Temporary and flexible T&Cs
TERMS & CONDITIONS OF TACTICAL ENGAGEMENT
Nature of Engagement
The Company engages workers on a tactical basis to work on behalf of various clients for specific activities over a specified period. Such work is offered on an ad-hoc basis as and when there is work to be done. There is no mutuality of obligation upon either party to offer or accept any further work at any stage in the future and tactical work is not deemed to form a Contract of Employment.
Breach of terms
If you fail to meet the requirements set out in this statement we will consider that you have breached these terms and your engagement will end without notice.
Acceptance of terms
Commencement of duties under this engagement will be deemed as acceptance of these terms and conditions.
JOB REQUIREMENTS AND ENTITLEMENTS
If as part of the activity you are working on you are required to attend a briefing, details will be sent to you by the Activity Manager and you will be expected to attend the briefing in full. Payment for any briefing will be made with your first wage claim once you have started work and the Company reserves the right to withhold payment for briefings if you subsequently fail to start work on an activity. Where appropriate bonus payments for briefings will be made subject to the following criteria:
- you report to the appointed Manager on arrival at least 15 minutes prior to start of the briefing you are appropriately dressed in smart business dress
- you conduct yourself in an appropriate professional manner throughout the briefing
You are required to work within the territory or store assigned to you, as detailed in your activity confirmation letter. Your location or hours of work may be adjusted in line with business requirements and the Company reserves the right to ask you to work within a reasonable travelling distance of your home. You may be required to travel further afield for briefings or team meetings if applicable.
If your standards of performance are to be measured by achievement of targets, these will be confirmed to you at the briefing stage. Whilst engaged by the Company you must at all times be punctual, polite and appropriately dressed as required by the Activity Manager. Under no circumstances are you permitted to subcontract your work or carry out the work at times other than those stipulated to you. The Company reserve the right to withhold pay and/or terminate your engagement if your performance standards, reporting and paperwork do not meet the requirements outlined to you in the briefing documents and indicated to you by the Activity Manager.
No notice period applies to workers engaged on a tactical basis.
The engagement may be terminated by either party at any time without notice. If this happens, you will be paid for the hours you have worked until the assignment is ended.
The holiday year runs from January to December.
For any tactical/casual work that you undertake, you will receive holiday pay at 12.07% of hours worked, (equivalent to 5.6 weeks annual leave, inclusive of bank holidays). This will be paid in addition to any of the following payments: Basic Pay; Basic Pay adjustment; Bonus; Overtime; Training Days; and Meetings / Briefings – Field. This holiday pay will appear the same month as these other payments and show clearly as a separate payment on your payslip.
It is your responsibility to manage this holiday pay and ensure that you take a minimum of 5.6 weeks annual leave from our business. As there is no mutuality of obligation you do not need to seek authorisation to take annual leave but you must inform the Company of any periods of holiday you have taken or will be taking so that accurate records can be maintained. However, once you have committed to a Tactical activity and are working on it, please ensure you agree any holidays in advance with the activity manager.
You are not permitted to carry over any outstanding holiday from one year to another, as holiday pay is paid throughout the year as you work.
Wages & expenses
Wages will be paid directly into your bank account on 25th of each month, or closest working day, subject to deductions for tax and national insurance as appropriate. The Company reserves the right to audit your wages and expense claims, to amend excessive claims and to deduct any excess amounts claimed from any sums owed to you by the Company. All Tactical workers are required to complete and return their wage claims within 4 weeks of completing an activity. Wage claims received after this period may be refused or subject to delayed payment. Business expenses will be paid at cost by evidence of VAT receipts only and only by prior agreement with the Activity Manager. Unless specifically detailed in the booking details sent to you, you will not be entitled to claim reimbursement for mileage. Where a half-day is worked, and payment is confirmed per day, this will be paid pro-rata.
In the event of you being provided with product stock, a cash float or any other company equipment or items to enable you to carry out an activity, all such assets must be returned to the Company in the condition it was issued, either upon instruction from the Activity Manager or at the end of the activity. Should you fail to return such assets or damage them as above we reserve the right to make deductions from pay and/or bonus to cover the cost of those assets.
