Woodhart Group Privacy and GDPR Policy
Here at the Woodhart Group Limited including Woodhart Carpentry, Woodhart Construction and Woodhart Lofts & Extensions (WHG) we want you to be absolutely confident that we are treating your personal data responsibly and that we are doing everything we can to make sure that the only people who can access this data have a genuine need to do so.
This notice details why we collect your personal data and what we do with it in accordance with the General Data Protection Regulation (GDPR).
This document is divided into the following sections:
- Your Data
- Data Retention Policy
- Data & Privacy Protection Policy
- Your Rights
- Data Breach Policy
Your Data
- We never divulge data to 3rd parties unless they are paid consultants used in the operations of this company and to provide the services requested.
- Before providing services, we will ensure all clients sign a Woodhart Group engagement agreement or have agreed through our website contact us form. In this document consent will be sought to hold your information which enables us to provide our service, along with permission to contact you for account management purposes. We will not provide any service without a signed consent form. For clients that we have engaged prior to the implementation of GDPR, we will seek consent from all current clients, although we accept this will take some time to complete.
- A digitally scanned copy of a signed agreement will be stored in the client project files on our secure server.
Website
- We do have a website with an enquiry form to gather basic contact information, with consent permissions included. This meets the legal requirements of GDPR in relation to consent and will be deleted after 90 days.
Sales & Marketing
- We will never use your data for sales and marketing.
Recruitment
- As part of our recruitment activities, we gather CVs from agencies or online portals. These include personal data and are used to identify potential candidates to interview. If we invite someone in for an interview, we also request a copy of any professional qualifications and relevant ID as proof of their entitlement to work in the UK. These are retained in line with the Data Retention Policy.
Data Retention Policy
- All data held and processed by the company can be divided into different categories and sub categories. This table breaks down where and how this data is stored and the relevant retention policy we hold:
Data Category | Sub Category | Description | Stored Where | Who has access | Why do we store it | Retention Time Policy | Action to be taken at the end of the period |
---|---|---|---|---|---|---|---|
HR | Job Applicants (Non Successful) | CV & Notes | Paper & Public Folder Email | Managers & Directors | Recruitment Purposes | 3 Months | Scheduled shredding of paper records and email archive. |
HR | Job Applicants (Interviewed) | CVs, ID & Notes | Paper & Email | Managers & Directors | Recruitment Purposes | 6 Months | Scheduled shredding of paper records and email archive |
HR | Employed Staff | CVs, Contact details, General HR Files, Payroll details, copy of driving licence, passport | Paper (locked filing cabinet), electronic files on server | Office admin Manager, Directors | Essential employment record keeping | 7 Years | Scheduled shredding of paper records and email archive. |
HR | User Account | Network User | Computer server network | Admin, Managers, Directors | Encrypted active directory (Server) | 3 Months | Password is reset upon departure of the staff members |
Accounts | Accounts | Trading accounts | Safe, safe backup on secure encrypted server | Admin Office Manager, Directors | HMRC requirements | 7 Years | Scheduled maintenance of Safe to clear older records, shredding of expired paper records |
Accounts | Accounts | Supplier | Sage, sage backup on secure encrypted server Paper | Admin Office Manager, Directors | Suppliers often used again, Labour force can be seasonal. | 7 Years | Scheduled maintenance of Safe to clear older records, shredding of expired paper records |
Misc Client Data | General Office | General Emails, Letters, paperwork | Exchange Email, encrypted server | Mailbox owner, Directors | An audit trail for all company email communications, retained for legal reasons. | 10 Years | Automated Scheduled deletion of all company emails that are in excess of 10 years old. |
Sales | Sales | Contact details, quote records | Email, encrypted server | All Staff | To track our sales progress. | 10 Years | Automated Scheduled deletion of all company emails that are in excess of 10 years old. |
Client Data | Website | Contact Details | Contact Database in website | Website Design Company, Directors | To collate details of website enquiry forms | Maximum of 9 months. | Delete record from website history. |
Data & Privacy Protection Policy
We will take all reasonable steps to protect data that we hold, including backups, anti-virus, encryption, software security, complex passwords and physical access. Here is a breakdown of how we protect the data we hold:
Local Backups
We make a daily backup onto our in-house local encrypted server.
Cloud Backups
We make a daily backup of all user and client data which is stored on our servers, and this is stored on a UK based cloud backup server. The backup is encrypted.
Anti-virus
We use McAfee Internet Security / Bitdefender, which is on an annual rolling renewal. This also carries out a full network scan.
Email Security
We use in the cloud via Microsoft / Giacom, when they hit our local PCs they are inspected via the anti-virus on the device.
Passwords
All of our user network passwords must meet a minimum complex structure.
Mobile Devices
All mobile devices with access to our systems will have an enforced PIN code protection policy. (We can erase the content of any phone remotely.)
Firewall
We have and maintain a hardware firewall on our router and also on our PCs/Macs. All are turned on and enabled.
Wireless network
Our company wireless network is secured with the current best encryption method with an encryption key.
Software updates
We will endeavour to install all software updates as soon as we are aware they exist. All Operating System updates are regularly installed as part of our Microsoft software management system.
Physical access
Our offices are protected by an intruder alarm, and access control is implemented and monitored on the main front/back doors as well as our internal sensitive areas. Members of staff have a unique alarm code.
Hardware security
When computers are decommissioned, we employ a secure company to dispose of them responsibly.
Data Transmission Policy
On occasion we have to transmit/share personal data, such as names and addresses, in order to carry out our services or provide payroll solutions. Whenever possible this is done via our anti-virus email hosting system or authorised persons.
Your Rights
You have the following rights in respect of our processing of your personal data:
- To access your personal data and information about our processing of it. You also have the right to request a copy of your personal data.
- To rectify incorrect personal data that we are processing.
- To request we erase your personal data if:
  - We no longer need it
  - We are processing your personal data by consent and you withdraw that consent
  - We no longer have a legitimate ground to process your personal data, or
  - We are processing your data unlawfully
If you want to exercise any of these rights, please contact us on 01273 539124 or email reception@woodhart.co.uk.
Data Breach Policy
In the event of a breach being detected, we will take the following action:
Level One: A virus infection
Definition – A virus or malicious software infection is detected.
Action – All computers will be scanned for viruses, and malicious software. If a computer cannot be cleaned to a satisfactory level, we will wipe the computer and rebuild from scratch. If no proof is found of personal data leaving our network, no further action will be taken.
Level Two: A breach of our AD security
Definition – Proof that our Active Directory (network username and password system) has been breached, either electronically or by a person.
Action – All user passwords will be reset. Reset all wireless passwords. Scan entire network with Trend. Scan all devices with our anti-malicious software tools. No further action will be taken if there is no evidence that data has been stolen.
Level Three: A breach has occurred and evidence exists that any of our data has been stolen.
Definition – Evidence has been found that suggests data has been stolen.
Action – Reset all passwords. Reset all wireless passwords. Scan entire network with Trend. Scan all devices with our anti-malicious software tools. Report the case to the Information Commissioner's Office (ICO).
WHG is registered with the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Any queries from WHG staff, consultants/suppliers or customers should be directed to the Managing Director.
I consent to you holding my data in accordance with the above policy and GDPR.