Data Protection Policy
DATA PROTECTION POLICY AND STATEMENT
1. G4S is fully committed to full compliance with the requirements of the General Data Protection Regulation. G4S will therefore follow procedures which aim to ensure that all employees, candidates, contractors, consultants, partners or other agents of G4S (collectively known as Data Users) who have access to any Personal Data held by or on behalf of G4S are fully aware of and abide by their duties under the General Data Protection Regulation.
2. G4S respects the privacy rights of any person, who’s Personal Data we are entrusted with and G4S complies with laws and regulations protecting Personal Data. We regard the lawful and appropriate treatment of Personal Data as very important to our successful operations and essential to maintaining confidence between G4S and those with whom we carry out business. This Policy covers all Personal Data collected, processed, shared or used by G4S.
3. G4S needs to collect and use information about people with whom it works in order to operate and carry out its functions. These may include members of the public, current, past and prospective employees, clients and customers and suppliers, and people who use the services that we provide. This Personal Data must be handled and dealt with properly however it is collected, recorded and used and whether it is on paper, in computer records or recorded by other means.
4. It is the responsibility of every G4S Manager to adhere to this Policy within his or her area of functional or business responsibility, to lead by example and to provide guidance to those Data Users reporting to him or her. All Data Users are responsible for adhering to the principles and rules set out in this Policy and are expected to recognise if they are collecting, processing, sharing or using Personal Data. Data Users must be aware of the general privacy requirements and principles that govern Personal Data and know when to escalate issues to the Data Protection Officer.
DATA PROTECTION PRINCIPLES – PRIVACY BY DESIGN AND DEFAULT
5. This Policy explains the relevant data privacy principles for the protection of Personal Data and how such principles are to be implemented.
6. The GDPR provides conditions for the processing of any Personal Data. It also makes a distinction between Personal Data and 'special category' data.
Personal Data is defined as any information relating to an identified or identifiable natural person
Special category data is defined as Personal Data consisting of information as to:
- Racial or ethnic origin
- Political opinion
- Religious/philosophical beliefs
- Trade union membership
- Physical or mental health or condition
- Sexual life or sexual orientation
- Biometric data
7. Any Data User processing Personal Data must comply with 6 principles of good practice. The principles require that Personal Data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- collected for specified, explicit and legitimate purposes and not further processed in an manner that is incompatible with those purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed
- processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures, and acting in accordance with the rights of data subjects under the GDPR.
8. A fundamental principle of Data Privacy requires that G4S process Personal Data fairly and lawfully. When collecting and using Personal Data consider how you would like to be treated by a company who is collecting your Personal Data and apply relevant laws, regulations and this Policy.
9. All G4S Data Users must :
- Collect and use Personal Data only with a legal justification which may include the legitimate business interests of G4S. For example some G4S Guidelines or local laws may require explicit consent of the person concerned prior to collecting Personal Data.
- Notify people about how their Personal Data will be used prior to collecting the information (“Privacy Notice”). Note – this doesn’t mean you need to inform individuals personally, but you can refer people to a specific Privacy Notice that is relevant and applicable.
- Collect only the Personal Data required for a specific business purpose.
- Be aware of any contractual obligations with regard to the processing of Personal Data (including any specific methods of transfer or security requirements).
- Use Personal Data only for the specific business purpose described in the Privacy Notice or Consent Form or in a way that the person would reasonably expect. “Consent” means any freely given, unambiguous, revocable and informed indication of the person’s agreement to the processing of his/her Personal Data. A Privacy Notice means an oral or written statement that individuals are given when Personal Data about them is being collected. The Privacy Notice describes who is collecting Personal Data, why Personal Data is being collected, how it will be used shares, stored and any other relevant information of which the person should be aware.
- Use Personal Data in ways that do not have an adverse effect on the person concerned unless such use is justified by law.
- Anonymise Personal Data where possible and appropriate in a way that ensures the necessary safeguarding of Personal Data and Special Category Personal Data.
10. Responsible management of Personal Data is required to protect privacy rights and comply with Data Privacy laws.
11. Where we collect, use and/or maintain Personal Data G4S must take the appropriate steps to :
- Keep Personal Data accurate and up to date throughout the Information Lifecycle (from collection to destruction) and for only as long as necessary for the purpose or as required by law.
- Safeguard Personal Data so that is not shared with others who do not have a valid business reason to access the information.
