
Purpose

The purpose of this document is to set out the key requirements with which the Pennon Group Companies (Pennon) must comply in relation to data protection, as set out in applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). This policy is separate from our privacy notices, which are found on our websites, and from our employee privacy notice (available to employees).

This document will outline:

  • How we will ensure compliance with the UK GDPR and DPA 2018.
  • Our roles and responsibilities that are relevant to internal compliance, and how all Business Areas are to understand their responsibilities in relation to data protection matters.
  • How our compliance with this policy will be monitored.

In this document, any reference to Pennon or the Pennon Group includes all subsidiary businesses which include:

  • South West Water
  • South West Water Customer Services
  • Bournemouth Water
  • Bristol Water
  • Source for Business (Pennon Water Services)

If you have any questions about this Policy, please raise them with Pennon Group's Data Protection Officer (DPO) at dataprotection@pennon-group.co.uk.

Scope and Application

This policy provides a framework to demonstrate how Pennon will comply with its obligations and responsibilities under the UK GDPR and DPA 2018 and relates to information covered by data protection legislation. This policy is supported by various internal policies and procedures.

The UK GDPR definition of "personal data" includes any information relating to an identified or identifiable living natural person. Pseudonymised personal data is covered by the legislation; however, anonymised data is not regulated by the UK GDPR or DPA 2018, provided the anonymisation has not been done in a reversible way.

This policy is mandatory. It is managed by the Pennon Data Protection Team and applies to all the processing of personal data carried out by Pennon, including processing carried out by joint controllers, contractors, processors, and all individuals working for, or on behalf of Pennon. Failure to comply with this policy or any of the other processes or policies referred to within it could lead to appropriate and proportionate punitive action.

Our Responsibilities

The sections below set out the principles and key requirements of the UK GDPR which guide all business areas to ensure that the processing of personal data is carried out fairly and lawfully, without adversely affecting the rights of individuals; the permitted use of company personal data is also detailed in this policy.

Pennon adheres to the seven principles of the UK GDPR as set out in Article 5. This means that:

  1. Personal data is processed lawfully, fairly and in a transparent manner. (Lawfulness, fairness and transparency principle)
  2. Personal data is used for specific, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. (Purpose limitation principle)
  3. Personal data is adequate, relevant, and limited to only what is necessary for the purpose for which it is being processed. (Data minimisation principle)
  4. Personal data is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without undue delay. (Accuracy principle)
  5. Personal data is kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data are processed. (Storage limitation principle)
  6. Personal data is kept in a manner that ensures appropriate security of personal data, including protection against unauthorised access or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. (Integrity and confidentiality principle)
  7. For Pennon to be able to evidence its responsibilities and demonstrate compliance with all the principles set out in 1 to 6 above (The Accountability principle) we have appropriate and effective measures to ensure the business complies with data protection law; failure to follow these could result in breaches of legislation, reputational damage, loss of confidence by data subjects and financial implications.

To process personal data in compliance with all the principles of the UK GDPR, an appropriate lawful basis under Article 6 must be identified; an additional lawful basis under Article 9 is also required if we are processing Special Category data.

Information governed by UK Data Protection Legislation

Company Personal Data is: information relating to any company employee or customer, or to any other individuals we interact with, which is processed (any action involving that data, including viewing, using, sharing, saving, etc.) on any HR, customer, business-developed or procured systems, and in any file shares, shared email inboxes, employee-made spreadsheets, databases, third-party systems, cloud-based systems, data shared with third parties and data stored in reporting or dashboarding applications.

Pennon collects and uses (processes) personal data for specific purposes, for employment purposes and to enable it to provide services to its customers as a water and sewage undertaker, which are detailed in our customer and employee privacy notices.

The UK GDPR requires that we process personal data in a manner that ensures appropriate security of personal data, including protection against unauthorised access, unlawful processing, accidental loss, destruction, or damage. Pennon has implemented technical safeguards, policies and procedures to protect against these risks.

Only individuals who have access to these records, as part of their job role, are authorised to use this data. Their authorisation is for official company business only. Individuals follow all established company policies and procedures when accessing personal data and company systems.

Access Permissions

Individuals who require access to company databases containing personal data are authorised with the least level of permission to enable them to carry out their job role. Access and permissions to company systems and databases holding personal data are regularly reviewed.

