Additional protection is required for health or social service 'patient identifiable information' and for any government information which
is protectively marked.
Northgate, when acting as custodian of personal data, has a legal and moral duty to ensure that it is handled
properly and confidentially at all times, irrespective of whether it is held on paper, processor, memory stick or by any other electronic means.
This covers the whole lifecycle, including:
- The obtaining of personal data;
- The storage and security of personal data;
- The use of personal data; and
- The disposal / destruction of personal data.
Northgate also has a responsibility to ensure that data subjects have appropriate access, upon written request to
the data controller, to details regarding personal information relating to them.
Data Privacy terms
Data Privacy Principles
- Data Privacy relates only to living individuals and the most commonly used phrases are Personally Identifiable Information (in the US) (often written as PII) and Personal Data (in UK and EU).
- PII and Personal Data are information which can be used to identify an individual; usually this is their name, date of birth, social security number, biometric records, etc.
- Sensitive Data goes a step further and is information that includes personal data relating to the data subject's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, alleged commission of any offence, or any criminal history.
- The Data Subject is an individual who is the subject of personal data.
- The Data Controller is the person/entity who owns and controls personal data, usually an employer. This person/entity is responsible for ensuring secure processing of the data, and must register with the Information Commissioner, or equivalent. Northgate is the data controller for any information we hold as a result of directly doing business (e.g. our own employees' HR and payroll records) and our clients are typically the data controller for any information we process on their behalf.
- The Data Processor is any person or entity (other than an employee of the data controller) who processes the data on behalf of the data controller. Northgate is a data processor in respect of its clients' data where, for example, it processes payroll on their behalf.
- A Data Exporter is a data processor who transfers the data outside of the EEA. Northgate is a data exporter when it off-shores work, for example from UK to India or the Philippines.
- A Data Importer is a data processor who receives the data from the data exporter for further processing. For example, someone in Manila is the importer if receiving from Belgium.
Data being processed by Northgate should be:
- Fairly and lawfully processed;
- Obtained and processed for specified and lawful purposes;
- Adequate, relevant and not excessive;
- Accurate and up to date;
- Held no longer than necessary;
- Processed in accordance with the rights of the data subjects;
- Kept secure; and
- Not transferred outside of the European Economic Area (the "EEA") without adequate data protection safeguards being in place in the country to which it is being transferred.
It should also be noted that data can only be processed where one of the following conditions has been satisfied:
- The individual has given consent to the processing of his/her data;
- The processing is necessary for the performance of a contract with the individual;
- The processing is required under a legal obligation;
- The processing is necessary to protect the vital interests of an individual or to carry out public functions; and
- The processing is necessary to pursue the legitimate interests of the business (unless they are prejudicial to the interests of the individual).
Breaches of Data Privacy can result in significant fines, but most importantly for Northgate it could significantly damage its reputation resulting in loss of revenue or potential new customers.
If, despite the security measures we take to protect the personal data we hold, a breach of security occurs, it is important to deal with the breach effectively. The breach may arise from a theft, a deliberate attack on our systems, the unauthorised use of personal data by a member of staff, accidental loss, or equipment failure. In the event of a breach or suspected breach, please inform your manager, the Information Security Officer, or the Whistle-Blowing Hotline immediately, and log the breach.
However the breach occurs, management must respond to and manage the incident appropriately. We have a strategy for dealing with a breach that includes the following:
- a recovery plan, including damage limitation;
- conducting an assessment of the risks associated with the breach;
- informing the appropriate people and organisations that the breach has occurred; and
- reviewing our response and updating our information security procedures.
Northgate has a Data Protection Officer who is responsible for gathering and disseminating information and issues relating to information security, the Data Protection Act and other related legislation; currently this is John Richardson, Group Company Secretary.
Northgate has a Data Protection Steering Committee (DPSG) which consists of representatives from all divisions of the Group and legal representatives from each of the four geographical regions (UK, EMEA, US and APAC). The DPSG members act as the point of contact for all communications and issues relating to information security, Data Privacy, and other related legislation within their region.
How to raise a concern
- If you have any doubt or concern about any situation relating to the policy, seek guidance from your manager before doing or omitting to do anything that could compromise your position.
- You may also use the Whistle Blowing Hotline: email@example.com.
- If any manager should require further guidance on a specific case then this should be referred to a member of the DPSG.