Privacy Policy

The Data Protection Principles

The DPA sets out 8 Principles of data protection. This Company fully endorses the 8 Principles and considers the lawful and correct treatment of personal information as important to the success of the business. We aim to ensure adherence to the DPA and the 8 Principles by the adoption of strict processes and controls which will be in place throughout the business.

The 8 Principles require that personal information shall:

• be processed fairly and lawfully;
• be obtained for one or more specified and lawful purposes and shall not be processed in any manner incompatible with that purpose or those purposes;
• be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
• be accurate and, where necessary, kept up to date;
• not be kept for longer than is necessary for the specified purpose(s);
• be processed in accordance with the rights of data subjects under the Act;
• be subject to appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data or the accidental loss, damage or destruction of, or damage to, personal data; and
• not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures that an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Scope

This policy applies to all personal information of individuals obtained, held, stored, processed, used or shared by the Company. All employees will be required to comply with the 8 Principles and the DPA including any applicable procedures or processes adopted by the Company in relation to personal data

Disclosure

Gr33n Group may share data with other agencies such as the Landmark Database and other approved participants within the Green Deal.

The customer will be made aware when personal details are collected that they may possibly be shared this is known as informed consent. Details of to whom and how their information will be shared with will be made clear within relevant documentation.

Gr33n Group regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.

Sub-contactors, agents and vendors

Subcontractors agents and vendors may from time to time have to have access to personal information regarding Gr33n Group customers.

Non-disclosure agreements will be issued to and signed by these parties before they subcontract for Gr33n Group.

Sub-contractors agents and venders will be restricted from areas within the Gr33n Group offices where personal details are processed.

Data Storage and Access

Information and records relating to Green Deal Customers will be stored securely and will only be accessible to authorised staff using passwords and encryption.

Passwords will be changed regularly.

Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately.

Members of staff will have access to personal data only where it is required as part of their functional remit.

Gr33n Group will detect and investigate any breaches of security if they occur by producing audit trails that log access to personal data that can be attributed to a particular person.

A backup filing system will be utilised to protect personal data being lost through flood, fire or other catastrophe.

It is Gr33n GroupLtd responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party.

In addition, Gr33n Group will ensure that:

• Staff processing personal information understands that they are contractually responsible for following good data protection practice
• Staff are made aware that the Data Coordinator and Directors have the right to and will monitor emails and other data and processes conducted by staff
• Everyone processing personal information is appropriately supervised
• Anybody wanting to make enquiries about handling personal information knows what to do
• It deals promptly and courteously with any enquiries about handling personal information
• It describes clearly how it handles personal information
• It will regularly review and audit the ways it hold, manage and use personal information
• It regularly assesses and evaluates its methods and performance in relation to handling personal information
• All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them. This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998

Roles and Responsibilities

Managing Director

The Managing Director shall have overall responsibility for data protection compliance across the business. Responsibilities include

• ensuring suitable resources and direction are given to data protection issues;
• monitor, via reporting from managers and the Data Protection Coordinator, the effectiveness of data protection systems within the business
• Working with the Data Protection Coordinator to ensure that Gr33n Group continues to be compliant with any Audit requirements as a Green Deal Provider

Managers

Managers shall have responsibility for ensuring that this policy and data protection procedures are adopted and communicated within their business area/department. Responsibilities include

• development of data protection procedures relevant to their business area/department;
• regular monitoring of data protection compliance; and
• ensuring effective communication to employees and training of employees in data protection guidelines and procedures of the business
• continued involvement within employee training program

Employees

All employees must

• familiarise themselves with the data protection policies and procedures affecting their business area/department;
• undergo training conducted by the data protection coordinator and be deemed to reach an adequate standard before being authorised to work unsupervised on the Landmark or other data base systems
• fully support the business and their managers in the implementation of data protection policies and procedures of the business; and
• report any data protection incidents to their line manager/supervisor.

Data Protection Coordinator

This is the person nominated by Gr33n Group from time to time and is currently Mark Baldwin who is deemed competent in the area of data protection. The Data Protection Coordinator shall be responsible for;

• communicating any changes in data protection legislation and requirements which the business must fulfill;
• provide advice and support to managers and the business on data protection requirements;
• maintain a log of all data protection incidents and reporting of such incidents to the Information Commissioner, the relevant individual and the Managing Director.
• orgainsing induction training to all new employees.
• monitoring, recording and reviewing regularly the training for all employees in line with the provisions of any relevant Green Deal code of practice, Data Protection Law or DECC guidance

Review

This policy and any underlining processes and procedures will be reviewed on a regular basis to ensure best practice and to take account of any changes in legislation. At a minimum, this review will be conducted on an annual basis.