top of page

Data Protection Policy

INTRODUCTION

CANTERBURY SKY TAXIS   is  fully  committed  to  and  compliant  with  the  requirements  of  the  General  Data  Protection  Regulations and the Data Protection Act 2018 (DPA 2018) and in accordance with these regulations, CANTERBURY SKY TAXIS  is committed to transparency with regards to how it collects and uses personal data and to meeting  its data protection obligations.

CANTERBURY SKY TAXIS regard the lawful and correct treatment of Personal Data as essential to its successful operations  and to maintaining confidence between the company, its employees, clients and temporary workers.  The  company will therefore ensure that it treats Personal Data lawfully and correctly.  To this end the company  fully endorses and adheres to the Principles of the DPA 2018.  

CANTERBURY SKY TAXIS  has appointed Mahmut Kilic as its Data Protection Officer whose role it is to inform and advise the  organization on its data protection obligations. He can be contacted via the CANTERBURY SKY TAXIS head office.   Any  questions  about  this  policy,  or  requests  for  further  information,  should  be  directed  to  the  data  protection officer.  

 

DEFINITIONS  "Personal data"   is any information that relates to a living individual who is able to be  identified from that information.  “Processing”   is  any  use  that  is  made  of  Personal  Data,  including  collecting, storing, amending, disclosing or destroying/disposal.  "Special categories of personal data"  means  information  about  an  individual's  racial  or  ethnic  origin,  political  opinions,  religious  or  philosophical  beliefs,  trade  union  membership, health, sex life or sexual orientation and biometric  data used for ID purposes.  "Criminal records data"   means information about an individual's criminal convictions and  offences,  and  information  relating  to  criminal  allegations  and  proceedings.  

SCOPE OF THE POLICY In order to operate efficiently, CANTERBURY SKY TAXIS has to collect and use information about the people with whom it  works.    

 

DATA  PROTECTION  POLICY

Personal Data must be handled and dealt with properly however it is collected, recorded and used, and  whether it be on paper, in computer records or recorded by any other means, and there are safeguards  within the GDPR to ensure this.  All employees are required to comply with this policy when dealing with other employees, temporary or  agency staff, consultants, work seekers, clients, suppliers, customers and contacts of  the Company, and  anyone else with whom they come into contact during their employment.  All employees are made fully aware of this policy and of their duties and responsibilities under the GDPR.   In addition, we have a full GDPR Data Protection Policy which provides more detailed information relating  to our obligations and controls to manage data in line with current legislation.  

RESPONSIBILITIES It is  the direct  responsibility of Mahmut Kilic  to ensure  the implementation of  this policy on a day‐to‐day basis; however, all employees have a responsibility to accept their personal involvement in applying it and  must be familiar with the policy and ensure that it is followed by both themselves and employees for whom  they have a responsibility.  Disciplinary action may be taken against any employee who acts in breach of this policy.  Disciplinary action  may include summary dismissal in the case of a serious breach of this policy or repeated breaches. In other  cases,  it  may  include  a  verbal  or  written  warning.  Such  action  will  be  taken  in  accordance  with  the  Company’s disciplinary procedure.  Breaches  of  this  policy  may  also  result  in  the  employee  responsible  being  held  personally  liable  for  compensation if legal action is taken in relation to data protection.  

THE PRINCIPLES OF DATA PROTECTION

We adhere  to  the  principles  relating  to  Processing  of  Personal Data  set  out  in  the GDPR which  require  Personal Data to be:  

1. Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).  

2. Collected only for specified, explicit and legitimate purposes (Purpose Limitation).  

3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed  (Data Minimisation).  

4. Accurate and where necessary kept up to date (Accuracy).  

5. Not kept in a form which permits identification of Data Subjects for longer than is necessary for the  purposes for which the data is Processed (Storage Limitation).  

6. Processed  in  a  manner  that  ensures  its  security  using  appropriate  technical  and  organisational  measures  to  protect  against  unauthorised  or  unlawful  Processing  and  against  accidental  loss,  destruction or damage (Security, Integrity and Confidentiality).  

