Data Protection Policy
This document sets out the obligations of British Gas Energy Trust (BGET) regarding data protection and the rights of customers, people with whom it works and employees in respect of their personal data under the United Kingdom General Data Protection Regulation (“GDPR”).
This Policy shall set out procedures which are to be followed when dealing with personal data. The procedures set out herein must be followed by BGET, its employees, contractors, agents, consultants, partners or other parties working on its behalf.
BGET views the correct and lawful handling of personal data as key to its success and dealings with third parties and its employees. The Trust shall ensure that it handles all personal data correctly and lawfully.
Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.
Data subjects for this policy include all living individuals about whom we hold personal data. A data subject need not be a UK national or resident.
Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (such as a name, address, IP address or date of birth) or it can be an opinion (such as a performance appraisal).
Data controllers are the people who or organisations which determine the purposes for which, and the way, any personal data is processed. They have a responsibility to establish practices and policies in line with the Act. We are the data controller of all personal data used in our business, jointly with Auriga Service Ltd.
Data users include consultants whose work involves using personal data. Data users have a duty to protect the information they handle by following our data protection and security policies at all times.
Data processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition, but it could include suppliers which handle personal data on our behalf.
Data processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
Special category data means personal data relating to the racial or ethnic origin of the data subject; their political opinions; their religious (or similar) beliefs; trade union membership; their physical or mental health condition; their sexual life; the commission or alleged commission by them of any offence; or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
BGET is committed to the proper processing of customer data and will endeavour to ensure the Trust and its team act in accordance with the GDPR together with the expectations of the Information Commissioner's Office.
It is the policy of BGET to ensure that:
- Information will only be processed where the conditions for doing so have been met; where those conditions include consent, consent will be informed and freely given through a positive action by the data subject or nominated third party
- Information will be protected against unauthorised access
- Confidentiality of information will be assured
- Integrity of information will be maintained
- Regulatory and legislative requirements will be met
- Citizens will be provided with timely and clear information about the processing of their data
- Data subjects will be provided with all rights applicable to them
- All breaches of Information Security, actual or suspected, will be reported and investigated
- Standards will be produced to support the policy. These include virus controls and passwords
- Business requirements for the availability of information and information systems will be met
- All Managers are directly responsible for implementing the policy within their business areas, and for adherence by their staff
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
The GDPR tightened and streamlined the previous data protection laws, including issuing new principles that firms must abide by.
These principles say data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Data controllers will remain accountable for their actions
We will hold certain information on data subjects to fulfil our legal or contractual duty to our customers, to employ consultants or in relation to steps taken to enter into a contract.
The GDPR lays down conditions, at least one of which must be met, for any use of personal data to be fair. The Trust will meet at least one of the conditions in its use of personal data, which, in summary, are:
6(1)(a) – consent of the data subject
6(1)(b) – necessary for the performance of a contract with the data subject or to take steps to enter into a contract
6(1)(c) – necessary for compliance with a legal obligation
6(1)(d) – necessary to protect the vital interests of a data subject or another person
6(1)(e) – necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
6(1)(f) – necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
9(2)(a) – Explicit consent in relation to special category data
9(2)(b) – Processing is necessary for carrying out obligations under employment, social security or social protection law
9(2)(c) – Processing is necessary to protect the vital interests of a data subject or another person
9(2)(d) – Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim
9(2)(e) – Processing relates to personal data manifestly made public by the data subject
9(2)(f) – Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
9(2)(g) – Processing is necessary for reasons of substantial public interest based on Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards
BGET will usually be processing data under 6(1)(b), 6(1)(c) and 6(1)(f) / 9(2)(a) or 9(2)(g) which may be summarised as:
- 6(1)(b) Necessity for the performance of a legal or contractual obligation involving the Data Subject is the basis for processing the data of Consultants and Trustees.
- 6(1)(c) Necessity for compliance with a legal obligation is the basis for processing the following information:
  - Information required by regulators in respect of applications for support
  - Identification details of the customer
  - All transaction records (customer, business to business, etc.)
  - Accounting information
- 6(1)(f) Legitimate interests is the basis for the processing of:
  - Customer details, including financial information, history of grant applications, ethnic origin and special category data of the applicant and/or third parties
  - Details of persons who contact us
  - Personal details, such as email addresses, of business contacts
- 9(2)(a) Explicit consent in respect of special category data will be the basis where customers, applicants, or persons who contact us disclose special category data about themselves, such as health data or ethnic origin, or where a Consultant or Trustee discloses such information about themselves
- 9(2)(f) Public Interest twinned with Economic well-being is the basis for processing special category data about third parties.
