Data controller: Alpaca Global Solutions limited
The organisation (Alpaca Global Solutions) collects and processes personal data relating its employees to manage the employment relationship. The organisation is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.
What information does the organisation collect?
The organisation collects and processes a range of information about its staff. This includes:
Name, address and contact details, including email address and telephone number, date of birth and gender;
The terms and conditions of employment;
Details of qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation;
Information about remuneration, including entitlement to benefits such as pensions or insurance cover;
Bank account details and national insurance number;
Information about marital status, next of kin, dependants and emergency contacts;
Information about nationality and entitlement to work in the UK;
Information about criminal record;
Details of individual schedule (days of work and working hours) and attendance at work;
Details of periods of leave taken, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
Details of any disciplinary or grievance procedures in which the employee has been involved, including any warnings issued and related correspondence;
Assessments of performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
Information about medical or health conditions, including whether or not a disability is present for which the organisation needs to make reasonable adjustments; and
Equal opportunities monitoring information including information about ethnic origin, sexual orientation and religion or belief.
The organisation may collect this information in a variety of ways. For example, data might be collected through application forms, CVs or resumes; obtained from passport or other identity documents such as a driving licence; from forms completed at the start of or during employment (such as benefit nomination forms); from correspondence; or through interviews, meetings or other assessments.
In some cases, the organisation may collect personal data from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.
Data will be stored in a range of different places, including in personnel files, in the organisation’s HR management systems and in other IT systems (including the organisation’s email system).
Why does the organisation process personal data?
The organisation needs to process data to enter into an employment contract with the employee and to meet its obligations under that employment contract. For example, it needs to process your to provide an employment contract, to pay in accordance with the employment contract and to administer benefit, pension and insurance entitlements.
In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an employee’s entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.
In other cases, the organisation has a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows the organisation to:
Run recruitment and promotion processes;
Maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
Operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
Operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
Operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
Obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
Operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
Ensure effective general HR and business administration;
Provide references on request for current or former employees; and
Respond to and defend against legal claims.
Some special categories of personal data, such as information about health or medical conditions, is processed to carry out employment law obligations (such as those in relation to employees with disabilities).
Where the organisation processes other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of equal opportunities monitoring. This is to carry out its obligations and exercise specific rights in relation to employment.
Who has access to data?
Employee information may be shared internally, including with [members of the HR and recruitment team (including payroll), your line manager, managers in the business area in which you work and IT staff if access to the data is necessary for performance of their roles].
The organisation shares data with third parties in order to [obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service. The organisation may also share your data with third parties in the context of a sale of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.]
How does the organisation protect data?
The organisation takes the security of employee data seriously. The organisation has internal policies and controls in place to try to ensure that employee data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. The company’s databases have restricted access and it is limited to those who have need to process data and is securely protected from general access.
Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
For how long does the organisation keep data?
The organisation will hold employee personal data for the duration of employment. The periods for which data is held after the end of employment is 12 months.
Tax Issues 6 years after last date of employment
HR information including personal data detailed above 12 months after the last date of employment
Personal Injury claims 6 years after date of claim
Job applications and CVs 12 months after unsuccessful application. For more information see our records retention policy
As a data subject, employees have a number of rights. Employees can:
access and obtain a copy of their data on request;
require the organisation to change incorrect or incomplete data;
require the organisation to delete or stop processing their data, for example where the data is no longer necessary for the purposes of processing; and
object to the processing of data where the organisation is relying on its legitimate interests as the legal ground for processing.
If employees would like to exercise any of these rights, please contact Carol Burton.
If it is believed that the organisation has not complied with data protection rights, a complaint can be made to the Information Commissioner.
What if you do not provide personal data?
Employees have some obligations under the employment contract to provide the organisation with data. In particular, employees are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. Employees may also have to provide the organisation with data in order to exercise the employees statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that the employee is unable to exercise their statutory rights.
Certain information, such as contact details, right to work in the UK and payment details, have to be provided to enable the organisation to enter a contract of employment with the employee. If the employee does not provide other information, this will hinder the organisation’s ability to administer the rights and obligations arising as a result of the employment relationship efficiently.
2 – General Security
Are Policies, Standards & Procedures In Place That Are Aligned To A Recognised Standard (e.g. ISO27001):
As a business we do not currently hold ISO27001, however, we are making every effort to be aligned with its principles with the aim of achieving ISO27001 in the near future.
Any related policy and procedure documentation detailing how Alpaca Global Solutions will handle data is both regularly reviewed and approved by senior management.
Are Regular Audits Performed:
Alpaca Global Solutions follows the PDCA (Plan, Do, Check, Act) principles wherever a policy exists. Both internal and 3rd party audits are undertaken periodically. Any resulting actions are programmed and assigned to responsible persons.
