GDPR & Privacy Policy

1. A) INTRODUCTION 

1) IT and Communication plays an essential role in the conduct of our business. The IT infrastructure including e-mail and internet access have therefore significantly improved business operations and efficiencies. 

2) How you communicate with people not only reflects on you as an individual but also on us as a business. As a result of this the company values your ability to communicate with colleagues, clients/customers and business contacts but we must also ensure that such systems and access are managed correctly, not abused in how they are used or what they are used for. 

3) This policy applies to all members of the Company who use our or our clients’ communications facilities, whether Directors/Consultants, full or part-time employees, contract staff or temporary staff. The parameters and restrictions are outlined below and you are required to read them carefully. 

4) GDPR and Google Cloud – All of BMS emails and online storage is supplied by Google. For details please follow this link: https://cloud.google.com/privacy/gdpr 

1. B) GENERAL PRINCIPLES 

1) You must use our and our clients’ information technology and communications facilities sensibly, professionally, lawfully, consistently with your duties and in accordance with this policy and other Company rules and procedures. 

2) At all times employees must behave with honesty and integrity and respect the rights and privacy of others in relation to electronic communication and information. The company reserves the right to maintain all electronic communication and files. 

3) Every employee will be given access to the Intranet and/or Internet as appropriate to their job needs. For those who do not have daily PC access occasional access will be arranged, as necessary, by Management, 

4) All PC/network access will be through passwords, and no individual is permitted onto the system using another employee’s password. Employees are not permitted to share their password with anyone inside or outside the company. Individuals will be allowed to set their own passwords, and must change them as frequently as requested by the system set-up requirements. Passwords must follow the principle of good password hygiene, such as not using obvious or repeated passwords, for all systems providing access to personal or confidential information.

5) All information relating to our clients/customers and our business operations is  confidential. You must treat our paper-based and electronic information with utmost care. 

6) Many aspects of communication are protected by intellectual property rights which can be  infringed in a number of ways. Downloading, copying, possessing and distributing material  from the internet may be an infringement of copyright or of other intellectual property  rights. 

7) Particular care must be taken when using e-mail as a means of communication because all  expressions of fact, intention and opinion in an e-mail may bind you and/or the Company  and can be produced in court in the same way as other kinds of written statements. 

8) If you are speaking with someone face to face, via the telephone, in writing via whatever  medium you are a representative of the Company. Whilst in this role you should not  express any personal opinion that you know or suspect might be contrary to the opinions  of the Directors or Company policy.  

9) You must not use any of our or our clients’ media to do or say anything which would be  subject to disciplinary or legal action in any other context such as sending any sexist, racist,  defamatory or other unlawful material. If you are in doubt about a course of action, take  advice from a member of management. 

1. C) USE OF ELECTRONIC MAIL 

1) Business use 

Always use the “Bcc” box when mailing to groups whenever the members of the group are  unaware of the identity of all the others (as in the case of marketing mailing lists), or where  you judge that the membership of the group of one or more individuals should perhaps not  be disclosed to the others (as in the case of members of a staff benefit scheme), because if  you use the “Cc” box each recipient is informed of the identity (and in the case of external  recipients, the address) of all the others. Such a disclosure may breach any duty of  confidence owed to each recipient, breach the Company’s obligations under the General  Data Protection Regulation and Data Protection Act or may inadvertently disclose  confidential business information such as a marketing list. This applies to both external and  internal e-mail. 

Expressly agree with the customer/client that the use of e-mail is an acceptable form of  communication bearing in mind that if the material is confidential, privileged or  commercially sensitive then un-encrypted e-mail is not secure. 

If you have sent an important document, always telephone to confirm that the e-mail has  been received and read. 

In light of the security risks inherent in web-based e-mail accounts, you must not e-mail  business documents to your personal web-based accounts. You may send documents to a  customer’s/client’s web-based account if you have the customer’s/client’s express written  permission to do so. However, under no circumstances should you send sensitive or highly  confidential documents to a customer’s/client’s personal web-based e-mail account (e.g.  Yahoo, or Hotmail), even if the customer/client asks you to do so. 

