Procedure for Data Protection


To ensure that Data Protection obligations are met.


Throughout the whole organisation, including Green Deal Assessors, Green Deal Installers, Green Deal Suppliers and any person undertaking work on behalf of the



The person responsible for Data Protection is Muhammed Fiaz (Director), “the nominated person”.

All documents are approved by the nominated person for use and are regularly checked and updated at the quarterly meetings, or earlier if required.

The director carries out a weekly check for any changes in policies or documentation that require action.

Corrections and changes are made whenever necessary and recorded in the master document list on the computer. The version or issue number is changed and allocated


This document is issued to:-

All Members of Staff including:-

Sales Staff
Green Deal Assessors
Green Deal Installers
Green Deal Suppliers

All documents and data are backed up separately at the end of each day and uploaded to a server at a separate location by the nominated person.

Obsolete documents are removed from the Master List and replaced with updated versions, and the version or issue number and the date are changed accordingly.


It is a legal requirement under the Data Protection Act 1998 to ensure that personal information is properly protected. We must comply with the requirements of the Act when processing personal data in connection with the Green Deal.

All members of staff, including sub-contractors, sales staff, Green Deal Assessors and Green Deal Installers, must pay sufficient attention to the way personal information is handled and kept safe.

Issue Date 1/1/2015 Version 1 Revision 0 Page 1 of 8


These policies and procedures are a response to these needs. They set out the steps that every individual should take to monitor, control and mitigate the risk should personal information be lost or data protection systems fail.

The robust application of the guidelines, coupled with the characteristic vigilance of staff, will help to reduce the risks associated with handling personal data.

This document sets out the protocols which govern our company’s compliance with the Data Protection Act 1998.

Our firm will provide awareness sessions to ensure that all employees, sub-contractors and any person/s working on behalf of the company comply with their obligations under the Data Protection Act 1998.


Personal Data

The Data Protection Act 1998 regulates the use of “personal data”.

Personal data is data which relates to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller.

Personal Data includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the


Sensitive Personal Data

The following categories of data have been defined as ‘sensitive personal data’ under the Data Protection Act 1998:

a. Racial or ethnic origin
b. Political affiliations and opinions
c. Religious or other beliefs of a similar nature
d. Trade union membership
e. Physical or mental health or condition
f. Sexual life
g. Offences (including alleged offences)
h. Criminal proceedings, outcomes and sentences

Data Controller

A Data Controller is the person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.


Data Processor

A Data Processor, in relation to personal data, is any person (other than an employee of the Data Controller) who processes personal data on behalf of the Data Controller.

Data Subject

A Data Subject is an individual who is the subject of personal information, e.g. Joe Blogs was provided with a Green Deal Plan for a boiler. In this statement Joe Blogs is the Data Subject.

Third Party

A Third Party, in relation to personal data, is any person other than the Data Subject, the Data Controller, the Data Processor or any other person authorised to process data for the Data Controller or Processor.

Privacy Notice

A Privacy Notice is the declaration of intent made by a Data Controller when they collect personal information; it should detail how the information provided to them will be processed.

Data Protection Principles

All individuals who process personal data held by our company (manual or electronic) have an obligation to comply with the 8 Principles of the Data Protection Act 1998.

Principle 1: Obtain and process personal data fairly and lawfully.

The first data protection principle requires our company, as a Data Controller, to have legitimate grounds for collecting the personal data we obtain and process.

The data obtained by our company should not be used in an unjustified manner which could cause adverse effects on Data Subjects.

To comply with the first data protection principle our company should inform Data Subjects of the intended use of their personal data; this can be undertaken in the form of a privacy notice.

Principle 2: Obtain and process personal data only for one or more specified and lawful purpose or purposes.

Before obtaining personal data our company must understand why it is collecting the data and be clear about the reasons for the data collection.

On collecting the data our company should provide a clear and explanatory privacy notice informing data subjects of the intended use of their data.

Our company Information and Compliance Officer is to be informed of all new forms of processing at the office. There is a legal obligation under the Act to ensure all processing undertaken by a Data Controller is reflected in their Notification to the ICO (Information Commissioner’s Office).

Principle 3: Personal data should be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

The amount of personal data held on a Data Subject should not exceed the amount required for its purpose. Therefore, our company should not continue to hold data on an individual when it serves no purpose.

Principle 4: Personal data should be accurate and, where necessary, kept up to

Our company should take steps to ensure the personal data it holds is accurate; it should also ensure that a clear record is kept noting the origins of the data, e.g. canvass, new customer, existing customer.

All challenges made regarding the inaccuracy of data held are to be recorded, carefully considered and rectified when and where appropriate.

Principle 5: Hold personal data for no longer than is necessary.

A regular assessment should be undertaken by our company to review the length of time records are held.

Once personal data is no longer required by our company it must be destroyed in an appropriate and secure manner.

All data relating to requests for personal data received by our company under the Data Protection Act 1998 should be destroyed after five years in which the request was

Principle 6: Process personal data in accordance with the rights of Data Subjects under the Act.

The Data Protection Act 1998 sets out a number of rights for Data Subjects which must be upheld by Data Controllers; these consist of:

• a right of access to a copy of the information comprised in their personal data;
• a right to object to processing that is likely to cause or is causing damage or distress;
• a right to prevent processing for direct marketing;
• a right to object to decisions being taken by automated means;
• a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
• a right to claim compensation for damages caused by a breach of the Act.

Data Protection Procedures Revised Aug 2011

Principle 7: Take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Our company should ensure that data security measures are organised and implemented to reduce the potential harm of any data security breach, e.g. encryption of portable storage devices.

