Revision 3 – March 2017
2 WHAT IS PERSONAL DATA?
3 WHAT IS PROCESSING?
4 THE RULES FOR PROCESSING PERSONAL DATA
4.1 Use of Personal Data must be Fair and Lawful
4.2 Personal Data must Only be Used for Specified Lawful Purposes
4.3 The Use of Personal Data must be Justified
4.4 Personal Data must be Accurate
4.5 Meggitt must Adhere to its Data Retention Policy
4.6 Appropriate Security must be Applied to all Personal Data
4.7 Personal Data must be Processed in Accordance with Individuals’ Rights
4.8 Transfers outside the European Economic Area
4.9 Direct marketing
5 DATA PROTECTION FOR EMPLOYEES
7 CONTACT INFORMATION
The aim of this policy is to set out the obligations of Meggitt (“Meggitt” means Meggitt PLC and any entity controlled by Meggitt PLC directly or indirectly) and its employees when processing personal information (or personal data) about individuals. It is important that all Meggitt employees understand the rules about personal data.
Meggitt is a global organisation operating in a number of different countries. Each country has its own laws governing data privacy. This policy sets out the minimum requirements for the processing of personal information but a country’s laws may impose different requirements so employees should seek advice from their local Ethics Coordinator if unsure. Country-specific supplements to this policy will be published over time setting out the additional requirements of a particular country’s privacy laws and these should be followed where available.
Meggitt collects, processes, and stores personal information for various purposes the main ones being:
Personal data is information which relates to a living individual (not companies although information about a named individual of a company will be personal data) who can be identified from that information, whether or not in conjunction with any other information. Common examples of personal data which may be used by Meggitt in its day to day business include names, addresses, telephone numbers and other contact details, resumés/CVs, performance reviews, salaries and statements of opinion or intention regarding individuals.
Meggitt will be processing personal data if it holds personal data and/or carries out any operation relating to that information such as altering or deleting it, accessing, downloading, reviewing or transferring it.
It is irrelevant whether the information is stored as a manual record or is automatically processed (i.e. computer or word processed).
Disclosure and use of personal data held by Meggitt is governed by the following rules in order to ensure compliance with data privacy legislation and in the interests of privacy, employee and customer confidence and good employee and customer relations.
Meggitt must ensure that:
If the details about the intended processing are known to the individual at the time the personal information is collected then, in the main, the individual will be deemed to have given consent when they gave their information. If the information is not received directly from the individual then Meggitt must ensure that the individual is given the relevant information above and Meggitt has authority to use this information.
If the purposes for which the data may be used or disclosed change, then the individual must be notified at that point.
Occasionally, specific business needs, can justify processing without consent. (See Section 220.127.116.11 below).
Some information in some countries (particularly those within Europe) is considered to be sensitive personal data (“Sensitive Personal Data”). This includes information relating to:
Meggitt will not generally seek to collect such data unless it has the explicit consent of the individual to process Sensitive Personal Data and in this circumstance consent cannot be deemed. If there is no explicit consent or the information has not been received directly from the individual, Meggitt will not process Sensitive Personal Data unless it obtains the relevant consents or is otherwise lawfully entitled to do so. Meggitt may in some exceptional circumstances rely on consent given on behalf of an individual, for example by a Meggitt employee on behalf of a family member.
Some countries may have additional rules about using Sensitive Personal Data. Employees should check with their local Ethics Coordinator if unsure or refer to the appropriate supplement for their country (if available).
Provided that the processing is for one of the purposes set out in section 4.2 below and the individual concerned has been notified in writing that the data may be processed by Meggitt for that purpose (see Section 4.1), then personal data (but not Sensitive Personal Data) may be processed without consent from the individual concerned as follows:
Meggitt will only use personal data for the purposes for which it was obtained, which should be the purposes specified in this policy or notified to the individual when the information was first obtained.
Provided that individuals cannot be identified, aggregate or statistical information may be used to respond to any legitimate internal or external requests for data, i.e. surveys, manpower figures.
The personal data processed by Meggitt will be adequate, relevant and not excessive for Meggitt’s legitimate business purposes. Methods of data capture will:
The best way to ensure that the information is accurate is to check this with the individual at the time it is collected. Some personal information collected may change from time to time, such as address and contact details, bank accounts and employment. If Meggitt takes a decision based on inaccurate information or forwards information to the wrong address it is conceivable that this may cause some harm to the individual. It is therefore important that, where necessary, information is kept up to date. Individuals whose personal data is being processed should be requested to inform Meggitt of any changes to the personal information they provided.