2) Personal use 

1. a) Although our e-mail facilities are provided for the purposes of our business, we accept  that you may occasionally want to use them for your own personal purposes. This is  permitted on condition that all the procedures and rules set out in this policy are  complied with. Be aware, however, that if you choose to make use of our facilities for  personal correspondence, the Company may need to monitor communications for the  reasons shown below.  
2. b) Under no circumstances may the Company’s facilities be used in connection with the  operation or management of any business other than that of the Company or a  customer/client of the Company unless express permission has been obtained from a  member of management.  
3. c) You must ensure that your personal e-mail use: 

• does not interfere with the performance of your duties; 
• does not take priority over your work responsibilities; 
• does not cause unwarranted expense or liability to be incurred by the Company  or our clients; 
• does not have a negative impact on our business in any way; and 
• is lawful and complies with this policy. 

1. d) The Company will not tolerate the use of the E-mail system for unofficial or  inappropriate purposes, including:

(i) any messages that could constitute bullying, harassment or other detriment; (ii) on-line gambling; 

(iii) accessing or transmitting pornography; 

(iv) transmitting copyright information and/or any software available to the user; or 

(v) posting confidential information about other employees, the Company or its  customers or suppliers. 

1. D) USE OF INTERNET AND INTRANET 

1) We trust you to use the internet sensibly. Although internet facilities are provided for the  purposes of our business, we accept that you may occasionally want to use them for your  own personal purposes. This is permitted on condition that all the procedures and rules set  out in this policy are complied with and your use of the internet does not interfere in any  way with the performance of your duties. 

2) Whenever you access a web site, you should always comply with the terms and conditions  governing its use. Care must be taken in the use of information accessed through the  Internet. Most information is unregulated, and as such there is no guarantee of accuracy. 

3) The use of the Internet to access and/or distribute any kind of offensive material, or  material that is not work-related, leaves an individual liable to disciplinary action which  could lead to dismissal. 

4) You must not: 

1. a) use any images, text or material which are copyright-protected, other than in  accordance with the terms of the license under which you were permitted to download  them;  
2. b) introduce packet-sniffing or password-detecting software; 
3. c) seek to gain access to restricted areas of the Company’s network; 

d) access or try to access data which you know or ought to know is confidential; e) introduce any form of computer virus; nor

f) carry out any hacking activities.

1. E) VIRUS PROTECTION PROCEDURES 

In order to prevent the introduction of virus contamination into the software system the  following must be observed: 

1. a) unauthorised software including public domain software, magazine cover disks/CDs or  Internet/World Wide Web downloads must not be used; and 
2. b) all software must be virus checked using standard testing procedures before being  used. 
3. F) USE OF COMPUTER EQUIPMENT 

In order to control the use of the Company’s computer equipment and reduce the risk of  contamination the following will apply: 

1. a) The introduction of new software must first of all be checked and authorised by a  member of management or a client’s nominated senior member of management before  general use will be permitted. 
2. b) Only authorised staff should have access to the Company’s computer equipment. c) Only authorised software may be used on any of the Company’s computer equipment. d) Only software that is used for business applications may be used. 
3. e) No software may be brought onto or taken from the Company’s premises without prior  authorisation. 
4. f) Unauthorised access to the computer facility will result in disciplinary action. 
5. g) Unauthorised copying and/or removal of computer equipment/software will result in  disciplinary action; such actions could lead to dismissal. 
6. G) SYSTEM SECURITY 

1) Security of our or our clients’ IT systems is of paramount importance. We owe a duty to all  of our customers/clients to ensure that all of our business transactions are kept  confidential. If at any time we need to rely in court on any information which has been

stored or processed using our IT systems, it is essential that we are able to demonstrate  the integrity of those systems. Every time you use the system you take responsibility for  the security implications of what you are doing. 

2) The Company’s system or equipment must not be used in any way which may cause  damage, or overloading or which may affect its performance or that of the internal or  external network. 

3) Keep all confidential information secure, use it only for the purposes intended and do not  disclose it to any unauthorised third party. 

1. H) W ORKING REMOTELY 

1) This part of the policy and the procedures in it apply to your use of our systems, to your  use of our laptops, and also to your use of your own computer equipment or other  computer equipment (e.g. client’s equipment) whenever you are working on Company  business away from our premises (working remotely). 

2) When you are working remotely you must: 

1. a) password protect any work which relates to our business so that no other person can  access your work; 
2. b) position yourself so that your work cannot be overlooked by any other person; 
3. c) take reasonable precautions to safeguard the security of our laptop computers and any  computer equipment on which you do Company business, and keep your passwords  secret; 
4. d) inform the police and the Company as soon as possible if either a Company laptop in  your possession or any computer equipment on which you do our work has been stolen;  and 
5. e) ensure that any work which you do remotely is saved on the Company system or is  transferred to our system as soon as reasonably practicable.  