On some activities you may be required to wear a uniform. Whilst in uniform, you are representing the Company and the Client at all times, including breaks. Therefore whilst in uniform you should not consume alcohol, smoke or eat (except in the allocated areas) or behave in any manner which could adversely affect the reputation of the Company or Client. At the end of the activity, you will be required to return the uniform to us in a condition satisfactory to the Company. Failure to do so will result in deductions from your pay to cover the cost or repair of the uniform.
Cash & Carry
In the event you are required to obtain stock from a C&C, you are required to return all accurately reconciled stock to your C&C by Friday of each week throughout any activity. You must not keep any stock over a weekend. Failure to comply with this will result in deductions from your salary if subsequent theft or misplacement of stock occurs.
Should you be engaged on an activity for which you are required to provide a vehicle, you should ensure that it is properly maintained and in a fit and roadworthy condition. Should you be engaged on an activity where a vehicle is provided by the Company, your engagement will be subject to provision of your current valid driving licence and suitable confirmation of appropriate vehicle insurance. If you are required to carry stock or be engaged in commercial travelling activities in your own vehicle you may be required to take out additional cover. If you fail to arrange adequate cover, you will be liable for any loss of stock and this may result in deductions from your earnings. It is also a condition of any engagement requiring the use of a vehicle that your driving licence does not display convictions for road traffic offences (e.g. driving under the influence of drink or drugs, reckless or dangerous driving – this list is not exhaustive). Any conviction must be communicated to the Company as soon as possible. Rules regarding vehicle use will be confirmed to you in your briefing document and these must be adhered to at all times.
Sickness or other absence
You must inform your Activity Manager as soon as possible and no later than 9.15am on the first day of absence if you are unable to work. Thereafter it is important that you keep the Company regularly informed of your intended date of return.
Statutory Sick Pay (SSP) is only payable subject to meeting the SSP qualifying conditions.
Legal Right to work
This offer is made subject to your provision of evidence of your legal right to work in the United Kingdom on or before the proposed start date. Please be aware that if you are unable to provide adequate original documentation you cannot start working or attend any preliminary training and this offer may be withdrawn.
You are required to keep confidential, both during and after the termination of this engagement, without limit in point of time, all information that may be obtained in the course of your engagement. Confidential information concerning business and the affairs of the Company, and any associated company, the Company’s clients and their customers must not be divulged to unauthorised persons.
Processing of personal data and our policies
As a business, we hold and process a wide range of information, some of which relates to individuals. Information relating to an individual (or from which an individual may be identified) is called “personal data”.
Please find below your terms of engagement:
- The Workplace Privacy Notice. This Privacy Notice explains how your personal information is processed, why we are processing it and how that processing may affect you. The Workplace Privacy Notice is in support of the UK Data Protection Act
- The Data Protection Staff Responsibilities Policy is to make you fully aware of our businesses responsibilities in relation to data protection and what you need to do to ensure we meet these responsibilities. We are required to comply with the data protection principles, which are summarised in the Staff Responsibilities
We reserve the right to amend the policy and documents referred to above from time to time.
Disciplinary and Grievance Procedure
The Company’s formal disciplinary or grievance procedures do not apply to this engagement. However if you are dissatisfied with any issues relating to your engagement you should raise the matter as soon as possible with your Activity Manager.
Under the Working Time Regulations your total working hours should not exceed 48 hours per week averaged over a 17 week period (40 hours per week for workers younger than 18). Your hours with the Company fall within this limit, however if you work for any other company at the same time as working for the Company, it is your responsibility to ensure that your total average working hours do not exceed the 48-hour limit. If you have any concerns about this, please discuss the matter with your Manager. In addition, if you work more than 6 hours in one day, you are entitled to an unpaid rest break of 20 minutes (30 minutes after 4.5 hours worked for workers younger than 18). If you have any queries about this you should discuss this with your Manager.
Health & Safety
You are required to adhere to the Company’s Health & Safety at Work Policy, as outlined to you in the briefing document.
To ensure legal compliance with Working Time Regulations (see Working Time) and delivery of our service to our clients, you must provide full details of any additional work, including other tactical work for the Company, you intend to undertake and obtain permission from your Line Manager in advance of starting additional work.
Variation in Terms
The Company reserves the right to amend or add to the above terms in line with business needs at its discretion.
