Geyser is fully committed to compliance with the requirements of the Data Protection Act 1998, which came into force on the 1st March 2000. Geyser will therefore follow procedures that aim to ensure that all employees, contractors, consultants, agents and partners of Geyser who have access to any personal data held by or on behalf of the Geyser, are fully aware of and abide by their duties and responsibilities under the Act.

Statement of Policy

In order to operate efficiently, Geyser has to collect and use information about people with whom it works. These may include members of the public; current, past and prospective employees (see ‘Processing and Use of Employee Data’ below) clients and customers; and suppliers. In addition, it may be required by law to collect and use information in order to comply with the requirements of central government and the EU. This personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means, and there are safeguards within the Act to ensure this.

Geyser regards the lawful and correct treatment of personal information as very important to its successful operations and to maintaining confidence between the company and those with whom it carries out business. Geyser will ensure that it treats personal information lawfully and correctly.

To this end Geyser fully endorses and adheres to the Principles of Data Protection as set out in the Data Protection Act 1998.

The Principles
Employees, contractors, consultants, agents and partners of Geyser processing personal data must comply with Eight Principles of good practice. These Principles are legally enforceable.

  1. The Principles require that personal information:
    Shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met;
  2. Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;
  3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
  4. Shall be accurate and where necessary, kept up to date;
  5. Shall not be kept for longer than is necessary for that purpose or those purposes;
  6. Shall be processed in accordance with the rights of data subjects under the Act;
  7. Shall be kept secure i.e. protected by an appropriate degree of security;
  8. Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.

Personal data is data relating to a living individual who can be identified from:

  •  That data;
  •  That data and other information which is in the possession of, or is likely to come into the possession of the datacontroller and includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person in respect of the individual.

Sensitive personal data is personal data consisting of information as to:

  •  Racial or ethnic origin;
  •  Political opinion;
  •  Religious or other beliefs;
  •  Trade union membership;
  •  Physical or mental health or condition;
  •  Sexual life;
  •  Criminal proceedings or convictions.


Handling of Personal and/or Sensitive Information

Geyser will, through appropriate management and the use of strict criteria and controls:

  •  Observe fully, conditions regarding the fair collection and use of personal information;
  •  Meet its legal obligations to specify the purpose for which information is used;
  •  Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
  •  Ensure the quality of information used;
  •  Apply strict checks to determine the length of time information is held;
  •  Take appropriate technical and organisational security measures to safeguard personal information;
  •  Ensure that personal information is not transferred abroad without suitable safeguards;
  •  Ensure that the rights of people about whom the information is held can be fully exercised under the Act.


These include:

  •  The right to be informed that processing is being undertaken;
  •  The right of access to one’s personal information within the statutory 40 days;
  •  The right to prevent processing in certain circumstances;
  •  The right to correct, rectify, block or erase information regarded as wrong information.


All managers and staff within Geyser will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:

  •  Paper files and other records or documents containing personal/sensitive data are kept in a secure environment;
  •  Personal data held on computers and computer systems is protected by the use of secure passwords, which where

    possible have forced changes periodically;

  •  Individual passwords should be such that they are not easily compromised.


All suppliers, contractors, consultants and partners must:

  •  Ensure that they and all of their staff who have access to personal data held or processed for or on behalf of Geyser, are aware of this policy and are aware of their duties and responsibilities under the Act. Any breach of any provision of the Act will be deemed as being a breach of any contract between Geyser and that individual, company or partner;
  •  Allow data protection audits by Geyser of data held on its behalf (if requested);
  •  Indemnify Geyser against any prosecutions, claims, proceedings, actions or payments of compensation or damages,without limitation.

All suppliers, contractors, consultants and partners who are users of personal information supplied by Geyser will be required to confirm that they will abide by the requirements of the Act and any other requirements that may be specified with regard to information supplied by Geyser.

Processing and Use of Employee Data

Geyser (the ‘Company’) is a company whose main asset is its people. Customers buy the skills, experience and expertise of the Company’s employees. It is therefore important that the Company has access to and can use this on a day to day basis.


All employees are required to have their photo taken. The photo will be used for 2 purposes: a) The intranet – this is important for both security reasons and for improving communications b) On CVs/ pen pictures that are submitted for bids (see below)

The Company undertakes that photos will not be used for any other purpose without the employee’s permission. The photo is usually taken on the first day of employment as part of the induction process.

CVs and Pen Pictures

The Company is often required to submit CVs/ pen pictures of employees as part of the bid process for contracts. The contracting company reviews these CVs to confirm that Geyser does have the skills, experience and expertise that it is looking for from its supplier. The CVs/ pen pictures are in a standard format and do not include personal details such as date of birth, home address, contact details.

Employees will always be contacted if we are going to use their information in a bid. None of this information will be used in any form without prior permission of the employee. No changes will be made to the CV/ pen picture without the employee’s permission.

Data Sharing

Data sharing is carried out under a written agreement. Please contact the Legal Team to draft the appropriate agreement for you.

Want help creating a more sustainable future?
Call us for an initial discussion on +44 (0) 1707 830 600.

Contact us