Regular reviews of the information by Meggitt shall be carried out to ensure its accuracy. If a large volume of personal information or number of individuals is likely to be affected, the most cost effective method will be adopted by Meggitt to update this information.
Meggitt will observe retention policies and procedures designed so that Meggitt deletes personal information after a reasonable time and does not keep personal information for longer than is necessary for the purpose for which it is being held (except where the nature of that purpose is such that it is necessary to keep it indefinitely or the law requires the information to be kept for a certain time).
When Meggitt no longer needs to keep such personal information for such purposes it will take all reasonably steps to destroy or erase such information as soon as reasonably practicable.
Meggitt will have in place appropriate technical and organisational security measures to prevent unauthorised or unlawful processing, accidental loss of or destruction or damage to personal information. It will ensure that these measures are appropriate to the risks represented by the processing it carries out of those personal data.
Meggitt recognises the importance of appropriate security arrangements where any personal information is passed to third parties who process that information on behalf of Meggitt. Where Meggitt establishes such arrangements Meggitt will ensure that such service providers are bound by written contracts under which they agree to act only on Meggitt’s instructions and to have appropriate security arrangements in place to protect personal information. Note that third parties in this context include Meggitt Affiliates as well as outside service providers.
Personal information released to a third party for processing for that party’s own purposes, must only be released with the individual’s consent.
Personal data must only be disclosed to those authorised to see it.
Information must not be released about an individual to any person requesting this information by e-mail, phone, fax or post, unless Meggitt is sure of the identity of the person making the request and that they are entitled to receive the information requested. Please note that parents (unless in relation to children under 16), spouses, partners and children are not entitled to information about another individual.
Individuals whose personal data is being held in a country in the European Union have rights in relation to information processed about them.
These include the right to:
If a request for access to personal information is made by a person resident in the European Union, Meggitt will:
If, in order to comply with a disclosure request, Meggitt would need to disclose personal information relating to an identifiable third party then disclosure of that third party information is not permitted unless the third party has consented or it is reasonable to comply with the request without such consent. Failing these options, the data must be edited by Meggitt prior to disclosure so that the identity of third parties is not discernible.
Any requests received by employees for personal data must be passed immediately to the local Meggitt human resources manager, whether the request is from employees or external sources.
For Meggitt customers and suppliers wishing to make a personal information access request, please see Section 7 for relevant contact details.
Any personal data access request may be subject to a reasonable fee.
Where personal information is being handled by Meggitt within the European Union, Meggitt will not transfer that personal information outside the EEA or Switzerland (other than merely for processing on Meggitt’s behalf) unless:
Meggitt will not send unsolicited marketing communications by email, post or fax or telephone to any individuals (including business partnerships and named individuals in companies) unless it has obtained the prior consent of those individuals. This consent can be obtained at the time the information is provided by the individual.
Meggitt will comply with any request by an individual not to receive direct marketing information.
1 The countries currently deemed adequate include USA (those companies who have signed up to the EU Privacy Shield or Swiss U.S. Privacy Shield Framework only), Argentina, Switzerland, Canada, Guernsey and the Isle of Man.
Initial personal information relating to employees is ordinarily obtained from job application forms submitted to Meggitt and thereafter principally from employees themselves by way of annual appraisal. A copy of this policy should be issued to any employee who wishes to receive more in-depth information regarding the use for which the data is being collected.
All staff should endeavour to restrict disclosures requested from outside Meggitt to those required by law as much as possible.
Employees are entitled to have access to personal data held upon them which is not excluded data (see below). They are also entitled to be informed of the purpose for which the data is being or is intended to be used and the likely recipients (or class of recipients). The following information is excluded from this right to access:
Meggitt will process personal data in accordance with data protection legislation and principles. All Meggitt employees, temporary workers, visitors, voluntary and agency workers and third party suppliers are required to comply with this Group Data Protection Policy.
(a) have any questions relating to your personal data or our Data Protection Policy;
(b) would like to withdraw your consent to any use of your personal data as set out in this Data Protection Policy; or
(c) would like to obtain access and make corrections to your personal data records,
please contact our Data Protection Officer at firstname.lastname@example.org, telephone 01202 597597 or write to the Data Protection Officer, Meggitt PLC, Atlantic House, Aviation Park West, Bournemouth International Airport, Christchurch, Dorset, BH23 6EW.