Workplace Privacy Notice
Scope of this Workplace Privacy Notice (“Privacy Notice”)
Like most businesses, we hold and process a wide range of information, some of which relates to individuals who work for us. This Privacy Notice explains the type of information we process, why we are processing it and how that processing may affect you.
This Privacy Notice focuses on individuals who work for us, whether they are employees or freelancers/contractors. It also covers information on those who apply to work for us, and former employees.
This Privacy Notice comprises this document (the Core Notice) and the Supplementary Information in the Annex to this document.
The Supplementary Information section contains a Glossary, in which we explain what we mean by “personal data”, “processing”, “sensitive personal data” and other terms used in this Privacy Notice.
In brief, this Privacy Notice explains:
- what personal data we hold and why we process it;
- the legal grounds that allow us to process your personal data;
- where the data comes from, who gets to see it and how long we keep it;
- how to access your personal data and other rights; and
- how to contact us.
Personal data – what we hold and why we process it
We hold various types of data about the individuals who work for us, including their personal details, information about the work they do for us, their salary and other contractual terms, and so on. Further examples of the types of data we hold are given in the Supplementary Information.
We process this data for the purposes of our business, including management, administrative, employment and legal purposes. The Supplementary Information provides more specific information on these purposes.
See Further information on the data we process and our purposes.
Legal grounds for processing personal data
Under data protection law, there are various grounds on which we can rely when processing your personal data. In some contexts, more than one ground applies. We have summarised these grounds as Contract, Legal Obligation, Legitimate Interests and Consent, and you can find further information on each in the Supplementary Information. See Legal grounds for processing personal data.
Where the personal data comes from and who gets to see it
Some of the personal data that we process about you comes from you. For example, you tell us your contact and banking details.
Other personal data about you is generated in the course of your work, for example, from your managers, colleagues and customers or others outside our organisation with whom you deal.
Your personal data will be seen internally by managers, HR and, in some circumstances, where appropriate, other colleagues. We may also pass your data outside the organisation, for example to people you are dealing with (e.g clients of third-party suppliers), to our group payroll service, employee benefits insurers and our group qualifying pension provider.
Further information on this is provided in the Supplementary Information. See “Where the personal data comes from” and “Who gets to see your personal data?”
How long do we keep your personal data?
We do not keep your personal data for any specific period, but we will not keep it for longer than is necessary for our purposes. In general, we will keep your personal data for the duration of your employment and for a period afterwards in compliance with applicable law.
See Retaining your personal data – more information in the Supplementary Information.
Transfers of personal data outside the EEA
We may transfer your personal data outside the EEA to members of our group and processors in the United States.
Further information on these transfers and the measures taken to safeguard your personal data are set out in the Supplementary Information under Transfers of personal data outside the EEA – more information.
Your personal data rights
You have a right to make a subject access request to receive information about the personal data that we process about you. Further information on this and on other rights is in the Supplementary Information under Access to your personal data and other rights. We also explain how to make a complaint about our processing of your data.
In processing your personal data, we act as a “data controller”. Our contact details are as follows:
CPM Field Marketing
47 Aylesbury Road, Thame, Oxon, OX9 3PG
The contact details of the CPM Group Data Compliance & Privacy Officer are as follows:
Status of this notice
This Privacy Notice does not form part of your contract of employment and does not create contractual rights or obligations. It may be amended by us at any time.
Annex To Core Notice
“Personal data” is information relating to you (or from which you may be identified) which is processed by automatic means or which is (or is intended to be) part of a structured manual filing system. It includes not only facts about you, but also intentions and opinions about you.
Personal data “processed automatically” includes information held on, or relating to use of, a computer, laptop, mobile phone or similar device. It covers data derived from equipment such as access passes within a building, data on use of vehicles and sound and image data such as CCTV or photographs.
“Processing” means doing anything with the data. For example, it includes collecting it, holding it, disclosing it and deleting it.
“Sensitive personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual orientation, sex life, trade union membership and genetic and biometric data. These types of data are subject to special protection under the law.
References in the Privacy Notice to “employment”, “work” and similar expressions include any arrangement under which an individual works for us or provides services to us. This includes individuals who are our employees and also those who provide services under a freelance or independent contractor arrangement. Similarly, when we mention an “employment contract”, this should be taken to include any contract with an employee, a freelancer or a contractor; and when we refer to ending your “employment”, that includes terminating a freelance engagement or a contract for services.
