This policy applies to:

  1. Guardian Edge Ltd.
  2. All regional staff or home workers operating on behalf of Guardian Edge Ltd.

The purpose of this policy is to enable Guardian Edge Ltd. to:

  1. Comply with our legal, regulatory, and corporate governance obligations and good practice
  2. Gather information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
  3. Ensure business policies are adhered to (such as policies covering email and internet use)
  4. Fulfil operational reasons, such as recording transactions, training, and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
  5. Investigate complaints
  6. Check references, ensure safe working practices, monitor, and manage staff access to systems and facilities and staff absences, administration, and assessments
  7. Monitor staff conduct and disciplinary matters
  8. Market our business
  9. Improve services

This policy applies to information relating to identifiable individuals e.g., staff, applicants, former staff, clients, suppliers, and other third-party contacts.

Guardian Edge Ltd. will:

  1. Comply with both the law and good practice
  2. Respect individuals’ rights
  3. Be open and honest with individuals whose data is held
  4. Provide training and support for staff who handle personal data, so that they can act confidently and consistently

Guardian Edge Ltd. recognises that its priority under the GDPR is to avoid causing harm to individuals. In the main this means:

  1. Complying with your rights,
  2. Keeping you informed about the data we hold, why we hold it and what we are doing with it,
  3. Keeping information securely in the right hands, and
  4. Holding good quality information.

Secondly, GDPR aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are considered.

In addition to being open and transparent, Guardian Edge Ltd. will seek to give individuals as much choice as possible and reasonable over what data is held and how it is used.

This includes the right to erasure where data is no longer necessary and the right to rectification where the data is incorrect. Full details are available in the Privacy Notice issued at the point of gathering the data.

Guardian Edge Ltd. has identified the following potential key risks, which this policy is designed to address:

  1. Breach of confidentiality (information being given out inappropriately).
  2. Insufficient clarity about the range of uses to which data will be put — leading to Data Subjects being insufficiently informed
  3. Failure to offer choice about data use when appropriate
  4. Breach of security by allowing unauthorised access.
  5. Failure to establish efficient systems for managing changes, leading to personal data not being up to date.
  6. Harm to individuals if personal data is not up to date
  7. Insufficient clarity about the way personal data is being used e.g., given out to the public.
  8. Failure to offer choices about the use of contact details for staff, client’s workers, or employees.

To address these concerns, this policy is accompanied by an Information Security policy, and we will issue Privacy Notices to explain what data we have, why we have it and what we will do with it. The Privacy Notice will also explain the data subjects’ rights.

We will offer training to staff where this is necessary and appropriate in the circumstances to ensure compliance with GDPR. Such training will vary according to the role, responsibilities, and seniority of those being trained.

Guardian Edge Ltd aims to keep data only for as long as necessary, which will vary according to the circumstances.

Guardian Edge Ltd has no intention to transfer data internationally.

The person responsible for Data Protection is currently the Company Director, with the following responsibilities:

  1. Briefing the board on Data Protection responsibilities
  2. Reviewing Data Protection and related policies
  3. Advising other staff on Data Protection issues
  4. Ensuring that Data Protection induction and training take place
  5. Notification
  6. Handling subject access requests
  7. Approving unusual or controversial disclosures of personal data
  8. Approving contracts with Data Processors
  9. Ensuring Data is stored securely
  10. Maintaining a Data Audit and keeping this up to date

Reporting breaches to the Information Commissioner’s Office and the relevant Data Subject(s)

Significant breaches of this policy, which may amount to gross misconduct, will be handled under Guardian Edge Ltd.’s disciplinary procedures.

Subject Access Request

Any subject access requests will be handled by the Company Director.

Subject access requests must be in writing. All staff are required to pass on anything which might be a subject access request to the Company Director without delay.

The applicant will be given their data within 1 month unless there are complexities in the case which justify extending this to 2 months. You will be notified of any extensions to the deadline for response and the reasons as soon as possible.

Guardian Edge Ltd has the right to refuse a subject access request where data is requested at unreasonable intervals, or where the request is manifestly unfounded or excessive. You will be notified of the reasons as soon as possible.

Where the individual making the subject access request is not personally known to the Company Director, their identity will be verified before handing over any information.

The required information will be provided in a permanent and portable form unless the applicant makes a specific request to be given supervised access in person.

You have the right to request that the information we hold be rectified if it is inaccurate or incomplete. You should contact the Company Director and provide the details of any inaccurate or incomplete data. We will then ensure that this is amended within one month. We may, in complex cases, extend this period to two months.

You have the right to erasure in the form of deletion or removal of personal data where there is no compelling reason for its continued processing. We have the right to refuse to erase data where this is necessary for the right of freedom of expression and information, to comply with a legal obligation, for the performance of a public interest task, exercise of official authority, for public health purposes in the public interest, for archiving purposes in the public interest, scientific research, historical research, statistical purposes or the exercise or defence of legal claims. You will be advised of the grounds for our refusal should any such request be refused.