Back to Earth (SW) Ltd- DATA PROTECTION POLICY
1 ABOUT THIS POLICY
(1) Why do we have a policy?
(a) As an Organisation we store and use information, including personal information (“data”), about clients and others such as employees, workers (staff), job applicants, contractors, suppliers and others with whom we deal or have contact with according to our business obligations. In this Policy, which applies to everyone in the organisation, we will explain how we
(b) Our policy works on the basis of “Privacy by Design” which means that we develop data protection measures that meet the needs of our organisation and regularly review them.
(c) The date and version of this policy is shown in the header.
(2) The importance of this policy
(a) Everyone who works for, or on behalf of, the organisation has some responsibility for ensuring data is collected, stored and handled appropriately, in line with this policy and the following policies –
A copy of these policies can be obtained from the Appointed Person
(b) Any employee who fails to comply with our data protection policy is dealt with under our disciplinary procedure.
(3) Criminal Liability
(a) The law provides for a number of criminal offences which can be committed in relation to personal data. These include making it an offence to alter personal data to prevent disclosure where a person has made a request exercising their data subject access right and they would have been entitled to receive information in response to that request.
(b)(i) Some of the offences (like the example above) apply not only to data controllers but to company directors and employees (including apprentices) and volunteers.
(ii) It is therefore vital that everyone in the organisation understands their responsibilities and obligations and contacts the Appointed Person to discuss any concerns or raise queries as soon as they arise and before processing any personal data.
(4) Information Commissioners Office (ICO) Registration
As the law permits we are NOT registered with the ICO.
(5) Accompanying documents
We refer to the following documents in this policy which are located at the end of this policy:
Our Data Inventory
Record of what data we hold and how and why we process it
Details of our organisational and technical measures to implement the data protection principles
Individual Request Form
A form which can be used by any individual data subject to exercise their personal data rights
2 WHO’S WHO INCLUDING OUR APPOINTED PERSON
(1) Data Controller
We are a data controller (we “decide the purposes and means” of any data processing”).
(2) Appointed Person
(a) This type of organisation does not need to appoint a Data Protection Officer. However we have an Appointed Person, who monitors and implements this policy to ensure that we comply with our obligations. Information at the end of this policy (section 14) includes how our Appointed Person can be contacted.
(b) The Appointed Person will offer guidance and assistance in respect of any aspect of data protection and is responsible for compliance. Our Appointed Person will also ensure that anyone working with us understands their personal responsibility to comply with this policy.
(c) The Appointed Person will also:
(3) We may also use data processors in relation to personal data. Data processors are people or organisations who process data on our behalf and in accordance with our instructions. For example we may use a market research company as part of our organisation’s marketing development.
(4) Staff Training and awareness
3 ABOUT DATA
Data (information) includes not only electronically stored information, but includes information written on paper and all records which form any part of our data “system”. Our data inventory contains our record of
Data can be:
(a) “Personal data”means information which relates to a living person who can be identified from that data (a “data subject”) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data. Examples of personal data include:
(b) “Special Category personal data” refers to more sensitive types of personal data about an individual including their:
(c) Non-personal information– will not identify a person but just helps us to use the information to improve our services by identifying, for example, information collected using our website by recording pages accessed and files downloaded to record how visitors to the website use it.
We may aggregate information which is anonymous and does not identify an individual. For example, we may aggregate information about where people live and their ages for marketing purposes.
This policy is primarily concerned with personal (including special category) information.
(2) How we collect data
(a) Direct Data
Most of the data we collect is obtained directly from data subjects through trade shows, our websites, our dealings with others, such as clients, staff and those with whom we work, as well as suppliers.
(b) Indirect data
Occasionally we may collect data indirectly, for example publicly available information. When we receive information about any individual from another source, then within a reasonable period of having obtained the data (a maximum of one month or our first communication or before the data is disclosed) we will let the data subject know
4 WHAT IS DATA PROTECTION?
By law you can only process (collect, record, organise, use, disclose share etc) personal data (data which could identify a natural person), if you
(1) Data Protection Principles
We agree with and adhere to the main principles laid out by law, so that personal data must:
We are accountable for these principles and must be able to show that we comply.
(2) Lawful Basis
(a) For personal data, the lawful bases are:
(b) For special categories of personal data, the lawful bases are:
Our data inventory at Annex 1 contains our record of
(3) Withdrawing Consent
(a) Consent must be as easy to withdraw as it is to give (and without suffering any detriment unless consent is necessary for the service provided) which means that we have to provide information about how to do this. Examples of how consent can be withdrawn include:
(b) We must take action as soon as is possible and within no longer than 7 dayswhen someone withdraws their consent and we have a set procedure for dealing with this.
