Data Protection Policy


Hutton + Rostron Environmental Investigations Ltd (H+R) needs to collect and use certain types of information on H+R staff, and about the individuals who engage H+R to carry out our work. This personal information must be collected and dealt with appropriately whether it is collected on paper, stored on computer, or recorded on other material and there are safeguards to ensure this under the General Data Protection Regulation (GDPR), UK Data Protection Laws and any other relevant data protection laws and codes of conduct (herein collectively referred to as “the data protection laws”).

H+R has developed policies, procedures, controls and measures to ensure maximum and continued compliance with the data protection laws and principles, including staff training, procedure documents, audit measures and assessments. Ensuring and maintaining the security and confidentiality of personal and/or special category data is one of our top priorities and we are proud to operate a ‘Privacy by Design’ approach, assessing changes and their impact from the start and designing systems and processes to protect personal information at the core of our business.


H+R is the Data Controller under the Act, which means that it determines what purposes personal information held, will be used for. It is also responsible for notifying the Information Commissioner of the data it holds or is likely to hold, and the general purposes that this data will be used for.


H+R may share data with other parties.

The individual will be made aware in most circumstances how and with whom their information will be shared.  There are circumstances where the law allows H+R to disclose data (including sensitive data) without the data subject’s consent.

These are:

  1. Carrying out a legal duty or as authorised by the Secretary of State
  2. Protecting vital interests of an Individual or other person
  3. The Individual has already made the information public
  4. Conducting any legal proceedings, obtaining legal advice or defending any legal rights
  5. Monitoring for equal opportunities purposes – i.e. race, disability or religion
  6. Providing a confidential service where the individual’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill Individuals to provide consent signatures.

H+R regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.

H+R intends to ensure that personal information is treated lawfully and correctly.

To this end, H+R will adhere to the Principles of Data Protection, as detailed in the document and these are based upon six privacy principals which are as follows:

1. Lawfulness, fairness and transparency

  • Transparency: Tell the subject what data processing will be done.
  • Fair: What is processed must match up with how it has been described.
  • Lawful: Processing must meet the tests described in GDPR.

2. Purpose limitations

Personal data can only be obtained for “specified, explicit and legitimate purposes”.  Data can only be used for a specific processing purpose that the subject has been made aware of and no other, without further consent.

3. Data minimisation

Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. i.e. No more than the minimum amount of data should be kept for specific processing.

4. Accuracy

Data must be “accurate and where necessary kept up to date”. Baselining ensures good protection against identity theft. Data holders should build rectification processes into data management / archiving activities for subject data.

5. Storage limitations

The regulator expects personal data is “kept in a form which permits identification of data subjects for no longer than necessary”. i.e. Data no longer required should be removed.

6. Integrity and confidentiality

Requires processors to handle data “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage”.

H+R will, through appropriate management and strict application of criteria and controls:

  • Observe fully conditions regarding the fair collection and use of information
  • Meet its legal obligations to specify the purposes for which information is used
  • Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements
  • Ensure the quality of information used
  • Ensure that the rights of people about whom information is held, can be fully exercised under the Act. These include:
    • The right to be informed that processing is being undertaken,
    • The right of access to one’s personal information
    • The right to prevent processing in certain circumstances and
    • The right to correct, rectify, block or erase information which is regarded as wrong information
  • Take appropriate technical and organisational security measures to safeguard personal information
  • Ensure that personal information is not transferred abroad without suitable safeguards
  • Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information
  • Set out clear procedures for responding to requests for information


Informed consent is when:

  • An Individual clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data
  • And then gives their consent.

H+R will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form.

When collecting data, H+R will ensure that the Individual:

  1. Clearly understands why the information is needed
  2. Understands what it will be used for and what the consequences are should the Individual decide not to give consent to processing
  3. As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed
  4. Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress
  5. Has received sufficient information on why their data is needed and how it will be used

5. Data Storage

Information and records relating to individuals will be stored securely and will only be accessible to authorised staff.

Information will be stored for only as long as it is needed or required by statute, and will be disposed of appropriately.

It is H+R responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party.


Articles 37-39, and Recital 97 of the GDPR detail the obligations, requirements and responsibilities on companies to appoint a Data Protection Officer (DPO) and specifies the duties that the officer themselves must perform.

A Data Protection Officer (DPO) must be appointed by a company where the

  • processing is carried out by a public authority or body (except for courts acting in their judicial capacity).
  • core activities of the controller/processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
  • core activities of the controller/processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

H+R has appointed a Designated Protection Officer (DPO), in accordance with the GDPR requirements and have ensured that the assigned person has an adequate and expert knowledge of data protection law. They have been assessed as being fully capable of assisting the Company in monitoring our internal compliance with the Regulation and supporting and advising employees and associated third parties with regards to the data protection laws and requirements.


All Individuals have the right to access the information H+R holds about them. H+R will also take reasonable steps ensure that this information is kept up to date by asking data subjects whether there have been any changes.

In addition, H+R will ensure that:

  • It has a Data Protection Officer with specific responsibility for ensuring compliance with Data Protection
  • Everyone processing personal information understands that they are contractually responsible for following good data protection practice
  • Everyone processing personal information is appropriately trained to do so
  • Everyone processing personal information is appropriately supervised
  • Anybody wanting to make enquiries about handling personal information knows what to do
  • It deals promptly and courteously with any enquiries about handling personal information
  • It describes clearly how it handles personal information
  • It will regularly review and audit the ways it holds, manage and use personal information
  • It regularly assesses and evaluates its methods and performance in relation to handling personal information
  • All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998.

In case of any queries or questions in relation to this policy please contact the Data Protection Officer:  Tamsin Kirtley, Accounts Manager  

Glossary of Terms

Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data.

Binding Corporate Rule means personal data protection policies which are adhered to by the Company for transfers of personal data to a controller or processor in one or more third countries or to an international organisation.

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Cross Border Processing means processing of personal data which: –

  • takes place in more than one Member State; or
  • which substantially affects or is likely to affect data subjects in more than one Member State

Data Controller means, the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data protection laws means for the purposes of this document, the collective description of the GDPR, Data Protection Bill and any other relevant data protection laws that the Company complies with.

Data Subject means an individual who is the subject of personal data

Explicit consent is a freely given, specific and informed agreement by an Individual in the processing of personal information about her/him. Explicit consent is needed for processing sensitive data.

GDPR means the General Data Protection Regulation (EU) (2016/679)

Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Individual is the person whose personal information is being held or processed by the Company for example: a client, an employee, or supporter.

Notification – Notifying the Information Commissioner about the data processing activities of the Company, as certain activities may be exempt from notification.

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Supervisory Authority means an independent public authority which is established by a Member State

Sensitive data – refers to data about:

  • Racial or ethnic origin
  • Political affiliations
  • Religion or similar beliefs
  • Trade union membership
  • Physical or mental health
  • Sexuality
  • Criminal record or proceedings

Third Party means a natural or legal person, public authority, agency or body other than the data subject, under our direct authority.