GDPR Data Protection Policy

1. Context and Overview

1.1 Introduction

Mosaic needs to gather and use certain information about individuals. These can include customers, employees and other individuals the organization has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with good practice and current legislation.

1.2 Why this policy exists

This data protection policy ensures Mosaic:

Complies with General Data Protection Regulation (GDPR) and follows good practice
Protects the rights of staff, customers and partners
Is open about how it stores and processes individuals’ data
Protects itself from the risks of a data breach

1.3 The General Data Protection Regulation

Mosaic seeks to ensure that all personal data is processed in compliance with this Policy and the Principles of the Data Protection Act 1998, AND Data Protection Act 2018 (“UK GDPR). The Freedom of Information Act 2000 and the Protection of Freedoms Act 2012 are also relevant to parts of this policy. Mosaic shall so far as is reasonably practicable comply with the Data Protection Principles to ensure all data is:

Fairly and lawfully processed
Processed only for specific, lawful purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than necessary
Processed in accordance with the data subject’s rights
Secure
Not transferred to other countries, that is outside the European Economic Area (EEA), without adequate protection. See appendix 1.

2. Definitions

2.1 Business purposes

The purposes for which personal data may be used by us:

Personnel, administrative, financial, regulatory, payroll, routine business operations and business development.
Business purposes include the following:
Compliance with our legal, regulatory and corporate governance obligations and good practice
Ensuring business policies are adhered to (such as policies covering email and internet use)
Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting
Investigating complaints
Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
Monitoring staff conduct, disciplinary matters
Marketing our business
Improving services

2.2 Personal Data

Information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers, marketing and processors contacts. Personal data we gather may include: individuals’ contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, photos, passports, and CV.

2.3 Sensitive Personal Data

Personal data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings – any use of sensitive personal data should be strictly controlled in accordance with this policy.

2.4 Scope

The Policy applies to:

The Head Office of Mosaic
All branches of Mosaic
All staff and interns Mosaic
All contractors, suppliers and other people working on behalf of Mosaic

This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff once it has been adopted.

It applies to all data the company holds relating to identifiable individuals, even if that information technically falls outside the Data Protection Act 1998. This can include:

Names of individuals
Postal Addresses
Email addresses
Telephone numbers
Plus, any other information relating to individuals

3. Our procedures

3.1 Data Protection Risks

This policy helps to protect Mosaic from some very real data security risks, including:

Breaches of confidentiality. For instance, information being given out inappropriately
Failing to offer choice. For instance, all individuals should be free to choose how the company uses data related to them
Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data

3.2 Fair and lawful processing

We will process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we will not process personal data unless the individual whose details we are processing has consented to this happening, or processing is necessary for the performance of either their contract of employment or their agreement with Mosaic

3.3 Responsibilities

3.3.1 Everyone

who works for or with Mosaic has some responsibility for ensuring data is collected, stored and handled properly.

Each team and individual that handles personal data must ensure that is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:

3.3.2 The board of directors

is ultimately responsible for ensuring that Mosaic meets its legal obligations.

3.3.3 Data Protection Officer (DPO)

will have overall responsibility for the day-to-day implementation of this policy and more specifically:

To keep the board updated about data protection responsibilities, risks and issues
To review all data protection procedures and policies on a regular basis
To arrange data protection training and advice for all staff members and those included in this policy
To answer questions on data protection from staff, board members and other stakeholders
To respond to individuals such as clients and employees who wish to know which data is being held on them by Mosaic
To check and approve with third parties that handle the company’s data any contracts or agreement regarding data processing

3.3.4 IT services provider

Ensures all systems, services, software and equipment meet acceptable security standards
Checks and scans security hardware and software regularly to ensure it is functioning properly
Researches third-party services, such as cloud services the company is considering using to store or process data

3.3.5 Marketing Manager

Approves data protection statements attached to emails and other marketing copy
Addresses data protection queries from clients, target audiences or media outlets
Coordinates with the DPO to ensure all marketing initiatives adhere to data protection laws and the company’s Data Protection Policy

3.4 Processing data

The processing of all data must be:

Necessary to deliver our services
In our legitimate interests and not unduly prejudice the individual’s privacy
In most cases this provision will apply to routine business data processing activities

Our Terms of Business contains a Privacy Notice to customers, members, employees, contractors and interns on how Mosaic will gather, use, disclose, and manage their personal data. The notice:

Sets out the purposes for which we hold personal data on customers, contractors, employees and interns
Highlights that our work may require us to give information to third parties such as expert witnesses and other professional advisers
Provides that customers have a right of access to the personal data that we hold about them

It can be seen at https://mosaicgroup.org.uk/privacy-policy/

3.5 Sensitive personal data

In most cases where we process sensitive personal data we will require the data subject’s explicit consent to do this unless exceptional circumstances apply, or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.

