Privacy Policy
Overview
This Privacy Policy is set out to comply with the General Data Protection Regulation (GDPR) 2016, which has been in force since 25th May 2018. This notice applies to, and is between, all Directors and Employees of Underhill Project Controls (MILESTONE) and Clients of MILESTONE. The Policy is relevant to our use of all data collected by us or provided by you in relation to your association with MILESTONE.
Scope
The Policy sets out how we collect and process information, the main principles set out by the EU in GDPR, the responsibilities of our company and our staff, the compliance of our clients and the companies we work with, and the storage and monitoring of information.
Please read carefully.
Collection and Processing:
Any information that is submitted by email, print or written word to MILESTONE as a company is data. This Policy pertains to personal data, which may include: name, e-mail address, CV, skills, certificates, age and date of birth, and more sensitive data which may include financial details, medical condition, job title, marital status, race/ethnicity, nationality, behavioural reports, commission of offences or any proceedings or outcomes pertaining to such offences. This list is not exhaustive; however, the data we hold will be limited to that required by law and in accordance with contractual agreements.
The Data Subject is the individual whose personal data is kept on file by the company, for reasons that are accessible, transparent and adherent to the law. This includes contracts, staff details, current and past correspondence relating to work and the relationship between MILESTONE and the subject, and the subject's contact details – be they personal or within the company they work for.
The Data Controller is the Senior or designated staff member, public body, agency or legal person who is in control of what the data is used for, who receives what information, and what information needs to be collected for use or storage, as determined by law.
The Data Processor is the designated staff member, public body, agency, processing tool or legal person, chosen by the Data Controller, to process the personal data for assessment and research, and to analyse data usage, effect and impact, as determined by law.
Processing is any operation or series of operations performed on personal data, whether by an individual or by automated means/third party, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, distribution or circulation, or otherwise making it available, restriction, erasure and destruction.
This Policy applies to all employees, who must familiarise themselves with this policy and comply with the terms herein. This Policy is in support of our other policies which relate to personal data. We may further supplement or amend this policy, with additional policies or guidelines. Any new or modified policy will then be circulated to staff before being adopted. Mick Underhill and Sally Calverley, the Directors, act as Data Security Management, and have overall responsibility for the day-to-day implementation of this Policy and can be contacted for further information.
Principles
MILESTONE will comply with the main principles of data protection set out by European Union GDPR, and will make every effort to stay within the guidelines and adhere to the following principles:
Collection of Data must be fair, lawful and the company must be transparent about the data used
Data collected must be for a purpose
Data must be accurate and kept up to date
Data must be retained for the correct amount of time – 6 years is the legal requirement
Data must be stored securely and safely
Accountability and Transparency:
MILESTONE will ensure accountability and transparency in the use of all personal data. We will closely adhere to the 6 lawful bases. This will be kept up to date, amended where needed, and approved by the Data Security Manager (DSM). MILESTONE will also comply with data protection laws and the accountability and transparency principles of GDPR. MILESTONE understands our responsibility to ensure that GDPR obligations are met by full implementation of all technical and organisational measures, maintenance of up-to-date and relevant documentation on all processing activities, and implementation of measures to ensure privacy by design and default. This will include keeping data to a minimum, transparency, accessibility upon request, monitoring of processes, creating and improving security, and privacy procedures being monitored, updated and adhered to on an ongoing basis.
Fair and Lawful Processing; Lawful Bases:
According to the first principle of fair and lawful processing, MILESTONE will not process data unless the individual whose details we are processing has given us consent to do so. We have a legal obligation under the GDPR regulations to gain clear consent in order to comply. The processing of data must be necessary and legitimate to the interests of the business, must not compromise the rights of the Data Subject, and must pertain to a task regarding the business that the MILESTONE DSM has assessed as necessary to the business. The processing may take place for a specific purpose: to enter a contract; due to a legal obligation; vital interest – protection of the Data Subject’s life or for medical reasons; public function – public interest or a function that has a clear lawful basis; or legitimate interest – although this can be overridden if there is a good reason for the protection of the subject’s data.
Responsibilities
Ours. MILESTONE as a Company:
Analyse and document the type of personal data we hold. Check procedures to ensure they cover all the rights of the individual. Understand and comply with the lawful bases for processing data. Ensure that consent procedures are lawful. Implement and review procedures to detect, report and investigate personal data breaches. Store data safely and securely. Assess the risk to individual rights and freedoms should the data be compromised.
Yours. The Data User/Processor:
Fully understand your data protection obligations. Check that any data processing you are dealing with complies with the MILESTONE policy and that the action is justified. Use data ONLY in a lawful way. Store data correctly so that your actions do not breach our policies or data protection laws. Comply with the policy at all times. Show that we have been given consent by the individual to process and store their data. Report any concerns without hesitation.
