Alpine’s data protection policy sets out our commitment to protecting personal data and how we implement that commitment with regard to the collection and use of personal data.
Alpine: means the organisation Alpine Resourcing Limited which this policy refers to
DPA 1998: means the Data Protection Act of 1998
GDPR 2018: means the General Data Protection Regulation 2018
Personal data: means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Sensitive data: means any information that is of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation
Data protection officer: means the Data Protection Officer that Alpine has appointed
Achieve IT: means Alpine’s IT support supplier
Microdec: means Alpine’s recruitment management software provider
Profile: means the name of the recruitment management software provided by Microdec to Alpine
We are committed to:
- ensuring that we comply with the data protection principles
- meeting our legal obligations as laid down by the Data Protection Act 1998 and the General Data Protection Regulation 2018
- ensuring that data is collected and used fairly, lawfully and in a transparent manner
- processing personal data only in order to meet our operational needs or fulfil legal requirements; no data is passed on for commercial gain
- taking steps to ensure that personal data is up to date and accurate
- establishing appropriate retention periods for personal data
- ensuring that data subjects' rights can be appropriately exercised
- providing adequate security measures to protect personal data
- ensuring that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues
- ensuring that all staff are made aware of good practice in data protection
- providing adequate training for all staff responsible for personal data
- ensuring that everyone handling personal data knows where to find further guidance
- ensuring that queries about data protection, internal and external to Alpine, are dealt with effectively and promptly
- regularly reviewing data protection procedures and guidelines within Alpine.
Data protection principles:
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
- Personal data shall be accurate and, where necessary, kept up to date
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
- Personal data shall be processed in accordance with the rights of data subjects under the DPA 1998 and GDPR 2018
- Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
We will communicate to our candidates – both those seeking employment and those placed by us – that we will follow these data storage limitation rules from the 25th May 2018 onwards:
- If we have processed an assignment, or payment(s) for the worker, we will retain their personal data for a period of seven years, at the end of which period it will be deleted from our systems, unless we are required to retain their data and it cannot be deleted.
- We will retain candidates’ data for five years from the last contact. At the end of the five years, all data will be deleted from our records.
- All candidate contracts will be stored for a maximum of seven years, unless we are required to retain their data and it cannot be deleted.
Where Data is Stored
Alpine stores and processes data across different platforms:
Email: Microsoft Office 365
All data: Profile
Files and Documents: Dropbox
Accounts: Sage Accounting
Signed Contracts: DocuSign
The basis on which Alpine processes data depends on the business ‘activity’. For each activity, Alpine has assessed and agreed on the following legal basis:
Recruitment and consultancy process: legitimate interest
Payment and accounts: legal obligation
HR/employee files: legal obligation
Subject Access Rights
For an individual to gain access to the data that Alpine holds on them, the individual must complete the Alpine Subject Access Request Form which can be obtained by calling, emailing or writing to us. Alpine will respond positively to subject access requests, replying as quickly as possible, and in any event within the 30-day time limit.
Right to be informed: Alpine will notify the individual when their data is to be stored on their CRM system (Profile); or their CV is sent to a Client.
Right of access: Individuals can request their data after completing the Alpine Subject Access Request Form.
Right to correct data: Individuals can request changes after completing the Alpine Subject Access Request Form.
Right to erasure: Individuals can request that their data is removed or deleted by completing the Alpine Subject Access Request Form.
Right to data portability: Individuals can request their data be sent to them in either CSV file format or zip file (attachments) after completing the Alpine Subject Access Request Form.
Individuals’ data will be searched for and located by the following means:
Profile: search function within the platform
Shared drives: searched by Achieve IT
Email and O365 suites: searched by Achieve IT
Contracts: searched by DocuSign account administrator
All requests made will be recorded on a restricted list indefinitely. This will be restricted to Alpine’s CEO, DPO and Achieve IT.
Fair Obtaining and Processing
Alpine will ensure that as far as practicable, all individuals whose details are processed by Alpine are aware of the way in which that information will be obtained, held, used and disclosed. Whenever possible, individuals will be informed of the potential recipients of the information. Processing of personal information by Alpine will be fair and lawful and, in addition, it is Alpine’s Policy that individuals will not be misled regarding the purposes to which Alpine will process the information.
Alpine will not use or process personal information in any way that contravenes its notified purposes, or in any way that would constitute a breach of the DPA or GDPR. When appropriate, Alpine will notify the Information Commissioner of any amendments to Alpine’s existing notified purposes or of new purposes to be added to the Notification Register entry.
Information Quality and Integrity
Alpine will endeavour to process personal information that is accurate, current and of good quality. Information that is obtained by Alpine will be adequate and not excessive for the purpose for which it is processed. In addition, information will be kept by Alpine for no longer than is necessary for the purpose or purposes for which it was obtained.
Technical and Organisational Security
Alpine has in place appropriate security measures as required by the DPA and GDPR. Information systems are installed with adequate security controls and company employees who use these systems will be properly authorised to use them for company business.
Alpine has tightened physical access to data by restricting it to employees who need to access specific data in order to carry out their jobs. Alpine takes steps to prevent accidental loss or theft of personal data by using server backup processes and increased security at our offices.
Alpine relies on computers to store data, so it was necessary to introduce the following electronic safeguards:
- we have up-to-date antivirus software to protect against viruses damaging our data and computers
- we protect our computer network from hackers with a firewall
- we have introduced housekeeping measures through regular backups and by disabling people’s accounts as they leave the business
- we have introduced a clear strategy for managing all our computer security tools
Additional compliance obligations
Although not legally required to do so, Alpine has appointed a Data Protection Officer: David Jones with FusionComply as the Independent Data Protection Officer.
Sensitive data will not be handled by Alpine for the normal provision of its service. Alpine must be informed if sensitive Personal Data is required to be processed.
Alpine Resourcing, 20 Little Britain, London EC1A 7DH
0203 478 1340