7. Not  transferred  to  another  country  without  appropriate  safeguards  being  in  place  (Transfer  Limitation).  

8. Made available to Data Subjects and Data Subjects allowed to exercise certain rights in relation to their  Personal Data (Data Subject's Rights and Requests).  We are responsible  for and can demonstrate on request compliance with  the data protection principles  listed above.  

CANTERBURY SKY TAXIS tells individuals the reasons for processing their personal data, how it uses such data and the  legal basis  for processing in its privacy notices. It will not process personal data of individuals  for other  reasons. Where the organisation relies on its legitimate interests as the basis  for processing data, it will  carry  out  an  impact  assessment  to  ensure  that  those  interests  are  not  overridden  by  the  rights  and  freedoms of individuals.  Where  CANTERBURY SKY TAXIS  processes  special  categories  of  personal  data  or  criminal  records  data  to  perform  obligations or to exercise rights in employment law, this will be done in accordance with the organisation’s  absence policy or the requirements of the Disclosure and Barring Service checks.  

CANTERBURY SKY TAXIS is committed  to updating HR‐Related Personal Data promptly whenever an individual advises that their information has changed or is inaccurate.  Personal data gathered during employment, worker, contractor, volunteer, or apprenticeship relationships  will be held in the individual's personnel/contractor file (in hard copy, electronic format, or both), and on HR  systems. The periods for which the organisation holds HR‐relatedpersonaldataarecontainedinitsprivacy notice below.  

CANTERBURY SKY TAXIS keeps a record of its processing activities in respect of HR‐RelatedPersonalDatainaccordance with the requirements of the General Data Protection Regulation (GDPR).  

CONSENT A Data Subject Consents to Processing of their Personal Data if they indicate agreement clearly either by a  statement or positive action to the Processing.  Consent requires affirmative action so silence, pre‐ticked boxes or inactivity are insufficient.    Data Subjects can easily withdraw Consent  to Processing at any time and withdrawal must be promptly  honoured.  Consent may need to be refreshed if we intend to Process Personal Data for a different and  incompatible purpose which was not disclosed when the Data Subject first Consented.   We keep  records of all Consents  so  that we can  demonstrate  compliance with Consent  requirements if  required to do so.  

PRIVACY NOTICE CANTERBURY SKY TAXIS  collects  and  processes  personal  data  relating  to  its  employees  to  manage  the  employment  relationship and from its clients customers to manage its services.  The organisation is committed to transparency about how it collects and uses that data and to meeting its  data protection obligations. The organisation’s privacy notice is set out below.  

WHAT INFORMATION DOES THE ORGANISATION COLLECT?  

FROM EMPLOYEES CANTERBURY SKY TAXIS collects and processes a range of information about its employees. This includes:  name, address, and contact details, including email address and telephone number, date of birth and  gender;  

§ terms and conditions of employment;  § details of qualifications, skills, experience, and employment history, including start and end dates, with  previous employers and with the organisation;  

§ information about remuneration, including entitlement to any benefits such as pensions;  § details of bank account and national insurance number;  

§ information about marital status, next of kin, dependants, and emergency contacts;  § information about nationality and eligibility to work in the UK;  § information about criminal record;  

§ details of schedules (days of work and working hours) and attendance at work;  § details of periods of leave taken, including holiday, sickness absence, authorised leave, and the reasons  for the leave;  

§ details  of  any  disciplinary  or  grievance  procedures,  including  any  warnings  issued  and  related  correspondence;  

§ assessments of performance, including appraisals, performance reviews and ratings, training records,  performance improvement plans and related correspondence;  

§ information about medical or health conditions, including whether or not a person has a disability for  which the organisation needs to make reasonable adjustments;  

§ details of any trade union membership; and  § any equal opportunities monitoring information  CANTERBURY SKY TAXIS collects this information in a variety of ways, such as from application forms, CVs; passport or  other identity documents e.g. driving licence; forms completed at the start of or during employment (such  as  bank  details  forms/training agreements);  correspondence;  or through interviews, meetings,  or  other  assessments.  In some cases, the organisation collects personal data from third parties, such as references supplied by  former  employers,  information  from  employment  background  check  providers/DBS  checks,  where  appropriate and permitted by law.  Data may  be  stored in a  range  of  different  places, including in  personnel  files, in  the  organisation's HR  management systems and in other IT systems (including the organisation's email system).  

