Hank and Ginger
Document Name: Data Protection Policy
Document Version Number 01
Agreed and approved Peter Stanfield on: 01 May 2018
Review Schedule Every two years
Next review due May 2020
This document outlines our legal requirements under the General Data Protection Regulations and the processes by which Hank and Ginger (H&G) meets them.
Implementation and Quality Assurance
Implementation is immediate and this Policy shall stay in force until any alterations are formally agreed.
The Policy will be reviewed every two years by the director of H&G, or sooner if legislation, best practice or other circumstances indicate this is necessary.
Data Protection Policy
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. GDPR takes effect from 25 May 2018.
The following guidance is not a definitive statement on the Regulations but seeks to interpret relevant points where they affect H&G.
The Regulations cover both written and computerised information and the individual’s right to see such records.
It is important to note that the Regulations also cover records relating to staff and tutors.
All H&G staff are required to follow this Data Protection Policy at all times.
The director has overall responsibility for data protection within H&G but each individual processing data is acting on the controller’s behalf and therefore has a legal obligation to adhere to the Regulations.
Processing of information – how information is held and managed.
Information Commissioner – formerly known as the Data Protection Commissioner.
Notification – formerly known as Registration.
Data Subject – used to denote an individual about whom data is held.
Data Controller – used to denote the entity with overall responsibility for data collection and management. Peter Stanfield is the Data Controller for the purposes of the Act.
Data Processor – an individual handling or processing data.
Personal data – any information which enables a person to be identified.
Special categories of personal data – information under the Regulations which requires the individual’s explicit consent for it to be held by the organisation.
Data Protection Principles
As data controller, H&G is required to comply with the principles of good information handling.
These principles require the Data Controller to:
1. Process personal data fairly, lawfully and in a transparent manner.
2. Obtain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner that is incompatible with the purpose or purposes for which it was obtained.
3. Ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.
4. Ensure that personal data is accurate and, where necessary, kept up-to-date.
5. Ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
6. Ensure that personal data is kept secure.
7. Ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which it is sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.
H&G must record students’ explicit consent to storing certain information (known as ‘personal data’ or ‘special categories of personal data’) on file. Please note H&G does not hold special categories of personal data.
For the purposes of the Regulations, personal data covers information relating to a student’s or supplier’s:
1. Full name
2. Home address
3. Mobile and landline numbers
4. LinkedIn profile and social media profiles
5. Date of birth
6. Job title
7. Highest qualification achieved
8. Employer’s details
9. Employer’s authorising manager’s contact details
10. CIM membership number
11. Grades achieved
As a general rule H&G will always seek consent where personal or special categories of personal information are to be held.
It should also be noted that where it is not reasonable to obtain consent at the time data is first recorded and the case remains open, retrospective consent should be sought at the earliest appropriate opportunity.
Consent may be obtained in a number of ways depending on the nature of the enquiry, and consent must be recorded:
Consent obtained for one purpose cannot automatically be applied to all uses, e.g. where consent has been obtained from a student in relation to information needed for the provision of training, separate consent would be required if, for example, direct marketing of other 3rd party services is to be undertaken.
Preliminary verbal consent should be sought at point of initial contact as personal data will need to be recorded either in an email or on a computerised record (e.g. CRM software). The verbal consent is to be recorded in the appropriate fields on the computer record or stated in the email for future reference. Although written consent is the optimum, verbal consent is the minimum requirement.
Specific consent for use of any photographs and/or videos taken should be obtained in writing. Such media could be used for, but not limited to, publicity material, press releases, social media, and website. Consent should also indicate whether agreement has been given to their name being published in any associated publicity.
Individuals have a right to withdraw consent at any time. If this affects the provision of training by H&G then the course advisor or administrator should discuss with the director at the earliest opportunity.
Ensuring the Security of Personal Information
1. It is an offence to disclose personal information ‘knowingly and recklessly’ to third parties.
2. It is a condition of receiving an enquiry or course enrolment that all students for whom we hold personal details agree to H&G holding such information.
3. A student’s individual consent to share information should always be checked before disclosing personal information to another party.
4. Personal information should only be communicated within H&G’s staff on a strict need to know basis. Care should be taken that conversations containing personal or special categories of personal information cannot be overheard by people who should not have access to such information.
Use of Files and Paper Records
In order to prevent unauthorised access or accidental loss or damage to personal information, it is important that care is taken to protect personal data. Paper records should be kept in secure places overnight and care should be taken that personal and special categories of personal information are not left unattended and in clear view during the working day. If your work involves you having personal and/or special categories of personal data at home or in your car, the same care needs to be taken.
Disposal of Scrap Paper, Printing or Photocopying Overruns
Be aware that names/addresses/phone numbers and other information written on scrap paper are also considered to be confidential. Please do not keep or use any scrap paper that contains personal information but ensure that it is shredded.
If you are transferring papers from your home to the office for shredding this should be done as soon as possible and not left in a car for a period of time. When transporting documents they should be carried out of sight in the boot of your car.
Where computers are networked, access to personal and special categories of personal information is restricted by password to authorised personnel only.
Computer monitors in public areas should be positioned in such a way so that passers-by cannot see what is being displayed. If this is not possible then privacy screens should be used on the monitor to afford this level of protection. If working in a public area, you should lock your computer when leaving it unattended.
Firewalls and virus protection are to be employed at all times to reduce the possibility of hackers accessing H&G systems and thereby obtaining access to confidential records.
