DATA PROTECTION POLICY

INTRODUCTION

The gathering, storing and processing of personal and financial data is a key part of Oncore Services' business operations, and we take our responsibilities to customers, suppliers, relevant authorities and any other stakeholders whose data we gather very seriously.

This policy describes how all data must be collected, handled and stored to meet the company’s high data protection standards and to comply with the law.

Why this policy exists:
This data protection policy ensures that Oncore:
Complies with data protection law and follows best practice;
Protects the rights of Staff and customers;
Is open about how we store and process individuals’ data; and
Protects ourselves from the risks of a data breach.

Policy scope
This policy applies to all Staff of Oncore Services.
It applies to all data that the company holds relating to individuals.
This can include:
Names of individuals;
National insurance numbers;
Postal addresses;
Email addresses;
Telephone numbers;
Proof of identification;
Right to work documentation: work visas, permits and Home Office documents;
Next of kin details;
Bank statements and other financial information;
Utility bills and proofs of address;
Copies of qualifications, certificates or training; and
Any other personal, confidential or private information relating to individuals.

Data protection risks
This policy helps to protect Oncore from very real data security risks, including:
Breaches of confidentiality: For instance, information being given out inappropriately, inadvertently or stolen by a third party.
Failing to offer choice: For instance, all individuals should be free to choose how the company uses data relating to them, if the legal basis is consent.
Reputational damage: For instance, the company could suffer if we had a data breach e.g. hackers successfully gained access to sensitive data or information was given to the wrong person.

RESPONSIBILITIES

Everyone who works for or with Oncore Services has responsibility for ensuring data is collected, stored and handled appropriately. All Staff have personal responsibility for the practical application of this policy, and all must ensure that personal data is handled and processed in line with this policy and the data protection principles.

The Directors are ultimately responsible for ensuring that Oncore Services complies with its legal obligations.

The Directors are responsible for:
Keeping all Staff updated about data protection responsibilities, risks and issues;
Reviewing all data protection procedures and related policies, in line with an agreed schedule;
Arranging data protection training and advice for the people covered by this policy;
Handling data protection questions from Staff and anyone else covered by this policy;
Dealing with requests from individuals to see the data the companies hold about them (known as ‘subject access requests’);
Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data;
Investigating, responding to and managing (including liaising with the ICO and any other relevant regulator or law enforcement agency) incidents and breaches or alleged breaches of applicable data protection and privacy legislation;
Approving any data protection statements attached to communications such as emails and letters;
Addressing any data protection queries from journalists or media outlets like newspapers;
Where necessary, working with other Staff to ensure marketing initiatives abide by data protection principles;
Logging and processing any relevant opt-out requests across all available communication media;
Ensuring all systems, services and equipment used for storing data meet appropriate security standards;
Performing regular checks and scans to ensure security hardware and software is fit for purpose and functioning properly;
Providing relevant user training to reduce risks of data protection breaches or cyber security threats;
Evaluating any third-party services the company is considering using to store or process data, for instance cloud computing and business enterprise services; and
Deleting or segregating data as and when required.

Data Protection Law

The Data Protection Act 2018 sets out how organisations must collect, handle and store personal information, in line with the General Data Protection Regulation (GDPR).

These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. This policy sets out how Oncore Services seeks to protect personal data and ensure that all Staff understand the rules governing their use of personal data to which they have access in the course of their work. All Staff at Oncore Services must be familiar with this policy and comply with its terms.

DEFINITIONS

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Any use of special categories of personal data must be strictly controlled in accordance with this policy.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Staff means partners, Directors, consultants, employees, self-employed contractors, temporary or agency Staff, trainees, apprentices or anyone else who undertakes work for, or on behalf of Oncore Services.

Director means a relevant individual with suitable training, knowledge and experience to manage, update and inform on behalf of the Group, on aspects of Data Protection in respect of the Trading Companies.

GENERAL PRINCIPLES

Oncore Services' policy is to process personal data in accordance with the applicable data protection laws and the rights of individuals as set out below.

Lawfulness, fairness and transparency principle
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).

Purpose Limitation Principle
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’).

Staff should make sure data processed by them is accurate, adequate, relevant and proportionate for the purpose for which it was obtained. Personal data obtained for one purpose should generally not be used for unconnected purposes unless the individual has agreed to this or would otherwise reasonably expect the data to be used in this way.