FROM CLIENTS/CUSTOMERS Name, Address, Phone Number  

WHY DOES THE ORGANISATION PROCESS PERSONAL DATA?  CANTERBURY SKY TAXIS needs to process data to enter into an employment contract with employees and to meet its  obligations  under  an  employment  contract.  For  example,  it  needs  to  process  data  to  provide  an  employment contract, to pay in accordance with an employment contract and to administer any benefit,  pension, or insurance entitlements. It also processes personal data  to provide a legitimate service  to its  clients and customers.  In some cases, CANTERBURY SKY TAXIS needs to process data to ensure that it is complying with its legal obligations. For  example, it is required to check all employees’ entitlement to work in the UK, to deduct tax, to comply with

 DATA  PROTECTION  POLICY health and  safety laws and  to enable employees  to take  periods  of  leave  to  which  they  are  entitled.  If  regulatory requirements dictate, it will be necessary  to carry out criminal records checks  to ensure  that  individuals are permitted to undertake their role.  In other cases, CANTERBURY SKY TAXIS has a legitimate interest in processing personal data before, during and after the  end of the employment relationship. Processing employee data allows us to:  § operate recruitment and promotion processes;  § maintain accurate and up‐to‐date employment records and contact  details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;  § operate  and  keep  a  record  of  disciplinary  and  grievance  processes,  to  ensure  acceptable  conduct  within the workplace;  § operate  and  keep  a  record  of  employee  performance  and  related  processes,  to  plan  for  career  development, and for succession planning and workforce management purposes;  § operate  and  keep  a  record  of  absence  and  absence  management  procedures,  to  allow  effective  workforce management and ensure that employees are receiving the pay or other benefits to which  they are entitled;  § obtain medical and/or occupational health advice, to ensure that it complies with duties in relation to  individuals  with  disabilities,  meet  its  obligations  under  health  and  safety  law,  and  ensure  that  employees are receiving the pay or other benefits to which they are entitled;  § operate and keep a record of other types of leave (including maternity, paternity, adoption, parental  and  shared  parental  leave),  to  allow  effective  workforce  management,  to  ensure  that  CANTERBURY SKY TAXIS  complies with duties in relation to leave entitlement, and to ensure that employees are receiving the  pay or other benefits to which they are entitled;  § ensure effective general HR and business administration;  § provide references on request for current or former employees;  § respond to and defend against legal claims; and  § maintain and promote equality in the workplace.  Where CANTERBURY SKY TAXIS relies on legitimate interests as a reason for processing your data, it has considered, via  completion  of  an  impact  assessment  whether  or  not  those  interests  are  overridden  by  the  rights  and  freedoms of employees or workers and has concluded that they are not.  Some  special  categories  of  personal  data,  such  as  information  about  health  or  medical  conditions  is  processed to carry out employment law obligations (such as those in relation to employees with disabilities  and for health and safety purposes).  Where  the  organisation  processes  other  special  categories  of  personal  data,  such as  information about  ethnic  origin,  sexual  orientation,  health  or  religion  or  belief,  this  is  done  for  the  purposes  of  equal  opportunities monitoring. Data that the organisation uses for these purposes is anonymised or is collected  with the express consent of employees, which can be withdrawn at any time. Employees are entirely free to  decide whether or not to provide such data and there are no consequences of failing to do so.  

WHO HAS ACCESS TO DATA?

 Information  will  be  shared  internally,  including  with  members  of  the  HR/recruitment  team/payroll,  managers in the business area in which you work and staff if access to the data is necessary for performance  of their roles.

CANTERBURY SKY TAXIS shares employee personal data with third parties in order to obtain pre‐employmentreferences from  other  employers,  obtain  employment  background  checks  from  third‐party providers and, if appropriate, obtain necessary criminal records checks from the Disclosure and Barring Service.

