This security policy is designed to ensure that BRITISH METALS RECYCLING ASSOCIATION (BMRA) complies with the security requirements of the General Data Protection Regulation (GDPR), and the rights to privacy of data subjects are protected.

In compliance with Article 32, BMRA has implemented appropriate physical, organisational and technical measures to ensure a level of security appropriate to the risk.

BMRA is based at: 5 Ramsay Court, Hinchingbrooke Business Park, Huntingdon, Cambridgeshire PE29 6FY. The premises can be described as: Office Buildings. BMRA employs 6 staff.

Physical security measures:

  • Office building is alarmed.
  • Visitors to premises are supervised at all times.
  • Areas of the premises where personal data are kept are secured by locks/ security codes.
  • Computer screens are arranged so that they cannot be viewed by casual passers-by, particularly visitors.
  • Hard copy material containing personal data is stored securely and locked away in filing cabinets at night.
  • Hard copy special category data, such as medical records, are kept separately from other personal data in locked and fire proof filing cabinets, with restricted access.
  • Where this information is stored electronically, it is encrypted with restricted access.
  • Electronic data is backed up off site.
  • Any server on the premises is kept in a locked room.
  • Shredding of confidential information is carried out securely on site.
  • Mobile equipment such as laptops are password protected.
  • Computers and other electronic equipment are disposed of in a safe manner by an outsourced and certificated provider.

 Managerial security measures:

  • This policy is regularly reviewed, and senior management is committed to ensuring it is implemented.
  • The Board ensures Data Protection Lead has sufficient resources to carry out his role effectively.
  • Senior manager/Data Protection Lead has powers to discipline staff for breaches of this and other data protection policies.
  • Staff are trained in data protection.
  • Only designated staff may delete data and they receive specific training in this regard.
  • There is a procedure in place for authenticating the identity of telephone callers, customers and contractors engaged by the company.

Technical security measures:

  • Anti-virus and anti-spyware tools are installed on all computers.
  • All on-site computers are encrypted, and password protected.
  • Computers are programmed to download patches automatically.
  • Computers have automatic locking mechanisms when not in use.
  • Staff cannot transfer data onto removable devices such as USB sticks and CDs without the authority of the Data Protection Lead.
  • USB sticks and CDs used to transfer personal data are encrypted.
  • Access rights are monitored and reviewed. They are deleted when a member of staff leaves.
  • Personal data shared by email are protected as appropriate.

Security measures are reviewed, tested and evaluated at least once a year. Whenever a new project, process or procedure is introduced that carries a high risk to data subjects, a Data Protection Impact Assessment is carried out, at the instigation of the Data Protection Lead.