We at Active Freight Worldwide Ltd are committed to safeguarding the privacy of our website visitors and our customers; this policy sets out how we will treat your personal information. Throughout the policy, we refer to your personal information as your data.
- by email at: firstname.lastname@example.org
- by post to: Active Freight Worldwide Ltd, 2 Mariners House Copse Lane, Hamble-Le-Rice Southampton, Hampshire SO31 4QH
- by telephone on: 01489 232004
Our data protection registration number is ZA390142. Our company is registered in England and Wales.
We are a freight forwarding company and need to collect and use information on individuals such as customers, potential customers, suppliers and employees. We use this information to manage our business, meet our contractual obligations with the customer and meet our legislative requirements. However, we must ensure that we use and protect the information in accordance with current legislation. Failure to do so could lead to distress to individuals, financial sanctions from the Information Commissioner's Office (ICO), reputational damage and an impaired ability to attract new customers.
This policy, together with other documents including the data protection policy, describes how we will protect personal information in order to protect the individual and comply with the law.
The company is the data controller for the personal information we collect such as our employee information and business contact information. We are registered with the ICO, and we are responsible for protecting this information in accordance with this policy.
The company is the data processor for the personal information provided to deliver the contracted service. We are responsible for protecting this information in accordance with the relevant contracts.
The data subjects are the individuals whose personal information we deal with, such as customers or suppliers, our customers' or suppliers' employees, potential customers, suppliers and employees.
Personal information means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, from the information. The information includes name, address, date of birth, email, telephone number, national insurance number etc. Personal information also includes information associated with that individual such as telephone bills, call recordings, staff development, staff reviews and pay rates.
Special Category Information
Special category information is sensitive information, such as medical, race, religion, sexuality, political or trade union membership, that requires sensitive handling.
Processing means any action performed on personal information, which includes collection, recording, organising, storing, sharing and transmitting. This includes electronic and paper documents containing personal information. Many of our activities involve processing information and therefore we must comply with the law.
Every employee has a responsibility to ensure we protect the personal information we hold and comply with this policy.
The Managing Director is accountable for data privacy.
The Managing Director also has day-to-day responsibility for data privacy and is the main point of contact for any questions about data privacy.
All employees are responsible for complying with this policy.
When we are considering processing information in a new way, using a new technology or processing sensitive information, the Managing Director will decide whether a Data Privacy Impact Assessment (DPIA) is required.
The Managing Director will maintain an Information Asset and Privacy Risk Register. The register will be reviewed annually by the Managing Director.
We should collect the minimum personal information we need to complete a task. We should not collect information just in case. If someone is making an enquiry about our services we should only collect initial contact details; there is no need to collect further information, as this can be added later. To manage our service provision, we are only required to collect a user's name, business email address and telephone number.
When we are planning to process information, we need to consider the legal reason for processing, and whether we need the individual’s consent to process. Much of our processing is for legitimate business reasons to run our business and deliver our contracted services to customers; we need to pay staff, monitor and report on services and invoice fees and therefore we do not require consent.
However, some activities may not be considered necessary to deliver the contracted services, such as marketing. Where we are marketing to business customers we do this as a legitimate business interest and do not need their consent, but we must offer them the right to opt out of further communications. Where a business customer opts out we must record this and ensure we do not market to that customer again.
We must not send marketing material to an individual’s personal email address or home address without their consent.
We must protect the personal information we use whether in electronic or paper format.
- Documents containing customer, employee or supplier personal information should be stored securely when not required.
- Documents containing customer, employee or supplier personal information should only be removed from business premises where necessary. Documents must be protected while off premises and should not be left unattended.
- Electronic copies of customer, employee or supplier personal information must be stored on controlled devices or systems in accordance with this policy.
- Electronic documents containing customer or another employee’s personal information should not be emailed to home computers or personal mobile devices.
- Employees should not download electronic documents containing customer, employee or supplier personal information on their own devices.
Deleting data and retention
When personal information is no longer required, and there is no legal requirement to retain the information, electronic data must be deleted and paper copies securely destroyed. Annex A contains a list of how long we need to retain the types of information we process.