Our company will make available policies and procedures for all staff, sub-contractors and Data Processors regarding the physical and technological security measures to be undertaken by our company to protect the personal data held by our

Our company should be prepared to respond to a breach of data security promptly and

Principle 8: Do not transfer personal data to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of personal data.

The European Economic Area consists of the following countries:

Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.

The following countries outside of the EEA are considered to have an adequate level of protection in accordance with the Data Protection Act 1998:

Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey.

It is extremely unlikely that we will have to transfer data outside of the United Kingdom; however, data can be transferred outside of the countries with adequate protection if a valid exception can be justified. The following exceptions are available for application:

• Consent
• Contract Performance
• Substantial public interest
• Vital Interests
• Public Registers
• Legal Claims

Code of Practice

Our company employees and/or sub-contractors should be aware that all personal data collected, held and processed manually or electronically as part of their employment duties are subject to the Data Protection Principles.

Employment duties may require the publishing of your name, contact details and job title, when it relates to your professional capacity at our company.

Areas of Responsibility

The company correspondent with the Information Commissioner shall be the nominated

On a day-to-day basis, the nominated person shall review the policy when new legislation which has an impact on personal data is brought into force. It is the responsibility of the nominated person and all managers to ensure that their staff are aware of the company Data Protection Policy, Procedures and relevant guidance documents, as well as their personal obligations under the Data Protection Act 1998.

All members of staff and sub-contractors, as well as anyone processing data on behalf of our company, such as suppliers, assessors, installers and other agents, have an individual responsibility not only to the company but also to the UK Information Commissioner. Therefore, all principles set out in the Act and our company procedures and guidance documents must be adhered to.

Suppliers, Assessors, Installers, Agents

Suppliers, Green Deal Assessors, Green Deal Installers and Sales agents of our company are deemed to be agents of the company and are expected to follow the procedures/guidelines set out in our Data Protection Procedures and Guidance

Vendors, Contractors, Suppliers

Our company staff must restrict access to personal data by non-employees.

Access to data by vendors, contractors and suppliers must be controlled and

Vendors, contractors and suppliers must be restricted from unnecessary admittance to areas where personal data is held or processed.

Vendors, contractors and suppliers will be required to sign non-disclosure agreements as part of a contract, where access to personal data is unavoidable.

Data Security Breach

If you suspect or have proof that there has been a breach of data security in our company, please notify the nominated person in the first instance. Where a breach of data has been deliberate, the company may consider instituting disciplinary procedures against such individuals.

The Information and Compliance Officer, under the management of the nominated person, shall ensure that notification under the Data Protection Act 1998, appropriate to all aspects of our company’s business, is filed with the Office of the Information Commissioner annually. The Notification is to be maintained and reviewed annually, via an annual audit co-ordinated by the Information and Compliance Officer.


Documents should be held in accordance with Principle 5 of the Data Protection Act 1998.

Handling of sensitive & financial personal data

Explicit consent from the Data Subject is required for the processing of sensitive personal data. The categories of data which have been designated as sensitive personal data under the Data Protection Act 1998 are listed in paragraph 5 of the

Our company also recommends that financial information be handled with the same care as sensitive personal data. For example, credit card details should be recorded separately from non-sensitive personal data and only transferred to areas of the company that are involved in financial processing.

Similarly, staff payroll details to be disseminated via e-mail must be encrypted and should never be held on unprotected servers.

On enrolment, all contractors, sub-contractors, Green Deal Assessors and Green Deal Installers are asked to sign a Data Protection declaration form with a general declaration giving consent to have their data used for promotional purposes, followed by sections pertaining to references and finance.

Publishing Staff Data

It is the responsibility of all members of staff who produce material for release into the public domain (e.g. installation references) to check the level of permission granted under the Data Protection Procedures.

Data Protection Training

Data Protection training will be provided as part of the initial induction training course that all members of staff are obligated to attend, which will initially be held at our head office by the nominated person.

Ongoing training and external training courses will also be held and made available to everyone, and may be highlighted during individual appraisals of staff and contractors.

The frequency of training courses will be every six months.

Data Protection Policy Audit

An audit is important as it provides an assessment of whether our organisation is following good data protection practice. Any staff member that holds, controls or uses personal data is bound by the Data Protection laws and needs to be aware of their

An on-site audit is carried out by a Data Protection Officer who will go around the offices and question staff members using a self-assessment checklist/audit form to enable staff to demonstrate their compliance and understanding, including of the eight data protection principles.

Additionally the Data Protection Officer will check training records and courses to understand the awareness of staff and identify potential areas where action needs to be

The Officer will also check computers to see if they have password access and check how the data is backed up, and see first-hand the processes for handling both electronic and manual records containing personal data.

The Data Protection Officer will provide a report with a follow-up review every six

Non Compliance

Non-compliance matters will be resolved by informing the staff member within 24 hours of discovering the non-compliance, both verbally and in writing, clearly outlining the non-compliance and the reasons, and giving the staff member a reasonable period of time to correct the issue. A face to face meeting will be encouraged and, if necessary, it may be necessary to contact a relevant Certification Body. Our policy is always to work with the staff member to resolve the issue; however, if the non-compliance is of such a serious nature that we cannot reach a suitable resolution then, as a last resort, Disciplinary Action may have to be taken.

Where applicable our firm will also notify and inform the relevant Green Deal Certification Body.


Contacts and Further Information

Any queries regarding the content of these procedures should be referred to the nominated person and/or the Information and Compliance Officer.

Further information about Data Protection matters can be found on the Information Commissioner’s website at www.ico.gov.uk.
