Chromatrap is a business unit of Porvair Sciences Ltd.
Porvair Sciences Ltd needs to collect and use information on individuals such as customers, potential customers, suppliers and staff members. We use this information to manage our business, meet our contractual obligations with the customer and meet our legislative requirements. However, we must ensure that we use and protect the information in accordance with current legislation. Failure to do so could lead to distress to individuals, financial sanctions from the Information Commissioners Office (ICO), reputational damage and impair our ability to attract new customers.
This policy, together with Porvair’s Security Standards, describes how we will safeguard personal information to protect the individual and comply with the law.
Porvair Sciences Ltd is the data controller for the personal information we collect such as our employee information and business contact information. We are registered with the ICO, and we are responsible for protecting this information in accordance with this policy.
The data subjects are the individuals whose personal information we deal with such as customers, potential customers, suppliers and staff members.
Personal information means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, from the information. The information includes name, address, date of birth, email, telephone number, national insurance number etc. Personal information also includes information associated with that individual such as telephone bills, call recordings, staff development, staff reviews and pay rates. Personal information also includes opinions on an individual and any intention that we may have towards that individual. We must therefore be cautious what we record on personnel files.
Sensitive information, such as medical, race, religion, sexuality, political or trade union membership, is a special category of data that requires sensitive handling.
Processing means any action performed on personal information, which includes collection, recording, organising, storing, sharing and transmitting. This includes electronic and paper documents containing personal information. Many of the activities within Porvair Sciences Ltd involves processing information and therefore we must comply with the law.
Porvair Sciences Ltd must comply with the Data Protection Act (DPA) 2018 and the EU General Data Protection Regulation (GDPR).
Everyone associated with Porvair Sciences Ltd has a responsibility to ensure we protect the personal information we hold and comply with this policy.
The Financial Controller is accountable for data privacy and will report to the board on data privacy every quarter.
The Financial Controller has day-to-day responsibility for data privacy and is the main point of contact for any questions about data privacy.
All staff are responsible for complying with this policy.
The Financial Controller will produce an annual report on data privacy for the board of directors.
When we are considering processing information in a new way, using a new technology or processing sensitive information, the Financial Controllerwill decide whether a Data Privacy Impact Assessment (DPIA) is required.
The Financial Controller will maintain the Porvair Sciences Ltd’s Privacy Risk Register. The register will be reviewed annually by the Board of Directors.
We should collect the minimum personal information we need to complete a task. We should not collect information just in case. If someone is making an enquiry about our services we should only collect initial contact details, there is no need to collect further information as these can be added later.
When we are planning to process information, we need to consider the legal reason for processing, and whether we need the individual’s consent to process. Much of our processing is for legitimate business reasons to run our business and deliver our contracted services to customers; we need to pay staff, monitor and report on services and invoice fees and therefore we do not require consent.
However, some activities may not be considered necessary to deliver the contracted services, such as marketing. Where we are marketing to business customers we do this as a legitimate business interest and do not need their consent, but we must offer them the right to opt-out of further communications. Where a business customer opts-out we mustrecord this and ensure we do not market to that customer again.
We must not send marketing material to an individual’s personal email address or home address without their consent.
The Financial Controller will maintain the Processing Register which will record the details of the customer, the category of data being processed, all processing activities and any enhanced security controls.
We must protect the personal information we use whether in electronic or paper format.
When personal information is no longer required, and there is no legal requirement to retain the information, electronic data must be deleted, and paper copies securely destroyed. Annex A contains a list of how long we need to retain the types of information we process.
Individuals have the right to know whether we store and process their personal information, this is known as a Subject Access Request. If the information we hold is inaccurate they have the right for that information to be corrected. In certain circumstances, they have the right to have the information deleted or to be given a copy of that information. We have to respond to any request within 30 days. The individual does not have to state they are making a subject access request, it can be a simple email asking what information we hold, and therefore, any request by an individual with regards to the information we hold must be forwarded to the Financial Controller.
Porvair Sciences Ltd is registered with the ICO as a data controller and data processor. The Financial Controller is responsible for maintaining our registration.
We will have a privacy notice which will clearly inform individuals how we collect their information, what we do with their information and their rights. A copy of the privacy notice will be displayed prominently on our website and a copy will be sent to individuals when we are requesting information from them.
Where we are delivering a service as a data processor the relevant privacy notices will be included in the terms and conditions of the contract.
The privacy notice for staff will be given to staff on induction.
The Financial Controller is responsible for maintaining the privacy notice.
All new joiners including temporary staff must read this data privacy policy as part of their induction process.
All staff will receive data privacy training as part of their ongoing staff development. The Financial Controller will periodically send emails to all staff highlighting key aspects of data privacy.
We have a legal responsibility to report certain data privacy incidents to the ICO within 72 hours or face a financial penalty. It is essential all staff follow the incident procedure. Example of privacy breaches are:
Not all the examples above are reportable to the ICO however it is essential that staff report any incident or potential incident to the Financial Controller. The Financial Controller will then discuss the incident with the board of directors and decide whether the incident requires reporting to the ICO and whether an action is required to manage the risks from the incident.
The Financial Controllerwill carry out periodic checks to monitor staff compliance with this policy.
The primary actors that inform decisions on retention are:
It is important that the retention schedule is kept up-to-date, to reflect changing business needs, new legislation, changing perceptions of risk management and new priorities for the organisation.
