APCOA DATA PROTECTION POLICY

Introduction

APCOA Parking (UK) Limited is the main operating company of the APCOA Parking group of companies in the UK. In addition to APCOA Parking (UK) Limited, these companies are APCOA Parking Holdings (UK) Limited, APCOA Parking Services (UK) Limited, APCOA Facilities Management (UK) Limited, APCOA Facilities Management (Harrow) Limited and Park & Control UK Limited. This policy applies to each of these companies. Therefore 'APCOA' and 'we' are used throughout to refer to all those companies and to each company individually when relevant.

In this policy we will use some terms that have been given specific meanings by the General Data Protection Regulation (GDPR), which applies in the United Kingdom as the UK GDPR alongside the Data Protection Act 2018. In this Policy we will refer to these collectively as the 'Data Protection Legislation'. A list of the terms that have specific meanings under the Data Protection Legislation, together with those meanings, is given later in this Policy, and you should refer to it as you read through this Data Protection Policy.


The Data Protection Legislation (see the definition later in this policy) applies to everyone established in the UK who processes the Personal Data of living, identifiable individuals (Data Subjects). It applies whether they do so on their own behalf (Data Controllers) or on behalf of someone else (Data Processors).

For the purposes of the Data Protection Legislation, the location of a Data Controller or Data Processor is the place where it makes the key decisions about the data processing it undertakes. In APCOA's case, this is APCOA's offices in Uxbridge.

In order to operate its business, APCOA needs to collect and use certain types of information about staff, clients, customers, and other individuals with whom it comes into contact or with whom it interacts. In addition, it may be required by law to collect and use certain types of information to comply with statutory obligations of Central and Local Government Authorities, government agencies and other bodies.


This personal information must be dealt with properly no matter how it is collected, recorded, and used - whether on paper, in a computer, on a handheld device or recorded in some other manner. There are safeguards to ensure this within the Data Protection Legislation.

The correct and lawful treatment of personal information is very important to the success of our operations, and to maintaining confidence between APCOA and those with whom we deal. We must therefore make sure that APCOA treats personal information lawfully and correctly.

Most businesses hold personal information on their customers, employees, and business partners. The extensive use of the Internet and electronic communication in everyday business and personal life, as well as the computerisation of business data, have increased the importance of privacy. Breaches of data security and technological advances in the collection, use and storage of personal information have prompted legislation at both a national and a European level.


These include:

  • Human Rights Act 1998
  • Freedom of Information Act 2000
  • Privacy and Electronic Communications Regulations 2003
  • Regulation of Investigatory Powers Act 2000
  • Telecommunications (Lawful Business Practice) Interception of Communications Regulations 2000
  • Computer Misuse Act 1990
  • General Data Protection Regulation (GDPR) of the European Union (retained in UK law as the UK GDPR and supplemented by the Data Protection Act 2018)
  • Data Protection Act 2018


The express purpose of the General Data Protection Regulation 2016 is to protect the "rights and freedoms" of living individuals. It aims to ensure that personal information about someone (the Data Subject) is not processed without the Data Subject knowing it is being processed, and that any processing that is done to that Personal Data is carried out in an open and transparent way.

APCOA Senior Management are strongly committed to the rights of individuals whose data is collected and processed by APCOA and so will make sure that APCOA complies with the Data Protection Legislation.

To achieve this, APCOA Senior Management have implemented a Data Protection System (DPS) which will be kept up-to-date and will be continuously improved to take account of developments in legislation, guidance and good practice over time.

APCOA's DPS applies to the whole organisation where it interacts with individuals and collects and uses their personal information. This will affect all colleagues as well as members of the public using car parks managed or owned by APCOA as well as those whose information is recorded as part of our provision of services to local authorities.


The DPS is designed to outline how APCOA meets its requirements under the Data Protection Legislation for the management of personal information and how that management will be continuously maintained and improved. The DPS will help ensure that APCOA’s objectives are met in a way that is fully compliant with APCOA’s obligations under the Data Protection Legislations. It is designed to make sure that adequate and appropriate controls are in place throughout the organisation. The DPS is designed to make sure that APCOA is able to meet all the statutory, regulatory, and contractual obligations that apply to personal information collected by it as part of its business operations. Most importantly the DPS will help APCOA protect the interests of individuals and all other relevant stakeholders while carrying on its business.