3.6 Accuracy and relevance

We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

Individuals may ask that we correct inaccurate personal data relating to them. If any member of staff believes that information is inaccurate they should record the fact that the accuracy of the information is disputed and inform the DPO as soon as they are aware of it.

3.7 Your personal data

You must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the relevant department so that they can update your records.

3.8 Data security

You must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the DPO will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third-party organisations.

3.9 General Staff Guidelines and Data Use

The only people able to access data covered by this policy should be those who need it for their work.
Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers
Mosaic will provide training to all employees to help them understand their responsibilities when handling data
Employees should keep all data secure, by taking sensible precautions and following the guidelines below
In particular, passwords must be used, and they should never be shared
Personal data should not be disclosed to unauthorized people, either within the company or externally
Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of
Employees should request help from their line manager or the DPO if they are unsure about any aspect of data protection
When working with personal data, employees should ensure the screens of their computer are always locked when left unattended
Data, when transferred electronically, must always be sent through our secure network and only from MOSAIC’ accounts
Personal data should never be transferred outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relations to the processing of personal data
Employees should not save copies of personal data to their own computers

3.10 Data Storage

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the DPO or COO.

In cases when data is stored on paper or printed paper, it should be kept in a secure place where unauthorised personnel cannot access it
Printed data should be shredded when it is no longer needed
Data stored on a computer should be protected by passwords.
Data must not be stored on CDs or memory sticks
Only store data on the Mosaic Cloud (SharePoint, etc.).
Should they be used, servers containing personal data must be kept in a secure location, away from general office space
Data should be regularly backed up in line with the company’s backup procedures.
Data should never be saved directly to mobile devices such as laptops, tablets or smartphones
Should they be used, servers containing data must be approved and protected by security software and strong firewall

3.11 Data retention

We must retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines. See Appendix 2

3.12 External Processors

Mosaic will ensure that data processed by external processors, for example, service providers, Cloud services including storage, web sites etc. are compliant with this policy and the relevant legislation.

3.13 Secure Destruction

When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.

3.14 Enforcement

If an individual believes that Mosaic has not complied with this Policy or acted otherwise than in accordance with this policy and the GDPR, the member of staff should notify the DPO as soon as they are aware of this.

3.15 Transferring data internationally

There are restrictions on international transfers of personal data. You must not transfer personal data anywhere outside the European Economic Area unless that country or territory has an adequate level of protection for the rights and freedoms of data subjects in relations to the processing of personal data which is recognised by the ICO.

3.16 Data Accuracy

The law requires Mosaic to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets
Data should be updated as inaccuracies are discovered. For instance, if a freelancer can no longer be reached on their stored email, it should be removed from the database.
It is the marketing’s manager responsibility to ensure marketing databases are checked against industry suppression files every six months.

3.17 Subject Access Request

Please note that under the GDPR, individuals are entitled to:

Ask what information the company holds about them and why
Ask how to gain access to it
Be informed how to keep it up to date
Be informed how the company is meeting its data protection obligations

Any subject access request, must be referred immediately to the DPO.

Any data subject wishing to access their personal data should put their request in writing to the DPO by completing the contact form in our site: https://mosaicgroup.org.uk/contact/ Mosaic will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within at least 30 days of receiving the request. Where requests are complex or numerous, Mosaic will be able to extend the deadline for providing the information to three months. However, Mosaic will still respond to the request within a month, explaining why the extension is necessary.

Exemptions

Certain data is exempted from the provisions of the GDPR which includes the following:

National security and the prevention or detection of crime
The assessment of any tax or duty
Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon Mosaic, including Safeguarding and prevention of terrorism and radicalisation

The above are examples only of some of the exemptions under the Regulation. Please see Appendix 3 for the full list. Any further information on exemptions should be sought from the DPO.

