07565 006470

John Walne Workplace Investigations and Training Ltd.

Confidentiality and Data Protection Policy

1. Purpose.

The purpose of this Policy is to ensure that “John Walne Workplace Investigations and Training Ltd” (“The Company”) complies with legal requirements regarding the processing* of personal information** and the protection of the individual’s right to privacy.

2. Legal Context.

The Human Rights Act (HRA) 1998 guarantees respect for a person’s private and family life, home and correspondence. 

The Data Protection Act 2018 (“DPA”) has incorporated the principles and provisions of the EU General Data Protection Regulation, and ensures that personal information that might identify individuals must be protected from inappropriate use.

3. Principles.

All those with whom “The Company” comes into contact, within the course of its work, have the right to expect that personal information about them will be treated with respect, with confidentiality, and in accordance with principles of the DPA and the GDPR.

John Walne Workplace Investigations and Training will act as a Data Processor.

The UK GDPR defines a processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

All personal information provided to “The Company” will be stored and used in a manner as set out in the Terms of Business agreed between “The Company” and the Data Controller, who provide the information for the purposes as outlined in the Terms of Business.

4. Information likely to be held by “The Company”.

Personal information may be held by “The Company” for a variety of reasons.

Information held is likely to include:

• Contact details (name, role, phone number, organisation and e-mail address) for primary contacts within actual and potential client organisations.

• Information about individuals for the purposes of working toward the resolution of disputes (through investigation, etc.), as specified in the terms of reference for each case, agreed with the client.

• Information about individuals obtained during the course of an investigation that may not have been identified when the Terms of Reference were written.

• Information about individuals for the purpose of arranging and delivering training within the workplace or on-line.

5. Requirements.

The Policy requires that the Directors of “The Company”:

• Understand the Policy and how it affects their work for “The Company”.

• Fully apply the principles of the Policy.

• Immediately report any breach of personal information to the Data Controller.

6. Management and Retention of Personal Information.

Management.

Give the Data Controller access to the personal information held, upon request.

Include the word “confidential” in all email communications and documents created as part of an investigation, such as the Terms of Reference and the Investigation Report.

Use password protection in the transmission of confidential information by electronic means when requested by a client.

Anonymise any information that is held and used for training purposes.


Retention.

Information: All emails and documentation created during an investigation.
Action required: Delete all records held by “The Company” within 28 days of payment of the invoice, once the investigation is complete and the final report has been submitted (unless the client requests otherwise or legal action is anticipated).

Information: Training information and presentations.
Action required: To be securely held by “The Company” on an ongoing basis and deleted if requested by the client.

Information: Contact details.
Action required: Regularly review and keep up to date and accurate.

7. Responding to Data Subject Access Requests

An individual has a right under the DPA to request a copy of their personal information held by “The Company”. This is called a Subject Access Request (SAR). If a SAR is received directly from an individual (rather than from the client), “The Company” will inform the client and a decision will be made as to who shall respond. If “The Company” is to respond, a copy of the response will be sent to the client for review and comment prior to providing the information requested.

“The Company” will have cognisance of the Information Commissioner’s Subject Access Request Code of Practice.

8. Action in the event of a Data Breach.

A personal data breach will arise whenever: 1) any personal data is lost, destroyed, corrupted or disclosed; 2) someone accesses the data or passes it on without proper authorisation; or 3) the data is made unavailable and this unavailability has a significant negative effect on a data subject.

In the event of a data breach, it will be reported to the relevant client(s) without delay and, where relevant, reported to the ICO within the statutory 72 hours.

Date of Policy: September 2025

*Processing is any activity relating to personal data, which can include collecting, recording, storing, amending, disclosing, transferring, retrieving, using or destroying it.

**Personal Information is any information that identifies a living individual (data subject) either directly or indirectly. This also includes special categories of personal data. Personal data does not include data which is entirely anonymous, or from which the identity has been permanently removed, making it impossible to link it back to the data subject.

Special categories of personal data include any personal data which reveals a data subject’s ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric or health data, sex life or sexual orientation.