Therefore, APCOA will:

  • process personal information only where this is strictly necessary for legitimate organisational purposes;
  • collect only the minimum personal information required for these purposes and not process excessive amounts of personal information;
  • provide clear information to individuals about how their personal information will be used and who will be using the information they provide or that is collected about them;
  • only process relevant and adequate personal information;
  • process personal information fairly and lawfully;
  • keep all personal information secure;
  • maintain an inventory of the categories of personal information that it processes;
  • ensure personal information is kept accurate and up to date;
  • retain personal information only for as long as is necessary for legal or regulatory reasons or as is appropriate for legitimate organisational or operational purposes;
  • respect individuals' rights in relation to their personal information as set out in the Data Protection Legislation;
  • minimise the transfer of personal information outside the United Kingdom or (where necessary) the European Economic Area (EEA) and, where any such transfer is essential, permit it only where that personal information can be adequately protected in ways that are aligned with the Data Protection Legislation;
  • only apply exemptions that are permitted by the Data Protection Legislation;
  • identify internal and external stakeholders and the degree to which these stakeholders are involved in the governance of APCOA's DPS;
  • identify staff with specific responsibility and accountability for the ongoing maintenance and support of the DPS.

Notification to the Information Commissioner's Office (ICO)

The relevant APCOA companies are registered with the Information Commissioner's Office and pay the data protection fee, as required under the Data Protection Legislation.

A record of each notification to the ICO is retained by the Company Secretary at APCOA's offices in Uxbridge.

Accountability

The Data Protection Legislation states that the Data Controller is not only responsible for ensuring compliance but also for demonstrating that each processing operation complies with the requirements set out in it. This applies whether the processing is carried out by the Data Controller itself or by a Data Processor acting on its instructions. As a result, Data Controllers are required to keep records of all processing operations and to implement appropriate security measures. They are also responsible for completing Data Protection Impact Assessments (DPIAs) where required, for consulting the supervisory authority in advance where a DPIA indicates a high residual risk, and for ensuring that a DPO is appointed if required.

Application of this Policy

This policy applies to all colleagues and to any others who process personal information on behalf of APCOA, such as outsourced suppliers. Any breach of the Data Protection Legislation or of the DPS will be dealt with under APCOA's disciplinary policy and may also be a criminal offence, potentially resulting in prosecution of the individual concerned.

All third parties working with or for APCOA, and who have or may have access to personal information, will be expected to comply with this Policy. All third parties who require access to Personal Data will be required to give a contractual undertaking to keep the information confidential before access is permitted. That undertaking will (as far as is possible) ensure that the third party has the same legal obligations as APCOA. Where appropriate it will also include an agreement that APCOA can audit their compliance with the undertaking.

Key Definitions

Personal Data – (also known as personal information) this is any information that relates to an identified or identifiable natural, living person. In other words, a living individual rather than a company or other type of organisation. For these purposes, an identifiable natural person is one who can be identified, directly or indirectly from that information and other information that APCOA can access or obtain from its files or records or elsewhere. This includes by reference to an identifier such as a name, an identification number (such as a Vehicle Registration Mark or matter number), location data, an online identifier or to one or more factors specific to that person such as their physical, physiological, genetic, mental, economic, cultural or social identity.

Special Categories of Personal Data - (also known as 'Sensitive Personal Data') is Personal Data that shows or indicates (or could show or indicate) racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and includes genetic data and biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation. Information about criminal convictions, offences and allegations of crimes is not formally a special category under the Data Protection Legislation but is subject to similar additional safeguards, and is treated as Sensitive Personal Data for the purposes of this Policy.

Data Controller - the person (whether natural or legal), public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

Data Processor - is any natural or legal person that processes personal information on behalf of a Data Controller but who does so only on their express instructions.

Data Subject - any living individual who is the subject of Personal Data held by a Data Controller.

Processing - includes any operation (or set of operations) which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. This means doing something with or to the personal information, such as its collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, reading, use, disclosure by transmission, dissemination or otherwise making it available to others, alignment or combination, restriction, erasure and destruction.