Individuals' rights

Under the UK GDPR, individuals have several rights. We have a dedicated team and clear processes to handle all rights requests within the required timescales. These rights can be exercised via our web-form or by contacting Customer Services.

Misuse of company personal data

Misuse of personal data is the use of that personal data in ways for which it was not intended.

We collect employee and customer personal data for specific purposes and uses, which are set out in our privacy notices. Misuse of any of our company personal data violates these requirements. Individuals using any company held personal data are never permitted to use this data for their own purposes and must always follow official policy, processes, and procedures in relation to that data.

Pennon has zero tolerance of misuse of data, and any individual who accesses company personal data for their own purposes will be subject to disciplinary action and mandatory reporting to the Information Commissioner’s Office (ICO).

Data Protection by design and Data Protection by default

We have procedures and guidance to ensure that high risk processing activities are undertaken considering data protection by design and by default through the entire data life cycle. Data privacy is an integral part of the design of any product, project, processing activity, system, or service we offer. We implement appropriate measures to assess and protect personal data, such as undertaking Data Protection Impact Assessments (DPIAs), information security reviews and due diligence checks of suppliers and processors.

Pseudonymisation and anonymisation

Where appropriate we use pseudonymisation (a way of Processing a person’s data without revealing their real identity) to further protect company personal data. Truly and irreversibly anonymised data are not subject to data protection law.

Automated processing (including profiling) and automated decision-making (ADM)

Pennon does not currently make use of automated decision-making processing activities.

Direct Marketing

Prior consent from data subjects (individuals) is required before sending any electronic direct marketing communications (for example, by email, text, social media direct messaging or automated calls). We have procedures to ensure the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and Data Protection Legislation are met. PECR does not apply to non-electronic marketing (postal marketing), but our postal marketing activities still meet data protection requirements.

Data Protection impact assessments (DPIAs)

DPIAs are carried out for all processing activities that are likely to result in a high risk to individuals. However, as good practice, DPIAs are completed for lower-risk processing activities too.

Training and Audit

All company personnel have undergone adequate data protection awareness and refresher training to enable them to comply with data privacy laws. We regularly review our training provision and test our systems and processes to keep training relevant and up to date. 

Record keeping

Pennon keeps a record of its data processing activities (ROPA) to meet the requirements of Article 30. 

Privacy Notices

We provide privacy notices on our websites, and employee intranet, in line with the requirements of the UK GDPR and provide the necessary communications to new customers and employees; we make available any changes that are made to these notices.

Engagement of Data Processors

Pennon only uses data processors that provide sufficient guarantees that the requirements of UK data protection laws and the rights of individuals will be met. Arrangements with data processors are documented in UK GDPR-compliant contracts. Pennon also carries out information security checks on data processors to ensure that they are compliant with applicable requirements.

Sharing Personal Data

Sharing of personal data with third parties is only carried out where we have a lawful basis to do so, and when relevant safeguards and contractual arrangements have been put in place. 

Transfers of data outside the European Economic Area

Personal data is not transferred outside the UK and the European Economic Area unless adequate safeguards, as set out in Article 46, are put in place and are assessed by the data protection team before the transfer takes place.

Breach Notification

We record and consider all data breaches and near misses reported to us. We have breach management processes for responding to breaches and to help decide whether they should be reported to the ICO and data subjects.

Accountabilities, responsibilities and governance

The Pennon Board: The Board has ultimate responsibility for Pennon Group’s risk management, including setting risk culture and overseeing management’s implementation of our Group strategy. The Board sets risk appetite and delegates authority for risk management across the Pennon Group. 

Data Governance Forum: The Data Governance Forum is made up of senior staff and the DPO, and is responsible for considering pertinent data protection matters, for making recommendations to the Board and implementing those recommendations.

Data Protection Officer: The data protection officer is primarily responsible for monitoring and assessing Pennon’s compliance with data protection laws, providing advice, and making recommendations to improve compliance. The Pennon DPO can be contacted by email at dataprotection@pennon-group.co.uk.

Policy Updates

This Policy is periodically reviewed, and we will make any updates deemed necessary.

Version History

This section of the policy should be completed to detail changes made to the policy.