Data Protection and GDPR Compliance Policy

  1. POLICY STATEMENT

Midcore Security and Facility Management is committed to protecting personal data and handling it lawfully, fairly, and securely. We will comply with the UK GDPR, the Data Protection Act 2018, and any applicable guidance issued by the Information Commissioner’s Office (ICO). This policy sets out how personal data is managed within the business and what is expected of all staff and representatives.

  2. SCOPE

This policy applies to all employees, agency workers, contractors, subcontractors, and anyone processing personal data on behalf of Midcore. It covers personal data held in any format, including paper records, emails, systems, apps, photographs, CCTV images (where applicable), and voice recordings. This policy applies to all Midcore locations and operations.

  3. DEFINITIONS

  1. Personal data: Information that identifies a person directly or indirectly (name, address, phone, NI number, ID documents, etc.).
  2. Special category data: More sensitive data (health, biometrics, religion, etc.).
  3. Processing: Any action on data (collecting, storing, using, sharing, deleting).
  4. Data subject: The person the data relates to.

  4. DATA PROTECTION PRINCIPLES

Midcore will follow the core principles of UK GDPR:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability (we must be able to evidence compliance)

  5. LAWFUL BASIS FOR PROCESSING

Midcore will only process personal data where a lawful basis applies. Common bases include:

  1. Contract: e.g., employment contracts, service agreements
  2. Legal obligation: e.g., right to work checks, payroll, HMRC, SIA-related obligations
  3. Legitimate interests: e.g., operational management, site safety, service delivery
  4. Consent: used only where appropriate and where it can be freely withdrawn

Special category data will only be processed where, in addition to a lawful basis, a condition under Article 9 of the UK GDPR applies, supported where required by a condition in Schedule 1 of the Data Protection Act 2018.

  6. ROLES AND RESPONSIBILITIES

Managing Director
  1. Overall accountability for data protection compliance
  2. Ensures resources, controls, and reviews are in place
  3. Approves this policy and ensures annual review

Data Protection Lead (DPL) (HR Officer / Admin Officer)
  1. Oversees day-to-day compliance
  2. Maintains the data breach log, SAR log, retention schedule, and training records
  3. Provides guidance to managers and staff

Managers and Supervisors
  1. Ensure site and office processes follow this policy
  2. Report any suspected breach immediately
  3. Ensure only authorised people access data

All Staff / Contractors
  1. Must follow this policy and complete required training
  2. Must use data only for authorised business purposes
  3. Must report concerns or incidents immediately

  7. DATA WE HOLD (EXAMPLES)

Midcore may process the following categories of data where necessary:

  1. Staff records (contact details, next of kin, payroll, bank details, NI numbers)
  2. Recruitment and screening records (BS7858 files, references, vetting outcomes)
  3. Right to work and identity documents
  4. Training and competency records
  5. Incident reports, statements, and investigation notes
  6. Client contact details and contract records
  7. Visitor logs and access records
  8. CCTV data (where Midcore controls or processes it)

  8. INFORMATION SECURITY CONTROLS

Midcore will apply appropriate security measures, including:

  1. Role-based access to systems and folders
  2. Strong passwords and device security
  3. Secure storage for paper records (locked cabinets, controlled access)
  4. Clear desk approach in office areas
  5. Secure disposal (shredding or approved disposal service)
  6. Restricted sharing of data via email or messaging apps
  7. Use of encrypted or password-protected files where required
  8. Regular backups and anti-malware protections (where systems are managed)

  9. DATA SHARING AND THIRD PARTIES

Personal data will only be shared when necessary and authorised. This may include sharing with:

  1. Clients (only relevant operational information)
  2. Payroll providers, accountants, pension providers
  3. Vetting/screening partners
  4. Insurers, legal advisors, regulators
  5. Police or authorities where lawful and necessary

Where third parties process data on Midcore’s behalf, Midcore will ensure a written contract meeting the requirements of Article 28 of the UK GDPR is in place (confidentiality, security expectations, and deletion or return of data at the end of the service).

  10. RETENTION AND DISPOSAL

Midcore will keep personal data only for as long as required for business and legal purposes. A retention schedule will be maintained and applied. When data is no longer required it will be securely deleted or destroyed.

  11. DATA SUBJECT RIGHTS (UK GDPR)

Individuals have rights including:

  1. Access (Subject Access Request)
  2. Rectification
  3. Erasure (where applicable)
  4. Restriction
  5. Data portability (where applicable)
  6. Objection
  7. Rights relating to automated decisions (if used)

Requests must be passed to the Data Protection Lead immediately. Midcore will respond within one month of receipt, extended by up to two further months only where the law permits (for example, where a request is complex or numerous), in which case the individual will be told of the extension within the first month.

  12. DATA BREACHES AND INCIDENT REPORTING

Any actual or suspected data breach must be reported immediately to the Managing Director and/or Data Protection Lead.

Midcore will:

  1. Contain and assess the breach
  2. Record it in the breach log
  3. Notify the ICO where the breach is likely to result in a risk to individuals (within 72 hours of becoming aware of it), and notify affected individuals without undue delay where the risk is high
  4. Implement corrective actions to prevent recurrence

  13. TRAINING AND AWARENESS

All staff with access to personal data will receive data protection training during induction and refresher training as required. Training records will be retained as evidence of compliance.

  14. POLICY REVIEW

This policy will be reviewed annually or sooner if there are changes in legislation, working practices, or business operations.

The Managing Director shall approve this policy annually.

Muhammad Imran
Midcore Security & FM
This policy is reviewed on 01 – 09 – 2025