Last Reviewed: 11/05/2026
Next Review Date: 11/05/2027
1. Purpose
This policy explains how Highway Data Systems Ltd (“HDS”) manages data protection and complies with the UK General Data Protection Regulation, the Data Protection Act 2018 and other applicable data protection requirements.
HDS is committed to handling personal data lawfully, fairly, transparently and securely, and to protecting the rights and privacy of individuals.
This policy is supported by HDS’s privacy notices, Data Processing Register, Third-Party Supplier and Data Processor Register, data breach records, data subject request records and related data protection documents. These records are maintained internally and are made available to relevant personnel where required for their role.
2. Scope
This policy applies to all employees and anyone acting on behalf of HDS who may access, use, store, share or otherwise process personal data.
It also applies where third-party suppliers, service providers or professional advisers process personal data for, or in connection with, HDS business activities.
3. Data Protection Principles
HDS will process personal data in line with the following principles. Personal data will be:
processed lawfully, fairly and transparently;
collected for specified, explicit and legitimate purposes;
adequate, relevant and limited to what is necessary;
accurate and kept up to date where necessary;
retained only for as long as necessary;
processed securely to protect confidentiality, integrity and availability;
managed in a way that allows HDS to demonstrate compliance.
4. Data Processing Register
HDS maintains a Data Processing Register to record the main types of personal data processed by the business.
The register records, where relevant:
the processing activity;
the categories of personal data;
the categories of individuals affected;
the purpose of processing;
the lawful basis;
special category or criminal offence data notes;
supplier or third-party sharing;
retention and destruction arrangements;
relevant safeguards and controls.
The register will be reviewed annually, or sooner if there are significant changes to HDS’s systems, suppliers, services, legal requirements or data processing activities.
5. Privacy Notices
HDS maintains privacy notices to explain how personal data is collected, used, stored and shared.
These include:
Business Privacy Notice;
Employee Privacy Notice;
HDS App Privacy Policy.
Employees will be provided with the Employee Privacy Notice. External individuals, including clients, suppliers, business contacts and app/platform users, will be provided with or directed to the relevant privacy notice where appropriate.
6. Special Category and Criminal Offence Data
HDS may process limited special category data where necessary, such as health, sickness, occupational health, equality or similar sensitive information.
HDS may also process criminal offence data where required for DBS, Disclosure Scotland or other authorised checks, where this is necessary, appropriate and legally permitted.
Special category and criminal offence data must be handled carefully, accessed only where necessary, protected by suitable safeguards, and retained only for as long as needed.
HDS maintains a Special Category and Criminal Offence Data Safeguards Statement to support this.
7. Data Protection Impact Assessment
HDS will complete a Data Protection Impact Assessment (DPIA) or DPIA screening where processing may involve higher risk to individuals.
HDS has completed a DPIA for GPS, vehicle tracking, lone working and location data. This covers Optrix/VISIR GPS, eLoad GPS/delivery data, vehicle tracking and lone working arrangements.
DPIAs will be reviewed annually, or sooner if systems, suppliers, tracking use, legal requirements, complaints, incidents, data breaches or business processes change.
8. Third-Party Suppliers and Processors
HDS uses third-party suppliers and service providers to support its business operations.
HDS maintains a Third-Party Supplier and Data Processor Register to record key suppliers, systems and platforms, including:
what personal data may be processed;
the supplier’s likely role, such as processor or independent controller;
evidence of privacy terms, data processing terms or security information;
international transfer considerations where relevant;
review status.
Where a supplier processes personal data on behalf of HDS, appropriate data protection terms or contractual arrangements should be in place where required.
9. Staff Responsibilities
All employees must handle personal data securely and only for authorised HDS business purposes.
Employees must:
only access personal data needed for their role;
keep personal data secure and confidential;
avoid unnecessary sharing of personal data;
check recipients before sending emails, documents or messages;
use approved HDS systems where possible;
keep passwords secure and not share login details;
report suspected data breaches or mistakes immediately;
pass any data subject request or privacy complaint to management promptly;
avoid entering personal data, client confidential information or sensitive HDS information into AI tools unless approved.
Employees will receive a data protection briefing and may be asked to acknowledge that they have read and understood relevant privacy information.
10. Confidentiality
Employees are required to maintain confidentiality when handling HDS, client, supplier, employee or other personal/business information.
Confidentiality obligations apply during employment and continue after employment ends.
HDS may use confidentiality and impartiality agreements, staff briefings, access controls and other measures to reinforce these responsibilities.
11. Data Security
HDS uses appropriate technical and organisational measures to protect personal data. These may include:
controlled access to systems and files;
password protection, user permissions and access controls;
secure cloud and software platforms;
restricted access on a need-to-know basis;
staff confidentiality obligations;
data protection procedures, registers and security controls;
secure storage, disposal and deletion of records;
removal of access when staff leave or change role;
return, wiping, reallocation or secure disposal of HDS equipment where required.
HDS maintains a Leaver, Equipment Return and Access Removal Checklist to help ensure equipment is returned and access is removed when employees leave or no longer need access.
12. Data Retention
HDS will not keep personal data longer than necessary.
Retention periods are recorded in the Data Processing Register and relevant privacy notices. Retention may vary depending on legal, contractual, accounting, employment, insurance, audit, health and safety, regulatory or dispute-related requirements.
Records should be securely deleted, archived, anonymised or destroyed when no longer required.
13. Data Subject Rights
Individuals may have rights under data protection law, including the right to:
request access to their personal data;
request correction of inaccurate or incomplete data;
request deletion in certain circumstances;
request restriction of processing in certain circumstances;
object to processing in certain circumstances;
request transfer of personal data in certain circumstances;
withdraw consent where processing is based on consent.
Requests should be passed to management promptly.
HDS maintains a Data Subject Requests and Complaints Register to record requests, deadlines, action taken, outcomes and closure.
14. Data Breaches and Security Incidents
Any actual or suspected personal data breach, security incident or data mistake must be reported to management immediately.
This may include:
sending personal data to the wrong person;
losing a device, file or document;
unauthorised access to a system;
accidental deletion or alteration of personal data;
sharing personal data without authorisation;
cyber incidents or suspected system compromise.
HDS will assess and record breaches in the Data Breach Register. Where required, HDS will notify the Information Commissioner’s Office within 72 hours of becoming aware of a notifiable breach.
Where a breach is likely to result in a high risk to individuals, HDS will also consider whether affected individuals must be informed.
15. Training and Awareness
HDS will provide appropriate data protection awareness to employees. This may include induction information, staff briefings, email updates, acknowledgements, refresher reminders or other suitable communication.
Employees are expected to follow HDS’s data protection procedures and raise questions if they are unsure how personal data should be handled.
16. Review
This policy will be reviewed annually, or sooner if there are significant changes to HDS’s business activities, systems, suppliers, legal requirements or personal data processing.
The review will consider whether related documents and records remain accurate, including:
privacy notices;
Data Processing Register;
Third-Party Supplier and Data Processor Register;
DPIAs;
data breach records;
data subject request records;
staff briefing records;
leaver/access removal records.
Joe Charlesworth
Director - Highway Data Systems Ltd