Documents should only be stored on cloud-based systems and not on individual computers.
Where computers or other mobile devices are taken for use off the premises the device must be password protected.
When commissioning cloud based systems, H&G will satisfy themselves as to the compliance of data protection principles and robustness of the cloud based providers.
H&G currently uses two cloud based data management systems to hold and manage information about its service users and donors/supporters.
Apptivo is a CRM platform that holds data about our students, tutors, staff and suppliers. Access is password protected and restricted to named users, with the level of access for each user on a ‘need to know’ basis to be able to carry out their job. Although based in the USA, Apptivo follows the principles of EU Safe Harbor and other Privacy domains. Furthermore, Apptivo follows accepted industry standards to protect the personal information submitted to it both during transmission and once received.
As such H&G is satisfied with the security levels in place to protect its data.
Dropbox is a cloud-based storage system to securely hold data. Dropbox Business is certified as being compliant with the most widely accepted security and privacy standards and regulations in the world, such as ISO 27001/2, ISO27018/17 and SOC 2. As such LMS is confident with Dropbox holding H&G data compliant with GDPR regulations.
Marketing is a communication that seeks to elicit a measurable response (such as an enquiry, a visit to a website, sign up to an Open Evening). The communication may be in any of a variety of formats including mail, telemarketing and email. The responses should be recorded to inform the next communication. H&G will not share or sell its database(s) with outside organisations.
H&G holds information on our students, staff, tutors, awarding bodies and other suppliers, to whom we will from time to time send details of our courses and events, including newsletters and details of other activities that may be of interest to them. Specific consent to contact will be sought from H&G staff, including which formats they prefer (e.g. mail, email, phone, etc.) before making any communications.
We recognise that clients/students for whom we hold records have the right to unsubscribe from our mailing lists. This wish will be recorded on their records and they will be excluded from future contacts.
The following statement is to be included on any forms used to obtain personal data:
We promise never to share or sell your information to other organisations or businesses and you can opt out of our communications at any time by telephoning 07701026947 or writing to Hank and Ginger, 164-180 Union Street, SE1 0LH.
Any documentation which gathers personal and/or special categories of personal data should contain the following Privacy Statement information:
· Explain who we are
· What we will do with their data
· Who we will share it with
· Consent for marketing notice
· How long we will keep it for
· That their data will be treated securely
· How to opt out
· Where they can find a copy of the full notice
A fuller Privacy Statement will also be published on our website.
The Regulations apply equally to staff, tutor and supplier records. H&G may at times record special categories of personal data with the employee’s consent or as part of a staff member’s contract of employment.
When working from home, or from some other off-site location, all data protection and confidentiality principles still apply. All computer data, e.g. documents and programmes related to work for H&G should not be stored on any external hard disk or on a personal computer.
Workstations in areas accessible to the public, e.g. study centres, should operate a clear desk practice so that any paperwork, including paper diaries, containing personal data is not left out on the desk where passers-by could see it.
Retention of Records
Paper records should be retained for the following periods at the end of which they should be shredded:
· Student records – 6 years after ceasing to be a student.
· Staff records – 6 years after ceasing to be a member of staff.
· Unsuccessful staff application forms – 6 months after vacancy closing date.
· Internship records – 6 years after ceasing to be an intern.
· Financial documents – 7 years.
· Employer’s liability insurance – 40 years.
Archived records should clearly display the destruction date.
Computerised records, e.g. Apptivo CRM records, are to be anonymised 6 years after the individual ceases to have any training from us. (Anonymising will remove the personal and special categories of personal data but will not remove the statistical data.)
What to Do If There Is a Breach
If you discover, or suspect, a data protection breach you should report this to the systems providers immediately to prevent a reoccurrence. Action should be taken and the outcome reviewed to determine whether the breach needs to be reported to the Information Commissioner.
Any deliberate or reckless breach of this Data Protection Policy by an employee may result in disciplinary action which may result in dismissal.
The Rights of an Individual
Under the Regulations an individual has the following rights with regard to those who are processing his/her data:
· Personal data cannot be held without the individual’s consent (however, the consequences of not holding it can be explained and a service withheld).
· Data cannot be used for the purposes of direct marketing of any goods or services if the Data Subject has declined to consent to this.
· Individuals have a right to have their data erased and to prevent processing in specific circumstances:
o Where data is no longer necessary in relation to the purpose for which it was originally collected
o When an individual withdraws consent
o When an individual objects to the processing and there is no overriding legitimate interest for continuing the processing
o Personal data was unlawfully processed
· An individual has a right to restrict processing – where processing is restricted, H&G is permitted to store the personal data but not further process it. H&G can retain just enough information about the individual to ensure that the restriction is respected in the future.
· An individual has a ‘right to be forgotten’.
Data Subjects can ask, in writing to the director, to see all personal data held on them, including e-mails and computer or paper files. The Data Processor (H&G) must comply with such requests within 30 days of receipt of the written request.
Powers of the Information Commissioner
The following are criminal offences, which could give rise to a fine and/or a prison sentence:
· The unlawful obtaining of personal data.
· The unlawful selling of personal data.
· The unlawful disclosure of personal data to unauthorised persons.
Further information is available at www.informationcommissioner.gov.uk
Details of the Information Commissioner
The Information Commissioner’s office is at:
Cheshire SK9 5AF
Switchboard: 01625 545 700
Data Protection Help Line: 01625 545 745
Notification Line: 01625 545 740