7. Collecting personal data
7.1 Lawfulness, fairness and transparency
We will only process personal data where we have one of 6 ‘lawful bases’ (legal reasons) to do so under data protection law:
- The data needs to be processed so that AWH Holdings Ltd can fulfil a contract with the individual, or the individual has asked AWH Holdings Ltd to take specific steps before entering into a contract
- The data needs to be processed so that AWH Holdings Ltd can comply with a legal obligation
- The data needs to be processed to ensure the vital interests of the individual e.g. to protect someone’s life
- The data needs to be processed so that AWH Holdings Ltd can perform a task in the public interest, and carry out its official functions
- The data needs to be processed for the legitimate interests of AWH Holdings Ltd or a third party (provided the individual’s rights and freedoms are not overridden)
- The individual has freely given clear consent
For special categories of personal data, we will also meet one of the special category conditions for processing which are set out in the GDPR and Data Protection Act 2018.
7.2 Limitation, minimisation and accuracy
We will only collect personal data for specified, explicit and legitimate reasons. We will explain these reasons to the individuals when we first collect their data.
If we want to use personal data for reasons other than those given when we first obtained it, we will inform the individuals concerned before we do so, and seek consent where necessary.
Staff must only process personal data where it is necessary in order to do their jobs.
When employees no longer need the personal data they hold, they must ensure it is deleted or anonymised. This will be done in accordance with AWH Holdings Ltd’s Records Management Policy/Data Retention Schedule.
8. Sharing personal data
We will not normally share personal data with anyone else, but may do so where:
- There is an issue that puts the safety of our staff at risk
- We need to liaise with other agencies – we will seek consent as necessary before doing this
- Our suppliers or contractors need data to enable us to provide services to our staff – for example, IT companies. When doing this, we will:
- Only appoint suppliers or contractors which can provide sufficient guarantees that they comply with data protection law
- Establish a data sharing agreement with the supplier or contractor, either in the contract or as a standalone agreement, to ensure the fair and lawful processing of any personal data we share
- Only share data that the supplier or contractor needs to carry out their service, and information necessary to keep them safe while working with us
We will also share personal data with law enforcement and government bodies where we are legally required to do so, including for:
- The prevention or detection of crime and/or fraud
- The apprehension or prosecution of offenders
- The assessment or collection of tax owed to HMRC
- In connection with legal proceedings
- Where the disclosure is required to satisfy any safeguarding obligations
- Research and statistical purposes, as long as personal data is sufficiently anonymised or consent has been provided
Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.