Board Level Support:
Security governance process forms part of the monthly board meeting whereby matters relating to GDPR and Data security are discussed. Any resulting actions are programmed and assigned to responsible persons.
Policy Update and Maintenance:
All policies follow the PDCA principles wherever they exist. Policies are reviewed either annually or following a significant change of personnel or procedure. An early review may also be undertaken following a live event whereby the policy has been tested.
Is there security training and an active security awareness programme in place across all aspects of security?
Alpaca Global Solutions has a plan in place that covers all staff that access data so that regular reviews and internal data security training is undertaken. Where external stakeholders exist, formal external training may also be undertaken.
3 – Information Security
How are access security standards enforced, e.g. password complexity, password change management processes, any multi-factor or biometric processes:
As a cyber essentials certified business Alpaca Global Solutions employ a 3-month Password prompt change, ten characters with number, special character and uppercase Alpha Numeric.
Technical and operational anti-virus controls:
Alpaca Global Solutions uses ESET Endpoint Security which is a managed and monitored service providing daily reports.
Technical and operational security patch management processes:
Alpaca Global Solutions uses an MSP (Comodo) tool to manage security patches throughout the whole network from Servers down to Laptops.
The joiners, movers and leavers process:
The IT dept. are notified via email of new joiners including their required access and security needs. Relevant security groups are then applied. If staff are moved or leave, they are placed in a ‘leavers group’ which applies a policy to remove all access.
Are all user accounts reviewed on a regular basis to ensure that malicious, out-of-date, or unknown accounts do not exist?
Yes. This process is undertaken weekly (minimum).
Are records kept of all employees with access to client systems and information?
Yes, all users are kept on an internal system record. Disabled profiles are also kept on record.
Details of network separation from the internet (e.g. VLANs, firewalls, DMZ, NAT, etc.)
Alpaca Global Solutions utilises a VLAN to separate guest traffic from the network. Alpaca Global Solutions internally uses Dell Sonic Wall for content filtering
Cyber essentials certified business. Carried out 21st March 2022.
Certificate no: IASME-CE-038573
Technical and operational network monitoring controls:
Alpaca Global Solutions use Unify Advanced Network Monitoring to monitor network traffic.
Policy and procedures relating to logging and monitoring of information processing activities that would be used to provide services to all subjects, including system administrator monitoring, log data security controls, retention, and log reviews:
Alpaca Global Solutions use Office 365 for system usage monitoring, SharePoint and 3rd party software usage monitoring.
Sub-contractor / 3rd party services:
Where a subcontractor or 3rd party service is procured, confidentiality or non-disclosure agreements used will be detailed and inputted within this section of the GDPR document.
Security Incident Management Plan:
See the BCP (Business Continuity Plan) document.
4 – Data Protection
Details on all appropriate technical and organisational measures that ensure a level of security for the Personal Data which is appropriate to the risks to individuals that may result from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data:
All personnel and HR data is on its own security group and is separated from the main network infrastructure. Across all drives on the network a group security policy is employed to protect the data within.
Details of processes that provide all necessary assistance to Alpaca Global Solutions to enable it to deal with any communications from any Supervisory Authority relating to the Personal Data:
Alpaca Global Solutions has a policy in place that says no information would be shared unless it is supported by a legal document requesting that information or unless it is the data owner and originator of the information that has requested such assistance.
Assurance that Alpaca Global Solutions will not transfer any Personal Data to, or allow access to it from, outside the EEA without the data subjects explicit and prior written consent and subject to the implementation of such measures required to comply with Data Protection Laws in relation to such transfers:
Alpaca Global Solutions will not transfer any personal data, or will it allow access to it from outside of the EEA. Written consent along with any required measures will be sought from the data subject should the need arise.
Details of the processes of keeping records of all processing of Personal Data which are carried out as the data subjects data processor within Alpaca Global Solutions, required under Article 30 of the GDPR:
As an organisation employing less than 250 persons, Alpaca Global Solutions has typically adhered to Recital 13 under Article 30 of the GDPR.
The derogation provided by Article 30(5) is not absolute. There are three types of processing to which it does not apply. These are:
Processing that is likely to result in a risk to the rights and freedoms of data subjects.
Processing that is not occasional.
Processing that includes special categories of data or personal data relating to criminal convictions
Where personal data is concerned, Alpaca Global Solutions would not exceed the derogation exemption. In the interests of best practice, however, Alpaca Global Solutions is investing time into the requirements set out under Article 30 in order to bring all activities into alignment in order to meet or exceed the implied requirement.
Alpaca Global Solutions’ data protection officer and their contact details:
Hannah Smith – firstname.lastname@example.org – 01992 804460
Details of the processes that enable the notification of any actual or suspected personal data breach within 24 hours of becoming aware:
Although the source of discovery can be multiple, notification will be provided to either a senior member of staff, a company director or the data controller. If the information is passed to a senior member of staff or a director first, then that person will notify the data controller. The data controller is then obliged to notify a restricted group of internal parties to begin mitigation and recovery procedures while simultaneously notifying data subjects of the potential situation and resulting remedial actions.