Profiling - any form of automated processing of Personal Data intended to evaluate certain personal aspects relating to a natural person, or to analyse, or predict that person's performance at work, economic situation, location, health, personal preferences, reliability, or behaviour. A Data Subject can object to profiling and has a right to be informed about the existence of profiling, of measures based on profiling and of the envisaged effects of profiling on that individual.

Personal Data Breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed. Where APCOA is the Data Controller, it must report a Personal Data Breach to the supervisory authority (the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; where the breach is likely to result in a high risk to individuals, it must also inform the affected Data Subjects. Where APCOA is a Data Processor, it must notify the relevant Data Controller without undue delay after becoming aware of a breach. The obligation to act on a breach therefore applies to both Data Controllers and Data Processors.

Consent - means any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of their Personal Data.

Child - In the UK, the Data Protection Legislation sets 13 as the age from which a child can give valid consent in their own right to the processing of their Personal Data by online (information society) services. The processing of a child's Personal Data on the basis of consent where the child is under 13 is only lawful if the consent of a holder of parental responsibility has been obtained.

Relevant Filing System - any structured set of Personal Data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

APCOA’s Responsibilities

APCOA is both a Data Controller and a Data Processor in respect of different personal information it processes. For example, for the Personal Data it processes in respect of colleagues, it is the Data Controller but in respect of information it processes on behalf of some of its clients it is a Data Processor.

Senior management and all those in managerial or supervisory roles throughout APCOA are responsible for developing good information handling practices within the organisation and for encouraging and enforcing their use. These responsibilities are set out in individual job descriptions, which will be kept under review and updated from time to time to reflect changes in the Data Protection Legislation.

APCOA has nominated a senior manager to act as its data protection officer (DPO). This is not yet a formal appointment in accordance with the provisions of the Data Protection Legislation, but that decision is reviewed regularly. That person is responsible for day-to-day compliance with this policy. The DPO (who is a member of the Senior Management team) is responsible for ensuring that APCOA complies with the Data Protection Legislation in relation to all aspects of data processing and for APCOA being able to evidence that good practice is in place and taken seriously. The DPO has direct responsibility for policy and procedures, including Subject Access Requests and keeping the DPS up to date. The DPO is also the person to whom all staff should go to seek guidance on compliance with the Data Protection Legislation.

It is important that every colleague understands that compliance with the Data Protection Legislation remains the responsibility of each and every colleague, whether or not their job requires them to deal in any way with the personal information of others for APCOA.

All APCOA colleagues are personally responsible for making sure that their own Personal Data (whether it is information that they have given to APCOA or that they have asked someone else to give to APCOA) is and continues to be kept accurate and up to date.

APCOA's training policy establishes what training is required to be completed for all colleagues, including training that is relevant only to specific roles.

Risk Assessment in relation to the Data Protection Legislation


APCOA must make sure that it is aware of any risks associated with the processing of all types of personal information that it handles. A Risk Assessment procedure has been implemented and is used by APCOA to assess any risk to individuals and their information during the processing of their personal information. Assessments will also be completed by APCOA for any processing that is undertaken on APCOA’s behalf by any Data Processor that it appoints, even if this is a sub-processor for information that APCOA processes rather than controls. APCOA will also, through the application of the Risk Assessment procedure, ensure that any identified risks are managed appropriately to reduce the risk of non-compliance.

Where processing of personal information is likely to result in a high risk to the "rights and freedoms" of living individuals, APCOA must complete a Data Protection Impact Assessment (DPIA). This must be done before the processing starts, so that the personal information is protected from the outset. A single DPIA may cover a set of similar processing operations that present similar risks.

Where, as a result of a DPIA, it is clear that APCOA will process personal information in a manner that may cause damage and/or distress to the Data Subjects, APCOA Senior Management must review the process before APCOA proceeds to process that personal information. If the DPIA shows that the processing would still present a high risk to Data Subjects after the planned mitigations, APCOA must consult the Information Commissioner's Office (the ICO) on the processing concerned before it begins, and Senior Management may also choose to seek the ICO's view in other cases where they consider the risk significant.