Data Minimisation Principle
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).

Staff will ensure that they only process what personal data is required for their purpose and no more.

Accuracy
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).

It is the responsibility of all Staff who work with data to take reasonable steps to ensure it is kept as accurate and as up to date as possible.
Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets or duplication.
Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details are still correct when they call in.
Oncore Services provides tools and contacts to make it easy for data subjects to update the information held on any system or data platform.
Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
It is the Director’s responsibility to ensure marketing databases are checked against contact preference (e.g. telephone preference service) files at least every six months. Individuals may ask Oncore Services to correct personal data relating to them which they consider to be inaccurate. If a member of Staff receives such a request and does not agree that the personal data held is inaccurate, they should nevertheless record the fact that it is disputed and inform their line manager, who will investigate the situation in accordance with this policy.

The more important it is that the personal data is accurate, the greater the effort Oncore Services needs to put into ensuring its accuracy.

Storage Limitation Principle
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (‘storage limitation’).

Personal data should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal data were obtained. Staff should follow Oncore Services' data retention schedule.

Integrity and confidentiality principle
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Staff must keep personal data secure against unauthorised or unlawful processing and against accidental loss, destruction or damage in accordance with Oncore Services' information security policy.

Where Oncore Services uses external organisations or individuals to process personal data on its behalf, additional security arrangements need to be implemented in contracts with those organisations or individuals to safeguard the security of personal data. Staff should consult the relevant Directors to discuss the necessary steps to ensure compliance when setting up any new agreement or altering any existing agreement.

Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, Oncore Services will disclose requested data. However, the relevant Directors will ensure the request is legitimate before data is disclosed.

RIGHTS OF THE DATA SUBJECT

Right of access
All persons, including Staff, shall have the right to obtain from Oncore Services confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and information regarding it.

If a person contacts the company requesting this information, this is referred to as a Subject Access Request (SAR).

Subject access requests from individuals should be made by email, addressed to dpo@oncoreservices.com, where they will be picked up and addressed by the relevant Data Protection Controller. Oncore Services has a standard request form, although individuals do not have to use this.

The relevant Director will always verify the identity of anyone making a subject access request before handing over any information.

All Subject Access Requests should follow Oncore Services' Subject Access Request policy and procedure.

Right of Rectification
All persons, including Staff, shall have the right to obtain from Oncore Services without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

All requests for rectification should follow Oncore Services' rectification policy and procedure.

Right of Erasure (also known as the ‘right to be forgotten’)
All persons, including Staff, shall have the right to obtain from Oncore Services the erasure of personal data concerning him or her without undue delay, and Oncore Services shall have the obligation to erase personal data without undue delay in certain circumstances.

All requests for erasure should follow Oncore Services' erasure procedure.

Right to Restriction of Processing
All persons, including Staff, shall have the right to obtain from Oncore Services restriction of processing in certain circumstances.

All requests for restriction of processing should follow Oncore Services' restriction of processing policy and procedure.

Notification obligation regarding rectification or erasure of personal data or restriction of processing
Oncore Services shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

Right to Data Portability
All persons shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, if the data is processed based on consent or contract and where the processing is carried out by automated means.

Oncore Services does not process any personal data by automated means that meet the criteria of Article 20 and, therefore, cannot satisfy the right to data portability.

Right to Object
All persons, including Staff, shall have the right to object to Oncore Services processing his or her personal data if the processing is based on legitimate interest. In this case, Oncore Services shall stop processing the personal data unless Oncore Services demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the person, or for the establishment, exercise or defence of legal claims.

Persons have the right to object to Oncore Services processing their personal data for direct marketing purposes. Where a person does object, Staff should notify the Directors without delay. The person’s email address will be moved to a suppression list so that they will not receive any further marketing material.

Staff should not send direct marketing material to a natural person (e.g. sole trader or unincorporated partnership) electronically (e.g. by email) unless there is an existing business relationship (i.e. the person has bought products/services or has entered into negotiations for products/services) with them in relation to the services being marketed. Staff can send marketing emails to business email addresses.

Staff should contact the relevant Director for advice on direct marketing, if required.

Automated Decision Making (including profiling)
All persons, including Staff, shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Oncore Services does not use any automated decision making.