5 – Personnel Security
Details of background verification, reference and security checks of employees, contractors and third-party users:
Various ID, reference and eligibility checks are carried out.
The list below covers the items checked:
CSCS card (Y/N),
CSCS card number,
CSCS Expiry date,
DBS Checked (Y/N),
Date of disclosure and number,
Previously resident outside of the UK (Y/N),
If yes, Passport checked or right to work confirmed,
References required (Y/N),
Reference applied for by,
Reference request date,
Reference expected return
Description of the formal disciplinary process for employees, contractors and third parties who commit security breaches:
Alpaca Global Solutions employs an Informal to Formal/severity based multi stage disciplinary process. Matters of data security breaches will always be treated as misconduct. In serious cases of Gross Misconduct, Alpaca Global Solutions has a policy in place for summary dismissal. Notifications will be provided to the data subject(s) of any directly implicating instances in line with items mentioned elsewhere within this document.
6 – Physical Security
Security perimeters in place surrounding all sites: (e.g. walls, fences)
A combination of walls, fences and roller shutters are in place. Internal and external CCTV and Alarm assets are also in place.
Controlled entrance to the site:
As an accredited installer of access control systems, Alpaca Global Solutions has a range of Access control methods in place. Measures are regularly reviewed either in line with internal churn or annually (whichever comes first).
Are all secure areas (such as server rooms) protected by additional entry controls?
Yes, although as a business we are almost entirely cloud hosted, we do have a small server room which is situated in a protected internal location with restricted access.
The ID badge process for staff, contractors, 3rd parties, and visitors.
All new staff and contractors are issued with ID/Access cards. Visitors are escorted at all times. Where applicable, 3rd parties and visitors can be issued with either a full or temporary pass if approved by senior member of staff and if they are expected to be present on site for any extended periods.
Access points, such as delivery and loading areas and other points where unauthorised persons may enter the property are isolated from information processing facilities.
Information processing is carried out in the office areas only. These areas are isolated with access control.
Measures in place to protect assets and business activities against security threats and environmental hazards?
See the BCP document.
Measures in place to ensure that only authorised computer equipment is connected to supplier and client networks, including the use of portable media devices (e.g. USB devices, mobile phones, etc.).
Alpaca Global Solutions have separate networks for guest users. Only Alpaca Global Solutions equipment is connected to the Alpaca Global Solutions network.
Processes in place to securely remove sensitive data and licensed software from all computers and storage devices prior to disposal?
Alpaca Global Solutions remove all sensitive data via an MSP before any equipment is disposed of.
7 – Business Continuity and Data Protection
BC and DR plans for all sites and processes that would be involved in providing services to Alpaca Global Solutions including how these plans have been implemented.
See the BCP document.
Are BC and DR plans regularly updated and tested, and staff training is provided?
Yes, annually in line with typical policy review schedules
System back-up policy and implementation, including recoverability process.
Alpaca Global Solutions use Storage Craft which is internally monitored daily.
8 – What the Alpaca Global Solutions Employment Contract says (Extracted information within the context of this document)
”16.0 Confidential Information
As part of this Contract of Employment you have a duty to keep secret all information given to the employee or gained in confidence. You agree not, either during the appointment or after its termination, to disclose to anyone any confidential information concerning the clients business, accounts, affairs or finances of the Company or any of its secrets, dealings or transactions. You employee shall not use any such information or secrets for any purpose other than those at the business
17.0 Grievance Procedures
The formal grievance procedure policy is laid out in the Company handbook.
18.1 You will be expected to maintain a good standard of work performance and conduct at all times. If standards fall below the reasonable levels acceptable to the Company, you would be liable to disciplinary action which could ultimately result in dismissal if satisfactory improvements were not forthcoming.
18.2You will receive as part of the Company Handbook a copy of the Company’s Disciplinary Rules and Procedure. The Disciplinary Procedure will not form part of your contract of employment, and it does not otherwise have contractual effect.
22.0 Data Protection Policy
You agree to the Company holding and processing, both electronically and manually, personal data about you (including sensitive personal data as defined in the Data Protection Act 1998) for the operations, management, security or administration of the Company and for the purpose of complying with applicable laws, regulations and procedures. The company will comply with obligations under the GDPR regulations effective May 2018 and you will be asked to sign a declaration confirming your agreement to the company lawfully processing your personal data
23.0 Social Media
You are not permitted to make any comment about the company, its suppliers, employees or clients on any social media platform including but not limited to written press, emails, specialist websites, twitter, Facebook or Linked In without the prior written permission of the managing director. This restriction applies to both company and personal accounts”