In accordance with its responsibilities under the Data Protection Legislation, APCOA will seek to apply controls around the use of and access to its systems that are necessary and appropriate. It will also take other measures that it believes are appropriate and proportionate to safeguard the personal information that it processes.

All data collection methods (electronic or paper-based), including data collection requirements in new information systems, must be approved by APCOA Senior Management and that approval should be recorded.

APCOA Senior Management will ensure that all data collection methods are reviewed at least annually by internal audit or external experts to ensure that collection continues to be adequate, relevant, and not excessive.

Principles of Data Protection

Any processing of Personal Data must be done in accordance with the data protection principles set out in the Data Protection Legislation. APCOA's policies and procedures within the DPS are designed with a view to making sure that it will meet its obligations under the Data Protection Legislation.

Personal Data must be processed lawfully, fairly, and transparently.

The Data Protection Legislation introduces the requirement for transparency. This means that the Data Controller must have in place clear and easily accessible policies relating to the processing of Personal Data and the exercise of individuals' "rights and freedoms".

Information must be communicated to a Data Subject in an intelligible form using clear and plain language.

The Data Protection Legislation requires that some specific information must be provided to a Data Subject. As a minimum this must include:

  • the identity and the contact details of the controller and, if relevant, of the controller's representative;
  • the contact details of the Data Protection Officer, where applicable;
  • the purposes for which their Personal Data will be processed as well as the legal basis for that processing;
  • the period for which their Personal Data will be kept;
  • that they have rights to request access, rectification, erasure or to object to the processing;
  • the types of Personal Data that will be processed;
  • who their personal information will be passed to or the types of people or organisations that may receive their Personal Data, where applicable;
  • if appropriate, that the controller intends to transfer their personal information to a recipient located in a country outside the UK or the EEA, and the level of protection afforded to the data in that country;
  • any further information necessary to ensure that the processing of the personal information can be considered to have been carried out fairly.

Personal Data can only be collected for specified, explicit and legitimate purposes.

Any Personal Data that is obtained for specified purposes must not be used for a purpose that differs from those that have been identified to the Data Subject.

Personal Data must be adequate, relevant, and limited to only what is necessary.

APCOA must ensure that information, which is not strictly necessary for the purpose for which it is obtained, is not collected and must make sure that the personal information that is collected is only processed to meet the purpose that the Data Subject has been told about.

All colleagues must tell their manager if they believe that more Personal Data has been obtained than is necessary, that Personal Data is being held which APCOA does not specifically require, or that Personal Data has not been securely deleted or destroyed in line with the relevant APCOA procedure. It is the responsibility of the manager to whom any such report is made either to ensure that the information is securely deleted and to confirm that this has occurred, or to raise their concerns with APCOA Senior Management, who will maintain a record of that deletion or escalation.

Personal Data must be accurate and kept up to date.

Data that is kept for a long time must be reviewed and updated as necessary. Any data that is found to be inaccurate, or is likely to be inaccurate, must be rectified without delay or, where it cannot be corrected, securely deleted.

APCOA Senior Management is responsible for ensuring that staff are trained in the importance of collecting accurate data and maintaining it.

All colleagues are responsible for ensuring that any data processed by APCOA is accurate and up to date. Any data that is given to APCOA by an individual, such as by filling in a registration form, will be considered to be accurate at the time of receipt.

Colleagues and/or other individuals have a personal responsibility to tell APCOA of any changes in personal information to ensure personal information is kept up to date. It is APCOA's responsibility to ensure that any notification of changes to personal information is recorded and where relevant implemented.


APCOA Senior Management is responsible for instructing the appropriate senior manager to take all necessary actions to ensure personal information is accurate and up to date. This should also take account of the volume of data collected, the speed with which it might change and any other relevant factors. It is the responsibility of the relevant senior manager to ensure that the information is securely updated and to confirm that this has occurred. APCOA Senior Management will maintain a record of that update. This applies to information collected in APCOA's capacity as a Data Controller, as well as to information processed on behalf of its clients where it is acting as a Data Processor.