Processing of Special Categories of Data
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited unless:
1. The person has given explicit consent to the processing of those personal data for one or more specified purposes;
2. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;
3. Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
4. Processing relates to personal data which are manifestly made public by the data subject;
5. Processing is necessary for the establishment, exercise or defence of legal claims; or
6. Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee.

Staff should only process any special categories of data in accordance with Oncore Services' policy on Processing Special Categories of Data.

Processing of Personal Data Relating to Criminal Convictions and Offences
Oncore Services does not process personal data relating to criminal convictions.

Legal Basis for Processing
Oncore Services uses the following legal bases for the processing of personal data:
1. Consent – the person has consented to the processing of his or her personal data for one or more specific purposes;
2. Contract – the processing is necessary for the performance of a contract to which the person is party or in order to take steps at the request of the person prior to entering into a contract;
3. Legal obligation – the processing is necessary in order for Oncore Services to comply with a legal obligation;
4. Vital interests – the processing is necessary in order to protect the vital interests of the person; and
5. Legitimate interests – the processing is necessary for the purposes of the legitimate interests pursued by Oncore Services, or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of a natural person.

Oncore Services explains the use of these legal bases in its Fair Processing Notices.

Consent
Where Oncore Services bases its processing on consent, Oncore Services shall be able to demonstrate that the person has consented to processing of his or her personal data.

Consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

A person, including Staff, shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. It shall be as easy to withdraw as to give consent.

Consent is not freely given if it is requested for a contract and the processing of that personal data is not necessary for the performance of that contract.

Data Privacy Impact Assessment (DPIA)
Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, Oncore Services shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

The DPIA will be overseen by the relevant Directors.

International Transfer
Personal data shall not be transferred outside the EEA (which includes the EU countries, Norway, Iceland and Liechtenstein) without appropriate safeguards.

Staff should not transfer personal data outside of the EU or the EEA without first consulting their line manager or the relevant Directors, unless the transfer has already been authorised.

Reporting Breaches
Staff have an obligation to report actual or potential data protection compliance failures or breaches to the Data Protection Officer. This allows the Data Protection Officer to investigate the breach and take appropriate steps, following the breach notification policy.

Training
Oncore Services takes the protection of personal data very seriously and, therefore, all Staff that process personal data will be trained according to their role requirements.

Staff with any questions about data protection training should contact the Data Protection Officer.

Providing Information
Oncore Services aims to ensure that individuals are aware that their data is being processed, and that they understand:
What data is being collected and why;
Our lawful basis of processing;
How the data is being used;
Who it might be shared with and why;
How long any personal data may be kept for; and
How to exercise their rights.

To these ends, the company has a Fair Processing Notice, setting out how data relating to individuals is used by the companies (Schedule 1).

Consequences of Failing to Comply
Oncore Services takes compliance with this policy very seriously. Failure to comply puts both Staff and Oncore Services at risk. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action, which may result in dismissal.

Staff with any questions or concerns about anything in this policy should not hesitate to discuss these with line managers, in the first instance, and then with the relevant Director.

SCHEDULE 1

DATA PROTECTION: FAIR PROCESSING NOTICE

Oncore Services takes the protection and privacy of personal data seriously. This Fair Processing Notice explains how we use, protect and store personal data before, during and after being a customer of Oncore Services.

Our contact details
1 Long Lane London
SE1 4PG
Telephone: 0203 5985352

Our Data Protection Officer can be emailed at dpo@oncoreservices.com.

What personal data do we collect about you, how do we use that personal data, and what is our legal basis?
We need a legal basis in order to process your personal data. Any data we process is because we either have a contract with you (or you wish to obtain a contract with us), we have a legal obligation to do so, or because it is a legitimate activity. On occasion, we will seek your consent to process your personal data, but you are free to refuse.

When you are a client or wish to become a client of Oncore Services, we collect and process your personal data:
in order to fulfil our contract for services with you;
to fulfil our legal obligations to prevent money laundering, fraud and terrorist financing;
where the activity is a legitimate one for a business; and
with your consent for marketing.
We process your personal data because we have a contract with you, you would like to enter into a contract with us or it is a legitimate business activity.

