DATA PROTECTION POLICY

INTRODUCTION

AAA is fully committed to and compliant with the requirements of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018). In accordance with these regulations, AAA is committed to transparency with regard to how it collects and uses personal data and to meeting its data protection obligations.

AAA regards the lawful and correct treatment of Personal Data as essential to its successful operations and to maintaining confidence between the company, its employees, clients and temporary workers. The company will therefore ensure that it treats Personal Data lawfully and correctly. To this end the company fully endorses and adheres to the Principles of the DPA 2018.

AAA is registered in the register of data controllers with the Information Commissioner's Office (ICO) and this registration is renewed on an annual basis.

This Data Protection Policy sets out our commitment to data protection, and individual rights and obligations in relation to personal data.

AAA has appointed Kenny Lang as its Data Protection Officer (DPO), whose role is to inform and advise the organisation on its data protection obligations. He can be contacted via the AAA head office. Any questions about this policy, or requests for further information, should be directed to the Data Protection Officer.

DEFINITIONS

"Personal data" is any information that relates to a living individual who can be identified from that information.

"Processing" is any use that is made of Personal Data, including collecting, storing, amending, disclosing, destroying or disposing of it.

"Special categories of personal data" means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and biometric data used for identification purposes.
"Criminal records data" means information about an individual's criminal convictions and offences, and information relating to criminal allegations and proceedings.

SCOPE OF THE POLICY

In order to operate efficiently, AAA has to collect and use information about the people with whom it works. Personal Data must be handled and dealt with properly however it is collected, recorded and used, whether on paper, in computer records or by any other means, and there are safeguards within the GDPR to ensure this.

All employees are required to comply with this policy when dealing with other employees, temporary or agency staff, consultants, work seekers, clients, suppliers, customers and contacts of the Company, and anyone else with whom they come into contact during their employment. All employees are made fully aware of this policy and of their duties and responsibilities under the GDPR.

In addition, we have a full GDPR Data Protection Policy which provides more detailed information relating to our obligations and controls to manage data in line with current legislation.

RESPONSIBILITIES

It is the direct responsibility of Kenny Lang to ensure the implementation of this policy on a day-to-day basis; however, all employees have a responsibility to accept their personal involvement in applying it. They must be familiar with the policy and ensure that it is followed both by themselves and by employees for whom they have a responsibility.

Disciplinary action may be taken against any employee who acts in breach of this policy. Disciplinary action may include summary dismissal in the case of a serious breach of this policy or repeated breaches. In other cases, it may include a verbal or written warning. Such action will be taken in accordance with the Company's disciplinary procedure.
Breaches of this policy may also result in the employee responsible being held personally liable for compensation if legal action is taken in relation to data protection.

THE PRINCIPLES OF DATA PROTECTION

We adhere to the principles relating to Processing of Personal Data set out in the GDPR, which require Personal Data to be:

1. Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
2. Collected only for specified, explicit and legitimate purposes (Purpose Limitation).
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation).
4. Accurate and, where necessary, kept up to date (Accuracy).
5. Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation).
6. Processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
7. Not transferred to another country without appropriate safeguards being in place (Transfer Limitation).
8. Made available to Data Subjects, with Data Subjects allowed to exercise certain rights in relation to their Personal Data (Data Subjects' Rights and Requests).

We are responsible for, and can demonstrate on request, compliance with the data protection principles listed above.

AAA tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for other reasons. Where the organisation relies on its legitimate interests as the basis for processing data, it will carry out an impact assessment to ensure that those interests are not overridden by the rights and freedoms of individuals.
Where AAA processes special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this will be done in accordance with the organisation's absence policy or the requirements of Disclosure and Barring Service checks.

AAA is committed to updating HR-related Personal Data promptly whenever an individual advises that their information has changed or is inaccurate.

Personal data gathered during employment, worker, contractor, volunteer or apprenticeship relationships will be held in the individual's personnel/contractor file (in hard copy, electronic format, or both) and on HR systems. The periods for which the organisation holds HR-related personal data are contained in its privacy notice below.

AAA keeps a record of its processing activities in respect of HR-related Personal Data in accordance with the requirements of the General Data Protection Regulation (GDPR).

CONSENT

A Data Subject Consents to Processing of their Personal Data if they indicate agreement to the Processing clearly, either by a statement or by positive action. Consent requires affirmative action, so silence, pre-ticked boxes or inactivity are insufficient. Data Subjects can easily withdraw Consent to Processing at any time, and withdrawal must be promptly honoured. Consent may need to be refreshed if we intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first Consented. We keep records of all Consents so that we can demonstrate compliance with Consent requirements if required to do so.