The Data Security Management:
Keep the appropriate staff, users and processors up to date about data protection, responsibilities, risks and issues. Carry out regular reviews. Arrange training for staff members and those included in this policy. Answer questions on data processing, storage and protection. Deal with requests and questions from employees and clients on what data we hold on them. Regularly check any third parties, the approvals needed and agreements on data protection.
IT, Marketing and making contact:
Ensure all systems, services, software, equipment and processing tools meet security standards. Check security hardware and software to make sure it is functioning correctly, and research third-party services and tools that the company is considering using for processing or storage.
Marketing:
Approve data protection statements attached to emails and other marketing copy. Address data protection queries from clients, target audiences or media outlets. Coordinate with the DSM to ensure all marketing initiatives adhere to data protection laws and the company’s Data Protection Policy. All data will be stored and secured safely and within the parameters of IT responsibilities.
The Client and the Rights of the Individual:
MILESTONE will ensure that, when given consent, any personal data we process is accurate, adequate, relevant and not excessive, and processed only in the way the consent has been given. We will only process data in another way and for another reason if the client has given us their express and clear consent to do so. An individual or client may ask us to correct personal data that is inaccurate; if they believe this to be the case, they can report it to the DSM.
The Client should have clarity on what their information is being used for and have access to the information held on or about them. The Client may put any restrictions in place on use of personal data, unless the data usage is determined by law. They have the right to portability of the data for their own usage, and the right to object to being processed and to receiving direct marketing.
Every individual on whom MILESTONE holds data must have given clear consent for the data to be collected, stored, processed and used, by a positive ‘opt in’ option. We may gather information via various methods, e.g. verbally, by email or telephone, or through data capture and enquiry forms on our website. We will not gather data from persons under the age of 16. Consent must be actively given and clearly understood and must be separate from entering into a contract; each area needing consent must be unbundled and presented separately. Every individual also has the right to be forgotten and the right to erasure, deletion and destruction of any personal data held and stored by MILESTONE.
Storage of Data
Personal and sensitive data will be stored in a secure place if printed on paper, where only authorised personnel can gain access. Data stored on computer will be protected by passwords. These are regularly updated. No personal data is stored on CDs or memory/USB sticks. Each employee has access to USB sticks; however, these are used for planning purposes only, such is the nature of the business.
Cloud and online storage is approved by the DSM, and administration files for employee information and contact purposes are accessible only by the Data Controllers/DSM and the Administrator. Data is not saved directly to any laptop or mobile device. We do not use external servers to store personal data. All data controllers and processors will operate a clear desk policy, with all sensitive data stored securely to prevent unauthorised access. As a company we use third-party data processors for mailing and contact purposes. These lists are stored safely and password protected, are for our use only, and cannot be used for any reason other than as a storage facility for MILESTONE. If we were to shut down or request that our account be closed, all data would be erased as part of the right to erasure.
Data should be held for up to 6 years according to legal guidelines. Information held will be documented by what form it is in and where it is held. This also includes the portable laptops in the office. All individuals have the right to access data and information that MILESTONE holds on them. An individual can exercise the right to be forgotten, wherein all copies of data – hard and soft – must be destroyed, unless otherwise defined by law.
Acceptable Usage Policy:
The MILESTONE Acceptable Use Policy covers the security of all MILESTONE information and IT equipment. It also includes the use of email, internet, voice and mobile IT equipment. This policy applies to all MILESTONE employees, contractors, agents and third parties.
Transferring Data Internationally:
There are restrictions on transferring data internationally. We will not transfer personal data abroad, or anywhere outside of normal rules and procedures, without the express permission of the DSM. The database is stored by a third-party processing tool. Sometimes the database we have for marketing may be processed in the United States, which is fully compliant with the Privacy Shield Framework, and therefore protected.
Subject Access Requests:
An individual has the right to receive confirmation that MILESTONE is processing their data, and this information can be provided in a privacy note upon request and free of charge. The information will be provided in a commonly used electronic format and should be supplied by the end of one month after the request is made. If this period needs to be extended, it will be at the discretion of the DSM. We can refuse a request for access to personal data and, in some cases where the request is unfounded, charge a nominal fee. If a request is made, we will provide the information as it is and not make any changes to the data stored; it is a criminal offence to do so.
Data Portability Requests:
We will provide the data requested in a commonly used format, e.g. a CSV file or similar, and will do so by the end of one month after the request is made. It can be provided to the individual or to the data controller to which they have requested it be sent. The permission of the Data Protection Officer (DPO) is needed to do this.