We use the word “you” to refer to anyone within the scope of this Privacy Notice.
Legal grounds for processing personal data
What are the grounds for processing?
Under data protection law, there are various grounds on which we can rely when processing your personal data. In some contexts, more than one ground applies. We have summarised these grounds as Contract, Legal obligation, Legitimate Interests and Consent and outline what those terms mean in the following table.
||Ground for processing
||Processing necessary for performance of a contract with you or to take steps at your request to enter a contract
||This covers carrying out our contractual duties and exercising our contractual rights.
||Processing necessary to comply with our legal obligations
||Ensuring we perform our legal and regulatory obligations. For example, providing a safe place of work and avoiding unlawful discrimination
||Processing necessary for our or a third party’s legitimate interests
||We (and third parties) have legitimate interests in carrying out, managing and administering our respective businesses. Part of managing a business will involve the processing of your personal data.
Your data will not be processed if, in processing your data, your interests, rights and freedoms related to the data override the business’ interests in processing the data for business purposes.
||You have given specific consent to processing your data
||In general processing of your data in connection with employment is not conditional on your consent. But there may be occasions where we do specific things such as provide a reference, deduct union dues or obtain medical reports and rely on your consent to do so.
Processing sensitive personal data
If we process sensitive personal data about you, as well as ensuring that one of the grounds for processing mentioned above applies, we will make sure that one or more of the grounds for processing sensitive personal data applies. In outline, these include:
- Processing being necessary for the purposes of your or our obligations and rights in relation to employment in so far as it is authorised by law or collective agreement (e.g. processing health data about you so we can comply with our duties to provide you with a healthy and safe work environment);
- Processing relating to data about you that you have made public (e.g. if you tell colleagues that you are ill);
- Processing being necessary for the purpose of establishing, making or defending legal claims (e.g. processing data about your race in relation to defending a race discrimination claim by another employee);
- Processing being necessary for provision of health care or treatment, medical diagnosis, and assessment of your working capacity;
- Processing for equality and diversity purposes to the extent permitted by law.
Further information on the personal data we process and our purposes
The purposes for which we process your personal data, examples of the personal data that may be processed, and the grounds on which we process it, are set out in the table below.
The examples in the table cannot, of course, be exhaustive. For example, although the table does not mention personal data relating to criminal offences, if we were to find out that someone working for us was suspected of committing a criminal offence, we might process that information if relevant for our purposes.
||Examples of personal data that may be processed
||Grounds for processing
||Information concerning your application and our assessment of it, your references, any checks we may make to verify information provided or background checks and any information connected with your right to work in the Spain. If relevant, we may also process information concerning your health, any disability and in connection with any adjustments to working arrangements.
|Your employment contract including entering into it, performing it and changing it.
||Information on your terms of employment from time to time including your pay and benefits, such as your participation in pension arrangements, life and medical insurance; and any bonus or share schemes.
|Contacting you or others on your behalf
||Your address and phone number, emergency contact information and information on your next of kin
|Payroll administration and other financial benefits (including life assurance)
||Information on your bank account, pension contributions and on tax and national insurance
Information on attendance, holiday and other leave and sickness absence
|Supporting and managing your work and performance and any health concerns
||Information connected with your work, anything you do at work and your performance including records of documents and emails created by or relating to you and information on your use of our systems including computers, laptops or other device.
Management information regarding you including notes of meetings and appraisal records.
Information relating to your compliance with our policies.
Information concerning disciplinary allegations, investigations and processes and relating to grievances in which you are or may be directly or indirectly involved.
Information concerning your health, including self-certification forms, fit notes and medical and occupational health reports.
|Changing or ending your working arrangements
||Information connected with anything that may affect your continuing employment or the terms on which you work including any proposal to promote you, to change your pay or benefits, to change your working arrangements or to end your employment.
|Physical and system security
Records of use of swipe and similar entry cards.