APCOA Senior Management will periodically review all the Personal Data processed by APCOA. This review will note any data that is no longer required in the context of the purpose disclosed to the Data Subject at the time of its collection. In such cases the appropriate senior manager will be instructed that it is to be appropriately removed and securely disposed of in line with the relevant APCOA procedure. It is the responsibility of the relevant senior manager to ensure that the information is securely removed. The senior manager must confirm that this has occurred and that a record of that deletion is made and retained. This applies not only to information collected in APCOA's capacity as a Data Controller, but also to information processed on behalf of its clients where it is acting as a Data Processor.

If a third-party organisation has provided inaccurate or out-of-date personal information, the relevant APCOA senior manager is responsible (once that fact has been made known to them) for informing the third-party organisation that the personal information is inaccurate and/or out of date and advising that the information should no longer be used.

Personal Data Considerations

Personal Data must only be kept in a form that allows the Data Subject to be identified for no longer than is necessary for processing that Personal Data for the purpose that was communicated to the Data Subject at the time of its collection.

Where Personal Data is retained beyond the processing date, it will be minimised, encrypted, anonymised and/or pseudonymised as appropriate to the type of data and the circumstances of its retention in order to protect the identity of the Data Subject in the event of a data breach.

Personal Data will be retained in line with the retention of records procedure and, once its retention date is passed, it must be securely destroyed in line with the relevant APCOA procedure that is included in the APCOA DPS.


APCOA Senior Management must specifically approve any data retention that exceeds the retention periods defined in the relevant APCOA procedure in the DPS and must ensure that the justification is clearly identified and in line with the requirements of the Data Protection Legislation. This approval must be written.

Personal Data must be processed in a manner that ensures its security.

Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data. APCOA’s controls to ensure it meets this obligation have been selected based on identified risks to Personal Data, and the potential for damage or distress to individuals whose data is being processed. Security controls will be subject to audit and review.

APCOA's compliance with this principle is contained in the relevant APCOA procedure that is included in the DPS and which has been developed taking into account the requirements of the Data Protection Legislation.

Personal Data shall not be transferred to a country or territory outside the United Kingdom or the EEA unless that country or territory ensures an adequate level of protection for the 'rights and freedoms' of Data Subjects in relation to the processing of Personal Data.

The transfer of Personal Data outside the UK or the EEA is prohibited unless one or more of the specified safeguards or exceptions apply. These are outlined in the Appendix to this Policy. It is not APCOA's policy to make such transfers. Where it is processing data on behalf of a Data Controller it will not make such transfers without the express instructions of the relevant Data Controller.


Data Subjects’ rights

Data Subjects have the following rights regarding data processing, and the Personal Data that is recorded about them:

  • To make requests regarding the information held about them and to whom it has been or may be disclosed, including a right to be given a copy of the Personal Data held on them (known as a Data Subject Access Request or DSAR).
  • To prevent processing likely to cause damage or distress.
  • To prevent processing for direct marketing.
  • To be informed about the logic involved in any automated decision-making process that will significantly affect them.
  • Not to have significant decisions that will affect them taken solely by automated process.
  • To seek compensation if they suffer damage as a result of contravention of the Data Protection Legislation.
  • To have inaccurate data rectified, and to have their data restricted or erased (including the right to be forgotten).
  • To request the ICO to assess whether any provision of the Data Protection Legislation has been contravened.
  • The right for Personal Data to be provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.
  • The right to object to profiling, including automated profiling carried out without their consent.


If a Data Subject makes a Data Subject Access Request or any request to make use of any of the other rights outlined above, this will be responded to in accordance with the relevant APCOA procedure as included in the DPS. This procedure also describes how APCOA will ensure that its response to the request complies with the requirements of the Data Protection Legislation. Where such disclosure will result in images being provided, APCOA’s procedure requires that necessary measures are taken to blur or remove images that could be Personal Data in respect of another Data Subject.

Complaints

A Data Subject has the right to complain at any time to APCOA if they have concerns about how their information is used. If they wish to lodge a complaint this should be directed to the appropriate senior manager following the complaints procedure using where possible a complaint form supplied by APCOA. Any complaints will be directed to the appropriate senior manager and their contact details will be made available through the Privacy Policy section of the APCOA website. Anyone telling us they wish to make a complaint should be directed to this part of the website. It is also signposted in the information provided at relevant locations for which APCOA is responsible.