Processing of personal information by the Trust will be fair and lawful and in accordance with the privacy notice the customer consented to as part of the terms and conditions of their agreement or equivalent. In addition, it is Trust policy that individuals will not be misled as to the purposes to which the trust will process the information.
BGET will ensure that, as far as practicable, all individuals who have information processed by the trust are aware of the way in which that information will be obtained, held, used and disclosed.
The obtained data will only be used for servicing the agreement with that individual and/or exercising a contractual right under that agreement and will not be sent to any other third party, except:
- The customer
- The customer’s authorised representative such as somebody with power of attorney
- The data controller (where applicable)
- Required IT providers
- Selected third parties with the knowledge of the data subject
Article 30 Records of Processing
| Record | Detail |
|---|---|
| Details of Data Controller | British Gas Energy Trust, Trinity Court, Trinity Street, Peterborough. PE1 1DA |
| Purposes for processing | Supply of energy grants |
| Categories of data subjects | Data subjects interested in or who have obtained a grant; individuals living with applicants |
| Categories of personal data | Data subjects interested in a grant / who have obtained a grant; Individuals living with applicants; Person contacting us; Third party business contact; Consultants / Trustees |
| Transfers to third country | We do not transfer to third countries |
| Retention | See Data Retention Policy |
| Security measures | See Information Security section of this policy |
It is the policy of BGET to undertake a data mapping exercise to identify and record all fields of data processed by the trust, the legal basis for processing, whether the processing is necessary, the security measures applied, where the data is stored and who it is sent to, and which rights apply.
This data map must be reviewed and updated annually.
Data Subjects, under GDPR, have the following rights which, where they apply, are reflected under this policy:
- Right to be informed
- Right to access
- Right to erasure (to be forgotten)
- Right to object
- Right to rectification
- Right to restrict
- Rights in relation to automated decision making and/or profiling
- Right to portability
Compliance will be completed by the following steps:
| GDPR Right | BGET – Compliance |
|---|---|
| Informed | Data subjects are provided with a privacy notice at the point in time we begin to process their data; further notices are provided whenever the basis for processing changes. As a result we issue notices in the following manner: |
| Access | A Data Subject Access Request process is embedded within the organisation as part of the Eight Rights Process |
| Erasure | A process allowing data subjects to request that relevant data is deleted will be maintained as part of the Eight Rights Process |
| Object | A process allowing data subjects to object to processing where the basis of processing is legitimate interests will be maintained as part of the Eight Rights Process |
| Rectification | A process for handling such requests is embedded as part of the Eight Rights Process |
| Restrict | A process for handling such requests is embedded as part of the Eight Rights Process |
| Rights in relation to automated decision making and/or profiling | A process for handling such requests is embedded as part of the Eight Rights Process |
| Portability | A process for handling such requests is embedded as part of the Eight Rights Process |
Data will be maintained in accordance with the timescales in the Data Map and Data Retention Policy of BGET.
Where data is deleted this will be by:
- Confidential waste bins / shredding
- Deletion from internal system
- Deletion from external suppliers
INFORMATION COMMISSIONER’S OFFICE (ICO)
The Trust will notify the ICO and maintain its registration in accordance with the requirements of the ICO.
The Trust will not use or process personal information in any way that contravenes its notified purposes, or in any way that would constitute a breach of the GDPR. When appropriate, the trust will notify the Information Commissioner of any amendments to the existing trust’s notified purposes or of new purposes to be added to the Notification Register entry.
BGET will endeavour to record all information accurately and rectify incorrect data to ensure high data quality; this will usually be achieved through:
- High level of staff training
- Double checking / quality assuring data inputting
- Allowing data subjects the right to rectification where it is identified data is incorrect
BGET has identified the following information security objectives:
- To ensure each member of the team has a proper awareness and concern for computer systems security and an adequate appreciation of their responsibility for information security
- To ensure all contractors and their employees have a proper awareness and concern for security of our information
- To provide a framework giving guidance for the establishment of standards, procedures and computer facilities for implementing computer systems security
- To ensure all consultants and trustees have an awareness of the GDPR and its implications
- To ensure that all staff have an awareness of other applicable legislation
- To ensure that all staff are aware of their accountability
Safeguarding means keeping data secure and not divulging it to any unauthorised third party. Consultants must safeguard data by completing the following data protection steps:
- Three pieces of customer information must be confirmed by the customer at the beginning of each telephone call; if the customer does not confirm these correctly then no account details may be given.
