J Bailey & Sons Ltd Data Protection Policy
Introduction
New data protection legislation is due to come into force on 25th May 2018. It aims to protect the privacy of individuals in the EU and to prevent data breaches, and it applies to any public or private organisation processing personal data.
The General Data Protection Regulation (GDPR) 2016 also requires that, where personal data is processed by a third party on the company's behalf, the processing is governed by a written contract containing specified provisions.
J Bailey & Sons Ltd needs to gather and use certain information about individuals, including customers, suppliers and other people and organisations it has a relationship with or may need to contact.
The Data Protection Act 2018 describes how organisations, including J Bailey & Sons Ltd, must collect, handle and store personal information. The rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
GDPR requires that personal data shall be:
- Processed fairly and lawfully – for example, conducting criminal record checks on employees must be justified by law.
- Collected for a specific purpose – genetic and biometric information is now treated as special category (sensitive) data, meaning that organisations may only request such information if it is required for a relevant purpose.
- Adequate, relevant and limited to what is needed – only the data needed for the stated purpose should be collected, and the individual must be informed of exactly what their data is being used for.
- Accurate and kept up to date.
- Not held for longer than necessary.
- Processed in accordance with people's rights – the "right to be forgotten" (right to erasure) means that someone can request that their personal data be removed from an organisation's systems. The right to data portability means that a person can request that all their personal data be transferred to another system free of charge. For example, they may wish to have all their photos transferred from one social network to another.
- Kept safe and secure.
- Not transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection – where no such protection applies, the company must obtain explicit consent from the individual before their personal information is transferred outside the EEA. The company remains liable under GDPR for the data even after it has been transferred to another country.
This Policy describes how personal data must be collected, handled and stored to meet the company's data protection standards and to comply with the law.
The Policy ensures that J Bailey & Sons Ltd complies with data protection law and follows good practice. It protects the rights of customers and suppliers, is open about how the company stores and processes individuals' data, and protects the company from the risks of a data breach.
Data Protection Risks
This Policy helps to protect J Bailey & Sons Ltd from real data security risks, including:
- Breaches of confidentiality – for example, information being given out inappropriately
- Failing to offer choice – for example, all individuals should be free to choose how J Bailey & Sons Ltd uses data relating to them
- Reputational damage – for example, the company could suffer if attackers gained access to sensitive data
Responsibilities
Everyone who works for J Bailey & Sons Ltd has some responsibility for ensuring data is collected, handled and stored appropriately. All personal data must be handled and processed in line with this Policy and Data Protection Principles.
Key areas of responsibility within J Bailey & Sons Ltd:
- The Board of Directors is ultimately responsible for ensuring J Bailey & Sons Ltd meets its legal obligations
- Gill Hoddinott, the Data Protection Officer, is responsible for:
- Keeping the Board updated on data protection responsibilities, risks and issues
- Reviewing all data protection procedures and related policies
- Managing data protection questions from anyone covered by this Policy
- Dealing with requests from individuals to see the data J Bailey & Sons Ltd holds about them (subject access requests)
- Checking and approving contracts or agreements with third parties that may handle the company's personal data
- The IT Manager, Rob Bailey, is responsible for:
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards
- Performing regular checks and scans to ensure hardware is secure and software is functioning properly
- Evaluating third party services J Bailey & Sons Ltd is considering using to store or process data
- The Marketing Manager, Kate Bailey, is responsible for:
- Approving data protection statements attached to communications such as emails and letters
- Addressing data protection queries from the media
- Where necessary, working with members of staff to ensure marketing initiatives abide by data protection principles
J Bailey & Sons Ltd Staff Access to Personal Data
- Staff should only be able to access the data covered by this Policy if they need it for their work
- Employees can request confidential information from their manager if required, but such information should not be shared informally
- J Bailey & Sons Ltd will provide advice on request from employees to help them understand their responsibilities when handling data
- Employees should keep all data secure