3.18 Processing data in accordance with the individual’s rights

You should abide by any request from an individual not to use their personal data for direct marketing purposes and notify the DPO about any such request.

Do not send direct marketing material to someone electronically (e.g. via email) unless you have an existing business relationship with them in relation to the services being marketed. Please note this applies to individuals only and not companies. Please contact the DPO for advice on direct marketing before starting any new direct marketing activity.

3.19 Training

All staff will receive training on this policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.

Training is provided through an in-house seminar on a regular basis and will cover.

The law relating to data protection
Our data protection and related policies and procedures

Completion of training is compulsory.

4. GDPR Provisions

Where not specified previously in this policy, the following provisions will be in effect on or before 25 May 2018.

4.1 Privacy Notice – transparency of data protection

Being transparent and providing accessible information to individuals about how we will use their personal data and how to exercise their rights is important for Mosaic To these ends, the company has a privacy statement setting out how data relating to individuals is used by the company.

4.2 Conditions for processing

We will ensure any use of personal data is justified using at least one of the conditions for processing and this will be specifically documented. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.

4.2 Justification for personal data

We will process personal data in compliance with all relevant data protection principles. We will document the additional justification for the processing of sensitive data and will ensure any biometric and genetic data is considered sensitive.

4.3 Consent

The data that we collect to send newsletters by emails is subject to active consent by the data subject. This consent can be revoked at any time.

4.4 Criminal record checks

Any criminal record checks must be justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject.

4.5 Data portability

Upon request, a data subject should have the right to receive a copy of their data in a structured format. These requests should be processed within 30 days, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done for free.

4.6 Right to be forgotten

A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.

4.7 Privacy by design and default

All data subject interactions and touch points have privacy designed right into them and their default mode is one of compliance. More specifically:

Processing activities will be planned, designed and performed with data security and, more generally, compliant with the GDPR in mind.
By default, only personal data which is necessary for each specific purpose of the processing will be processed.
By default, personal data is not made accessible without the individual’s intervention to an indefinite number of individuals.

4.8 International data transfers

No data may be transferred outside of the EEA without first discussing it with the DPO.

4.9 Reporting breaches

All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:

Investigate the failure and take remedial steps if necessary
Maintain a register of compliance failures
Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures

Please refer to our Information Security Incident Management Policy for our reporting procedure.

4.10 Monitoring

Everyone must abide by the terms of this Data Protection policy. The DPO has overall responsibility for this policy and will monitor it regularly to make sure it is being adhered to.

4.11 Consequences of failing to comply

We take compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action.

If you have any questions or concerns about anything in this policy, please raise them with the DPO by completing the contact form in our site: https://mosaicgroup.org.uk/contact/.

5. Specific information regarding Mosaic Employees

5.1 Introduction

At Mosaic, we are committed to protecting and respecting your privacy. This Policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others and how we keep it secure. Please refer to Staff Squared for further details of our GDPR, Information Security & Data Protection policies.

We will ensure we process your data lawfully and fairly and in a transparent manner, data will only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with that purpose.

Data collected will be relevant and limited to what is necessary in relation to the purposes for which it is processed. We will keep your data accurate and, where necessary, kept up to date. We will make every reasonable step to ensure your personal data records are accurate, having regard to the purposes for which it is processed, and erased or rectified without delay.

Your data will be kept for no longer than is necessary for the purposes for which the personal data is processed. We will process this in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

5.2 How is your information collected and used?

The lawful basis for requesting your personal data is to comply with the Employment Contract, the processing is necessary for us to fulfil our contract with you. We have a legal obligation to provide some of this information to third parties to ensure compliance with the law, for example for auto enrolment and HMRC commitments. Prior to us releasing your personal data we will ensure processing is necessary for your legitimate interests or the legitimate interests of Mosaic.

We obtain information about you when you apply for a position with us, and ultimately when you are appointed. The personal information we collect may include your name, address, email address, employment history, banking, medical information etc.

We will use your information to:

Carry out our obligations arising from any contracts entered by you and Mosaic
Send you communications which you have requested; or
To review your suitability in relation to a job application.

When requesting information from you we will identify the reason for collection of the data and what third party, system or process it will be used for.