- Before discussing account details with any third party we must hold authority from the customer and ensure the third party passes through the above data protection check.
- The trust employs a ‘clear desk’ policy. This means that at the end of each day all paper records must be locked in a secure cabinet.
- Consultants must dispose of all sensitive data using confidential waste bins
- Consultants are prohibited from discussing customer details with non-employees of the trust, except where this is permissible and required in relation to authorised third parties, regulators and law enforcement agencies.
- Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted
- Where personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data
- All electronic copies of personal data should be stored securely using passwords and suitable data encryption, where possible on a drive or server which cannot be accessed via the internet; and
- All passwords used to protect personal data should be changed monthly and should not use words or phrases which can be easily guessed or otherwise compromised
- Each department maintains an information security process detailing the steps it takes to keep data secure
The Trust ensures security of data by controlling access to records to only those employees who need specific access to specific data to carry out their jobs. The trust restricts access to records by people other than our employees and takes steps to prevent accidental loss or theft of personal data by using server backup processes and increased security at our offices.
The Trust has appropriate security measures in place as required by the GDPR and in accordance with robust data security practice. Information systems are installed with adequate security controls and trust employees who use these systems will be properly authorised and trained to use them for trust business. More detail regarding the information security systems and controls used by the trust can be found in the Data Security Process document and these include:
- A firewall which vets and scans all data passing into and out of the office network, stopping or rejecting identified threats and attacks.
- Company emails are processed through an ISP which provides anti-virus, anti-spam, anti-malware and reputation scanning of both inbound and outbound email; it also provides secure encrypted email, compliant email archiving and email storage in the event of business interruption.
- Each server and workstation in the office has an antivirus and anti-malware product installed, protecting the end-user equipment.
- Each server and workstation in the office is checked monthly and latest security updates appropriate for the operating system and application software are installed.
- All staff (including temporary staff) have their own logon and are required to change their password on a regular basis; the password requirement is set to 8 characters and must include numbers (to increase security). All new staff must change their password the first time they log in.
- Temporary staff are issued with temp (restricted access) logins to the network and to core applications.
- All workstations are installed with Drivelock preventing and logging the attempt to transfer data to or from floppy drives, CD/DVD drives or any USB device.
- Continual supervision of visitors and restricted visitor access.
Email and Internet Usage
The inappropriate use of email and the internet by employees, such as using the internet for non-work purposes, can have significant consequences for our trust, including:
- embarrassment and/or damage to the trust’s reputation
- loss of productivity
- increased risk of data protection breach
- increased virus risk
To mitigate the risk of inappropriate usage, we have introduced electronic security safeguards such as PGP encryption, a firewall, filtering software that scans emails for specific words or phrases (normally obscene or discriminatory content, or card data), and a system which monitors which websites our employees are accessing, as well as controlling which types of websites our employees can access.
Personal internet use within the office is restricted during opening hours. The internet can be used by an employee but only for work purposes.
Business email addresses must not be used for any personal emails. Personal messages sent from or received at an employee's business email address may result in disciplinary action against the relevant employee(s).
All employees should also show due care when opening any attachment, especially if the email is from an unknown or suspicious source.
Employees must not send illegal, confidential or sensitive material or passwords by email, or store inappropriate content.
PRIVACY BY DESIGN AND DEFAULT / DPIA
The concept of privacy by design is interpreted by BGET as "designing any new system or process with privacy, data security and minimisation in mind from the outset." This must also be the case whenever the firm is carrying out new types of processing.
BGET will ensure privacy by design through the firm's change management process, which requires the person identifying a potential change to consider data protection requirements and best practice, ensuring it is built into the concept. Prior to any work starting on the suggested change, it must be authorised by Jessica Taplin; at the point of authorisation Jessica Taplin will conduct a Phase 1 DPIA and, depending on the result, a Phase 2.
The DPIA will be the method by which BGET ensures privacy by design through reviewing the risk of the processing in order to decide whether processing is appropriate and, where processing is appropriate, to identify safeguards which must be built into the new system or process.
BGET defines a data breach as "Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed."
Breach Notification Process
BGET has in place a detailed “Data Breach Policy” which sets out the steps required whenever a data breach has been identified. This ensures BGET is compliant with GDPR notification requirements.