It should be noted that personal data should not be kept longer than is necessary for the purpose or purposes for which it is being processed. So, this means you’ll need to apply some judgment and apply different holding times for different types of personal data. It is essential you ensure that manual records be shredded, and electronic files permanently deleted from the system.
Retention schedule:
Type of Record |
Retention Period |
|
Customer |
|
|
Financial transaction records |
6 years after end of financial year |
|
Contracts |
6 years after account is closed |
|
Letters |
6 years after account is closed |
|
Complaints |
6 years after account is closed |
|
Enquiries |
3 years after account is closed |
|
Investigations |
10 years after account is closed |
|
Staff |
|
|
Job application and interview records |
6 months following unsuccessful application |
|
Personnel records |
7 years after employment ceases |
|
Training records/appraisals |
7 years after employment ceases |
|
Employment agreements |
7 years after employment ceases |
|
Payroll and wage records (including details of overtime, bonuses and expenses) |
7 years after employment ceases |
|
Salary records |
7 years |
|
Disciplinary warnings should be removed from employee's personnel files once they have expired |
Oral warning – 6 months Written warning – 12 months Final warning – 18 months |
|
Disciplinary action ever taken, in particular disciplinary hearings |
7 years after employment ceases |
|
Grievance issues |
7 years after employment ceases |
|
Termination: The process of termination of staff through voluntary redundancy, dismissal and retirement |
7 years after employment ceases |
|
Details of benefits in kind |
7 years after employment ceases |
|
Financial |
|
|
Income tax records (P45/P60/P%*/P48 etc.) |
12 years |
|
Annual return of taxable pay and tax paid |
12 years |
|
Published accounts |
12 years |
|
Tax returns |
12 years |
|
Financial records held on general ledgers |
12 years |
|
Health & Safety |
|
|
Accident/Incident Book |
15 years |
|
Legal/Accident/Incident Forms |
4 years from date of accident |
|
Risk Assessments |
7 years |
|
Health & Safety Reports |
15 years |
|
Fire Procedure |
Until superseded but retain copies of earlier versions |
|
Health & Safety Policy |
Until superseded but retain earlier versions up to 15 years and review as necessary |
|
Records of monitoring areas where employees are likely to come into contact with asbestos. |
Retain for 40 years (refer to The Control of Substances Hazardous to Health Regulations 2002) |
|
Fire log books |
Retain for 7 years |
|
Legal |
|
|
Third party contracts |
6 years after date of termination (unless signed as a deed, in which case 12 years after date of termination) |
|
Other |
|
|
Policies |
6 years from the date they cease to be relevant |
|
Procedures |
6 years from the date they cease to be relevant |
|
Company Secretarial Records (eg board meeting minutes) |
Permanently |
|
CCTV |
30 days |
This document describes how Porvair Sciences Ltd, the data controller, collects, uses and protects your information.
The information we hold about you comes from the way you engage with us such as online through our website, via email, the post or over the telephone. We collect information supplied by you in the course of our business transactions and from our business development activities.
The information we hold includes your name, business address, email address, telephone number and possibly our transactional history.
We process your information to fulfil any contracts between us and for legitimate business interests such as direct marketing and sales activities.
We will not share personal information about you with third parties without your consent unless the law allows us to or they are our suppliers who are involved in delivering the supply chain and our contract to you.
Your personal information will be stored on systems owned or operated by Porvair Sciences Ltd and will only be stored inside the European Economic Area (EEA), or a country approved by the EU.
Within Porvair Sciences Ltd your information will be stored on our secured systems in accordance with Porvair Sciences Access Control Policy. Where your information is stored in countries outside the EEA we will ensure it is protected by encryption.
Retention
We will retain your personal information in accordance with legal and regulatory requirements. You can request your information be deleted and if we can we will, but sometimes we have to maintain records for legal reasons.
If you would like a copy of your information we hold about you, please email info.wrexham@porvairsciences.com
If you are not happy with how we are using your information or how we have responded to your request, you have the right to complain to the Information Commissioner’s Office at www.ico.org.co.uk.
Use of cookies [if you use cookies]
We may use cookies and similar technologies on our website. Cookies are small text files that may be stored on your computer or mobile device when you visit our website. Cookies do many different things, such as letting you navigate between web pages efficiently and remembering your preferences. We do not use cookies to track your use of our site, to make decisions about you or to send you marketing information electronically.
How we will tell you about future changes to this Privacy Notice
Any changes we make to our Privacy Notice will be put on our website. Please check for updates from time to time, so you are always fully aware of what information is collected and how it is used.
If you have any questions or concerns about our use of your personal information, please email info.wrexham@porvairsciences.com
We are happy to accept Purchase Orders as a method of payment from all institutions who have a credit account with us. If you have not yet set up an account, please visit to the account set up page and complete the online form where you can also upload your Purchase Order.
This will create a new account and enable us to grant you a credit limit, subject to status. Once your account is set up, our team will be able to process your order. If you are entitled to tax exemption in your territory, please also upload the documents confirming your status. In Europe this will be a valid VAT Exemption Certificate.
Depending on credit checks that we may carry out, this process may take a few days to complete. We will contact you by e-mail when the account is set up and ready to be used. You can then add items to the basket and at checkout, select the Pay with Purchase Order option.