3) PDAs or similar hand-held devices are easily stolen and not very secure so you must  password-protect access to any such devices used by you on which is stored any personal  data of which the Company is a data controller or any information relating our business, our clients or their business.

1. I) PERSONAL TELEPHONE CALLS/ MOBILE PHONES 

1) Telephones are essential for our business. Incoming/outgoing personal telephone calls are  allowed at the Company’s head office but should be kept to a minimum. We reserve the  right to recharge for excessive personal use. When visiting or working on client premises  you should always seek permission before using our clients’ telephone facilities. 

2) Personal mobile phones should be switched off or ‘on silent’ during working hours and only  used during authorised breaks. 

1. J) MONITORING OF COMMUNICATIONS BY THE COMPANY 

1) The Company is ultimately responsible for all business communications but subject to that  will, so far as possible and appropriate, respect your privacy and autonomy. The Company  may monitor your business communications for reasons which include: 

1. a) providing evidence of business transactions; 
2. b) ensuring that our business procedures, policies and contracts with staff are adhered to; c) complying with any legal obligations; 
3. d) monitoring standards of service, staff performance, and for staff training; 
4. e) preventing or detecting unauthorised use of our communications systems or criminal  activities; and 
5. f) maintaining the effective operation of Company communication systems.  

2) From time to time the Company may monitor telephone, e-mail and internet traffic data  (i.e. sender, receiver, subject; non-business attachments to e-mail, numbers called and  duration of calls; domain names of web sites visited, duration of visits, and non-business  files downloaded from the internet) at a network level (but covering both personal and  business communications). This includes monitoring of any additional accounts you may be requested to set up for the purposes of performing your work tasks, which are subject to  the same rules as your work email account. Information acquired through such monitoring  may be used as evidence in disciplinary proceedings.

3) Sometimes it is necessary for us to access your business communications during your  absence, such as when you are away because you are ill or while you are on holiday.  

1. K) DATA PROTECTION 

1) As an employee using our communications facilities, you will inevitably be involved in  processing personal data for the Company as part of your job. Data protection is about the  privacy of individuals, and is governed by the General Data Protection Regulation and  current Data Protection Act.  

2) Whenever and wherever you are processing personal data for the Company you must keep  this secret, confidential and secure, and you must take particular care not to disclose such  data to any other person (whether inside or outside the Company) unless authorised to do  so. Do not use any such personal data except as authorised by us for the purposes of your  job. If in doubt, ask a member of management. 

3) The Act gives every individual the right to see all the information which any data controller  holds about them. Bear this in mind when recording personal opinions about someone,  whether in an e-mail or otherwise. It is another reason why personal remarks and opinions  made should be given responsibly, must be relevant and appropriate as well as accurate  and justifiable. 

4) For your information, the Act provides that it is a criminal offence to obtain or disclose  personal data without the consent of the data controller. “Obtaining” here includes the  gathering of personal data by employees at work without the authorisation of the  employer. You may be committing this offence if without authority of the Company: you  exceed your authority in collecting personal data; you access personal data held by us; or  you pass them on to someone else (whether inside or outside the Company).  

1. L) USE OF SOCIAL NETW ORKING SITES 

Any work related issue or material that could identify an individual who is a customer/client or  work colleague, which could adversely affect the company a customer/client or our  relationship with any customer/client must not be placed on a social networking site. This  means that work related matters must not be placed on any such site at any time either during  or outside of working hours and includes access via any computer equipment, mobile phone or  PDA.

1. M) CONFIDENTIALITY 

Employees are not permitted to register with sites or electronic services in the company’s  name without the prior permission of their manager. They are not permitted to reveal internal  company information to any sites, be it confidential or otherwise, or comment on company  matters, even if this is during after-hours or personal use. The company confidentiality policy  applies to all electronic communication and data. 

1. N) COMPLIANCE W ITH THIS POLICY 

1) Failure to comply with this policy may result in disciplinary action being taken against you.  If there is anything in this policy that you do not understand, please discuss it with a  member of management.  

2) Please note that the procedures and policies outlined in this policy, and in any related  policy, may be reviewed or changed at any time. 

Version: 4 

Author: Claire Oliver, Office Administrator 

Signature: C. Oliver 

Date: 01/08/2022 

Approval: Matt Ellis, Managing Director 

Signature:

Date: 01/08/2022