PRIVACY NOTICE

AAA collects and processes personal data relating to its employees to manage the employment relationship, and from its clients and customers to manage its services. The organisation is committed to transparency about how it collects and uses that data and to meeting its data protection obligations. The organisation's privacy notice is set out below.

WHAT INFORMATION DOES THE ORGANISATION COLLECT?
FROM EMPLOYEES

AAA collects and processes a range of information about its employees. This includes:

§ name, address and contact details, including email address and telephone number, date of birth and gender;
§ terms and conditions of employment;
§ details of qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation;
§ information about remuneration, including entitlement to any benefits such as pensions;
§ details of bank account and national insurance number;
§ information about marital status, next of kin, dependants and emergency contacts;
§ information about nationality and eligibility to work in the UK;
§ information about criminal record;
§ details of schedules (days of work and working hours) and attendance at work;
§ details of periods of leave taken, including holiday, sickness absence and authorised leave, and the reasons for the leave;
§ details of any disciplinary or grievance procedures, including any warnings issued and related correspondence;
§ assessments of performance, including appraisals, performance reviews and ratings, training records, performance improvement plans and related correspondence;
§ information about medical or health conditions, including whether or not a person has a disability for which the organisation needs to make reasonable adjustments;
§ details of any trade union membership; and
§ any equal opportunities monitoring information.

AAA collects this information in a variety of ways, such as from application forms and CVs; passports or other identity documents (e.g. driving licence); forms completed at the start of or during employment (such as bank details forms or training agreements); correspondence; or through interviews, meetings or other assessments.
In some cases, the organisation collects personal data from third parties, such as references supplied by former employers and information from employment background check providers or DBS checks, where appropriate and permitted by law.

Data may be stored in a range of different places, including in personnel files, in the organisation's HR management systems and in other IT systems (including the organisation's email system).

FROM CLIENTS/CUSTOMERS

§ name, address and phone number.

WHY DOES THE ORGANISATION PROCESS PERSONAL DATA?

AAA needs to process data to enter into an employment contract with employees and to meet its obligations under an employment contract. For example, it needs to process data to provide an employment contract, to pay in accordance with an employment contract and to administer any benefit, pension or insurance entitlements. It also processes personal data to provide a legitimate service to its clients and customers.

In some cases, AAA needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check all employees' entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled. If regulatory requirements dictate, it will be necessary to carry out criminal records checks to ensure that individuals are permitted to undertake their role.

In other cases, AAA has a legitimate interest in processing personal data before, during and after the end of the employment relationship.
Processing employee data allows us to:

§ operate recruitment and promotion processes;
§ maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
§ operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
§ operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
§ operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
§ obtain medical and/or occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meets its obligations under health and safety law, and ensures that employees are receiving the pay or other benefits to which they are entitled;
§ operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that AAA complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
§ ensure effective general HR and business administration;
§ provide references on request for current or former employees;
§ respond to and defend against legal claims; and
§ maintain and promote equality in the workplace.

Where AAA relies on legitimate interests as a reason for processing your data, it has considered, via completion of an impact assessment, whether or not those interests are overridden by the rights and freedoms of employees or workers, and has concluded that they are not.
Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes).

Where the organisation processes other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that the organisation uses for these purposes is anonymised or is collected with the express consent of employees, which can be withdrawn at any time. Employees are entirely free to decide whether or not to provide such data, and there are no consequences of failing to do so.

WHO HAS ACCESS TO DATA?

Information will be shared internally, including with members of the HR/recruitment team and payroll, managers in the business area in which you work, and staff if access to the data is necessary for the performance of their roles.

AAA shares employee personal data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and, if appropriate, obtain necessary criminal records checks from the Disclosure and Barring Service.

AAA will only use customer or client data in order to perform the agreed services, and will only share that data with the individual performing the service and only for the purpose of completing the service.

AAA also shares personal data with third parties that process data on its behalf, in connection with payroll where an external payroll provider is engaged, the provision of benefits, the provision of occupational health, and the provision of HR/legal advisory services. All our providers abide by the same stringent policies as AAA and abide by all principles of the DPA 2018.
Licensing council officers may at times request or require employees' personal information as part of the company's operator licence conditions.

