Mail Workshop data policy

Mail Workshop Limited (“we”) holds personal data relating to its employees and clients, and also to business contacts for the purposes of marketing its business.

Introduction

 
Mail Workshop Limited (“we”) holds personal data relating to its employees and clients, and also to business contacts for the purposes of marketing its business. We are a Data Controller of this data, and this policy itemises the legitimate bases for our holding, processing and retention thereof, together with how it is used and protected.
 
In addition we use and transfer address data (including personal data), supplied by our clients, for the purpose of despatching items that we have stored and/or packed and prepared for despatch to given addresses. We are a Data Processor of this data, and this policy includes the details of how it is processed and retained, such that may be included in the policies of the ultimate Controllers of the data that is processed through our systems. The pertinent elements of those details are also included in the Contractual Agreements made available to our clients regarding our processing of their data.
 
Mail Workshop Limited is registered with the ICO, registration number ZA251735.
 

Our Personnel and Human Resources Data

 
We retain a record of the names, positions held, and dates of service of past and present employees. Consent is requested from the individual in question before these are provided to third parties.
 
We hold name and address details and pension details for employees during their employment and for a period of 2 months thereafter in order to fulfil their Contract of employment. Details necessary for the paying of staff are shared with our bank and accountants, and pensions details with our pensions provider. We validate the security processes of any company outside our own with which we share this data, and do not pass any personnel data outside the UK.
 
We hold the details of a nominated next-of-kin or other person for each member of staff by their Consent, as a point of emergency contact during the period of their employment only.
 
We hold financial records about employees (including pay, bank and tax details, expenses records, payslip copies and P60s), and also a copy of proof of their right to work in the UK, for a period of 7 years on the basis of Legal Obligation relating to the possible requirements of HMRC.
 
We hold records of employee performance, incapacity, and attendance (absence and sickness records, accident-book reports, disciplinary records, and performance appraisals) during their employment and for a period of 3 years thereafter on the basis of our Legitimate Interests of potentially defending a claim of unfair treatment in these areas from a past employee. These records, after employment, are stored in a protected form and not accessed except in such an event, therefore any risk to the rights of the individual in retaining them is strictly limited.
 
We hold details of any disability or other condition that an employee chooses to make us aware of as significant in the way their role is managed or in the way they may need to be treated by a first-aider on a Consent and possible Vital Interests basis. This sensitive personal data is held only during the period of employment and shared only according to the wishes of the employee.
 
We hold application details supplied by employees, including records of their employment history and qualifications, and also records of relevant qualifications obtained during their employment, for the period of their employment on the basis of our Legitimate Interests, and in some cases Legal Obligation, of being able to validate suitability for working tasks and the safety of our working areas. The risk to the rights of current employees of us retaining this information is considered negligible.
 
We retain the details of failed applicants for employment with us for a period of 6 months after application in the Legitimate Interests of potentially defending a claim of unfair treatment in the handling of the application. Sensitive personal information is not requested or held at the stage of application and these details are not used or made available for any other purpose, therefore the risk to the rights of the failed applicant of this retention is considered negligible.
 
Our personnel and human resources data is held in areas of restricted access – either in computer files accessible only to authorised parties or in the case of physical records in locked containers. Records that might cause risk if linked to associating information, such as proof of right-to-work or driving licences, are kept partitioned by type rather than with the remainder of an employee’s information.
 
The personal data of employees is not shared within the company beyond those with an immediate requirement.
 

Our Communications and Recordings

 
We retain CCTV recordings of activity within our warehouse and despatch areas, and the entrances and exits to all of our premises, for 6 weeks prior to deletion. Access to recordings is password-protected and available only on a highly restricted basis. These may contain identifiable images of our employees, of sub-contractors working on our premises, of visitors, and of individuals collecting or delivering goods. Recordings are retained for the Legitimate Interests of our business identifying criminal activity, identifying and remedying activity that may present risks to safety, and validating the nature, timing, and contents of disputed deliveries or collections. A longer-term recording may be kept of any such activity identified. The balancing risks to the rights of our employees are considered negligible in that they are aware of being recorded and should have no reason for concern about their working activities being seen, and in that the recordings are not used except as itemised above. While non-employees will not necessarily be aware that they are being recorded and this is to be considered in assessing their rights, the restricted use and short storage-period of the footage adequately limits any risk to those.
 
We retain recordings of all telephone communications for 4 weeks prior to deletion. These may contain information that personally identifies either a caller or others. A recorded message informs external callers that recordings are being made for “training and quality control” reasons. Access to recordings is restricted to administrators of the system and granted only by validated request. Recordings are retained in our Legitimate Interests of monitoring employee performance in this area and of investigating complaints over the verbal statements or manner of our employees, and are not used for other purposes. A longer-term recording may be kept of any such complaint validated or still under investigation. As all participants in the telephone communication are aware that it is recorded and for what purposes and the retention period is short, those purposes present no clear risk to anyone’s rights.
 