(c) Any staff member may receive a withdrawal of consent and they must
5 WHAT DO WE USE PERSONAL INFORMATION FOR?
(1) Using data
(a) Our Organisation needs to process data for its business purposes and where the law says there are limited and justifiable circumstances. Processing should always be “fair, lawful and transparent”.
(b) Processing means any operation which is performed on personal data, including data which is part of a filing system and any automated processing. Processing includes
(c) Our business purposes include
Our data inventory at Annex 1 contains our record of
(d) We do NOT use data for decisions which are solely taken on an automatic basis.
(2) Privacy Notices
It is important that every data subject receives essential and important information about how we collect and use personal data. We have provided
This section relates to the additional professional confidentiality obligations imposed on us.
(a) Most information which our clients supply to us is confidential, which means that we will not share/disclose it with anybody else until they have instructed us to do so or we have to release it by regulatory compliance, law or Court Order. So, for example, if we are instructed to share personal information with a third party, we will ask for the data subject's written consent to do that. However, some authorities (such as HMRC) may examine our information if they have a right to do so.
(b) We will obtain consent for each person/organisation that we have been instructed to share data with.
(c) Outsourcing - as part of our business we may use external providers for services such as for administration support and pass information to them. However, we have confidentiality agreements in place with them which means that information will only be held by them to provide services to us.
6 MANAGING DATA RISKS AND SECURITY
Data security means that we do what we reasonably can to protect the personal data that we hold and ensure our security is in accordance with current legal requirements.
(1) Managing risk - Data Protection Impact Assessments (DPIA)
It is important that we assess risks involved when we process data and so there will be occasions when we conduct a Data Protection Impact Assessments (DPIA).
DPIAs allow us to both identify risks and resolve issues at the earliest stage. There are certain circumstances when we must carry out a DPIA, including when
The Appointed Person has overall responsibility for the DPIA
(2) Security Measures
(a) Our appropriate security measures are based on the likely risks to data which we have identified, for example loss of data or unauthorised disclosure. We have implemented appropriate organisational (people and processes) and technical measures to effectively implement the data protection principles.
(b) Our data inventory contains our record of
(c) Our Security Measures at Annex 2 outline the appropriate organisational (people and processes) and technical measures we have implemented.
(d) Everyone must adhere to our data security procedures and will receive appropriate training. Any employee who fails to comply with our data protection policy is dealt with under our disciplinary procedure and such an event may mean termination.
7 INDIVIDUAL RIGHTS
(1) The law gives rights to each individual in respect of their personal data. The rights included are:
- obtain confirmation as to whether personal data is processed
- be provided with further information about the processing
- access their (the data subject’s) data/obtain a copy of it
(2) Although it does not have to be used we have an Individual Request Form (at Annex 3) which individual data subjects can use to exercise these rights and we have a set procedure for dealing with these requests. You can access this at https://cdn.shopify.com/s/files/1/0757/2349/files/Individual_Requests_Form_V2.docx?8840257945697388273
(3) Dealing with requests to exercise data rights
(a) Any staff member may receive a request from an individual data subject to exercise a data right, irrespective of whether it is on an Individual Request Form or not (for example, someone may ask on the phone or by email). The staff member will
(b) We deal with each request as soon as we are able and within one month of receipt. If there is going to be a delay in dealing with any request or there is a reason why we can’t comply with your request we will let the individual data subject know and explain why within one month of receiving their request. We must deal with even complex cases within 3 months.
(c) Individual data subjects have the right to lodge any data protection complaints with the ICO, who is the UK’s supervisory authority. They should visit www.ico.org.ukfor more information including how to access their helpline.
8 RECORDS AND RETENTION OF DATA
(1) Record keeping is an important part of our data protection because it demonstrates how much we value data security and is a vital part of our compliance with the law. We keep a record of our data processing activities, including recording:
In addition, data processors will be asked to keep a record about who instructed them to process special category data.
(2) Our criteria
We keep information about people
(3) Data Retention
How long personal information/data is kept
We will retain personal information for up to 5 years from the date of our last contact.
We will retain personal information for 7 years from the date that you ceased to be a client.
We will retain personal information for 7 years from the date that you ceased to be a supplier.
