Data Protection Policy

Introductory Statement

Business Modelling Associates Ltd, trading as Business Modelling Applications has to collect and use information about people with whom they work, and recognise that this personal information must be handled and dealt with properly. This is irrespective of how it is collected, recorded and used, and whether it is held on paper, electronically or by other means.

Business Modelling Applications regard the lawful and correct treatment of personal information as being crucial to our success and to maintain confidence between the organisation and clients, and commit to ensuring that it is treated lawfully and correctly. To emphasise this commitment, the organisation has invested in obtaining UKAS accredited certification to ISO27001, and this policy should be read in conjunction with our Information Security Policy and the Information Security aspects of our Integrated Management System (IMS).

Business Modelling Applications fully endorse and commit to complying with the principles and requirements of the General Data Protection Regulation (GDPR) and Data Protection Act (DPA) (2018). This policy applies to the processing of personal data in manual and electronic records maintained by the business.

This policy applies to the personal data of job applicants, existing and former employees, apprentices, volunteers, placement students, self-employed contractors and other workers. Such persons are referred to in this policy as ‘employees’ or ‘data owners’, as most appropriate, although other titles may be used.


  • Criminal Offence Data: Data which relates to an individual’s criminal convictions and offences.
  • Data Processing: Any activity or set of activities performed on personal data or on sets of personal data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Personal Data: Information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier.
  • Special Categories of Personal Data: Data which relates to an individual’s health, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership.

Data Protection Principles

Under GDPR, all personal data obtained and held by Business Modelling Applications shall be processed according to a set of core principles. In accordance with these principles, the organisation will ensure that data:

  • Processing is fair, lawful and transparent;
  • Is collected for specific, explicit, and legitimate purposes;
  • Collection is adequate, relevant and limited to what is necessary for the purposes of processing;
  • Shall be kept accurate and up to date, and any that is found to be inaccurate shall be rectified or erased without delay;
  • Is not kept for longer than is necessary for its given purpose;
  • Will be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or any other form of damage.


Types of Data Held

  • Business Modelling Applications keep several categories of personal data on employees, which is held within our computer systems. Specifically, Business Modelling Applications hold some or all of the following types of data:
  • Personal details such as name, address, phone numbers.
  • Information gathered via the recruitment process such as that entered into a CV or included in a CV cover letter, references from former employers, details of education and employment history etc.
  • Details relating to pay administration such as National Insurance numbers, bank account details and tax codes.
  • Medical or health information
  • Information relating to employment with Business Modelling Applications, including:
    • Job title and job description;
    • Salary information;
    • Terms and conditions of employment;
    • Disciplinary and/or grievance records;
    • Records of annual leave and other leave taken;
    • Performance management information;
    • Training undertaken.

All of the above information is required for internal processing activities; more details on these are available on request.

In addition, the organisation also holds data provided by its clients and other third parties, which enable it to perform its function with regards to producing analytics solutions, and the nature and extent of this depends on the nature of the project being performed.

Employee Rights

Employees have the following rights in relation to the personal data held by Business Modelling Applications:

  • To be informed about the data held by the organisation and what is done with it.
  • To access the data held.
  • To correct or request corrections to any inaccuracies in the data held.
  • To have data deleted in certain circumstances.
  • To restrict the processing of data.
  • To transfer the data held to another party.
  • To object to the inclusion of any information.
  • To regulate any automated processing of data.

The organisation has legal obligations to retain certain records and cannot delete these. The above records are kept for a minimum of 7 years after the employee leaves the organisation.


The Information Security Manager (and thereby Data Protection Officer) for Business Modelling Applications, and is responsible for ensuring:

  • The adequacy of this policy and for reviewing and verifying the mechanisms described within it.
  • Any other person within Business Modelling Applications, whose role require them to access or process data are also made aware of this policy.


Data Processing Procedures

Data Access

Data owners who wish to access the data Business Modelling Applications holds on them shall make such a request in writing (which includes email). Business Modelling Applications will comply with such a request without delay, and in any case within 28 days, unless any lawful reason exists that requires an extension. Business Modelling Applications shall keep the data owner who made the request fully informed of any requirements to extend the time limit.

Business Modelling Applications commit to not charging for any data access request, unless such a request is excessive, repetitive, unfounded or if duplicate copies are to be provided to third parties, which case a reasonable charge will be made.

Data Processing

Business Modelling Applications understand that data processing may only be carried out where a lawful basis for such processing exists. In the event of any processing being required, that does not have any lawful basis, the data owner’s consent shall be obtained prior to performing such processing.

Business Modelling Applications further understand that consent must be freely given, specific, informed and unambiguous, and in the event of consent being sought, this shall be done on a specific and individual basis, as required. Data owners will be given clear instructions on the proposed processing activity, informed of the consequences of their consent and of that they have a right to withdraw their consent at any time.

Data Security

Hard copies of personal data shall be kept in a secure manner, such as a locked receptacle, e.g. a safe, filing cabinet etc., so that they are only accessible by those who have a need and/or a right to access them.

Similarly, any computer etc. shall be locked when unattended, and data stored on such devices shall be password protected or encrypted on both local and network drives. In the event of a copy being held on a removable storage device (e.g. a USB stick), then such devices shall be held in a locked receptacle as previously referenced. Passwords must never be passed to persons who are not entitled to have them, and all reasonable measures taken to ensure any item containing personal data cannot be stolen.

Failure to follow Business Modelling Applications’ data security processes shall be dealt with via the organisation’s disciplinary procedures.

Disclosure of Data

Business Modelling Applications may be required to disclose certain data/information, under circumstances that include:

  • Employee benefits operated by third parties, e.g. pensions, insurance policies etc.;
  • For disabled individuals, to determine reasonable adjustments required to assist them at work;
  • Health Data, to enable the organisation to comply with applicable health, safety or occupational health obligations;
  • Statutory Sick Pay purposes;
  • To enable the organisation to assess how an individual’s health affects their ability to do their job;
  • Law enforcement or similarly relevant authority to prevent or detect crime, prosecute offenders or to assess or collect any tax or duty.

Such disclosures shall only be made when strictly necessary.

Third Party Data Processing

Business Modelling Applications utilise third parties to perform various tasks on their behalf, including data processing, and implement agreements to ensure that the appointed third party take all measures necessary to maintain the organisation’s commitments, policies, and procedures.

Business Modelling Applications do not transfer any personal data outside of the United Kingdom, EU or the agreed regional boundaries.

Breach Notification Requirements

Any data breach shall be recorded, and if required, Business Modelling Applications shall notify the Information Commissioner within 72 hours of the initial discovery, and where required, notify the data owner whose data was breached.

Training and Awareness

New employees shall be briefed on all aspects of information security and data protection at their induction and shall be required to confirm understanding. In addition, all employees who are required to perform activities that could impact on data protection shall be provided with appropriate training, where required, to enable them to perform their duties effectively and lawfully, and to understand the consequences of any potential lapses and breaches.