CONFERO COLLECTIONS LTD
Data Protection Policy

Policy Statement

Confero Collections Ltd is committed to ensuring that it fully complies with all its legal obligations under the Data Protection Act 1998. Confero Collections Ltd processes a considerable amount of personal data and as such it has a number of legal responsibilities, failure to comply with which could result in legal action and substantial financial penalties not to mention the loss of clients.

The purpose of this document is to detail our approach to Data Protection so that both others and we can see that it is both adequate and appropriate.

Confero Collections Ltd is registered with the Information Commissioners Office under the Data Protection Act 1998.

Jon Dawkins
Chief Executive             1st April 2014


Management Commitment and Resources

This policy has the full support of senior management who are committed to providing the necessary resources to ensure that its objectives are achieved.

Responsibility

The person with ultimate responsibility for this policy is the Chief Executive but day- to- day responsibility is delegated to the Administration Manager who is also the Data Protection Manager.

This policy is applicable to all staff and failure to comply is a disciplinary offence that could in some instances constitute gross misconduct.

Communication and Training

The policy will be made available to all staff. All staff who handle personal data will receive data protection awareness and training and this will commence during induction. Particular emphasis will be placed on the eight data protection principles with specific examples provided on how these relate to the companies activities.

Audit and Review

Compliance with this policy will be audited annually and the results reviewed by Senior Management.

The policy will be reviewed annually or at more frequent interval as may be considered necessary due to changes in legislation, changes in the manner in which the company processes data or apparent deficiencies in the policy.

Relationship to Other Procedures

Confero Collections Ltd operates a quality management system (QMS) accredited to ISO 9001. This policy will be audited under our QMS audit procedure, documented and controlled under our document control procedure and training in the policy will be provided in accordance with our training procedure.

Data Protection will be taken into consideration in the design of all new business processes.

Use of Data

All data held by Confero Collections Ltd is held under a duty of confidentiality. It is held and processed for lawful purposes only and is not used in any way that is incompatible with the purposes for which it was obtained. No sensitive personal data is held.

Client Requests for Data

Clients have a right to be provided with any data pertaining to the service which we provide them and any requests for the provision of data should be complied with as fully and promptly as possible. However, care should be taken to ensure that the request does in fact emanate from a client and that the particular member of staff requesting the information is properly authorised to make such a request.

Complaints

Nearly all data held by Confero Collections Ltd has been supplied by our clients or government agencies e.g. DVLA and we are not therefore responsible for its accuracy in the first instance. Complainants should be referred to the appropriate client. However, if the complaint relates to the inaccuracy of data that has been obtained by Confero Collections Ltd, the complaint should be referred to the Data Protection Manager.

Data Security

Access to personal data is on a need to know basis.

Access to data is controlled by restricting physical access to our premises which are alarmed and through the use of locked filing cabinets.

Access to databases is controlled through the use of encrypted passwords that are regularly changed and the use of firewalls.

Hard copy data is removed for shredding and recycling by a contractor who issues a certificate of secure destruction.

Staff are required to ask appropriate questions in order to satisfy themselves as to the identity of the person to whom they talking, before discussing a case. As a general rule, staff are under instruction not to discuss cases with third parties unless and until we have received written authorisation from the data subject, so to do.

All PC’s that are disposed of have their hard drives erased prior to disposal.

Data is backed up daily and this is monitored by our software suppliers and our I.T. consultants. The majority of our data is cloud based under a fully hosted service.

Disaster Recovery

This is covered by our Business Continuity Plan.

Viruses, Trojans, Spyware etc.

All of the company’s systems are protected against malicious software by appropriate applications that are automatically updated on a daily basis.

In addition staff have no access rights to non-business related internet sites or personal e-mail systems.

Retention of Data

Data is retained for a maximum period of six years (Limitations Act) or such longer period as may be specified by our client local authority. Procedures are in place for the automatic erasure of data once the expiry date is reached.

Subject Access Requests

All subject access requests are immediately referred to the Data Protection Manager who will ensure that a response is provided as promptly as possible but in any event within the statutory time period. They will also ensure that the information is provided in a format that is intelligible.

DVLA

Confero Collections Ltd has established a file transfer link with the DVLA that enables us to obtain registered keeper information electronically. It is critical that this facility is not abused and that it is not used for any purpose other than that for which it was established e.g. to confirm whether or a not a vehicle in respect of which a PCN has been issued is still registered to the same keeper and address.

Under no circumstances may it be used in relation to any other type of debt than Road Traffic Debt. It may only be used to obtain confirmation in respect of vehicles for which we already hold a warrant and not to obtain keeper details for vehicles which may or may not be registered to the debtor.

Enforcement Agents may request a DVLA check for purposes other than outlined above but only in respect of an outstanding Liability Order and only when they believe that a vehicle parked on the drive belongs to the debtor. Office based staff responsible for processing requests must ensure that this is the case and the request to the DVLA must be processed manually using DVLA form VQ616.

Failure to comply, will constitute gross misconduct.

The Data Protection Principles
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
Explanation: Data can only be processed for one of the purposes detailed in the Act. In our case we are processing data for the purposes of the administration of justice and for various statutory purposes and both of these are detailed in the Data Protection Act.
Sensitive personal data is data that relates to such matters as a person’s racial or ethnic origin, political or reigious beleifs etc. We do not hold sensitive personal data.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Explanation: All the personal data that we hold is for the lawful purposes of executing warrants and liability orders and the data is not used for any other purpose.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Explanation: We do not obtain the data ourselves. It is simply passed to us by our local authority clients and consequently we are not primarily responsible in the first instance for its adequacy and relevance etc. However, we may well go on to collect additional data in the course of trying to collect a debt and we then have to ensure that this data is adequate, relevant and not excessive.

4. Personal data shall be accurate and, where necessary, kept up to date.
Explanation: Information quickly becomes out of date and inaccurate. A registered keeper disposes of their vehicle and / or changes address and our data is inaccurate. . This is one of the reasons we make regular DVLA checks.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Explanation: It is in the nature of our business that from time to time people issue legal proceedings against us. Generally speaking legal actions must be commenced within 6 years so we usually retain data for this period. Sometimes clients specify that we retain data for a longer period. However, once this period has expired there is no necessary reason for retaining the data and it should be erased.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
Explanation: Data subjects have a right to be provided with a copy of any information about them that is held on a database. The term “database” refers to hard copy filing systems as well as computer records. The information must be provided in an intelligible format and within a statutory time period.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Explanation: We do not give information to anyone except the data subject unless the data subject has properly authorised us to do so. Our databases are protected by the physical security of the building (burglar alarm etc) and by passwords, firewalls etc. Backups are taken daily.