DATA PROTECTION & GDPR Policy

Your Data And How We Handle It

Introduction:

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) from 1995. The regulation was adopted on 27 April 2016 and applied from 25 May 2018 after a two-year transition period.
The 1998 Data Protection Act, which came into force on 1 March 2000, will continue to apply until the new General Data Protection Regulations come into force in May 2018.
The following guidance is not a definitive statement on the Regulations but seeks to interpret relevant points where they affect Trinity Surfacing.
The Regulations cover both written and computerised information and the individual’s right to see such records.
All Trinity Surfacing’s staff are required to follow this Data Protection Policy at all times.
The Managing Director has overall responsibility for data protection within Trinity Surfacing, but each individual processing data is acting on the controller’s behalf and therefore has a legal obligation to adhere to the Regulations.

Definitions:

Processing of information
how information is held and managed.

Information Commissioner
formerly known as the Data Protection Commissioner.

Notification
formerly known as Registration.

Data Subject
used to denote an individual about whom data is held.

Data Controller
used to denote the entity with overall responsibility for data collection and management. Trinity Surfacing is the Data Controller for the purposes of the Act.

Data Processor
an individual handling or processing data.

Personal data
any information which enables a person to be identified.

Special categories of personal data
information under the Regulations which requires the individual’s explicit consent for it to be held by the Charity.

Data Protection Principles

As a data controller, Trinity Surfacing is required to comply with the principles of good information handling. These principles require the Data Controller to:

1. Process personal data fairly, lawfully and in a transparent manner.
2. Obtain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner that is incompatible with the purpose or purposes for which it was obtained.
3. Ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held. Ensure that personal data is accurate and, where necessary, kept up-to-date.
4. Ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
5. Ensure that personal data is kept secure.
6. Ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which it is sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.

Consent:

Trinity Surfacing must record explicit consent to storing certain information (known as ‘personal information’) on file.

For the purposes of the Regulations, personal data recorded by Trinity Surfacing covers information relating to:
1. Online identifiers such as an IP address.
2. Name and contact details, including telephone numbers and email addresses.
3. National Insurance (NI) Numbers.
4. Bank account details.
5. Genetic and/or biometric data which can be used to identify an individual.

As a general rule Trinity Surfacing will always seek consent where personal information is to be held.

It should also be noted that where it is not reasonable to obtain consent at the time data is first recorded, and the case remains open, retrospective consent should be sought at the earliest appropriate opportunity.
If personal data needs to be recorded for the purpose of service provision, and the individual refuses consent, the case should be referred to the Managing Director for advice.

Obtaining Consent:

Consent may be obtained in a number of ways depending on the nature of the interview, and consent must be recorded on or maintained with the case records:
• face-to-face
• written
• telephone
• email.

Face-to-face/written: A Pro-forma should be used.
Telephone: Verbal consent should be sought and noted on the case record.
E-mail: The initial response should seek consent.

Consent obtained for one purpose cannot automatically be applied to all uses, e.g. where consent has been obtained from a delegate for the provision/registration of a course, separate consent would be required if, for example, direct marketing were to be undertaken.
Preliminary verbal consent should be sought at point of initial contact as personal and/or special categories of personal data will need to be recorded either in an email or on a computerised record. The verbal consent is to be recorded in the appropriate fields on the computer record or stated in the email for future reference. Although written consent is the optimum, verbal consent is the minimum requirement.
Specific consent for the use of any photographs and/or videos taken should be obtained in writing. Such media could be used for, but not limited to, publicity material, press releases, social media, and website.

Consent should also indicate whether agreement has been given to their name being published in any associated publicity. If the subject is less than 18 years of age, then parental/guardian consent should be sought.
Individuals have a right to withdraw consent at any time.

Ensuring the Security of Personal Information:

Unlawful disclosure of personal information:
1. It is an offence to disclose personal information ‘knowingly and recklessly’ to third parties.
2. It is a condition of course registration that all delegates for whom we hold personal details sign a consent form allowing us to hold such information.
3. A client’s individual consent to share information should always be checked before disclosing personal information to another agency.

Use of Files, Books and Paper Records:

In order to prevent unauthorised access or accidental loss or damage to personal information, it is important that care is taken to protect personal data. Paper records should be kept in locked cabinets/drawers (or within the Trinity Surfacing administration office location) overnight, and care should be taken that personal information is not left unattended and in clear view during the working day. If your work involves you having personal data at home or in your car, the same care needs to be taken.

Disposal of Scrap Paper, Printing or Photocopying Overruns:

Be aware that names/addresses/phone numbers and other information written on scrap paper are also considered to be confidential. Do not keep or use any scrap paper that contains personal information but ensure that it is either shredded or incinerated in accordance with company procedures.
If you are transferring papers from an external location to the office for shredding, this should be done as soon as possible and the papers should not be left in a car for a period of time. When transporting documents, they should be carried out of sight in the boot of your car.

