PNC’s Data protection policy
A Partner will be designated to act as PNC’s data protection compliance officer.
Anyone who obtains personal information (“data”) about other individuals is a ‘data controller’ and is thus regulated by the Data Protection Act 1998. The Act controls what can lawfully be done with information and gives individuals certain rights to control how information about them is obtained, used, stored and distributed. These rights include the right to find out what information a data controller has about them, and ask for copies of data.
We are necessarily a data controller in relation to all the information that we obtain about clients and their employees as part of the process of providing clients with services. It is a requirement under the Act that we seek clients’ consent to our processing data about them and/or their employees.
Without this consent it is not necessarily lawful for us to process data in order to keep the records about clients and their employees necessary for us to meet the needs of running our business.
The principles for processing of personal data are that data must be:
- Fairly and lawfully processed.
- Processed for limited purposes.
- Adequate, relevant and not excessive.
- Not kept longer than necessary.
- Processed in accordance with the data subject’s rights.
- Not transferred to countries without adequate protection.
We are committed to following these principles and that is why consent has to be obtained so that all our data processing is lawful.
Data will be retained as necessary during the course of engagement with a client, and certain records will be retained for up to six years in case legal proceedings arise during that period. Otherwise, irrelevant data or data that is no longer required will be destroyed or deleted promptly.
Data will only be retained for a period of longer than six years if it is material to legal proceedings or should otherwise be retained in our interests after that period.
Data will be kept in a secure system whether manual or computerised to the best of our ability at all times.
The Act prohibits the transfer of data outside the European Economic Area to countries that do not have similar protection of data except in some circumstances or with the subject’s consent.
Our Policy On Access To Data.
A request for access to any personal data should be made in writing using our Data Access Request form, available by request to the data protection compliance officer.
A fee of £10.00 or such higher amount as permitted by law from time to time must be paid before access can be granted. The completed form must be returned to the data protection compliance officer with the fee if applicable.
On receipt of a request, it is our policy to provide copies of all data that we are obliged to disclose within 40 days of the request being received by the data protection compliance officer.
We consider that, if a period of less than one year has elapsed since any previous request for access to data was complied with, it is not reasonable to expect us to be obliged to comply with a further request before a year has elapsed unless there are exceptional circumstances.
It is our policy to ensure that all data is as accurate as possible and all necessary steps to ensure that this is the case and to rectify any inaccuracies will be taken.
With regard to the PNC Recruitment Service, where we have requested a reference in confidence from a referee, and that reference has been given on terms that it is confidential and that the person giving it wishes that it should not be disclosed to an individual, it is our policy that it would normally be unreasonable to disclose such a reference unless the consent of the person who gave the reference is obtained. This applies to any other information or opinion received in confidence from a third party.
PNC is registered with the Information Commissioner’s Office.
Privacy & Confidentiality
Our general policy is that we will not divulge any personal sensitive information to a third party without the person’s consent.
However, we are also bound by a legal duty of care, and in certain circumstances also a safeguarding obligation to disclose information to the police or a regulatory agency in the following situations:
- A person is at risk of causing harm to themselves or others
- Failure to share information with a third party puts them at risk of financial damage or legal action
- A criminal act has been or is about to be committed
- A criminal investigation is being undertaken and information is required by an enforcement agency
- Information or data is required to be disclosed by a court order
- A young person or vulnerable adult is suffering abuse or is at risk of abuse