Be Fibre takes its responsibilities with regard to the management of the requirements of the General Data Protection Regulation (GDPR) very seriously. This policy sets out how Be Fibre manages those responsibilities.
Be Fibre obtains, uses, stores and otherwise processes personal data relating to potential staff, current staff, former staff and former workers, contractors, website users and contacts, collectively referred to in this policy as data subjects. When processing personal data, Be Fibre is obliged to fulfil individuals’ reasonable expectations of privacy by complying with GDPR and other relevant data protection legislation (data protection law).
This policy therefore seeks to ensure that we:
This policy applies to all personal data we process regardless of the location where that personal data is stored (e.g. on an employee’s own device) and regardless of the data subject. All staff and others processing personal data on Be Fibre’s behalf must read it. A failure to comply with this policy may result in disciplinary action. All Managers are responsible for ensuring that all Be Fibre’s staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance.
Be Fibre’s Data Protection Officer (DPO) is Louise Elliott.
When you process personal data, you should be guided by the following principles, which are set out in the GDPR. Be Fibre is responsible for, and must be able to demonstrate compliance with, the data protection principles listed below:
Those principles require personal data to be:
Data subjects have rights in relation to the way we handle their personal data. These include the following rights:
Requests (including for data subject access – see below) must be complied with, usually within one month of receipt. You must immediately forward any Data Subject Access Request you receive to the Information Compliance Team. A charge can be made for dealing with requests relating to these rights only if the request is excessive or burdensome.
Where external companies are used to process personal data on behalf of Be Fibre, responsibility for the security and appropriate use of that data remains with Be Fibre.
Where a third-party data processor is used:
Be Fibre is responsible for the use made of personal data by anyone working on its behalf. Managers who employ contractors, short term or voluntary staff must ensure that they are appropriately vetted for the data they will be processing. In addition managers should ensure that:
Data subjects have the right to receive a copy of their personal data which is held by Be Fibre. In addition, an individual is entitled to receive further information about Be Fibre’s processing of their personal data as follows:
You should not allow third parties to persuade you into disclosing personal data without proper authorisation. The entitlement is not to documents per se (which may however be accessible by means of the Freedom of Information Act, subject to any exemptions and the public interest), but to such personal data as is contained in the document. The right relates to personal data held electronically and to limited manual records.
You should not alter, conceal, block or destroy personal data once a request for access has been made.
The GDPR requires that we report to the Information Commissioner’s Office (ICO) any personal data breach where there is a risk to the rights and freedoms of the data subject. Where the personal data breach results in a high risk to the data subject, he/she also has to be notified unless subsequent steps have been taken to ensure that the risk is unlikely to materialise, security measures were applied to render the personal data unintelligible (e.g. encryption) or it would amount to disproportionate effort to inform the data subject directly. In the latter circumstances, a public communication must be made or an equally effective alternative measure must be adopted to inform data subjects, so that they themselves can take any remedial action. We have put in place procedures to deal with any suspected personal data breach and will notify data subjects or the ICO where we are legally required to do so. If you know or suspect that a personal data breach has occurred, you should immediately contact Be Fibre and follow the instructions in the personal data breach procedure. You must retain all evidence relating to personal data breaches, in particular to enable Be Fibre to maintain a record of such breaches, as required by the GDPR.
The GDPR requires us to keep full and accurate records of all our data processing activities. You must keep and maintain accurate corporate records reflecting our processing, including records of data subjects’ Consents and procedures for obtaining Consents, where Consent is the legal basis of processing.
These records should include, at a minimum, the name and contact details of Be Fibre as Data Controller and the DPO, clear descriptions of the personal data types, data subject types, processing activities, processing purposes, third-party recipients of the personal data, personal data storage locations, personal data transfers, the personal data’s retention period and a description of the security measures in place.
Records of personal data breaches must also be kept, setting out:
We are required to ensure that all Be Fibre staff undergo adequate training to enable them to comply with data protection law. We must also regularly test our systems and processes to assess compliance.
We are required to implement privacy-by-design measures when processing personal data, by implementing appropriate technical and organisational measures (like pseudonymisation) in an effective manner, to ensure compliance with data-protection principles. Be Fibre must ensure therefore that by default only personal data which is necessary for each specific purpose is processed. The obligation applies to the volume of personal data collected, the extent of the processing, the period of storage and the accessibility of the personal data. In particular, by default, personal data should not be available to an indefinite number of persons. You should ensure that you adhere to those measures. As well as complying with Organisation-wide practices designed to fulfil reasonable expectations of privacy, you should also ensure that your own data-handling practices default to privacy to minimise unwarranted intrusions in privacy e.g. by disseminating personal data to those who need to receive it to discharge their duties. Be Fibre must also conduct DPIAs in respect of high-risk processing before that processing is undertaken.
You should conduct a DPIA (and discuss your findings with the DPO) in the following circumstances:
A DPIA must include:
A data subject’s prior Consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing customers (known as “soft opt in”) allows organisations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar services (e.g. a post-graduate course or a professional qualification), and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message. The right to object to direct marketing must be explicitly offered to the data subject in an intelligible manner so that it is clearly distinguishable from other information.
A data subject’s objection to direct marketing must be promptly honoured. If a data subject opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
In the absence of Consent, a legal obligation or other legal basis of processing, personal data should not generally be disclosed to third parties unrelated to Be Fibre.
Be Fibre must implement appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles. Be Fibre is responsible for, and must be able to demonstrate compliance with, the data protection principles.
We must therefore apply adequate resources and controls to ensure and to document GDPR compliance including:
As the Data Controller, Be Fibre is responsible for establishing policies and procedures in order to comply with data protection law.
The DPO is responsible for:
The policy will be communicated at regular intervals, using a range of appropriate media, and providing opportunities for questions and concerns to be fully addressed. The policy will also be communicated to other stakeholders, including customers, suppliers, and joint venture partners, as the opportunity or need arises.
Chief Executive Officer