Right to Erasure:
An individual has the right to erasure and for processing to cease if: the personal data is no longer relevant in relation to why it was first collected/processed; consent is withdrawn; the individual objects to processing and there is no overriding or lawful reason to continue processing; the data was unlawfully processed or breached the data protection laws; or erasure is required to comply with a legal obligation.
MILESTONE can refuse to comply in order to exercise the right to freedom of expression and information, to comply with a legal obligation, for public health purposes in the public interest, in the interest of health and safety, for archiving/research/historical purposes in the public interest, or for the exercise or defence of legal claims.
The Right to object:
Individuals have the right to object to their data being used, and MILESTONE shall cease processing unless we have legitimate grounds that override the rights, freedoms and interests of the individual, or the processing relates to the establishment, exercise or defence of legal claims. Any individual we wish to collect and store data on will be informed at the first point of communication.
The Right to restrict automated profiling or decision making:
We may only carry out automated profiling or decision making on an individual if it is necessary for entry into or performance of a contract, we have the explicit consent of the individual, or we are authorised by law. If this is the case, we shall give the individual detailed information about this process and offer advice on how to request human intervention or challenge any decisions made.
Use of Third-Party Controllers and Processors:
As a data controller and a data processor, the databases of client, colleague, business contact and friend details that we hold and use are storage, marketing and list tools. These storage tools are accessed only by MILESTONE and are password protected. As a data controller, we must only appoint processors who can provide sufficient guarantees under GDPR that the rights of the subjects will be protected and respected. The marketing list/database we store consists of contacts that have been gathered over time; we have not bought or procured lists in any other way. We hold on file the Privacy Policies and Data Protection Regulation information of said companies, which clearly state their compliance with GDPR.
Website compliance:
The MILESTONE website includes a contact page where people can input their details to obtain information or a call back. The contact information collected is kept in the website platform and relayed to the Directors’ inbox. Depending on what is required, we may then process the information and store it for future communication if appropriate. The platform providers are GDPR compliant.
Criminal Offence Data – Criminal Record Checks (DBS):
Any criminal record check is lawfully justified. A check cannot be carried out solely on the consent of the subject. To enter Military and Restricted areas, the employees at MILESTONE are checked, and the outcome is kept on file by “The Military”. Our staff have previously consented, and consent is on file, for us as a company to share personal data with the Military for this express purpose. Data relating to criminal records is a separate and special category, and as such MILESTONE does not keep a list of criminal offence data on our employees.
Data Audits:
Where data is held, how it is processed and how it continues to be stored will be regularly reviewed, passwords checked, and contacts added or deleted. Our mailing list has an unsubscribe option that can be used at any time, after which the subscriber's details are erased from the system entirely. Regular audits of this system will manage and reduce the risk of any breaches.
Monitoring:
All employees must observe this policy. The DSM has overall responsibility for this policy, and those who collect, handle and process the data must take great care to stay within Data Protection guidelines. The DSM must be notified of any breaches of this policy. MILESTONE will comply with this policy fully and at all times.
Training:
When training is required for understanding of GDPR legislation, data collection and processing, storage, equipment, breaches, erasure or any further facets of GDPR, it is understood that this training will be offered to and undertaken by employees who have a role in Data Protection. A gap analysis shall be carried out by the DSM to identify any areas in which individuals might need additional training.
Breaches:
Under the Data Protection Act 2018, we, as a small business processing solely for accounts and record keeping, advertising, marketing and PR, and staff administration, do not need to be registered with the Information Commissioner's Office (ICO); however, we should notify them if a data breach happens – this is a duty introduced to comply with GDPR. If a breach happens, we have a legal obligation to report it to the ICO within 24-72 hours. All employees have a duty to report actual or potential compliance failures; a register of any such failures should be kept. Any employee who fails to notify of a breach, or who is found to have known of or suspected that a breach has occurred but has not followed the correct reporting procedures, will be liable for disciplinary action. The maximum amount chargeable for a data breach is 20M Euros or 4% of the annual turnover of MILESTONE.
Failure to comply:
It is of the utmost importance to us that this policy is followed and fully complied with. Failure to comply puts MILESTONE as an organisation, our business contacts and clients at risk. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action, and under our procedures this may result in dismissal.
If you have any questions, concerns, or need further clarification on any of the above points in this policy, please do not hesitate to contact the DSM.
Company Name: Underhill Project Controls Limited Trading as MILESTONE
Signatures:
Name: Mick Underhill / Sally Calverley
Position: Director / Director
Issue: Issue 07
Date: April 2024 / April 2024
