The purpose of this document is to set out the key requirements with which the Pennon Group Companies (Pennon) must comply in relation to data protection, as set out in applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). This policy is separate to our privacy notices, which are found on our websites and our employee privacy notice (available to employees).
This document will outline:
In this document, any reference to Pennon or the Pennon Group includes all subsidiary businesses which include:
If you have any questions about this Policy, please raise them with Pennon Group's Data Protection Officer (DPO) at dataprotection@pennon-group.co.uk.
This policy provides a framework to demonstrate how Pennon will comply with its obligations and responsibilities under the UK GDPR and DPA 2018 and relates to information covered by data protection legislation. This policy is supported by various internal policies and procedures.
The UK GDPR definition of "personal data" includes any information relating to an identified or identifiable natural living person. Pseudonymised personal data is covered by the legislation; however, anonymised data is not regulated by the UK GDPR or DPA 2018, provided the anonymisation has not been done in a reversible way.
This policy is mandatory. It is managed by the Pennon Data Protection Team and applies to all the processing of personal data carried out by Pennon, including processing carried out by joint controllers, contractors, processors, and all individuals working for, or on behalf of Pennon. Failure to comply with this policy or any of the other processes or policies referred to within it could lead to appropriate and proportionate punitive action.
The sections below set out the principles and key requirements of the UK GDPR which guide all business areas to ensure that the processing of personal data is carried out fairly and lawfully, without adversely affecting the rights of individuals; the permitted use of company personal data is also detailed in this policy.
Pennon adheres to the seven principles of the UK GDPR as set out in Article 5. This means that:
To process personal data in compliance with all the principles of the UK GDPR, an appropriate lawful basis under Article 6 must be identified; an additional lawful basis under Article 9 is also required if we are processing special category data.
Company Personal Data is: information relating to any company employee or customer, or to any other individuals we interact with, which is processed (any action involving that data, including viewing, using, sharing, saving, etc.) on any HR, customer, business-developed or procured systems, and in any file shares, shared email inboxes, employee-made spreadsheets, databases, third-party systems, cloud-based systems, data shared with third parties and data stored in reporting or dashboarding applications.
Pennon collects and uses (processes) personal data for specific purposes, for employment purposes and to enable it to provide services to its customers as a water and sewage undertaker, which are detailed in our customer and employee privacy notices.
The UK GDPR requires that we process personal data in a manner that ensures appropriate security of personal data, including protection against unauthorised access, unlawful processing, accidental loss, destruction, or damage. Pennon has implemented technical safeguards, policies and procedures to protect against these risks.
Only individuals who have access to these records, as part of their job role, are authorised to use this data. Their authorisation is for official company business only. Individuals follow all established company policies and procedures when accessing personal data and company systems.
Individuals who require access to company databases containing personal data are authorised with the lowest level of permission that enables them to carry out their job role. Access and permissions to company systems and databases holding personal data are regularly reviewed.
Under the UK GDPR, individuals have several rights. We have a dedicated team and clear processes to handle all rights requests within the required timescales. These rights can be exercised via our web-form or by contacting Customer Services.
Misuse of personal data is the use of that personal data in ways it wasn’t intended for.
We collect employee and customer personal data for specific purposes and uses, which are set out in our privacy notices. Misuse of any of our company personal data violates these requirements. Individuals using any company held personal data are never permitted to use this data for their own purposes and must always follow official policy, processes, and procedures in relation to that data.
Pennon has zero tolerance of misuse of data, and any individual who accesses company personal data for their own purposes will be subject to disciplinary action and mandatory reporting to the Information Commissioner’s Office (ICO).
We have procedures and guidance to ensure that high risk processing activities are undertaken with data protection by design and by default applied through the entire data life cycle. Data privacy is an integral part of the design of any product, project, processing activity, system, or service we offer. We implement appropriate measures to assess and protect personal data, such as undertaking Data Protection Impact Assessments (DPIAs), information security reviews and due diligence checks of suppliers and processors.
Where appropriate we use pseudonymisation (a way of processing a person’s data without revealing their real identity) to further protect company personal data. Truly and irreversibly anonymised data is not subject to data protection law.
Pennon does not currently make use of automated decision-making processing activities.
Prior consent from data subjects (individuals) is required before sending any electronic direct marketing communications (for example, by email, text, social media direct messaging or automated calls). We have procedures to ensure the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and Data Protection Legislation are met. PECR does not apply to non-electronic marketing (postal marketing), but our postal marketing activities still meet data protection requirements.
DPIAs are carried out for all processing activities that are likely to result in a high risk to individuals. However, as good practice, DPIAs are completed for lower risk processing activities too.
All company personnel have undergone adequate data protection awareness and refresher training to enable them to comply with data privacy laws. We regularly review our training provision and test our systems and processes to keep training relevant and up to date.
Pennon keeps a record of its data processing activities (ROPA) to meet the requirements of Article 30.
We provide privacy notices on our websites and employee intranet, in line with the requirements of the UK GDPR, and provide the necessary communications to new customers and employees; we make available any changes that are made to these notices.
Pennon only uses data processors that provide sufficient guarantees to ensure that the requirements of UK data protection laws and the rights of individuals are met. Arrangements with data processors are documented in UK GDPR compliant contracts. Pennon also carries out information security checks on data processors to ensure that they are compliant with applicable requirements.
Sharing of personal data with third parties is only carried out where we have a lawful basis to do so, and when relevant safeguards and contractual arrangements have been put in place.
Personal data is not transferred outside the UK and the European Economic Area unless adequate safeguards, as set out in Article 46, are put in place and are assessed by the data protection team before the transfer takes place.
We record and consider all data breaches and near misses reported to us. We have breach management processes for responding to breaches and to help decide whether they should be reported to the ICO and data subjects.
The Pennon Board: The Board has ultimate responsibility for Pennon Group’s risk management, including setting risk culture and overseeing management’s implementation of our Group strategy. The Board sets risk appetite and delegates authority for risk management across the Pennon Group.
Data Governance Forum: The Data Governance Forum is made up of senior staff and the DPO, and is responsible for considering pertinent data protection matters, for making recommendations to the Board and implementing those recommendations.
Data Protection Officer: The data protection officer is primarily responsible for monitoring and assessing Pennon’s compliance with data protection laws, providing advice, and making recommendations to improve compliance. The Pennon DPO can be contacted by email at dataprotection@pennon-group.co.uk.
This Policy is periodically reviewed, and we will make any updates deemed necessary.
This section of the policy should be completed to detail changes made to the policy.