Data Protection Policy

Purpose

This policy sets out how Whitehall collects, uses, stores, shares, and disposes of personal data to ensure compliance with the UK GDPR, the Data Protection Act 2018, and other applicable privacy laws.

The aim is to protect the rights and privacy of individuals and ensure personal data is handled lawfully and transparently.

Scope

This policy applies to:

  • All employees, contractors, candidates, clients and third-party partners.
  • All personal data processed by Whitehall, regardless of the medium (electronic, paper or verbal).

Definitions

  • Personal Data: Any information relating to an identified or identifiable individual.
  • Special Category Data: Sensitive data (e.g., health, racial or ethnic origin, religious beliefs).
  • Data Subject: The individual to whom the personal data relates.
  • Data Controller: Whitehall, which determines the purpose and means of processing.
  • Data Processor: Any party processing data on behalf of the controller.
  • Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.).

Principles of Data Protection

Whitehall commits to processing personal data in accordance with the following principles:

  • Lawfulness, Fairness, and Transparency.
  • Purpose Limitation.
  • Data Minimisation.
  • Accuracy.
  • Storage Limitation.
  • Integrity and Confidentiality.
  • Accountability.

Lawful Basis for Processing

Whitehall processes personal data based on at least one of the following legal bases:

  • Consent (such consent must be freely given, specific, informed, and unambiguous).
  • Performance of a contract.
  • Legal obligation.
  • Vital interests.
  • Public task.
  • Legitimate interests.

Data Subject Rights

Individuals have the following rights:

  • Right to be informed.
  • Right of access.
  • Right to rectification.
  • Right to erasure (“right to be forgotten”).
  • Right to restrict processing.
  • Right to data portability.
  • Right to object.
  • Rights in relation to automated decision-making and profiling.

Requests to exercise these rights should be sent to dpo@whitehallresources.com.

Data Security

Whitehall implements appropriate technical and organisational measures to secure personal data against unauthorised access, alteration, disclosure, or destruction, including:

  • Access controls.
  • Encryption and pseudonymisation.
  • Secure storage.
  • Regular risk assessments.
  • Staff training.

Data Breach Management

All data breaches must be reported immediately to dpo@whitehallresources.com. Breaches will be investigated and, where necessary, reported to the Information Commissioner’s Office (ICO) within 72 hours.

Data Retention

Personal data will be retained only as long as necessary for its purpose and in line with Whitehall’s Data Retention Policy. After this, it will be securely destroyed or anonymised.

Third-Party Processors

Any third-party service providers that process data on Whitehall’s behalf must comply with data protection obligations. Contracts with these processors will include appropriate data protection clauses.

International Data Transfers

Where personal data is transferred outside the UK, Whitehall ensures adequate safeguards are in place, such as:

  • Adequacy regulations.
  • Standard Contractual Clauses (SCCs).
  • Binding Corporate Rules (BCRs).

Roles and Responsibilities

  • In-House Legal Counsel and IT Manager: Oversees compliance, advises on data protection issues, and is the point of contact for data subjects and the ICO.
  • All employees, contractors, candidates, clients and third-party partners: Must understand and comply with this policy and attend training.

Training and Awareness

All employees will receive regular data protection training and updates. New hires will be trained as part of onboarding.

Enforcement and Disciplinary Action

Non-compliance with this policy may result in disciplinary action, including dismissal, legal action, or termination of contracts.

This policy is reviewed annually and updated when needed.