DATA PROTECTION & SECURITY POLICY

A Data Protection Policy was first formally adopted by The Vetting Company (TVC) on 1st May 2004 and amended on 23rd July 2010 to take account of how data is physically handled and stored.

The Vetting Company has a requirement to collect and use certain types of information data about people with whom it deals in order to operate efficiently.

These people will include current and prospective employees and agents, suppliers, clients, customers and others with whom it communicates including the subjects of background enquiries.

In addition, it may occasionally be required by law to collect and use certain types of information of this kind to comply with the requirements of government departments.

The Vetting Company acknowledges that all personal information, however it is collected, recorded and used must be dealt with properly in accordance with the safeguards provided by the Data Protection Act 1998.

We regard the lawful and correct treatment of personal information as very important to successful business operations and to maintaining high levels of confidence between ourselves and those with whom we deal.

To this end The Vetting Company fully endorses and adhere to the principals of Data Protection as contained in the Data Protection Act 1998 that require personal information to be:-

• Processed fairly and lawfully
• Obtained only for specified and lawful purposes
• Adequate, relevant and not excessive
• Accurate and, where necessary kept up to date.
• Not kept for longer than is necessary
• Processed in accordance with the rights of data subjects
• Subject of appropriate technical and organisational measures to prevent unauthorised or unlawful processing and prevent against accidental loss or destruction of such data.

• Not transferred to any country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in the processing of personal data.

Therefore, The Vetting Company will, through appropriate management and placement of controls:

• Observe fully conditions regarding fair collection and use of personal information;
• Meet legal obligations to specify the purposes for which the information is used;
• Collect and process appropriate information, but only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
• Apply checks to determine the length of time information is held;
• Ensure that the rights of people about whom information is held, are able to be fully exercised under the act;
• Take appropriate technical and organisational security measures to safeguard personal information
• Not transfer personal information abroad without suitable safeguards.

Specifically, The Vetting Company will ensure that:

• Andrew Griffiths will have specific responsibility for all Data Protection issues.
• Everyone managing and handling personal information on behalf of The Vetting Company understands that they are individually responsible for following good data protection practice;
• Queries about handling of personal information are dealt with promptly and courteously;
• An annual review, assessment and audit will be made of the way personal information is managed and all unused data will not be retained for longer than 10 years.
• Stored computer data will be held separately in a secure encrypted manner (currently utilising Microsoft Bitlocker software).
• Any computer system used by TVC for storing personal data will be automatically password protected.
• Where appropriate, data storage will incorporate lockable Fireproof & Waterproof facilities.
• No personal data can be viewed from outside the office premises and when unattended all personal data will be securely stored away from view (commonly known as a clean desk policy).
• Articles obtained to facilitate personal identification will be promptly returned or securely deleted when no longer required.
• Paper waste containing personal or sensitive information will be crosscut shredded to Din 3 (Confidential) level or greater.

23rd July 2010