CANTERBURY SKY TAXIS  will only use customer or client data in order to perform the agreed services and will only share data to the  individual performing the service and only for the purpose of completing the service.  CANTERBURY SKY TAXIS also shares personal data with third parties that process data on its behalf, in connection with  payroll  where  an  external  payroll  provider  is  engaged,  the  provision  of  benefits,  the  provision  of  occupational health, and the provision of HR/legal advisory services. All our providers abide by the same  stringent policies as CANTERBURY SKY TAXIS and abide by all principles of the DPA 2018. The licencing council officers may  at times request or require employee’s personal information  as  part  of  the  company’s  operator  licence  conditions.  HOW DOES THE ORGANISATION PROTECT DATA?  Following UKAS ISO 27001 guidelines CANTERBURY SKY TAXIS takes the security of data seriously and has internal policies  and controls in place to try to ensure that data is not lost, accidentally destroyed, misused, or disclosed, and  is not accessed except by its employees in the performance of their duties. Personal data collected/recorded  or  used  in  any  way  whether  held  on  paper/computer  or  other media  will  have  appropriate  safeguards  applied to it ensuring we comply with the GDPR/ Computer Misuse Act 1990.:  § All computers are password protected; passwords are changed on a regular basis to ensure that the  data is secure.  §

E‐MAILS: Our emails are secured and content is only accessible via a permission based password system   §

STORAGE: Hard copy records are stored in a secure location when not being used e.g. lockable filing  cabinets, cupboards, rooms (locked and alarmed outside of normal working hours) and only authorised  personnel have access. 24 hours CCTV outside the office. Electronic information is stored on a local  server in the office/ connected to a UK‐basedhostcloudandhasappropriatesecuritycontrols 

DESTRUCTION OF RECORDS: We carry out the irreversible destruction of records once the relevant  internal/client‐specified timescales have passed. At this point the records are securely shredded/disposed  of  by  our  appointed  Confidential  Waste  Disposal  Company  [insert  name  of  company if you have it]. The normal destruction methods used are:  - Shredding  - Pulping   - Incineration  - Destruction/wiping of hard drives/USB sticks.  

RECORDS  ACCESS  ‐ We ensure data security by ensuring different levels of access. Only necessary/authorised staff will have access to certain client information. Managers can view service  data for clients/accounts they are managing, ensuring they can monitor overall service delivery; and  our  Managing  Director  will  have  full  access  to  all  data.  Data  is  password  protected  and  changed  monthly and only authorised personnel will have the relevant passwords for appropriate access levels,  ensuring  that data cannot be modified without authorisation  from client or appointed person. This  controls and restricts unauthorised access to data by use of security mechanisms that restrict access  to authorised persons only.

CUSTOMER/CLIENT DATA VIA APP – Data from app users is entered by the customer and permission is  granted via a request for customer to accept the terms and conditions.  Any date stored on our dispatch  system provided is stored in line with all other data.  The customer may remove their details at any  time. 

DATA  PROTECTION  POLICY Where the organisation engages third parties to process personal data on its behalf, they do so on the basis  of written instructions, in performance of a contractual agreement, are under a duty of confidentiality and  are obliged to implement appropriate technical and organisational measures to ensure the security of data.      

FOR HOW LONG DOES THE ORGANISATION KEEP DATA?  CANTERBURY SKY TAXIS will hold personal data for as long as is necessary for the purposes for which the data is Processed.  The periods for which an employees data is held after the end of employment is 3 years.  Currently data is stored for one year.

INDIVIDUAL RIGHTS As a data subject, individuals have a number of rights in relation to their personal data. They are able  to:  § access and obtain a copy of your data on request; (see Subject access request).  § require the organisation to change incorrect or incomplete data;  § require the organisation to delete or stop processing your data, for example where the data is no  longer necessary for the purposes of processing;  § object to the processing of your data where the organisation is relying on its legitimate  interests as the legal ground for processing; and  § ask the organisation to stop processing data for a period if data is inaccurate or there is a dispute about  whether or not your interests override the organisation's legitimate grounds for processing data.  To exercise any of the above rights a data subject must make a request in writing by contacting:  Mahmut Kilic, DPO.  CANTERBURY SKY TAXIS  will ordinarily respond to a subject access request within a period of one month from the date it  is received. In some cases, such as where the organisation processes large amounts of the individual's data,  it may respond within three months of the date the request is received. CANTERBURY SKY TAXIS will write to the individual  within one month of receiving the original request to inform the individual if this is the case.  If a data subject believes that the organisation has not complied with thier data protection rights, they are  able to lodge a complaint complain with the Information Commissioner Office.  