We will retain personal information for 7 years from the date that you ceased to be an employee.
9 PERSONAL DATA BREACHES AND OUR OBLIGATIONS
(1)(a) A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
(b) Although we take great care with our data the law requires us to have a process in place should a problem occur. Therefore
(i) it is the responsibility of every member of staff who deals with personal data to be able to recognise a personal data breach.
(ii) if you become aware of an actual or potential breach of our data obligations you must
(c) Our Appointed Person will then determine what action must be taken, including whether the ICO must be notified.
(2) The Appointed Person will then take the necessary action to
(a) Fully investigate the issue.
(b) Take remedial action.
(c) Keep a record of the breach which will include
(d) Report relevant breaches to the ICO without undue delay after being identified and, where feasible, not later than 72 hours after becoming aware of a breach so as to minimise the risk of damage. Unless it is not possible to do so at the time (in which case the information will be provided without undue delay) that information will include
(e) In cooperation with the ICO and/or any other relevant authorities (such as the police) and taking into account any guidance, directly notify any affected individual data subjects involved, without undue delay and as soon as is reasonably feasible (the ICO may still decide to do this directly), of the data breach to allow them to take the necessary precautions unless one of the following exemptions are met
(i) the breach is unlikely to result in a high risk for an individual’s rights and freedoms
(ii) there was appropriate organisation and technical protection (such as encrypted data) in place when the breach occurred
(iii) notification would equate to a disproportionate effort, when an alternative such as a public information campaign may mean the individual can effectively be informed
(e) Where the Appointed Person notifies the affected individual data subjects about the data breach they will also make recommendations to mitigate potential adverse effects.
10 SHARING DATA WITH THIRD PARTIES DATA SHARING POLICY
(1) Types of data sharing
Sharing data can be because we want
Before we share any data we always ensure that
We also use a third party data-sharing checklist to record essential information when we are sharing data with a third party. The checklist is available from the Appointed Person.
(2) Who we share data with
Ourorganisationneeds to share personal data with various third parties including:
Lists of the third parties with whom we share data are available from the Appointed Person
(3) Data Protection measures we take when sharing data
We have written agreements with those third parties to ensure that they
11 INTERNATIONAL DATA TRANSFER POLICY
(1) Sometimes it is necessary for organisations to transfer personal data outside the EEA and because some countries do not have the same level of data protection the law restricts the transfer of personal data so that this can only take place if
(2) We do send some personal data outside the EEA but transfers do not take place unless the Appointed Person has confirmed that we meet one of the exemptions or conditions which enable us to do so.
12 POLICY IMPLEMENTATION, MONITORING & CHANGES
(1) Clients will be made aware of this policy and its main content when we reach an agreement to provide our services and products to them.
(2) Suppliers will be made aware of the policy at the time we enter into an agreement that they will supply to us.
(3) Staff will be made aware of the policy and its content during induction or other training.
(4) We will review this Policy at least every twelve months (or as and when we know that any important changes in the law or guidelines is coming) and, where possible, twelve weeks’ notice of any changes to the Policy will be given to staff and, as applicable, clients and suppliers.
(5) Suggestions about this Policy are welcome. Please make suggestions to the Appointed Person.
(1) Any queries or complaints regarding our data protection should be addressed to our Appointed Person, using the details at the end of this policy.
(2) Any individual can complain to a supervisory authority – currently the ICO. The ICO can be contacted via its website at https://ico.org.uk/concerns/(there is usually a live chat facility) or by using its telephone helpline on 0303 123 1113.
(3) Any individual data subject who wants to; obtain details about what personal information we hold about them; rectify data; restrict or object to processing; as from 25thMay 2018exercise the right to erasure, must contact our Appointed Person using the details at the end of this policy – please also see section 7 of this policy.
14 CONTACT DETAILS FOR THE APPOINTED PERSON
Appointed Person:Chris Brookman
By Post:7 Tuns Lane, Silverton, Exeter, Devon. EX5 4HY
By telephone:01392 861763
ANNEX 1 – OUR DATA INVENTORY
Please download our data inventory by clicking here.
ANNEX 2 – OUR DATA SECURITY MEASURES
This contains details of our organisational and technical measures to effectively implement the data protection principles.
ANNEX 3 – OUR INDIVIDUAL REQUESTS FORM
This is an option for which individual data subjects who want to exercise any of their legal rights in respect of their personal data can use.
Please download the form by clicking here.