General Data Protection Regulation
CLEAR CASTLE LIMITED (t/a Waters & Gate) incorporated and registered in England and Wales with company number 07929590 whose registered office is at The Town Mission, Lower Rudyerd Street, North Shields, England NE29 6NG (“Waters & Gate”);
Introduction
Waters & Gate is fully committed to compliance with the requirements of the General Data Protection Regulation (“the GDPR”).
Waters & Gate will therefore follow procedures to ensure that all employees, contractors, agents, consultants or partners who have access to any personal data held by or on behalf of Waters & Gate, are fully aware of and abide by their duties and responsibilities under the GDPR.Statement of policy
To operate efficiently, Waters & Gate collect and uses information about people with whom it works. These may include members of the public, current, past and prospective employees, clients and their customers, and suppliers. This personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means, and there are safeguards within the GDPR to ensure this.
Waters & Gate regards the lawful and correct treatment of personal information as very important to its successful operations and to maintaining confidence between Waters & Gate and those with whom it carries out business.
Waters & Gate will ensure that it treats personal information lawfully and correctly. To this end Waters & Gate fully endorses and adheres to the Principles of Data Protection as set out in the GDPR – The principles of Data Protection
Article 5 of the GDPR requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The GDPR makes a distinction between personal data and special categories of personal data.
Personal data is defined as, any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
A personal identifier that may constitute personal data can include name, account number, location data, or an online identifier.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Special categories of personal data are defined as personal data consisting of information as to:
• Racial or ethnic origin;
• Political opinion;
• Religious or other beliefs;
• Trade union membership;
• Genetic data or biometric data for the purpose of uniquely identifying a natural person
• Physical or mental health or condition;
• Sexual life.
Handling of personal/sensitive information
Waters & Gate will, through appropriate management and the use of strict criteria and controls: –
• Observe fully conditions regarding the fair collection and use of personal information;
• Meet its legal obligations to specify the purpose for which information is used;
• Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
• Ensure the quality of information used;
• Apply strict checks to determine the length of time information is held;
• Take appropriate technical and organisational security measures to safeguard personal information;
• Ensure that personal information is not transferred abroad without suitable safeguards;
• Ensure that the rights of people about whom the information is held can be fully exercised under the GDPR.
These include:
• The right to be informed that processing is being undertaken;
• The right of access to one’s personal information without delay and at the latest within one month of receipt of a request;
• The right to rectify information regarded as wrong information without delay and at the latest within one month;
• The right to be forgotten by requesting the deletion or removal of personal data when there is no compelling reason for its continued processing;
• The right to restrict processing by suppressing the processing of personal data;
• The right to data portability so that individuals can obtain and reuse their personal data for their own purposes across different services;
• The right to object to processing, direct marketing and processing for purposes of scientific / historical research and statistics;
• Rights related to automated decision making including profiling.
In addition, Waters & Gate will ensure that:
• There is someone with specific responsibility for data protection in the organisation;
• Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;
• Everyone managing and handling personal information is appropriately trained to do so;
• Everyone managing and handling personal information is appropriately supervised;
• Anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, knows what to do;
• Queries about handling personal information are promptly and courteously dealt with;
• Methods of handling personal information are regularly assessed and evaluated;
• Performance with handling personal information is regularly assessed and evaluated;
• Data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures.
All employees are to be made fully aware of this policy and of their duties and responsibilities under the GDPR.
All managers and staff within Waters & Gate will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:
• Paper files and other records or documents containing personal/sensitive data are kept in a secure environment;
• Personal data held on computers and computer systems is protected by the use of secure passwords, which where possible have forced changes periodically;
• Individual passwords should be such that they are not easily compromised.
All contractors, consultants, partners or agents of Waters & Gate must:
• Ensure that they and all of their staff who have access to personal data held or processed for or on behalf of Waters & Gate, are aware of this policy and are fully trained in and are aware of their duties and responsibilities under the GDPR. Any breach of any provision of the GDPR will be deemed as being a breach of any contract between Waters & Gate and that individual, company, partner or firm;
• Allow data protection audits by Waters & Gate of data held on its behalf (if requested);
• Indemnify Waters & Gate against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.
All contractors who are users of personal information supplied by Waters & Gate will be required to confirm that they will abide by the requirements of the GDPR with regard to information supplied by Waters & Gate.
Implementation
Waters & Gate has appointed an Information Security Officer. This officer will be responsible for ensuring that the Policy is implemented. Implementation will be led and monitored by the Information Security Officer. The Information Security Officer will also have overall responsibility for:
• The provision of cascade data protection training, for staff within Waters & Gate.
• For the development of best practice guidelines.
• For carrying out compliance checks to ensure adherence, throughout the company, with the GDPR.
Personal data breaches
The Information Commissioner (ICO) is the supervisory authority in the UK and maintains a public register of data controllers. Waters & Gate is registered as such.
The GDPR requires organisations to report certain types of personal data breach to the ICO within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, Waters & Gate will notify the appropriate data controller at the earliest opportunity and will inform those individuals without undue delay.
Waters & Gate maintains a robust information security management system in accordance with ISO 27001 that includes the identification and reporting of incidents, investigation and resolution.
The Information Security Officer is responsible for keeping a record of personal data breaches, and where appropriate notifying the relevant supervisory authority, the appropriate data controller and the affected individuals.