1: Introduction

1.1 Policy Overview
United Civils Limited is committed to protecting the privacy and personal data of all individuals it interacts with, including employees, subcontractors, clients, and suppliers. This Policy sets out how United Civils Limited complies with its obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1.2 Statement of Intent
This Policy outlines our approach to lawful, transparent, and secure data processing, ensuring data subjects’ rights are protected and personal data is handled with care, proportionality, and purpose.

2: Purpose

2.1 Objectives of the Policy
The aims of this Policy are to:

2.1.1 Ensure compliance with data protection legislation and good practice.
2.1.2 Establish clear responsibilities and practices for processing personal data.
2.1.3 Protect the privacy and rights of data subjects (employees, clients, contractors, etc.).
2.1.4 Safeguard the reputation of United Civils Limited by maintaining high standards of data protection.

3: Scope

3.1 Applicability
This Policy applies to all employees, contractors, and third parties acting on behalf of United Civils Limited who have access to or process personal data.

3.2 Data Covered
Personal data processed by United Civils Limited may include:

3.2.1 Employee records (e.g., contact details, emergency contacts, training records, bank details).
3.2.2 Subcontractor and supplier information (e.g., company names, contact details, certifications).
3.2.3 Client contact information, correspondence, and contractual details.
3.2.4 CCTV images (if installed at offices or sites).
3.2.5 Any other personal data collected in the course of business operations.

4: Data Protection Principles

United Civils Limited is committed to processing personal data in accordance with the following principles:

4.1 Lawfulness, Fairness and Transparency
Personal data will be processed lawfully, fairly, and in a transparent manner, with individuals informed about how their data will be used.

4.2 Purpose Limitation
Data will only be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

4.3 Data Minimisation
Only data that is adequate, relevant, and limited to what is necessary will be collected and processed.

4.4 Accuracy
Data will be kept accurate and up to date. Inaccurate or outdated data will be corrected or deleted promptly.

4.5 Storage Limitation
Personal data will be retained only for as long as necessary to fulfil its purpose or to meet legal requirements.

4.6 Integrity and Confidentiality
Appropriate technical and organisational measures will be in place to ensure data is secure, protected from unauthorised access, and not subject to loss or damage.

5: Responsibilities

5.1 Managing Director
Scott Bland is ultimately responsible for ensuring the company complies with its data protection obligations.

5.2 HSEQ Consultants and Competent Persons
SEHSS Limited is responsible for advising on data protection compliance, handling data breaches, and supporting policy implementation.

5.3 All Employees and Contractors
All staff and subcontractors must:

5.3.1 Handle personal data only as necessary for their work.
5.3.2 Follow security protocols and report any breaches or risks.
5.3.3 Attend any data protection training provided.

6: Data Subject Rights

Under UK GDPR, data subjects have the following rights:

6.1 Right to be Informed
Individuals must be informed of what data is being collected, why, and how it will be used.

6.2 Right of Access
Individuals may request access to their personal data held by United Civils Limited.

6.3 Right to Rectification
Individuals can request that inaccurate or incomplete data be corrected.

6.4 Right to Erasure
Also known as the “right to be forgotten”, this allows individuals to request deletion of their data in certain circumstances.

6.5 Right to Restrict Processing
Processing may be restricted where the accuracy or legality of data is in question.

6.6 Right to Data Portability
Individuals may request to receive their data in a commonly used format for use with other services.

6.7 Right to Object
Individuals can object to data processing based on legitimate interests or direct marketing.

7: Data Security Measures

7.1 Physical Security

7.1.1 Office files and records will be stored securely.
7.1.2 Access to sensitive data is limited to authorised personnel only.

7.2 Digital Security

7.2.1 Password protection and antivirus software will be used on company devices.
7.2.2 Personal data sent by email will be shared securely and only with authorised recipients.
7.2.3 Devices will be encrypted where feasible and protected by secure logins.

7.3 Subcontractor and Third-Party Security

7.3.1 Subcontractors processing personal data on behalf of United Civils Limited must adhere to this Policy.
7.3.2 Contracts will include data protection clauses where necessary.

8: Data Breaches

8.1 Any suspected or confirmed data breach must be reported immediately to SEHSS Limited.
8.2 All breaches will be recorded, investigated, and where required, reported to the Information Commissioner’s Office (ICO) within 72 hours.
8.3 Lessons learned will be used to improve controls and prevent recurrence.

9: Training and Awareness

9.1 All employees will receive data protection awareness as part of induction.
9.2 Refresher briefings or toolbox talks will be provided when legislation changes or risks are identified.
9.3 Subcontractors will be informed of their responsibilities when accessing or handling personal data.

10: Data Retention

10.1 Personal data will be retained in line with statutory requirements and operational needs, for example:

• Employee records: Up to 6 years after employment ends.

• Financial records: 6 years for tax and accounting purposes.

• Project and contract records: 12 years where required for warranty or liability purposes.

10.2 At the end of the retention period, data will be securely deleted or destroyed.

11: Policy Review

11.1 This Policy will be reviewed annually or sooner if legislation or operational practices change.
11.2 Reviews will be conducted by SEHSS Limited and approved by Scott Bland.
11.3 Changes will be communicated to all staff and relevant parties.

12: Legal and Regulatory Considerations

12.1 This Policy aligns with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
12.2 United Civils Limited remains committed to ongoing compliance with any future data protection obligations, including those arising from updated ICO guidance.