Records of your use of our systems including computers, phones and other devices and passwords.
|Providing references in connection with your finding new employment
||Information on your work for us and on your performance.
|Providing information to third parties in connection with transactions that we contemplate or carry out
||Information on your contract and other employment data that may be required by a party to a transaction such as a prospective purchaser, seller or outsourcer.
|Monitoring of diversity and equal opportunities
||Information on your nationality, racial and ethnic origin, gender, sexual orientation, religion, disability and age.
|Monitoring and investigating compliance with policies and rules – both generally and specifically
||We expect our employees to comply with our policies and rules and may monitor our systems to check compliance (e.g. rules on accessing pornography at work). We may also have specific concerns about compliance and check system and other data to look into those concerns (e.g. log in records, records of usage and emails and documents, CCTV images).
|Disputes and legal proceedings
||Any information relevant or potentially relevant to a dispute or legal proceeding affecting us.
|Day to day business operations including marketing and client relations
||Information relating to the work you do for us, your role and contact details including relations with current or potential clients. This may include a picture of you for internal or external use or where we use a contact app such as Names & Faces.
|Maintaining appropriate business records during and after your employment
||Information relating to your work, anything you do at work and your performance relevant to such records.
|Operation of active directory/authentication
||Information on your name, job title, managers, contact details, and other information from time to time.
|IT technical support, back up and disaster recovery
||Any information required to notify you of and/or to resolve the technical difficulty experienced.
|Back office services, including staff passes, mailroom, catering, cashless vending, and reception
||Information including your name, job title, work location, contact details, and other information from time to time.
Where the personal data comes from
- When you start employment with us, the initial personal data about you that we process is likely to come from you: for example, contact details, bank details and information on your immigration status and whether you can lawfully work. We may also require references and information to carry out background checks.
- In the course of employment, you may be required to provide us with information for other purposes such as sick pay (and SSP) and family rights (e.g. maternity and paternity leave and pay). If you do not provide information that you are required by statute or contract to give us, you may lose benefits, or we may decide not to employ you or to end your contract. If you have concerns about this in a particular context, you should speak to HR.
- In the course of your work, we may receive personal data relating to you from others. Internally, personal data may be derived from your managers and other colleagues or our IT systems; externally, it may be derived from our clients or those with whom you communicate by email or other systems.
Who gets to see your personal data?
Your personal data may be disclosed to your managers, HR and administrators for employment, administrative and management purposes as mentioned in this document. We may also disclose this to other members of our group and to Omnicom for the same purposes.
We will only disclose your personal data outside our group if disclosure is consistent with one or more of our legal grounds for processing and if doing so is lawful and fair to you.
We may disclose your personal data if it is necessary for our legitimate interests as an organisation or the interests of a third party, such as when we provide you employment benefits we may need to use a third party to provide these which will involve disclosing your personal data to them (but we will not do this if these interests are over-ridden by your interests and rights in particular to privacy).
We may also disclose your personal data outside the group:
- if you consent to the disclosure;
- where we are required to do so by law; or
- in connection with criminal or regulatory investigations.
Specific circumstances in which your personal data may be disclosed include:
- Disclosure to organisations that process data on our behalf such as our payroll service, insurers and other benefit providers, our bank and organisations that host our IT systems and data;
- Disclosure to external recipients of electronic communications (such as emails) which contain your personal data;
- Disclosure on a confidential basis to a potential buyer of our business or company for the purposes of evaluation – but only if we were to contemplate selling;
- Disclosure to Omnicom owned internal shared services groups which administer people-related systems such as HRIS, payroll and benefits administration;
- Disclosure to parent companies for the purposes of managing the business (e.g. in connection with personal performance review including bonus or career development matters);
Retaining your personal data – more information
Although there is no specific period for which we will keep your personal data, we will not keep it for longer than is necessary for the purposes described in this Privacy Notice.
In general, we will keep your personal data for the duration of your employment and for a period afterwards, in compliance with applicable law. In considering how long to keep it, we will take into account its relevance to our business and your employment.
If your personal data is only useful for a short period (for example, CCTV footage or a record of a holiday request), we may delete it.
Personal data relating to job applicants (other than the person who is successful) will be deleted in compliance with applicable law.
Transfers of personal data outside the EEA – more information
In connection with our business and for employment, administrative, management and legal purposes, we may transfer your personal data outside the EEA to members of our group and processors in the United States. We will ensure that the transfer is lawful and that there are appropriate security arrangements.
Although there is no decision by the European Commission that the United States provides an adequate level of protection, we are drafting and will enter into an agreement ensuring appropriate and suitable safeguards with our group members in and processors in the United States. These will be on standard terms adopted by the Information Commissioner and approved by the Commission.Access to your personal data and other rights
We try to be as open as we reasonably can about personal data that we process. If you would like specific information about your data, just ask us.