We retain records of all email communications for up to 2 years, prior to archiving in an encrypted form and removal to offsite storage for a further 5 years. These may contain personal data; our staff data policy stipulates that including such information in emails should be restricted wherever possible especially with regard to personnel matters, and our contractual agreements with customers make clear that submitting lists of addresses in this way is not advised. Emails are accessible to the sender and receiver, to an immediate line-manager in some cases, and to system administrators. After encrypted archiving, they are available only by the retrieval and decryption of offsite tapes with the authorisation of two senior employees. Emails are retained on a Legitimate Interests basis, primarily due to the importance of keeping supplier and client communication discussing and agreeing terms and costs of business that may not be otherwise available. The balancing risks to the rights of individuals are limited by the restriction of inclusion of personnel matters, and therefore significant personal data, in email communications; it is considered that the presence of the names of senders and recipients of business communications presents no obvious risk to their rights.
 

Our Client, Sales and Marketing Data

 
We hold contact details for nominated representatives of our clients in order to communicate with them regarding their account and our services, and in order to provide support and information about items stored and despatched by us. A line of communication is required for Contract reasons and additional contact details are added on a Consent basis.
 
Details of financial or contractual arrangements with our clients (contracts, sales agreements, and account set-up forms), which may contain personal data limited to contact names and signatures, are retained for a period of 7 years on the basis of Legal Obligation relating to the possible requirements of HMRC.
 
We may retain the contact details of former customers and of enquirers about our business services for up to 1 year after last communication on the basis of our Legitimate Interests of marketing our business by informing them of additions or improvements to the service they have previously used or enquired about. Named contacts within this category of data will only be contacted otherwise should they actively choose to do so by signing up to additional types of marketing and means of communication, and will not be contacted at all on their request. Restricted communication, targeted to a proven area of interest, to a business contact presents only a highly limited risk to their rights.
 
We retain a list of contacts that have made an active choice, without conditions, to subscribe to receive our company newsletter and contact them by email only with this information on a Consent basis until they choose to unsubscribe.
 
We may source lists of targeted business-contact data from other companies in the Legitimate Interests of marketing our business. Those lists will only be sourced from publicly-available contact information relating to limited companies, and will relate to companies likely to be interested in services related to ours. No subsequent contact will be made with any contact that has chosen at any previous time not to be contacted by us. Restricted communication, targeted to a likely area of interest, to a business contact presents only a highly limited risk to their rights.
 
Our email marketing communications are conducted using MailChimp, a US-based operation. MailChimp is certified as compliant with the EU-U.S. Privacy Shield Framework and with GDPR regulation.
 

Data Processed for our Clients

 
We process data on behalf of our clients by receiving and formatting supplied information such that it is suitable for entry into any relevant despatch systems, and by using that information to produce and print despatch documentation. This data may be submitted to us by clients for processing by file transfer, email or telephone communication, or by extraction from a website. We process the data for the purpose of enabling delivery to our client’s designated recipients.
 
These submissions may contain a number of types of personal data, frequently consisting of name and address information and sometimes also accompanying telephone numbers and/or email addresses. Those names may be connected with either business or home addresses, and their usage for both business and personal purposes. While it is conceivable there may be personal data relating to vulnerable persons, to children, and to other special categories of person within the data, this in current practice will not be identifiable therein, nor is the purpose of processing related to that status.
 
We retain files within which data is supplied for a period of 30 days following last processing, after which they are deleted.
 
In addition, data which is processed for courier or tracked postal despatch is retained for a period of 90 days following despatch within our central courier database, prior to its anonymisation by the removal of any identifiable personalising information.
 
In the case of courier or tracked postal despatch, we submit data to the supplier of the chosen despatch service for the purpose of conducting delivery, where it will then be stored by that supplier in line with their own processing terms. We have verified that the practices and policies of these suppliers are compliant with GDPR.
 
If data is processed using our stock/warehouse management system, it is stored therein for a period of 1 year prior to anonymisation by removal of personally-identifying name and address details.
 
Data supplied to us by couriers in support of their invoices to us will in some cases contain personal data. We anonymise this data by removing personalising elements on receipt and before processing or storing it otherwise.
 
Subsequent to courier or tracked postal despatch, our clients may raise queries about the delivery process, or our employees may notify clients of delivery problems. Communications resulting from this, which may contain personal data, are recorded within a ticketing system. This information is anonymised 30 days after the conclusion of the process. In cases of a claim being made for compensation over a delivery failing, clients may submit to us information from the parcel recipient in support of the claim containing personal data. This is passed to the courier in line with their stipulation and then anonymised in our records.
 
On request, we sometimes obtain and provide proofs of courier or tracked postal delivery for our clients, consisting of a recipient signature linked to a delivery address. We do not store this information after submission for longer than a period of 1 week.
 