5.3 Third Parties

We will not sell or rent your information to third parties; we will not share your information with third parties for marketing purposes.

We may pass your information to our third-party service providers, agents’, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf. However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes.

5.4 Right to rectification & Right of access

The accuracy of your information is important to us. You have the right to have inaccurate personal data rectified. If at any point you believe the information we process on you is incorrect or you wish to verify the lawfulness of the processing of your data you can request to see this information, have it corrected or deleted in compliance to our retention guidelines and/or legal obligations.

If you think the information we hold about you is incorrect we encourage you to allow us to correct it. In the first instance we encourage you to review your personal data held about you. You will be provided with a username and password to our online HR Software Staff Squared giving you access to review and update your records.

The right of access, commonly referred to as subject access request, gives you the right to obtain a copy of your personal data as well as other supplementary information. It helps you to understand how and why you are using your data, and check we are doing it lawfully.

5.5 The Right to Erasure & Retention of Data

Although you have the right to be forgotten, known as the right to erasure, as an employer we have a legal obligation to retain personnel records for a period of 6 years from the ending of your employment. Therefore, we will review your request in its entirety but may not be able to honour the request due to our legal retention period guidelines.

We review our retention periods for data collected and held on a regular basis and in line with Government guidelines. We will hold your personal information on our systems for as long as is necessary for the relevant activity. We will only keep the information for as long as we have a clear business need for it, or to comply with our legal obligation. Once used, it will be disposed of securely.

Information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.

5.6 Data Subject Access Requests (DSAR’s)

Should you submit a DSAR, the Data Protection Act places an obligation on Mosaic to remove information that could identify others within any requested data. It also provides exemptions where the right of access doesn’t apply to requests. An example of what you might receive, should you submit a DSAR, is below:

5.7 Data Breaches

The general data protection regulations require us to secure your personal data. We will protect it against unauthorised or unlawful processing and against accidental loss, destruction or damage. Where we do not comply, and a data breach occurs, we will keep a record of the personal data breach, and where necessary will declare this to the Information Commissioners Office within 72 hours of becoming aware of the breach (where feasible).

If the breach is likely to result in a high risk to your rights and freedoms, we will inform you and all parties without undue delay. We will describe, in clear and plain language, the nature of the personal data breach and, the name and contact details of your Data Protection Officer, a description of the likely consequences of the personal data breach; and a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.

6. Further Information

Further information on the general data protection regulations can be obtained through the ICO website at https://ico.org.uk/.

Our privacy policy can be found at https://www.Mosaic.co.uk/privacy-policy/.

This policy is reviewed annually at Management Review, or where circumstances require it.

Appendix 1

Transfers Abroad – Adequate Standard of Data Protection

No restriction	Restriction
European Economic Area (EEA): All EU members plus Norway, Iceland and Liechtenstein.	Third Countries (a country outside of the European Economic Area) – with exemptions
Third countries in EU’s approved list: Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay, Canada (for organisations that are subject to Canada’s PIPEDA law), the US-EU Safe Harbour is no longer deemed adequate. It has effectively been replaced by the EU-US Privacy Shield.

Appendix 2

Data Retention policy – see separate policy

Appendix 3

Exemptions and restrictions to the Right of Access

Individuals have a right of access to see their personal data. However, the Data Protection Act provides that individuals do not have a right to see information relating to them where any of the following circumstances apply.

If the information is kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing / collecting any taxes or duties: but only in cases where allowing the right of access would be likely to impede any such activities)
If granting the right of access would be likely to impair the security or the maintenance of good order in a prison or other place of detention.
If the information is kept for certain anti-fraud functions: but only in cases where allowing the right of access would be likely to impede any such functions.
If granting the right of access would be likely to harm the international relations of the State.
If the information concerns an estimate of damages or compensation in respect of a claim against the organisation, where granting the right of access would be likely to harm the interests of the organisation.
If the information would be subject to legal professional privilege in court.
If the information is kept only for the purpose of statistics or carrying out research, but only where the information is not disclosed to anyone else, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved.
If the information is back-up data.

Comment: It would be unreasonable to expect an organisation to retrieve back-up copies of its personal information in responding to an access request. However, it should be noted that back-up data is not necessarily the same as old or archived data.