Computers:

Where computers are networked, access to personal and special categories of personal information is restricted by password to authorised personnel only.
If working in a public area, e.g. reception, you should lock your computer when leaving it unattended.
Firewalls and virus protection are to be employed at all times to reduce the possibility of hackers accessing our system and thereby obtaining access to confidential records. Where computers or other mobile devices are taken for use off the premises, the device must be password protected.

Cloud Computing:

When commissioning cloud-based systems, Trinity Surfacing will satisfy itself as to the cloud-based providers’ compliance with the data protection principles and the robustness of their systems.

Direct Marketing:

Trinity Surfacing will not share or sell its database(s) with outside organisations.
Trinity Surfacing holds information on our staff, clients and other delegates to whom we will from time to time send information that may be of interest to them. Specific consent to contact will be sought, including which formats they prefer (e.g. mail, email, phone, etc.) before making any communications.
We recognise that clients, staff and delegates for whom we hold records have the right to unsubscribe from our mailing lists. This wish will be recorded on their records and they will be excluded from future contacts.

The following statement is to be included on any forms used to obtain personal data:

We promise never to share or sell your information to other organisations or businesses for the purposes of marketing, and you can opt-out of our communications at any time by writing to Trinity Surfacing, Winnington House, 2 Woodberry Grove, London, N12 0DR or by sending an email to [email protected].

Privacy Statements:

Any documentation which gathers personal and/or special categories of personal data should contain the following Privacy Statement information:
• Explain who we are
• What we will do with their data
• Who we will share it with
• Consent for marketing notice
• How long we will keep it for
• That their data will be treated securely
• How to opt-out
• Where they can find a copy of the full notice

Personnel Records:

The Regulations apply to staff records. Trinity Surfacing may at times record special categories of personal data as part of a staff member’s contract of employment.

Confidentiality:

When working from home, or from some other off-site location, all data protection and confidentiality principles still apply. All computer data, e.g. documents and programmes related to work for Trinity Surfacing, should not be stored on a personal computer. If documents need to be worked on at a non-business computer, they should be saved onto a USB drive which should be password protected.
Workstations in areas accessible to the public, e.g. reception or trading office, should operate a clear desk practice so that any paperwork, including paper diaries, containing personal and/or special categories of personal data is not left out on the desk where passers-by could see it.
When sending emails to outside organisations, care should be taken to ensure that any identifying data is removed.

Any paperwork kept away from the office should be treated as confidential and kept securely as if it were held in the office. Documents should not be kept in open view (e.g. on a desktop) but kept, for example, in a file in a drawer or filing cabinet; a locked cabinet is the optimum, but safely out of sight is the minimum requirement.

Retention of Records:

Paper records should be retained for the following periods at the end of which they should be shredded or incinerated:
• Client records – 6 years after ceasing to be a client.
• Staff records – 6 years after ceasing to be a member of staff.
• Financial/accounting documents – 7 years.
• Employer’s liability insurance – 40 years.
• Archived records should clearly display the destruction date.

What to Do If There Is a Breach:

If you discover or suspect a data protection breach, you should report this to the Managing Director, who will review our systems to prevent a recurrence and determine whether it needs to be reported to the Information Commissioner.
Any deliberate or reckless breach of this Data Protection Policy by an employee may result in disciplinary action, which may result in dismissal.

The Rights of an Individual:

Under the Regulations, an individual has the following rights with regard to those who are processing his/her data:
• Personal and special categories of personal data cannot be held without the individual’s consent (however, the consequences of not holding it can be explained and a service withheld).
• Data cannot be used for the purposes of direct marketing of any goods or services if the Data Subject has declined their consent to do so.
• Individuals have a right to have their data erased and to prevent processing in specific circumstances:
o Where data is no longer necessary in relation to the purpose for which it was originally collected
o Where an individual withdraws consent
o Where an individual objects to the processing and there is no overriding legitimate interest for continuing the processing
o Where personal data was unlawfully processed
• An individual has a right to restrict processing – where processing is restricted, Trinity Surfacing is permitted to store the personal data but not further process it. Trinity Surfacing can retain just enough information about the individual to ensure that the restriction is respected in the future.
• An individual has a ‘right to be forgotten’.
Trinity Surfacing will not undertake direct telephone marketing activities under any circumstances.
Data Subjects can ask, in writing to the Managing Director, to see all personal data held on them, including emails and computer or paper files. The Data Processor (Trinity Surfacing) must comply with such requests within 30 days of receipt of the written request.

Powers of the Information Commissioner:

The following are criminal offences, which could give rise to a fine and/or prison sentence:
• The unlawful obtaining of personal data.
• The unlawful selling of personal data.
• The unlawful disclosure of personal data to unauthorised persons.

Further Information:

Further information is available at www.informationcommissioner.gov.uk