We process the following data as your employer and to provide services to clients. Our legal basis to do so is that we have a contract with you.
your name
address
date of birth
NI number
home phone
mobile
email address
your financial data
your employment data

Once you become a client, we will assign you a unique client identifier number, as this is a legitimate activity in order to avoid any system errors or mistakes in making payments.

In order to comply with our legal obligations as an employer, and to prevent money laundering, fraud and terrorist financing, we may process some of the following data:
Passport (name, DOB, facial biometrics, passport number, nationality, gender, place of birth, signature);
Biometric Residence Permit (name, date and place of birth, biometrics – fingerprints and a photo of face, immigration status, access to public funds);
Identity card issued by the Electoral Office for Northern Ireland (name, DOB, photo);
Valid photo card driving licence (name, DOB, signature);
Recent evidence of entitlement to a state- or local authority-funded benefit, including housing benefit, council tax benefit, tax credits, state pension, educational or other grant (name, address, DOB, NI number);
Current council tax letter or statement (name, address);
HMRC-issued tax notification (name, address, DOB, NI number);
Current bank statements or credit/debit card statements (name, address);
Current utility bill (name, address); and
Date of birth (for age verification and general identity).

We process your personal data with your consent and where it is a legitimate business activity.

We will send you information pertaining to Oncore Services because you are an employee of ours, as this is a legitimate business activity. We will also send you this information for one year after you have left Oncore Services, as you may wish to come back to us and this is a legitimate activity.

We will ask for feedback on our products or services in order to monitor and improve our service delivery, and this is a legitimate activity for us. You can complete these questionnaires if you wish to; however, you are not obliged to do so. These questionnaires are not anonymous.

You have the right to unsubscribe from marketing at any time. If you do choose to unsubscribe, we will keep your name and email address on a suppression list so that we don’t email you again by accident, and this is a legitimate activity for us.

If you are on our suppression list, you will still receive communications that are necessary to the performance of your chosen services, or notifications to avoid you missing deadlines and/or incurring penalties.

How long do we hold your personal data?
We will hold the personal data that was collected in accordance with your employment with us for a period of seven years. This is a legal requirement for all employers.

If you have started the process to become an employee and then changed your mind, we will hold your data for two years, after which it will be destroyed. We hold it for two years in case it is required by law enforcement agencies or for legal reasons.

We will hold your name, email and phone number to send you marketing information as long as you would like us to do so. If you withdraw your consent, we will hold this data for five years in a suppression list so that we don’t market to you against your wishes, and this is a legitimate activity for us.

Do we use any automated decision making?
We do not use any automated decision making.

Who do we share your personal data with?
Depending on your chosen services and our requirements, we may share your personal data with the following recipients:
HMRC for the purpose of providing your chosen services and responding to requests for information;
National Crime Agency, Action Fraud and any other competent and authorised body for the prevention, detection and investigation of money laundering, fraud or terrorist financing;
The Financial Ombudsman Service (FOS) to resolve any complaint or dispute involving the FOS;
Our software, technology applications and database providers (Microsoft, My Digital Account Ltd, Adobe Sign Ltd, Signable Ltd) necessary for recording, securing and updating your personal details and administering services internally as well as external communications;
HSBC Bank Plc for the purpose of making payments;
Companies that verify publicly available documents and information (e.g. Home Office);
Legal advisors and consultants; and
Insurance companies.

Do we transfer your personal data outside of the EU or EEA?
Your data is kept in the EU or EEA.

Your Rights
You have a number of rights in respect of our processing of your personal data, which are:
To access your personal data and information about our processing of it. You also have the right to request a copy of your personal data (but we will need to remove information about other people);
To rectify incorrect personal data that we are processing;
To request that we erase your personal data if:
we no longer need it;
we are processing your personal data by consent and you withdraw that consent;
we no longer have a legitimate ground to process your personal data; or
we are processing your personal data unlawfully.
To object to our processing if it is by legitimate interest;
To restrict our processing if it was by legitimate interest; and
To request that your personal data be transferred from us to another company if we were processing your data under a contract or with your consent and the processing is carried out by automated means.
If you want to exercise any of these rights, please contact us on 0203 5985352 or email us at dpo@oncoreservices.com.

You also have the right to lodge a complaint about our processing with the UK’s Information Commissioner’s Office.