Back to Policies

Data, Technology & Communications

Last updated: August 2025

Schedule 24: Fair Processing Policy (Employee Data)

About This Policy

During the course of our activities we will process personal data (which may be held on paper, electronically, or otherwise) about our staff and we recognise the need to treat it in an appropriate and lawful manner, in accordance with data protection legislation.

The purpose of this notice is to make you aware of how we will handle your personal data. This notice does not form part of any employee's contract of employment and we may amend it at any time.

Data Protection Principles

We will comply with the data protection principles, which say that personal data must be:

  • Processed fairly and lawfully
  • Processed for limited purposes and in an appropriate way
  • Adequate, relevant and not excessive for the purpose
  • Accurate
  • Not kept longer than necessary for the purpose
  • Processed in line with individuals' rights
  • Secure
  • Not transferred to people or organisations situated in countries without adequate protection

"Personal data" means recorded information we hold about you from which you can be identified. It may include contact details, other personal information, photographs, expressions of opinion about you or indications as to our intentions about you.

"Processing" means doing anything with the data, such as accessing, disclosing, destroying or using the data in any way.

Fair and Lawful Processing

We will usually only process your personal data where you have given your consent or where the processing is necessary to comply with our legal obligations. In other cases, processing may be necessary for the protection of your vital interests, for our legitimate interests or the legitimate interests of others.

We will only process "sensitive personal data" about ethnic origin, political opinions, religious or similar beliefs, trade union membership, health, sex life, criminal proceedings or convictions, where a further condition is also met. Usually this will mean that you have given your explicit consent, or that the processing is legally required for employment purposes.

How We Are Likely to Use Your Personal Data

We will process data about staff for legal, personnel, administrative and management purposes and to enable us to meet our legal obligations as an employer, for example to pay you, monitor your performance and to confer benefits in connection with your employment.

We may process sensitive personal data relating to staff including, as appropriate:

  • Information about an employee's physical or mental health or condition in order to monitor sick leave and take decisions as to the employee's fitness for work
  • The employee's racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation
  • Information required in order to comply with legal requirements and obligations to third parties

Processing for Limited Purposes

We will only process your personal data for the specific purpose or purposes notified to you or for any other purposes specifically permitted by data protection legislation.

Adequate, Relevant and Non-Excessive Processing

Your personal data will only be processed to the extent that it is necessary for the specific purposes notified to you.

Accurate Data

We will keep the personal data we store about you accurate and up to date. Data that is inaccurate or out of date will be destroyed. Please notify us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you.

Data Retention

We will not keep your personal data for longer than is necessary for the purpose. This means that data will be destroyed or erased from our systems when it is no longer required.

Processing in Line With Your Rights

You have the right to:

  • Request access to any personal data we hold about you
  • Prevent the processing of your data for direct-marketing purposes
  • Ask to have inaccurate data held about you amended
  • Prevent processing that is likely to cause unwarranted substantial damage or distress to you or anyone else
  • Object to any decision that significantly affects you being taken solely by a computer or other automated process

Data Security

We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.

We will only transfer personal data to a third party if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves. Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.

Providing Information to Third Parties

We will not disclose your personal data to a third party without your consent unless we are satisfied that they are legally entitled to the data. Where we do disclose your personal data to a third party, we will have regard to the data protection principles.

Subject Access Requests

If you wish to know what personal data we hold about you, you must make the request in writing. A fee may be requested from you by us. All such written requests should be forwarded to HR.

Breaches of Data Protection Principles

If you consider that the data protection principles have not been followed in respect of personal data about yourself or others you should raise the matter with HR. Any breach will be taken seriously and may result in disciplinary action.

Schedule 25: IT and Communications Systems Policy

About This Policy

Our IT and communications systems are intended to promote effective communication and working practices. This policy outlines the standards you must observe when using these systems, when we will monitor their use, and the action we will take if you breach these standards.

Breach of this policy may be dealt with under our Disciplinary and Capability Procedure and, in serious cases, may be treated as gross misconduct leading to summary dismissal.

This policy does not form part of any employee's contract of employment and we may amend it at any time.

Equipment Security and Passwords

You are responsible for the security of the equipment allocated to or used by you, and you must not allow it to be used by anyone other than in accordance with this policy. You should use passwords on all IT equipment, particularly items that you take out of the office.

You should keep your passwords confidential and change them regularly. You must only log on to our systems using your own username and password. You must not use another person's username and password or allow anyone else to log on using your username and password.

If you are away from your desk you should log out or lock your computer. You must log out and shut down your computer at the end of each working day.

Systems and Data Security

You should not delete, destroy or modify existing systems, programs, information or data (except as authorised in the proper performance of your duties). You must not download or install software from external sources without authorisation from your Line Manager. Downloading unauthorised software may interfere with our systems and may introduce viruses or other malware.

You must not attach any device or equipment including mobile phones, tablet computers or USB storage devices to our systems without authorisation from your Line Manager.

We monitor all e-mails passing through our system for viruses. You should exercise particular caution when opening unsolicited e-mails from unknown sources. If an e-mail looks suspicious do not reply to it, open any attachments or click any links in it. Inform your Line Manager immediately if you suspect your computer may have a virus.

Email

Adopt a professional tone and observe appropriate etiquette when communicating with third parties by e-mail. You should also include our standard email signature and disclaimer.