A Data Subject also has the option to complain directly to the ICO. Details of the options for contacting the ICO are provided in the Privacy Policy section of the APCOA website to which people will be directed should they tell us in advance that they wish to make a complaint. It is also signposted in the information provided at relevant locations for which APCOA is responsible.

Consent

APCOA understands 'consent' to mean that it has been explicitly and freely given, is specific, informed, and unambiguous and indicates the Data Subject's wishes. It is a clear statement, or clear affirmative action, by which the Data Subject signifies agreement to the processing of Personal Data relating to him or her. The consent of the Data Subject can be withdrawn at any time.

In addition, APCOA understands 'consent' to include a requirement that the Data Subject has been fully informed of the intended processing and has signified their agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing personal information. There must be some active communication between the parties which demonstrates active consent. Consent cannot be inferred from non-response to a communication.

Where Sensitive Personal Data is concerned, explicit written consent is required unless an alternative legitimate basis for processing exists.

In addition to any other legitimate purpose allowing APCOA to process Personal Data it may, on occasion, also seek consent to process Personal Data and Sensitive Personal Data. This may be in respect of a contract of employment or during induction. Such consent will be obtained in line with the relevant APCOA procedure included in the DPS.

APCOA does not allow its services to be taken by anyone under the minimum age for driving a motor vehicle and therefore does not expect to process Personal Data for a child under the age of 13. Its online application forms include a definitive statement of this requirement, which every applicant must accept.

On some occasions APCOA may employ trainees or apprentices, or allow young adults under the age of 18 to attend the workplace. No one under the age of 13 will be allowed such access or employment, and therefore those who are given access are able to provide consent in their own right to APCOA's processing of their Personal Data.

Data Security

All APCOA Staff that are responsible for any Personal Data which APCOA holds or processes on behalf of anyone else (such as one of its clients) must keep it secure and ensure that it is not disclosed under any circumstances to anyone else unless that person has been specifically authorised by APCOA (or the Data Subject) to receive that information. Where appropriate, this recipient may be required to give an undertaking to hold that information under a duty of confidentiality.

All Personal Data should be accessible only to those who need to use it, and access will only be granted in line with the relevant APCOA procedure contained within the DPS. Depending upon the sensitivity and value (both to APCOA and to the Data Subjects concerned) of the information in question, Personal Data must be kept:

  • in a lockable room with controlled access; and/or
  • in a locked drawer or filing cabinet; and/or
  • if computerised, it must be password protected in line with the relevant APCOA procedure within the DPS.

Personal Data may only be stored on removable media with special permission granted by APCOA Senior Management, and this permission can be revoked at any time. If that permission has been granted, both the removable media device and the Personal Data on it must be encrypted and stored at all times in line with the relevant APCOA procedure within the DPS.

Colleagues must take care to make sure that screens and terminals are not visible except to APCOA colleagues who are authorised to view that information. All Colleagues and any consultants and temporary workers must sign up to the Communications Policy before they are given access to organisational information of any sort which includes for the purposes of this Policy, Personal Data.

Manual records must not be left where they can be seen by people who are not authorised to see them, and may not be removed from business premises without explicit written authorisation from an APCOA manager. As soon as manual records are no longer required for day-to-day operational reasons, they must be moved to secure archiving in line with the relevant APCOA procedure that forms part of the DPS.

The deletion and destruction of Personal Data is one of the activities classed as processing that information. Therefore, Personal Data may only be deleted or disposed of in line with the relevant APCOA procedure that is included in the DPS. Manual records that have reached their retention date must be shredded and disposed of as 'confidential waste'. Hard drives of redundant PCs are to be removed and immediately destroyed as required by the relevant APCOA procedure within the DPS before disposal.

Due to the increased risks involved with such processing, APCOA colleagues must be specifically authorised by an APCOA manager to access any personal information outside an APCOA office location.

Rights of access to Personal Data

As mentioned previously, Data Subjects have the right to access any Personal Data (i.e. data about them) which is held by APCOA in electronic format and manual records which form part of a Relevant Filing System.