- Strong passwords must be used and should never be shared
- Personal data should not be disclosed to unauthorised people, either within the company or externally
- Data should be reviewed regularly and updated. If data is no longer required, it should be deleted and disposed of in an appropriate manner
- If staff are unsure about any aspect of data protection, they should request help from their manager
Data Storage
- Questions regarding the storage of data can be directed to the IT Manager or the Data Protection Officer
- When data is stored on paper, it should be kept in a secure place and handled by authorised members of staff only
- These guidelines also apply to data that is usually stored electronically but has been printed out for some reason
- Paper files should be kept in a locked space when not required
- Employees should make sure that paper copies are only printed out when necessary and are not left where unauthorised people could see them
- Data printouts should be shredded and disposed of securely when no longer required
- Electronically stored data must be protected from unauthorised access, accidental deletion and malicious hacking attempts
- Data should be protected by a strong password that is changed regularly and never shared
- All data stored on removable media should be kept securely locked when not required
- Data should be stored on designated drives and servers and should only be uploaded to an approved cloud computing service
- Servers containing personal data should be sited in a secure lockable location
- Data should be backed up frequently and tested regularly, in line with the company’s standard backup procedures
- Data should never be saved directly to laptops or other mobile devices
- All servers and computers containing data should be protected by approved security software and a firewall
Data Use
Personal data is of no value to J Bailey & Sons Ltd unless the business can make use of it. However, it is when personal data is accessed and used that it is at greatest risk of loss, corruption or theft:
- Employees should ensure the screens of their computers are always locked when left unattended
- Personal data should never be shared informally
- Personal data should not be transferred outside the European Economic Area, except under the conditions set out in the Introduction to this Policy
Data Accuracy
The law requires J Bailey & Sons Ltd to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of all employees of J Bailey & Sons Ltd who work with data to ensure it is kept accurate and up to date.
- Data will be held in as few places as necessary
- Staff should take every opportunity to ensure data is updated, for example by confirming a customer's details when they call
- Data should be updated as inaccuracies are identified
Access Requests
All individuals who are the subject of personal data held by J Bailey & Sons Ltd are entitled to:
- Ask what information J Bailey & Sons Ltd holds about them and why
- Ask how to gain access to this information
- Be informed how to keep it up to date
- Be informed how J Bailey & Sons Ltd is meeting its data protection obligations
A Subject Access Request can be made to J Bailey & Sons Ltd by emailing the Data Protection Officer at Gill.Hoddinott@jbaileyandsons.co.uk. The Data Protection Officer will always verify the identity of anyone making a Subject Access Request before handing over any information.
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, J Bailey & Sons Ltd will disclose the requested data. However, the Data Protection Officer will first ensure the request is legitimate, seeking assistance from the Board and from the company's legal advisers where necessary.
J Bailey & Sons Ltd aims to ensure that individuals are aware that their data is being processed and that they understand:
- How their data is being used
- How to exercise their rights
J Bailey & Sons Ltd has a Privacy Statement, setting out how data relating to individuals is used by the company. This is available on request.
Breach Procedure
If J Bailey & Sons Ltd suffers a breach that potentially involves your data, we will inform you within 24 hours of the breach being identified. This will enable you to investigate and put in place appropriate measures to protect your customers' and staff's personal data. Where necessary, we will report the breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it.
If you experience a breach that potentially involves our data, you must tell us immediately, and in any case within 24 hours of identifying the breach. Please contact Gill.Hoddinott@jbaileyandsons.co.uk or telephone 01749 330475. This will enable us to investigate and put in place appropriate measures to protect our customers' and staff's personal data and, where necessary, to report the breach to the Information Commissioner's Office (ICO) within 72 hours.
J Bailey & Sons Ltd will investigate whether the breach is likely to result in a risk to individuals' rights and freedoms. If so, J Bailey & Sons Ltd will notify the individuals affected and tell them what steps they can take to protect themselves from the consequences of the breach. All breaches, whether or not they are reported to the ICO, will be documented and the records maintained by the Data Protection Officer.