Remember that e-mails can be used in legal proceedings and that even deleted e-mails may remain on the system and be capable of being retrieved.

You must not send abusive, obscene, discriminatory, racist, harassing, derogatory, defamatory, pornographic or otherwise inappropriate e-mails.

You should not:

  • Send or forward private e-mails at work which you would not want a third party to read
  • Send or forward chain mail, junk mail, cartoons, jokes or gossip
  • Contribute to system congestion by sending trivial messages or unnecessarily copying or forwarding e-mails to others who do not have a real need to receive them
  • Send messages from another person's e-mail address (unless authorised) or under an assumed name

Do not use your own personal e-mail account to send or receive e-mail for the purposes of our business. Only use the e-mail account we have provided for you.

Using the Internet

Internet access is provided for business purposes. You should not access any web page or download any image or other file from the internet which could be regarded as illegal, offensive, discriminatory, in bad taste or immoral. Even web content that is legal in the UK may be in sufficient bad taste to fall within this prohibition.

As a general rule, viewing it will be a breach of this policy if:

  • Any person (whether intended to view the webpage or not) might be offended by its contents; or
  • The fact that our software has accessed the webpage or file might be a source of embarrassment if made public

We may block or restrict access to some websites at our discretion, including access to web-based personal email such as Gmail or Hotmail.

Monitoring

Our systems enable us to monitor telephone, e-mail, voicemail, internet and other communications. For business reasons, and in order to carry out legal obligations in our role as an employer, your use of our systems including the telephone and computer systems (including any personal use) may be continually monitored by automated software or otherwise.

We reserve the right to retrieve the contents of e-mail messages or check internet usage (including pages visited and searches made) as reasonably necessary in the interests of the business, including for the following purposes (this list is not exhaustive):

  • To monitor whether the use of the e-mail system or the internet is legitimate and in accordance with this policy
  • To find lost messages or to retrieve messages lost due to computer failure
  • To assist in the investigation of alleged wrongdoing
  • To comply with any legal obligation

Prohibited Use of Our Systems

Misuse or excessive personal use of our telephone or e-mail system or inappropriate internet use will be dealt with under our Disciplinary and Capability Procedure. Misuse of the internet can in some cases be a criminal offence.

Creating, viewing, accessing, transmitting or downloading any of the following material will usually amount to gross misconduct and is likely to result in summary dismissal (this list is not exhaustive):

  • Pornographic material (that is, writing, pictures, films and video clips of a sexually explicit or arousing nature)
  • Offensive, obscene, or criminal material or material which is liable to cause embarrassment to us or to our clients
  • A false and defamatory statement about any person or organisation
  • Material which is discriminatory, offensive, derogatory or may cause embarrassment to others (including material which breaches our Diversity, Equity and Inclusion Policy or our Anti-harassment and Bullying Policy)
  • Confidential information about us, our business or any of our staff or clients (except as authorised in the proper performance of your duties)
  • Unauthorised software
  • Any other statement which is likely to create any criminal or civil liability (for you or us)
  • Music or video files or other material in breach of copyright

Schedule 26: Social Media Policy

About This Policy

This policy is in place to minimise the risks to our business through use of social media. This policy deals with the use of all forms of social media, including Facebook, LinkedIn, X, Instagram and all other social networking sites, internet postings and blogs. It applies to use of social media for business purposes as well as personal use that may affect our business in any way.

This policy does not form part of any employee's contract of employment and we may amend it at any time.

Prohibited Use

You must avoid making any social media communications that could damage our business interests or reputation, even indirectly. You must not use social media to:

  • Defame or disparage us, our staff or any third party
  • Harass, bully or unlawfully discriminate against staff or third parties
  • Make false or misleading statements
  • Impersonate colleagues or third parties

You must not express opinions on our behalf via social media, unless expressly authorised to do so by your Line Manager. You may be required to undergo training in order to obtain such authorisation.

You must not comment on social media about sensitive business-related topics, such as our performance, or do anything to jeopardise our trade secrets, confidential information and intellectual property.

You must not include our logos or other trademarks in any social media posting or in your profile on any social media.

The contact details of business contacts made during the course of your employment are our confidential information. On termination of employment you must provide us with a copy of all such information, delete all such information from your personal social networking accounts and destroy any further copies of such information that you may have.

Any misuse of social media should be reported to your Line Manager.

Guidelines for Responsible Use of Social Media

You should make it clear in social media postings, or in your personal profile, that you are speaking on your own behalf. Write in the first person and use a personal e-mail address.

Be respectful to others when making any statement on social media and be aware that you are personally responsible for all communications which will be published on the internet for anyone to see.

If you disclose your affiliation with us on your profile or in any social media postings, you must state that your views do not represent those of your employer (unless you have been authorised to speak on our behalf). You should also ensure that your profile and any content you post are consistent with the professional image you present to clients and colleagues.

If you are uncertain or concerned about the appropriateness of any statement or posting, refrain from posting it until you have discussed it with your manager. If you see social media content that disparages or reflects poorly on us, you should contact your manager.

Breach of This Policy

Breach of this policy may result in disciplinary action up to and including dismissal. Any member of staff suspected of committing a breach of this policy will be required to co-operate with our investigation, which may involve handing over relevant passwords and login details.

You may be required to remove any social media content that we consider to constitute a breach of this policy. Failure to comply with such a request may in itself result in disciplinary action.