SUBJECT ACCESS REQUESTS Individuals  have  the  right  to access  their  personal  information  by  submitting  a ‘subject access  request’  (SAR).  Archiving  software  is  used  to  ensure  users  cannot  amend/delete  data  preventing  data  being  deleted/hidden in the event of a SAR.  Data is purged in relation to the data subject and all data is only used for the appropriate timescale based  on contract duration.  Should consent be withdrawn at any point, all personal data will be removed and destroyed.  Internal/client audits ensure data has been appropriately removed at contract conclusion.  

DATA  PROTECTION  POLICY If an individual makes a subject access request, CANTERBURY SKY TAXIS will inform the individual:  § whether or not their data is processed and if so why, the categories of personal data concerned  and the source of the data if it is not collected directly from the individual;  § to whom their data is or may be disclosed, including to recipients located outside the European  Economic Area (EEA) and the safeguards that apply to any such transfers;  § for how long their personal data is stored (or how that period is determined);  § their rights to rectification or erasure of data, or to restrict or object to processing;  § their right to complain to the Information Commissioner if the individual thinks the organisation  has failed to comply with their data protection rights; and  § whether or not the organisation carries out automated decision‐makingandthelogicinvolved in any such decision‐making. The organisation will also provide the individual with a copy of the personal data undergoing processing.  This  will  normally  be  in  electronic  form  if  the  individual  has  made  a  request  electronically,  unless  the  individual agrees otherwise.  DATA SECURITY The organisation takes the security of personal data seriously and will ensure that it has internal policies  and controls in place to protect personal data against loss, accidental destruction, misuse, or disclosure,  and to ensure that data is not accessed, except by employees in the proper performance of their duties.  The organisation will only disclose personal data to third parties where there is a need to do so, e.g. to give  information about your earnings to Her Majesty’s Revenue & Customs, or to seek advice from our HR or  legal advisors.  Where the organisation engages third parties to process personal data on its behalf, such parties do so on  the  basis  of  written  instructions,  are  under  a  duty  of  confidentiality  and  are  obliged  to  implement  appropriate technical and organisational measures to ensure the security of data.  

IMPACT ASSESSMENTS If  any  of  the  processing  that  CANTERBURY SKY TAXIS  carries  out  may  result  in  risks  to  privacy,  for  example,  CCTV  monitoring. Where such processing would result in a high risk to individual's rights and freedoms, CANTERBURY SKY TAXIS  will  carry  out  a  data  protection  impact  assessment  to  determine  the  necessity  and  proportionality  of  processing. This will  include  considering  the  purposes  for which  the activity is  carried  out,  the  risks  for  individuals and the measures that can be put in place to mitigate those risks.  DATA BREACHES If CANTERBURY SKY TAXIS discovers that there has been a breach of HR‐RelatedPersonalDatathatposesarisktothe rights and  freedoms of individuals, it will  report it  to  the Information Commissioner within 72  hours of  discovery. CANTERBURY SKY TAXIS will record all data breaches regardless of their severity and/or effect.  

DATA  PROTECTION  POLICY If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will inform affected  individuals that there has been a breach and provide them with information about its likely consequences  and also the mitigation measures taken.  Breaches of processes and procedures are dealt with in accordance with standard Disciplinary Procedures,  as defined in and communicated to all employees via our Staff Handbook and Confidentiality Agreement.  We escalate any such incidents to Mahmut Kilic DPO who will make immediate contact with the client and  the ICO if relevant.