HOW DOES THE ORGANISATION PROTECT DATA?

Following UKAS ISO 27001 guidelines, AAA takes the security of data seriously and has internal policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Personal data collected, recorded or used in any way, whether held on paper, computer or other media, will have appropriate safeguards applied to it, ensuring that we comply with the GDPR and the Computer Misuse Act 1990:

§ All computers are password protected; passwords are changed on a regular basis to ensure that the data is secure.
§ E-MAILS: Our emails are secured and content is only accessible via a permission-based password system.
§ STORAGE: Hard copy records are stored in a secure location when not being used, e.g. lockable filing cabinets, cupboards and rooms (locked and alarmed outside of normal working hours), and only authorised personnel have access. There is 24-hour CCTV outside the office. Electronic information is stored on a local server in the office, connected to a UK-based host cloud, and has appropriate security controls.
§ DESTRUCTION OF RECORDS: We carry out the irreversible destruction of records once the relevant internal/client-specified timescales have passed. At this point the records are securely shredded or disposed of by our appointed Confidential Waste Disposal Company [insert name of company if you have it]. The normal destruction methods used are:
- Shredding
- Pulping
- Incineration
- Destruction/wiping of hard drives/USB sticks.
§ RECORDS ACCESS: We ensure data security by ensuring different levels of access. Only necessary/authorised staff will have access to certain client information.
Managers can view service data for the clients/accounts they are managing, ensuring they can monitor overall service delivery, and our Managing Director will have full access to all data. Data is password protected, passwords are changed monthly, and only authorised personnel will have the relevant passwords for the appropriate access levels, ensuring that data cannot be modified without authorisation from the client or an appointed person. This controls and restricts unauthorised access to data by use of security mechanisms that restrict access to authorised persons only.
§ CUSTOMER/CLIENT DATA VIA APP: Data from app users is entered by the customer, and permission is granted via a request for the customer to accept the terms and conditions. Any data stored on our dispatch system is stored in line with all other data. The customer may remove their details at any time.

Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, in performance of a contractual agreement, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

FOR HOW LONG DOES THE ORGANISATION KEEP DATA?

AAA will hold personal data for as long as is necessary for the purposes for which the data is Processed. The period for which an employee's data is held after the end of employment is 3 years. Currently data is stored for one year.

INDIVIDUAL RIGHTS

As a data subject, individuals have a number of rights in relation to their personal data. They are able to:

§ access and obtain a copy of your data on request (see Subject Access Requests);
§ require the organisation to change incorrect or incomplete data;
§ require the organisation to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
§ object to the processing of your data where the organisation is relying on its legitimate interests as the legal ground for processing; and
§ ask the organisation to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the organisation's legitimate grounds for processing data.

To exercise any of the above rights, a data subject must make a request in writing by contacting Kenny Lang, DPO.

AAA will ordinarily respond to a subject access request within a period of one month from the date it is received. In some cases, such as where the organisation processes large amounts of the individual's data, it may respond within three months of the date the request is received. AAA will write to the individual within one month of receiving the original request to inform the individual if this is the case.

If a data subject believes that the organisation has not complied with their data protection rights, they are able to lodge a complaint with the Information Commissioner's Office.

SUBJECT ACCESS REQUESTS

Individuals have the right to access their personal information by submitting a 'subject access request' (SAR). Archiving software is used to ensure users cannot amend or delete data, preventing data from being deleted or hidden in the event of a SAR. Data is purged in relation to the data subject, and all data is only used for the appropriate timescale based on contract duration. Should consent be withdrawn at any point, all personal data will be removed and destroyed. Internal/client audits ensure data has been appropriately removed at contract conclusion.
If an individual makes a subject access request, AAA will inform the individual:

§ whether or not their data is processed and, if so, why, the categories of personal data concerned and the source of the data if it is not collected directly from the individual;
§ to whom their data is or may be disclosed, including to recipients located outside the European Economic Area (EEA), and the safeguards that apply to any such transfers;
§ for how long their personal data is stored (or how that period is determined);
§ their rights to rectification or erasure of data, or to restrict or object to processing;
§ their right to complain to the Information Commissioner if the individual thinks the organisation has failed to comply with their data protection rights; and
§ whether or not the organisation carries out automated decision-making and the logic involved in any such decision-making.

The organisation will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless the individual agrees otherwise.

DATA SECURITY

The organisation takes the security of personal data seriously and will ensure that it has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed except by employees in the proper performance of their duties.

