Data Protection Policy
– Summary

Introduction

The primary purpose of current data protection legislation is to protect individuals against possible misuse of information about them held by others. It is the policy of Wyles Hardy & Co to ensure that all customers, clients and its staff are aware of the requirements of data protection legislation in relation to their individual responsibilities.

The Act covers personal data, whether held on computer or in certain manual files.

Wyles Hardy and Co is obliged to abide by the data protection principles embodied in the Act (The Data Protection Act 1998 to include General Data Protection Regulations (EU)2016/679. These principles require that personal data shall:

  1. Be processed fairly and lawfully;
  2. Be held only for the specified purposes and not used or disclosed in any way incompatible with those purposes;
  3. Be adequate, relevant and not excessive;
  4. Be accurate and kept up-to-date;
  5. Not be kept for longer than necessary for the particular purpose;
  6. Be processed in accordance with data subject’s rights;
  7. Be kept secure;
  8. Not be transferred outside of the European Economic Area unless the recipient country ensures an adequate level of protection.

The Act provides individuals with rights in connection with personal data held about them. It provides individuals with the right to access data concerning themselves (subject to the rights of third parties. It also includes the right to seek compensation through the courts for damages and distress suffered by reason of inaccuracy or the unauthorised destruction or wrongful disclosure of data. Information on how to make a request for access to personal data under the Act may be obtained from dpo@wyleshardy.com

Under the terms of the Act, the processing of data includes any activity to do with the data involved. All staff or other individuals who have access to, or who use, personal data, have a responsibility to exercise care the treatment of that data and to ensure that such information is not disclosed to any unauthorised person. Examples of data include but are not limited to:

  • Address lists
  • Contact details
  • Individual files

Any processing of such information must be done in accordance with the principles outlined above. In order to comply with the first principle (fair and lawful processing), at least one of the following conditions met:

  • The individual have given his or her consent to the processing;
  • The processing is necessary for the performance of a contract with the individual;
  • Processing is required under legal obligation;
  • Processing is necessary to protect the vital interests of the individual;
  • Processing is necessary to carry out public functions;
  • Processing is necessary in order to pursue the legitimate interests of the controller or third parties (unless it could prejudice the interests of the individual).

In the case of sensitive personal data, which includes information about racial or ethnic origins; political beliefs; religious or other beliefs; trade union membership; health; criminal allegations, proceedings or convictions, there are additional restrictions and explicit consent will normally be required.

In relation to security (Principle 7), the Data Controller (Wyles Hardy & Co) must take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data. Staff and other individuals should be aware that guidelines and regulations relating to the security of manual filing systems and the preservation of secure passwords for access to relevant data held on computer should be strictly observed.

Staff should also note that personal data should not normally be provided to parties external to the Company. Special arrangements apply to the exchange of data between the Company and Clients. For further guidance on this please contact Terry Madden.

Under Principle 8, which restricts the transfer of material outside the European Economic Area, personal data about an individual placed on the world wide web is likely to breach the provisions of the Act unless the individual whose data is used has given his or hers express consent. It is important that all those preparing web pages, address lists and the like, are aware of these provisions. If in doubt please speak to Terry Madden.

A failure to comply with the provisions of the Act may render the Company, or in certain circumstances the individuals involved, liable to prosecution as well as giving rise to civil liabilities. Individuals are encouraged to familiarise themselves with the general aspects of Data Protection, for further information please speak to Terry Madden.