personal data held in electronic format or in relevant manual filing systems that are processed by Perrett Laver. 

It applies to all individuals working for Perrett Laver in whatever role. This includes permanent and contracted staff, as well as temporary employees; interns etc.

The security of information held by Perrett Laver is governed by Perrett Laver’s Information Security Policy, to which you should also refer.

This policy does not form part of any employee’s contract of employment and it may be amended at
any time.

3) Definitions

Under the terms of the Act:

• “Data” is information which is stored electronically or in relevant manual filing systems.
• “Electronic” format means data held as Word documents, e-mails, in databases etc.
• “Relevant manual filing systems” means a filing system in which information about individuals is readily available. For example, files ordered alphabetically by name or by which there is another point of access (reference number system etc.). It does not apply to incidental references to individuals in files structured by reference to topics not relating to those individuals.
• “Personal data” means information about a living person who can be identified from that information. Personal data can be factual (such as a name or address) or it can be an opinion (such as contained in an appraisal).
• “Sensitive personal data” is a subset of personal data and subject to tighter controls on its processing. It includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission or, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings.
• “Data controllers” are the people or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They have a responsibility to establish practices and policies in line with the Data Protection Act 2018. Perrett Laver and the Directors are joint Data Controller of all personal data used in our business.
• “Data processors” include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include any suppliers which handle personal data on our behalf.
• “Data subject” means the individual about whom the personal data/sensitive personal data is held.
• “Data users” include employees whose work involves using personal data. Data users have a duty to protect the information they handle by following our Data Protection and Information Security policies at all times.
• “Processing” means obtaining, holding, organising, retrieving, altering, erasing, destroying, transferring to third parties etc. In fact any activity concerned with the data constitutes processing.

4) Legal Basis

The Company’s responsibilities in relation to data protection are determined by the Data Protection
Act (2018).

5) Statement of Principles

Perrett Laver is committed to the eight Data Protection Principles contained in the Data Protection Act 2018. These represent the minimum standards of practice for any organisation with respect to personal data/sensitive personal data and state that it must be:

1. processed fairly and lawfully:
• For lawful processing, certain conditions have to be met. These may include requirements that the data subject has consented to the processing or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, more than one condition must be met. In most cases, the data subject’s explicit consent to the processing of such data will be

2. obtained only for the purposes specified and shall only be processed for those purposes:
• Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the Data Protection Act 2018. If it becomes necessary to change the purpose for which the data is processed, the data subject should be informed of the new purpose;

3. adequate, relevant and not excessive for the purpose for which they are processed:
• Personal data should only be collected to the extent that it is required for the specific purpose notified to the data subject. Any data which is not necessary for that purpose should not be collected;

4. accurate and kept up to date:
• Steps should be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterward. Inaccurate or out-of-date data should be destroyed;

5. kept for no longer than is necessary:
• Personal data should not be kept for longer than is necessary for the purpose. This means that data should be destroyed or erased from our systems when it is no longer required;

6. processed in accordance with the rights of data subjects under the Data Protection Act 2018:
• Data subjects have the rights as set out in paragraph 6 below;

7. protected against unauthorised or unlawful processing of personal data/sensitive personal data and against accidental loss or destruction of, or damage to, personal data/sensitive personal data:
• We must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. We have put in place procedures and technologies to maintain the security of all personal data and these are set out in the Information Security Policy. All data users should ensure they are fully aware of these procedures and comply with them at all times;

8. not transferred outside the European Economic Area without adequate protection:
• Personal data may only be transferred outside the EEA if certain requirements are satisfied to ensure that the personal data is protected. In these circumstances, please refer to the Data Protection Officer for additional guidance,

6) Rights of Data Subjects

• Any individual data subject has the right to ask what personal data/sensitive personal data Perrett Laver holds about them and why this is being held.
• If any such information is held, an individual data subject also has the right, on request:
a) to see any personal data/sensitive personal data that is being kept about them on computer, and
also to have access to paper-based data held in relevant manual filing systems;

b) to be informed of the purposes for which the personal data/sensitive personal data is processed by

(c) to be informed as to how to get the information updated or amended;

(d) to be informed as to any regular or possible recipients of the information.

• Any person who wishes to exercise this right should make the request in writing to the Data Protection Officer. If a subject access request is received by any other member of staff it should be forwarded to the Data Protection Officer. A fee is payable by the data subject for provision of this information.
• Perrett Laver will comply with requests for access to personal information as quickly as possible. In compliance with the law, this will always be within 40 calendar days of receipt of a request.
• As well as a right of subject access, individual data subjects may, in certain circumstances, have other rights under the Data Protection Act 2018, including the right to have inaccurate information corrected. The Data Protection Officer should be informed if a request to exercise this right is received.

7) Responsibilities

• The Directors of Perrett Laver (as well as Perrett Laver itself) are joint Data Controllers.
• The Chief Operations Officer is the Company’s Data Protection Officer. The Data Protection Officer is accountable and responsible for overseeing all Data Protection activities and promoting compliance throughout the Company.
• The Heads of Functions in conjunction with the Chief Operations Officer will ensure that appropriate guidance and training on compliance with the Data Protection Act 2018 is made available to all staff engaged in the processing of personal data/sensitive personal data.
• All staff who process personal data/sensitive personal data in the course of their work are responsible for ensuring compliance with the legislation and this policy document in their area. It is their responsibility to be aware of the terms of the Data Protection Act 2018 and to raise any concerns about how personal data/sensitive personal data is collected and managed in their area with their Head of Function. Perrett Laver will ensure they are given appropriate training to fulfil this responsibility.

8) Procedures

Perrett Laver provides training for all new members of staff. This policy and the Information Security Policy are available on Perrett Laver’s staff network drive, and available in hard copy at all times from the Chief Operations Officer.