Privacy Policy

We at Active Freight Worldwide Ltd are committed to safeguarding the privacy of our website visitors and our customers; this policy sets out how we will treat your personal information. Throughout the policy, we refer to your personal information as your data.

If you have any questions about this privacy policy or our treatment of your personal data, please contact us:

  • by email at: john@activefreightworldwide.co.uk
  • by post to: Active Freight Worldwide Ltd, 2 Mariners House Copse Lane, Hamble-Le-Rice Southampton, Hampshire SO31 4QH
  • by telephone on: 01489 232004

Our data protection registration number is ZA390142. Our company is registered in England and Wales. 

Introduction

We are a freight forwarding company and need to collect and use information on individuals such as customers, potential customers, suppliers and employees. We use this information to manage our business, meet our contractual obligations with the customer and meet our legislative requirements. However, we must ensure that we use and protect the information in accordance with current legislation. Failure to do so could lead to distress to individuals, financial sanctions from the Information Commissioner's Office (ICO) and reputation damage, and could impair our ability to attract new customers.

This policy, together with other documents including the data protection policy, describes how we will protect personal information to protect the individual and comply with the law.

Definitions

Data Controller

The company is the data controller for the personal information we collect such as our employee information and business contact information.  We are registered with the ICO, and we are responsible for protecting this information in accordance with this policy.

Data Processor

The company is the data processor for the personal information provided to deliver the contracted service. We are responsible for protecting this information in accordance with the relevant contracts.

Data Subject

The data subjects are the individuals whose personal information we deal with such as customers or suppliers, our customers’ or suppliers’ employees, potential customers, suppliers and employees.

Personal Information

Personal information means any information relating to an identified or identifiable natural person.  An identifiable natural person is one who can be identified, directly or indirectly, from the information.  The information includes name, address, date of birth, email, telephone number, national insurance number etc.  Personal information also includes information associated with that individual such as telephone bills, call recordings, staff development, staff reviews and pay rates.

Special Category Information

Special category information is sensitive information, such as medical, race, religion, sexuality, political or trade union membership, that requires sensitive handling.

Data Processing

Processing means any action performed on personal information, which includes collection, recording, organising, storing, sharing and transmitting.  This includes electronic and paper documents containing personal information.  Many of our activities involve processing information and therefore we must comply with the law.

Legislation

We must comply with the Data Protection Act (DPA) 2018 and the EU General Data Protection Regulation (GDPR). 

Governance

Roles and Responsibility

Every employee has a responsibility to ensure we protect the personal information we hold and comply with this policy.

Board Level

The Managing Director is accountable for data privacy.

Data Protection Officer

The Managing Director also has day-to-day responsibility for data privacy and is the main point of contact for any questions about data privacy.

Employee Responsibilities

All employees are responsible for complying with this policy.

Risk Management

Data Privacy Impact Assessment (DPIA)

When we are considering processing information in a new way, using a new technology or processing sensitive information, the Managing Director will decide whether a Data Privacy Impact Assessment (DPIA) is required.

Risk Register

The Managing Director will maintain an Information Asset and Privacy Risk Register.  The register will be reviewed annually by the Managing Director.

Privacy Principles

Collecting Information

We should collect the minimum personal information we need to complete a task. We should not collect information just in case. If someone is making an enquiry about our services, we should only collect initial contact details; there is no need to collect further information as this can be added later. To manage our service provision, we are only required to collect a user’s name, business email address and telephone number.

Processing Information

When we are planning to process information, we need to consider the legal reason for processing, and whether we need the individual’s consent to process.  Much of our processing is for legitimate business reasons to run our business and deliver our contracted services to customers; we need to pay staff, monitor and report on services and invoice fees and therefore we do not require consent.

However, some activities may not be considered necessary to deliver the contracted services, such as marketing. Where we are marketing to business customers, we do this as a legitimate business interest and do not need their consent, but we must offer them the right to opt out of further communications. Where a business customer opts out, we must record this and ensure we do not market to that customer again.

We must not send marketing material to an individual’s personal email address or home address without their consent.

Securing Information

We must protect the personal information we use whether in electronic or paper format.

  • Documents containing customer, employee or supplier personal information should be stored securely when not required.
  • Documents containing customer, employee or supplier personal information should only be removed from business premises where necessary.  Documents must be protected while off premises and should not be left unattended.
  • Electronic copies of customer, employee or supplier personal information must be stored on controlled devices or systems in accordance with this policy.
  • Electronic documents containing customer or another employee’s personal information should not be emailed to home computers or personal mobile devices.
  • Employees should not download electronic documents containing customer, employee or supplier personal information on their own devices.

Deleting data retention

When personal information is no longer required, and there is no legal requirement to retain the information, electronic data must be deleted and paper copies securely destroyed.  Annex A contains a list of how long we need to retain the types of information we process.