We have a duty of confidentiality to our customers when processing their employees’ personal information. All employees must sign a confidentiality agreement before starting work.
Individuals have the right to know whether we store and process their personal information; this is known as a Subject Access Request. If the information we hold is inaccurate they have the right for that information to be corrected. In certain circumstances, they have the right to have the information deleted or to be given a copy of that information. We must respond to any request within 28 days. The individual does not have to state that they are making a subject access request; it can be a simple email asking what information we hold. Therefore, any request by an individual with regard to the information we hold must be forwarded to the Managing Director.
Education and Awareness
All employees will receive annual data privacy update briefing/training as part of their ongoing development. The Managing Director will periodically send emails to all employees highlighting key aspects of data privacy.
We have a legal responsibility to report certain data privacy incidents to the ICO within 72 hours or face a financial penalty. It is essential that all employees follow the incident procedure. Examples of privacy breaches are:
- Revealing a customer’s or employee’s contact details to an unauthorised third party.
- Emailing a customer’s or employee’s sensitive personal information to another colleague.
- Losing a laptop containing the personal information of a large number of customers and employees.
- Compromise of a third-party service resulting in the loss of customers' or employees' contact information.
Not all the examples above are reportable to the ICO; however, it is essential that employees report any incident or potential incident to the Managing Director. The Managing Director will decide whether the incident requires reporting to the ICO and whether action is required to manage the risks arising from the incident.
Assurance and compliance
The Managing Director will carry out periodic checks to monitor staff compliance with this policy.
Annex A – Retention Schedule
The primary factors that inform decisions on retention are:
- Business need – as agreed by the organisation.
- Legislative and regulatory requirements.
- National Archives requirements and guidelines.
It is important that the retention schedule is kept up-to-date, to reflect changing business needs, new legislation, changing perceptions of risk management and new priorities for the organisation.
It should be noted that personal data should not be kept longer than is necessary for the purpose or purposes for which it is being processed. This means you'll need to apply some judgement and apply different holding times for different types of personal data. It is essential that you ensure manual records are shredded and electronic files are permanently deleted from the system.
| Type of Record | Retention Period |
|---|---|
| Financial transaction records | 6 years after account is closed |
| Contracts | 6 years after account is closed |
| Letters | 6 years after account is closed |
| Complaints | 6 years after account is closed |
| Enquiries | 3 years after account is closed |
| Investigations | 10 years after account is closed |
| Telephone calls | 3 years from date of creation |
| Job application and interview records | 6 months following unsuccessful application |
| Personnel records | 4 years after employment ceases |
| Training records/appraisals | 4 years after employment ceases |
| Employment agreements | 4 years after employment ceases |
| Payroll and wage records (including details of overtime, bonuses and expenses) | 4 years after employment ceases |
| Salary records | 4 years |
| Disciplinary warnings (to be removed from the employee's personnel file once they have expired) | Oral warning: 6 months; written warning: 12 months; final warning: 24 months |
| Disciplinary action ever taken, in particular disciplinary hearings | 2 years after employment ceases |
| Grievance issues | 2 years from date of termination of employment |
| Termination: the process of termination of staff through voluntary redundancy, dismissal and retirement | 4 years after termination of employment |
| Details of benefits in kind | 4 years after employment ceases |
| Income tax records (P45/P60/P%*/P48 etc.) | 10 years |
| Annual return of taxable pay and tax paid | 10 years |
| Published accounts | 10 years |
| Tax returns | 10 years |
| Financial records held on general ledgers | 10 years |
| Health & Safety | |
| Accident/Incident Book | 10 years |
| Legal/Accident/Incident Forms | 4 years from date of accident |
| Risk Assessments | 2 years |
| Health & Safety Policy | Until superseded, but retain earlier versions for up to 5 years and review as necessary |
| Policies | 3 years from the date they cease to be relevant |
| Procedures | 3 years from the date they cease to be relevant |
| Company Secretarial Records (e.g. board meeting minutes) | Permanently |