Undelivered parcels or postal items may be returned to our premises by the despatch provider with personal data visible on the outer labelling. These are either returned to our clients or, if held on our premises otherwise or ultimately destroyed, the personalising element such as label or envelope is shredded and then recycled. If such items are returned to our clients we may obtain and store for 90 days a signature confirming receipt thereof.
 
Our stated policy is that there should be no reason for a client to supply definable “sensitive personal data” to us for the purposes of its processing. Should we become aware of such instances (such as indications within the data submitted that link a named recipient to a particular company or item sent in a way that defines their beliefs, health, race, or the like) the client will be advised on ways in which the data can be supplied that does not constitute qualification as “sensitive”. Should there be no alternative to a client supplying “sensitive personal data” to meet its processing deeds, we will agree a separate written arrangement regarding its safe usage and storage.
 
Information, which may include personal data, that is submitted to or by us by email is stored for a period of 2 years after submission prior to archiving in an encrypted form offsite for a further 5 years. Secure forms of information transmission other than email, deleted within 30 days of use, are alternatively available to clients that do not have their own such method in place.
 

Data Subject Requests

 
GDPR provides a number of specific rights to data subjects:
 
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
 
We treat our responsibilities under the regulation with respect and comply fully with these rights.
 
If a data subject makes a request of us in relation to one of these rights, in the first instance we request supply of proof of identity in two forms: an identifying document such as a passport or driving licence, and a utility bill or similar proof of address. We also ask for an indication of why they believe we hold their data (e.g. the type of parcel or communication they have received) to assist with identification of where their data is held.
 
In cases where the data involved is processed on behalf of a client, we will communicate this to the data subject, comply with the request in relation to any data held by us, and also pass on the request to the client and ultimate Data Controller to take any necessary action.
 
We will comply with all such requests as soon as possible, and within one month of proof of identification. In most cases it will be possible to comply immediately.
 
We do not plan to charge for compliance with any such requests, nor to consider refusal or extension of the one month time period for compliance, but we reserve our right under GDPR to take such action of this type as is reasonable and proportionate in a case where a request is manifestly unfounded, excessive, or repetitive.
 
 

Personal Data Breaches

 
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
 
Should we become, or be made, aware of such a breach, it should be reported to our Data Protection Officer without delay.
 
In the case of a breach relating to data of which we are the Data Controller, an assessment will be made of the likely risks to the rights of the individuals involved. Based on that assessment, the required notifications will be made to either or both of the ICO and the data subject(s). The assessment and also, where possible, any notifications will be made within 72 hours of awareness of the breach.
 
In the case of a breach relating to a client’s data of which we are the Data Processor, the client will be made fully aware of the circumstances, nature and possible impact of the breach within 72 hours. If required, we will also advise on the level of the breach and the types of notifications the Data Controller is required to make.
 

Organisational Security Processes and Transfer Policies

 
We keep personal data secure against loss or misuse. If other organisations process personal data as a service on our behalf, we will verify their security arrangements and compliance with GDPR.
 
In cases where our personnel data is stored on printed paper, it is kept in a secure and locked container where unauthorised personnel cannot access it. Printed data is securely shredded when it is no longer needed.
 
Our computers are protected by strong passwords that are changed regularly – we enforce a 30 day password change and a minimum 8 characters with three of the four levels of complexity included. After 5 minutes without use screens are automatically locked requiring passwords to unlock, and our staff policy dictates that all screens should be locked when employees leave them unattended.
 
Servers containing personal data are kept in a secure location, locked and keycoded and accessible only to select authorised staff. All servers containing data are protected by security software and firewall.
 
Any NAS device used in conjunction with local PC backups is placed inside our locked server room. We restrict, via our application control and application control software, the use of external drives, flash drives, and the download of any software by staff members. Our policy restricts the saving of any data directly to mobile devices such as laptops, tablets or smartphones.
 
Data is regularly backed up, with encrypted backups written to tape and stored in a locked safe, accessible only to senior system administrators. Tapes are overwritten within 30 days.
 
There are restrictions on transfers of international data. The only transfer of our own data outside the EU is for the purpose of communicating to our marketing lists via the use of MailChimp, a US-based operation. MailChimp is certified as compliant with the EU-U.S. Privacy Shield Framework and with GDPR regulation. We do not transfer any of our personnel or HR data outside the EU. We do not transfer any of the data we process on behalf of our clients outside the EU with the two specific exceptions that: (a) if our client is based outside the EU there will be an exchange of data with them when we submit to them tracking and other communications, (b) if our client designates courier despatch to a location outside the EU, a transfer of some personal data may be required to the recipient country, specific only to details relating to that despatch.
 
A Data Protection Impact Assessment will be conducted before approval of any new procedure relating to the clouds or servers (or virtual servers) used to store or process data.
 

Contact Information

 
James Rhodes, Data Protection Officer, [email protected]
 
Mail Workshop Limited, Unit 6, Colwick Quays Business Park, Nottingham, NG4 2JY, United Kingdom