Data Protection Policy
Principal Mailing Solutions must hold and use certain information on living individuals to carry out its work and also to carry out various administrative functions both statutory and work related. The holding of this personal data, whether held on computers, paper or other media, is governed by the Data Protection Act 2018. Principal Mailing Solutions endorses and complies with the data protection principles of the Act:
Fair, lawful and transparent processing
We will process personal data fairly and lawfully and will fulfil our obligation to tell data subjects what their personal data will be used for. We will ensure that we have a lawful basis for the processing of all personal data.
We will only process the personal data that we need, in order to achieve our processing purposes. Personal data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which that data is processed.
There are obvious risks to data subjects if inaccurate data are processed. As a controller of certain data, we are responsible for taking all reasonable steps to ensure that personal data is accurate. Every reasonable step will be taken to ensure that if personal data is found to be inaccurate, it is either erased or rectified without delay.
Storage limitation (Data retention periods)
We will not retain personal data for longer than necessary in relation to the purposes for which it was collected.
Data security (Integrity and Confidentiality)
We will ensure we take all practicable measures to secure personal data, both against external threats (e.g., malicious hackers) and internal threats (e.g., poorly trained employees).
Personal data will be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We will ensure the enforcement of the Data Protection Principles. This means we must demonstrate that the six Data Protection Principles (outlined above) are met for all Personal Data for which we are responsible.
The company will observe the Data Protection Principles and expect all those who work for it either as staff or suppliers to observe these principles in obtaining, handling, processing, transporting and storing personal data.
The company will produce and maintain a data protection manual for staff incorporating instructions and guidance to ensure that they can comply with the Act. Any failure to comply with the instructions in the manual will be regarded as a disciplinary issue, and any breach of the Data Protection Act, whether deliberate or through negligence, may lead to disciplinary action and possibly criminal prosecution.
The company has identified under ICO guidance that we are not required to appoint a Data Protection Officer, as we are not a public authority or body, our core activities do not include regular and systematic monitoring of individuals on a large scale, and we do not process any special categories of sensitive personal data.
The company will carry out an annual audit to ensure that the policy is being complied with and that the policy is updated when necessary. Other ad hoc audits may happen if any breach of the policy is discovered. Any breach of the policy will be reported immediately to the Managing Director, Phil Brooks, for immediate action.
The company will provide training on compliance with the Data Protection Policy to existing staff and to new staff within one month of their joining the company.
The company will ensure that personal data is physically protected against loss or damage whether it is machine readable or on paper or other media.
Staff members are responsible for ensuring that any personal data they hold is kept securely. They must also ensure that they do not disclose personal data, either orally or in writing, to any unauthorised third party. Staff members are responsible for checking that any personal data that they provide to the company is up to date and for informing the company of any changes to information that they have provided (e.g. change of address). They are also responsible for checking any information that the company may send out from time to time giving details of information that is being kept and processed. If, as part of their job, staff collect information about other people, then they must comply with the Data Protection Policy and also follow the Data Protection Manual.
Data Subject Requests
The Company has an established system to enable and facilitate the exercise of Data Subject rights related to:
- Information access
- Objection to Processing
- Objection to automated decision-making and profiling
- Restriction of Processing
- Data portability
- Data rectification
- Data erasure
If an individual makes a request relating to any of the rights listed above, the Company will consider each such request in accordance with all applicable Data Protection laws and regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature.
All requests received for access to, or rectification of, Personal Data will be logged as each request is received. A response to each request will be provided within 30 days of the receipt of the written request from the Data Subject. Appropriate verification must confirm that the requestor is the Data Subject or their authorised legal representative. Data Subjects shall have the right to require the Company to correct or supplement erroneous, misleading, outdated or incomplete Personal Data.
If a data subject wishes to make a complaint, or if they think their data has been misused or held without being kept secure, they should contact Principal Mailing Solutions and report it. If they are unhappy with the response, they should contact the ICO.
Principal Mailing Solutions undertakes to securely shred any returned mail not required by a client.
Data is stored securely with limited access and is only processed off-site or by a third party where specific approval is gained. Data transferred to a third party for the purposes of supporting the mailing job is protected through encryption; data is disposed of after 40 days by an automatic program on the Principal Mailing Solutions server. Industry-leading firewall and antivirus software is used for network protection. All external remote access is blocked via a whitelist policy.
Law Enforcement Requests & Disclosures
In certain circumstances, it is permitted that Personal Data be shared without the knowledge or Consent of a Data Subject. This is the case where the disclosure of the Personal Data is necessary for any of the following purposes:
- The prevention or detection of crime
- The apprehension or prosecution of offenders
- The assessment or collection of a tax or duty
- By the order of a court or by any rule of law
Roles and responsibilities
Managing Director – significant role within the company. Maintains full responsibility over their respective departments such as Finance, Marketing and Sales. Also handles payroll and therefore sensitive employee information such as account details.
General Manager – senior role which involves overseeing the production of goods and/or provision of services, making sure the organisation is running as well as it possibly can, with a smooth, efficient service that meets the expectations and needs of customers and clients with regard to the processing of data.
Data Processing Manager – to provide high standards of customer service, working with customer data and supplying live proofs to customers for approval. Responsibilities include:
- Supplying data checks for clients, working closely with Royal Mail / DSA providers to make sure all mailings go out correctly and smoothly
- Ensuring the correct checks are followed within the print room
- Managing all printers and staff within the print room
- Data checks, as per company policies
This policy is issued under the authority of Phil Brooks, Company Director.
Issued 18th April 2018. Reviewed on 16th April 2020.