You also have a legal right to make a “subject access request”. If you exercise this right and we hold personal data about you, we are required to provide you with information on it, including:
- Giving you a description and copy of the personal data; and
- Telling you why we are processing it.
If you make a subject access request and there is any question about who you are, we may require you to provide information from which we can satisfy ourselves as to your identity.
As well as your subject access right, you may have a legal right to have your personal data rectified or erased, to object to its processing or to have its processing restricted. If you have provided us with data about yourself (for example your address or bank details), and the ground for processing is Consent or Contract, you have the right to be given the personal data in machine readable format for transmitting to another data controller.
If we have relied on consent as a ground for processing, you may withdraw consent at any time – though if you do so that will not affect the lawfulness of what we have done before you withdraw consent.
If you choose to exercise your right to make a “subject access request”, we encourage you to do so by completing a webform at the following link: https://privacyportal-eu.onetrust.com/webform/12e0cd13-1eac-4cbd-8fbd-8e3ed7bc5769/b173013c-2df0-4ab8-b31e-5151ffe27a1a
If you have complaints relating to our processing of your personal data, you should raise these with HR in the first instance. You may also raise complaints with the Information Commissioner who is the statutory regulator. For contact and other details ask HR or see: https://ico.org.uk/
Staff Responsibilities Policy
In the course of our business, we process data for a wide range of purposes including sales and marketing, management, administration and employment. Some of this data relates to individuals such as our staff or those working for our clients and suppliers or to data relating to our client’s consumers. This is known as “personal data”. The Workplace Privacy Notice sets out more detail about this.
“Processing” of personal data covers anything done in relation to that data. For example, it includes storing it, sending it to someone else and amending or deleting it.
Working for the Company, it is essential that you are aware of your responsibilities in relation to data protection. We are required to comply with a number of data protection principles as explained in section 4.
2. Scope Of Policy
This policy applies to anyone working for or engaged by us and involved in the processing of personal data in the European Economic Area. This includes all employees, officers, consultants, contractors, freelancers, volunteers, interns, casual workers and agency workers. When we use the terms ‘employee’, ‘employment’ or ‘engagement’, we mean all of these categories of workers.
3. Management Responsibilities
Management has overall responsibility for data protection, compliance with data protection legislation and ensuring that we have management and other systems in place to meet our responsibilities. Your first point of contact for any Data Protection queries is your line manager, thereafter your business area has an appointed GDPR Representative whom you may also contact.
4. Data Protection Principles
In brief, as an organisation processing personal data, we must comply with the data protection principles. These state that when we process personal data:
- We must do so fairly, transparently and lawfully;
- We may only process it for specified and lawful purposes;
- It must be relevant for our purposes, accurate and kept for no longer than necessary;
- We must do so in a way that ensures appropriate security and must protect it from unauthorised and unlawful processing and against accidental loss or
- We must ensure that we uphold any rights that individuals may have in relation to their
In performing your role and carrying out your responsibilities, you must do your best to ensure that we comply with these principles. It is particularly important that staff do all they can to ensure that data is kept securely and safely and that procedures designed to achieve this are followed.
5. Compliance Requirements
Comply with policies
Along with this policy, you must comply will all policies that we establish relating to data and any guidance we give. This includes the following:
- Workplace Privacy Notice.
At all times, you must also follow all reasonable directions and instructions relating to data security and privacy.
Only use data processed in connection with your work for the purposes for which we created or obtained it. Do not use it in a different context. For example, if you receive information about a job applicant in relation to a specific job application, you should only use it for those purposes. You must not use it in relation to a different job unless we have made it clear to the applicant that we may hold the information on file and consider it in connection with other jobs.
You must not store sensitive or personally identifiable information on any company laptop, tablet, mobile device or external storage device unless required by your job function.
Keep data secure. Amongst other things, you must do the following:
Change your password regularly and keep them sufficiently long and complex. Do not disclose passwords or login details or give passes or key cards to anyone else.
Keep your screen locked when you are away from your desk to prevent unauthorised users from accessing data.
- Encryption and password protection
Ensure that all laptops, memory sticks, phones and other mobile devices are password protected and encrypted where possible. You must take care of these devices and keep them secure.
