Data Protection Policy

1. INTRODUCTION

1.1 Serco NorthLink Ferries (“SNF”) is required to collect and use personal information relating to customers, employees and others for the purposes of running their operations.
1.2 SNF recognises the importance of respecting the personal privacy or customers, employees and others and the need to put in place appropriate safeguards relating to the processing of personal information.
1.3 The type of personal information that SNF may require includes information about: customers; current, past and prospective employees; suppliers and others with whom it communicates. This personal information, whether it is held on paper, on computer or other media, will be subject to the appropriate safeguards in the Data Protection Act 1998 (the “Act”).
1.4 SNF is a Data Controller for the purposes of the Act and this policy sets out SNF’s approach to these matters and to compliance with the data protection laws. The policy applies to all employees or any other persons working for or on behalf of SNF.

2. POLICY

2.1 In order to comply with the Act SNF will:
2.11 Operate within the confines of its data protection registration;
2.12 Operate in compliance with the data protection principles in the Act;
2.13 Ensure any exemptions are applied consistently and accurately in accordance with the law;
2.14 Take note of the guidance and standards issued by the Information Commissioner from time to time;
2.15 Take note of applicable codes of practices; and
2.16 Provide appropriate data protection training to all staff.

3. COLLECTION AND RETENTION

3.1 SNF will only collect personal information that is relevant to the carrying out of its legitimate purposes and functions in a way that does not prejudice the interests of individuals. SNF will ensure that the information it holds is as accurate as possible, given the methods used in collection.
3.2 SNF will keep all personal information up to date, and when no longer required for SNF’s legitimate purposes, steps will be taken to archive or destroy it as appropriate.
3.3 Any personal information which is processed will have the appropriate safeguards applied to them to ensure compliance with the Act.
3.4 Sensitive personal information is personal information relating to an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental condition, sexual life, details of the commission or alleged commission of any offence and any court proceedings relating to the commission of an offence
3.5 SNF will handle sensitive personal information with particular care. Before collecting or processing sensitive personal information, SNF will ensure that the appropriate notifications have been given and any required consents obtained.

4. DATA PROCESSING

Data processing will be allowed where there is a clear purpose for the activity which meets the requirement of the Act. Any non-obvious purposes for processing will be notified to the individual.

5. DISCLOSURES

5.1 SNF will not allow information collected from individuals to be disclosed to third parties except where, for example:
5.11 The individual has consented to the disclosure; or
5.12 SNF is legally obliged to disclose the information; or
5.13 There is a business requirement to disclose the information which does not prejudice the interests of individuals or breach the Act.

6. THIRD PARTY DATA PROCESSING

Where information is passed to a third party for processing, SNF will ensure that a written contract is put in place that requires the processor to act only on SNF’s instructions, not to disclose personal information without specific authority, to provide appropriate operational and technical security and to allow SNF to check the contract is being complied with.
SNF will not send personal information to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal information.

7. RIGHTS TO ACCESS INFORMATION

7.1 Employees and other subjects of personal information held by SNF have a right to access their personal information subject to any exemptions under the Act. If personal details are inaccurate, they can be amended on request.
7.2 Any person who wishes to exercise this right should make the request in writing to SNF’s Customer Care Manager.
7.3 SNF reserves the right to charge the maximum fee payable for each access request.

8. SECURITY

SNF has put in place technical, physical and operational security measures to ensure the security of personal information against unauthorised or unlawful processing and against unauthorised or unlawful processing and against the accidental loss or destruction of, or damage to, personal information.

9. DESIGNATED DATA CONTROLLER

SNF’s Commercial Director is responsible for ensuring compliance with the Act and implementation of this policy and is assisted in this function by the Customer Care Manager. The Customer Care Manager can be contacted at  customerservices@northlinkferries.co.uk. Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with the Customer Care Manager.

10. STATUS OF THIS POLICY

This policy has been approved by SNF’s Directors and any breach of this policy will be taken seriously. This policy may be varied, amended or updated at any time.

11. COMPLAINTS

Any employee, customer or other person who considers that the policy has not been followed in respect of their personal information should raise the matter with their line manager or the Customer Care Manager in the first instance. Any complaint will be taken seriously and investigated thoroughly.

Serco Northlink Ferries is also subject to The Freedom of Information (Scotland) Act 2002.