- Comply with G4S Information Security Policies and procedures when processing Personal Data
- Prevent the misuse of Personal Data for a purpose that is not compatible with the original purpose for which it was collected
- Ensure Traceability of Personal Data throughout its lifecycle. “Traceability” follows the lifecycle of Information to track all access and changes to Personal Data and locations of the Personal Data. It helps G4S demonstrate transparency, compliance and adherence to regulations
- Report any Data Privacy breach in accordance with the terms of the Data Breach Policy. Data Privacy Breach means any unauthorised disclosure, acquisition, access, destruction or alteration of, or any similar action involving Personal Data, or any other incident where the confidentiality, integrity or availability of Personal Data may have been compromised.
12. G4S has designated Regional and Sub Regional Data Protection Officers who are accountable on advising on regional/local data privacy matters and for implementing regional/local Data Privacy controls.
13. When in doubt whether Personal Data may be used for a purpose different from the purpose for which it has been collected, or in case of any other question related to the management of Personal Data, please review any local specific controls or contract your regional/local Data Protection Officer.
LAWFUL PROCESSING OF DATA
14. Under the GDPR (and under the current Data Protection rules), there needs to be a lawful basis for processing Personal Data. Data may not be processed unless there is at least one lawful basis to do so:
15. The key "lawful basis" grounds for processing data that will apply to G4S are that:
- Processing is necessary for the performance of a contract to which the data subject is party (such as an employment contract) or to take steps at the request of the data subject prior to entering into a contract - this will often be the case where this is HR data.
- Processing is necessary for us to comply with our legal obligations.
- Processing is necessary for the purposes of G4S' legitimate business interests.
- Consent has been given to us where we are Data Controller - by the person whose Personal Data is processed. Where we are relying on consent as the lawful basis for processing, that consent must be explicit in respect of the data collected and the purposes data is used for and a record kept of such consent.
16. Personal Data may necessarily be shared with other G4S affiliates, government agencies and third parties for legitimate business reasons or as otherwise allowed or required by law. Data Users who share Personal Data with third parties must obtain assurance that the third party has the ability and intention to protect Personal Data, consistent with the standards and principles contained in this Policy. This may be done through third party due diligence, risk assessment and/or a contract. If risks are identified then appropriate requirements (including technical safeguards and organisational measures) must be set out to ensure adequate protection of Personal Data. A processing agreement will usually be required whenever a third is provided access to Personal Data in order to process such Personal Data on behalf of G4S. If such agreement is not in place this should be reviewed with the Data Protection Officer for the business. In addition similar arrangements are required where G4S businesses process data to or on behalf of each other.
17. Questions regarding requirements for the disclosure of Personal Data to Third Parties should be addressed to your regional/local Data Protection Officer.
18. In many instances, the use of Third Parties will also involve the transfer of Personal Data across country borders. Also many business processes require the transfer of data within G4S Group of Companies.
19. When you transfer Personal Data across borders to Third Parties we need to:
- Determine that we have a legitimate justification for the Transfer of Personal Data ( e.g. valid business reason)
- Follow the instructions or any local legal requirements (e.g notice to the individual, notification to Data Protection Authority, use of contractual safeguards such as Model Contractual Clauses like the EU Model Clauses).
- The transfer of Personal Data from G4S Companies operating as Data Controllers within the EEA to other G4S Companies established outside the EEA are permitted only through the contractual safeguards of Model Contractual Clauses. “Third Party” is any person including a legal entity with whom G4S interacts and that is not a G4S Company or Associate.
INDIVIDUAL RIGHTS REGARDING PERSONAL DATA
20. We have in place arrangements for Data Subjects to exercise their individual rights with regard to Personal Data. These include Data Subject Access Requests, and other rights with regard to the Personal Data. In the event of a request made by a Data Subject then this should be actioned in accordance with the Data Subject Access process. In respect of other requests made – such as the right to portability or any requests to be forgotten – these should be referred to the relevant Data Protection Officer.
21. In the event of Data Breaches you must follow the Data Breach Management Policy without delay.
22. In respect of any concerns with regard to the appropriate management of Personal Data, any Associate, who learns of a potential violation of applicable laws and/or this Policy should notify the relevant Data Protection Officer immediately. Alternatively, they may report their suspicion (anonymously) in accordance with Speak Out Program and G4S Code of Ethics.