INTERNATIONAL DATA TRANSFERS The organisation will not transfer Personal Data to countries outside the EEA.  INDIVIDUAL RESPONSIBILITIES Individuals are responsible for ensuring CANTERBURY SKY TAXIS is able to keep their personal data up to date. Individuals  should let CANTERBURY SKY TAXIS  know if any data provided changes, for example if an individual moves house, changes  their contact details, bank details or name.  Individuals may have access to the personal data of other individuals and/or our customers and clients in  the course of their employment. Where this is the case, the organisation relies on those individuals to meet  its data protection obligations.  Individuals who have access to personal data must:  § only access data that they have authority to access and access it only for authorised purposes;  § not disclose data to anyone, except to individuals, whether inside or outside the organisation,  who have appropriate authorisation;  § keep data secure, in particular by complying fully with security rules, including but not limited to  rules on access to our premises by non‐authorisedparties,computeraccess,includingpassword protection, and secure file storage and destruction;  § not remove personal data, or electronic devices which contain, or can be used to access personal  data, from the organisation's premises without prior authorisation and adopting appropriate  security measures (such as encryption or password protection) to secure the data and the device;  § not store personal data on local drives or on any personal electronic devices, including  mobile telephones, that are used for work purposes; and  § to report data breaches of which they become aware to Mahmut Kilic immediately.  Failing  to  observe  these  requirements  or  any  breach  of  this  Data  Protection  Policy  may  amount  to  a  disciplinary offence, which will be dealt with under the organisation's disciplinary procedure. Significant or  deliberate breaches of this policy, including, but not limited to, accessing any data without authorisation,  or a legitimate  reason  to  do  so, may  constitute gross misconduct and  could lead  to  summary  dismissal  without notice or pay in lieu of notice.  CONFIDENTIALITY AGREEMENTS All CANTERBURY SKY TAXIS  personnel, including drivers, have signed, and are bound by, confidentiality agreements  confirming they will preserve the confidentiality of all company and client data. drivers also have to be  13 | Page DATA  PROTECTION  POLICY registered and licenced, which includes undergoing police checks. Personnel must confirm understanding  of their responsibilities regarding maintaining confidentiality, and abide with company practices including: § Staff never leave customer details visible/live  § Bookings are managed through the username/password protected online portal. All information is  managed and stored securely online to UKAS ISO27001 standard.  § We  only  transfer  booking  data  via  our  online  portal/booking  app??[insert  details  and  security  details], which is secure and encrypted, to UKAS ISO27001 and Cyber Essentials standards. We protect  Service User’s data from unauthorised access, use and disclosure, securely managing this information  to industry standards of CyberSmart.

TRAINING CANTERBURY SKY TAXIS  provide training to all individuals about their data protection and data handling responsibilities  as part of the mandatory induction process and will provide any further relevant training as necessary. This  covers:  - The Data Protection Act   - GDPR Compliance  - Legal Obligations   - Good Practice  - Record Management   - Personal Data   - Right of Access   - Company Policy  Personnel  must  attend  mandatory  updates  every  6  months.  Managerial  staff  have  dissemination  and  implementation plans in place to ensure all personnel are familiar and adhere to all aspects of this policy.  This  includes  key  areas  such  as staff  responsibilities/access  rights  and  checks/security  measures  to  be  followed for different forms of information, what to do if a breach occurs, Security/Physical Security, Data  storage and Transfer, email security and retention/disposal of information. Individuals whose roles require regular access to personal data, or who are responsible for implementing  this policy or responding to subject access requests under this policy, will receive additional training to help  them understand their duties and how to comply with them.  Training will include ensuring that individuals are aware of their obligations in relation to keeping personal  information secure  

IMPLEMENTATION Mahmut Kilic  will be responsible for ensuring that the Policy is implemented.  Mahmut Kilic will have overall  responsibility for:  § The provision of cascade data protection training, for staff within the company.  § For the development of best practice guidelines.  § Carrying out compliance checks  to ensure adherence with  the General Data Protection Regulations  and Conduct of Employment Businesses and Employment Agencies Regulations.  REVIEW 14 | Page DATA  PROTECTION  POLICY This policy will be reviewed regularly and may be altered from time to time in light of legislative changes or  other prevailing circumstances.

bottom of page