As such, this includes the right for colleagues to inspect confidential personal references about them that have been received by APCOA. It also includes information obtained from third-party organisations about that colleague.

All Subject Access Requests (whether from a member of the public or from a colleague) will be dealt with as described in the relevant APCOA procedure within the DPS.

Disclosure of Personal Data

APCOA must ensure that Personal Data is not disclosed to unauthorised third parties, which includes family members, friends and, in certain circumstances, the Police and other local and central government bodies. All colleagues should exercise caution when asked to disclose Personal Data held on another individual to a third party. When dealing with such a request it is essential that the identity of the person making the request is confirmed and that they are able to establish a clear right to receive the Personal Data that APCOA holds about the Data Subject. Colleagues may be required to attend specific training that enables them to deal effectively with any such risk.

It is important to bear in mind whether or not disclosure of the information is relevant to, and necessary for, the conduct of APCOA's business.

If any APCOA colleague has concerns about the disclosure of any Personal Data (including about the identity of the person seeking the disclosure or the information that is being requested by them) they should, in the first instance, raise the matter with their manager. They may also raise it directly with any member of APCOA Senior Management.

The Data Protection Legislation permits disclosure without consent in certain situations, as long as the information is requested for one or more of the following purposes by someone who can establish that they have the right to request it for that purpose:

  • to safeguard national security;
  • the prevention or detection of crime, including the apprehension and/or prosecution of offenders;
  • the assessment or collection of any tax or duty;
  • the discharge of regulatory functions (including the health, safety and welfare of persons at work);
  • to prevent serious harm to a third party;
  • to protect the vital interests of the individual (i.e. life-or-death situations).

All requests to provide data for one of these reasons must be supported by appropriate paperwork and all such disclosures must be specifically authorised by APCOA Senior Management.

Retention and disposal of Personal Data

Personal Data may not be retained for longer than it is required. The way in which this is managed in respect of Personal Data about a member of the public is set out earlier in this Policy.

In respect of Personal Data concerning colleagues, once they have left APCOA, it may not be necessary to retain all the information held on them. Some Personal Data will be kept for longer periods than others. The relevant APCOA procedure on retention of personnel records that is included in the DPS will apply in all such cases.

Disposal of records

As has already been mentioned, disposal of Personal Data is one of the Processing activities in respect of Personal Data. Personal Data must be disposed of in a way that protects the "rights and freedoms" of Data Subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion) and in line with the secure disposal process in the relevant APCOA procedure within the DPS.

Email and Internet privacy

The inappropriate use of e-mail and the Internet by employees, e.g. using the Internet for non-work purposes, can have significant consequences for APCOA. This can be in terms of:

  • embarrassment/damage to APCOA's reputation;
  • loss of productivity;
  • increased risk of liability and legal action, e.g. for e-mails that could be considered to be sexist or racist;
  • increased risk of introducing a virus or other malware into APCOA’s IT systems.

To reduce inappropriate use, we have electronic security safeguards. A gateway filter scans, examines and manages e-mail attachments. APCOA has installed filtering software that searches e-mails for specific words or phrases (normally those that can be considered obscene or discriminatory), monitors which websites our colleagues are accessing, and filters which categories of website APCOA colleagues can access.

Acceptable use of E-mail and the Internet

Please see Communications Policy that is available on Sharepoint or can be obtained from your APCOA manager.

In addition, APCOA's colleagues will be kept fully informed about overall information security procedures and the importance of their role within these procedures. Manual filing systems are held in secure locations and only authorised colleagues can access them.

Responsibilities and Review

APCOA Senior Management has overall responsibility for the administration and implementation of APCOA's Data Protection Policy.

Each manager will assume authority and responsibility for compliance by the colleagues within their department.

This Policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Legislation.

This Data Protection Policy will, under normal circumstances, be managed and reviewed annually. The reviews of the Policy will be subject to scrutiny and may, from time to time, result in the circulation of updates and re-issues.

However, the Policy will be reviewed sooner in the event that any one or more of the following affects its content:

  • a weakness in the Policy is highlighted
  • any weaknesses in hardware and software controls are identified
  • where new threat(s) or changed risks are identified
  • there are changes in the legislative requirements
  • there are changes in Government, company or other directives and requirements