The use of mobile devices in performing your work must be in accordance with your briefing.
If you send an email, make sure that it is addressed to the person to whom you intend to send it. Attachments containing personal data should be password protected where possible.
If you send a document with personal data to print, do not leave it on the printer where others may see it.
The above sets out only a selection of your data protection duties. In addition ensure that you adhere to any specific data protection duties covered in your briefing for this Tactical activity.
Never upload data to a cloud provider unless you know that we have approved its use.
Transferring data outside the EEA
We must not transfer data outside of the EEA unless appropriate protections are in place. Do not send data to organisations within our group without checking with your GDRP Representative.
Disclosure outside the organisation
Think carefully before sending data outside the organisation. Do not disclose it to persons outside unless you know that they are authorised to receive it and have a proper purpose. For example, do not disclose data about colleagues to consumers or external organisations – unless you know it is appropriate. If you are not sure how best to handle data, receive an unusual request from an unusual source or have any other queries about the handling of data, ask your GDPR Representative.
Third party service providers
From time to time we are likely to contract with service providers to process data on our behalf (e.g. with a payroll agency, or for cloud services or marketing analytics). If we do, we are required to impose obligations on the processor relating to matters such as confidentiality, security and inspection. If you are responsible for contracting for such services, you will need to consider data protection and should speak to your GDPR Representative.
Building data protection into our systems
We are required to take measures with a view to processing data only in so far as necessary for our specific purposes and seeking to minimise the data processed. In particular, when contracting for or implementing new systems we should, if practicable, seek to build in technical and organisational safeguards. If you are involved in commissioning or working on the specification for a new system, you should discuss our approach with your GDPR Representative.
Privacy impact assessments
A privacy impact assessment is a tool to identify, consider and, if practicable, reduce privacy risks. Although assessments can be used in many contexts, where there is likely to be a high risk to privacy, we are required to carry out an assessment. If you are involved in a project that may involve such risks, you should discuss our approach with your GDPR Representative.
Data subject rights
Data subjects (individuals in relation to whom we process personal data) have various rights including the right of subject access (to be told of data processed about them), to have inaccurate data corrected and to have processing restricted or data erased. Whether and how these rights apply depend on the circumstances. If you receive a request by an individual exercising a right (or think that he or she may be doing so), you should tell HR and your GDPR Representative immediately, to ensure the correct procedure is followed.
6. What To Do If Things Go Wrong – Data Breach
If a data breach occurs, it potentially puts individuals’ privacy at risk. This is treated seriously both by us and by the statutory regulator who has power to impose large fines.
A data breach occurs where there is destruction, loss, alteration or unauthorised disclosure of or access to personal data which is being held, stored, transmitted or processed in any way. For example, there is a data breach if you lose a laptop or a USB stick or if you send an email to the wrong person by mistake.
If you discover a data breach, you must notify your line manager and head of department immediately, who in turn must notify the GDPR Representative for your Department in accordance with our Data Breach Procedure immediately and within 3 hours.
Failure to notify a breach or to provide information as set out above will be treated seriously and disciplinary action may be taken.
No-one feels good if they leave a laptop on a train or if it is snatched from them in the street. Losing the data or exposing it to risk is much more important to us than losing the equipment. Do not delay – report it! As an organisation we may need to notify the data breach to the regulator – and must investigate and notify within a tight timeline: 72 hours. Therefore, if you identify a situation which may be a data breach you must report this to your Line Manager within 3 hours, and ideally immediately.
For more information on our Data Breach Procedure contact your GDPR Representative.
7. Training And Guidance
You must promptly undertake all training and e-learning that you are assigned. This is to ensure that you understand your responsibilities in relation to data privacy.
8. Enforcement Of This Policy
You must comply with this policy and do your best to ensure that it is followed in your day-to-day work. Breaches of this policy will be taken seriously. In serious cases, particularly when data is put at risk (e.g. a data breach) non- compliance may result in in no further tactical work being offered to you.
9. Status Of This Policy
This policy does not form part of your terms of Tactical engagement. Although you must comply with the policy, it does not in itself create contractual rights or obligations. We may amend it at any time but will make any amendments available to you. Nothing in this policy is intended to create an employment relationship between us and any non-employee providing services to us.