Confidentiality

We have a duty of confidentiality to our customers when processing their employees’ personal information. All employees must sign a confidentiality agreement before starting work.

Subject Access Request and Data Transfer Request

Individuals have the right to know whether we store and process their personal information; this is known as a Subject Access Request. If the information we hold is inaccurate, they have the right for that information to be corrected. In certain circumstances, they have the right to have the information deleted or to be given a copy of that information. We must respond to any request within 28 days. The individual does not have to state they are making a subject access request; it can be a simple email asking what information we hold. Therefore, any request by an individual with regard to the information we hold must be forwarded to the Managing Director.

Communication

Our privacy policy informs individuals how we collect their information, what we do with their information and their rights.  A copy of the privacy policy will be displayed on our website and a copy will be sent to individuals, if requested.

The privacy policy will be given to employees on induction.

The Managing Director is responsible for maintaining the privacy policy.

Education and Awareness

All new employees, including any temporary appointments, must read this data privacy policy as part of their induction process.

All employees will receive annual data privacy update briefing/training as part of their ongoing development.  The Managing Director will periodically send emails to all employees highlighting key aspects of data privacy.

Incident Handling

We have a legal responsibility to report certain data privacy incidents to the ICO within 72 hours or face a financial penalty. It is essential all employees follow the incident procedure. Examples of privacy breaches are:

  • Revealing a customer’s or employee’s contact details to an unauthorised third party.
  • Emailing a customer’s or employee’s sensitive personal information to another colleague.
  • Losing a laptop containing the personal information of a large number of customers and employees.
  • Compromise of a third-party service resulting in the loss of customers’ or employees’ contact information.

Not all the examples above are reportable to the ICO; however, it is essential that employees report any incident or potential incident to the Managing Director. The Managing Director will decide whether the incident requires reporting to the ICO and whether an action is required to manage the risks from the incident.

Assurance and compliance

The Managing Director will carry out periodic checks to monitor staff compliance with this policy.

Annex A – Retention Schedule

The primary factors that inform decisions on retention are:

  • Business need – as agreed by the organisation.
  • Legislative and regulatory requirements.
  • National Archives requirements and guidelines.

It is important that the retention schedule is kept up-to-date, to reflect changing business needs, new legislation, changing perceptions of risk management and new priorities for the organisation.

It should be noted that personal data should not be kept longer than is necessary for the purpose or purposes for which it is being processed. So, this means you’ll need to apply some judgment and apply different holding times for different types of personal data.  It is essential you ensure that manual records be shredded and electronic files permanently deleted from the system.

 

Retention Schedule:

| Category | Type of Record | Retention Period |
|---|---|---|
| Customer | Financial transaction records | 6 years after account is closed |
| Customer | Contracts | 6 years after account is closed |
| Customer | Letters | 6 years after account is closed |
| Customer | Complaints | 6 years after account is closed |
| Customer | Enquiries | 3 years after account is closed |
| Customer | Investigations | 10 years after account is closed |
| Customer | Telephone calls | 3 years from date of creation |
| Employee | Job application and interview records | 6 months following unsuccessful application |
| Employee | Personnel records | 4 years after employment ceases |
| Employee | Training records/appraisals | 4 years after employment ceases |
| Employee | Employment agreements | 4 years after employment ceases |
| Employee | Payroll and wage records (including details of overtime, bonuses and expenses) | 4 years after employment ceases |
| Employee | Salary records | 4 years |
| Employee | Disciplinary warnings should be removed from employee’s personnel files once they have expired | Oral warning – 6 months; Written warning – 12 months; Final warning – 24 months |
| Employee | Disciplinary action ever taken, in particular disciplinary hearings | 2 years after employment ceases |
| Employee | Grievance issues | 2 years from date of termination of employment |
| Employee | Termination: The process of termination of staff through voluntary redundancy, dismissal and retirement | 4 years after termination of employment |
| Employee | Details of benefits in kind | 4 years after employment ceases |
| Financial | Income tax records (P45/P60/P%*/P48 etc.) | 10 years |
| Financial | Annual return of taxable pay and tax paid | 10 years |
| Financial | Published accounts | 10 years |
| Financial | Tax returns | 10 years |
| Financial | Financial records held on general ledgers | 10 years |
| Health & Safety | Accident/Incident Book | 10 years |
| Health & Safety | Legal/Accident/Incident Forms | 4 years from date of accident |
| Health & Safety | Risk Assessments | 2 years |
| Health & Safety | Health & Safety Policy | Until superseded but retain earlier versions up to 5 years and review as necessary |
| Other | Policies | 3 years from the date they cease to be relevant |
| Other | Procedures | 3 years from the date they cease to be relevant |
| Other | Company Secretarial Records (e.g. board meeting minutes) | Permanently |


If you would like to know more or have an enquiry, please call +44 (0) 1489 232004

Copyright © Active Freight Worldwide Ltd 2014