The organisation will only disclose personal data to third parties where there is a need to do so, e.g. to give information about your earnings to Her Majesty's Revenue & Customs, or to seek advice from our HR or legal advisors.
Where the organisation engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

IMPACT ASSESSMENTS

Some of the processing that AAA carries out may result in risks to privacy, for example CCTV monitoring. Where such processing would result in a high risk to individuals' rights and freedoms, AAA will carry out a data protection impact assessment to determine the necessity and proportionality of the processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

DATA BREACHES

If AAA discovers that there has been a breach of HR-related Personal Data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. AAA will record all data breaches regardless of their severity and/or effect.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will inform affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures taken.

Breaches of processes and procedures are dealt with in accordance with standard Disciplinary Procedures, as defined in and communicated to all employees via our Staff Handbook and Confidentiality Agreement. We escalate any such incidents to Kenny Lang, DPO, who will make immediate contact with the client and the ICO if relevant.

INTERNATIONAL DATA TRANSFERS

The organisation will not transfer Personal Data to countries outside the EEA.

INDIVIDUAL RESPONSIBILITIES

Individuals are responsible for ensuring AAA is able to keep their personal data up to date.
Individuals should let AAA know if any data provided changes, for example if an individual moves house or changes their contact details, bank details or name.

Individuals may have access to the personal data of other individuals and/or our customers and clients in the course of their employment. Where this is the case, the organisation relies on those individuals to meet its data protection obligations. Individuals who have access to personal data must:

§ only access data that they have authority to access, and access it only for authorised purposes;
§ not disclose data to anyone, except to individuals, whether inside or outside the organisation, who have appropriate authorisation;
§ keep data secure, in particular by complying fully with security rules, including but not limited to rules on access to our premises by non-authorised parties, computer access (including password protection), and secure file storage and destruction;
§ not remove personal data, or electronic devices which contain or can be used to access personal data, from the organisation's premises without prior authorisation and without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;
§ not store personal data on local drives or on any personal electronic devices, including mobile telephones, that are used for work purposes; and
§ report data breaches of which they become aware to Kenny Lang immediately.

Failing to observe these requirements or any breach of this Data Protection Policy may amount to a disciplinary offence, which will be dealt with under the organisation's disciplinary procedure. Significant or deliberate breaches of this policy, including but not limited to accessing any data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to summary dismissal without notice or pay in lieu of notice.
CONFIDENTIALITY AGREEMENTS

All AAA personnel, including drivers, have signed, and are bound by, confidentiality agreements confirming that they will preserve the confidentiality of all company and client data. Drivers also have to be registered and licensed, which includes undergoing police checks. Personnel must confirm their understanding of their responsibilities regarding maintaining confidentiality, and abide by company practices including:

§ Staff never leave customer details visible/live.
§ Bookings are managed through the username/password protected online portal. All information is managed and stored securely online to UKAS ISO 27001 standard.
§ We only transfer booking data via our online portal/booking app??[insert details and security details], which is secure and encrypted, to UKAS ISO 27001 and Cyber Essentials standards.

We protect Service Users' data from unauthorised access, use and disclosure, securely managing this information to the industry standards of CyberSmart.

TRAINING

AAA provides training to all individuals about their data protection and data handling responsibilities as part of the mandatory induction process, and will provide any further relevant training as necessary. This covers:

- The Data Protection Act
- GDPR Compliance
- Legal Obligations
- Good Practice
- Record Management
- Personal Data
- Right of Access
- Company Policy

Personnel must attend mandatory updates every 6 months. Managerial staff have dissemination and implementation plans in place to ensure all personnel are familiar with and adhere to all aspects of this policy. This includes key areas such as staff responsibilities, access rights and checks, security measures to be followed for different forms of information, what to do if a breach occurs, security and physical security, data storage and transfer, email security, and retention/disposal of information.
Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them. Training will include ensuring that individuals are aware of their obligations in relation to keeping personal information secure.

IMPLEMENTATION

Kenny Lang will be responsible for ensuring that the Policy is implemented. Kenny Lang will have overall responsibility for:

§ the provision of cascade data protection training for staff within the company;
§ the development of best practice guidelines; and
§ carrying out compliance checks to ensure adherence with the General Data Protection Regulation and the Conduct of Employment Businesses and Employment Agencies Regulations.

REVIEW

This policy will be reviewed regularly and may be altered from time to time in light of legislative changes or other prevailing circumstances.