Data Protection Policy
- Policy prepared by: Peter Boyce and Steve Thompson
- Approved by Board on: 11th April 2018
- Next review date: April 2019
Cumulus Outdoors needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the Company’s data protection standards – and to comply with the General Data Protection Regulations (GDPR).
Why this policy exists
This data protection policy ensures Cumulus Outdoors:
- Complies with data protection law and follows good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Data protection law
New General Data Protection Regulations come into force on the 25th May 2018 and these describe how organisations must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
Lawful basis for processing
GDPR requires that we process all personal data lawfully, fairly and in a transparent manner. Processing is only lawful if we have a lawful basis under Article 6. These are:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (this cannot apply if you are a public authority processing data to perform your official tasks.)
The bases under which Cumulus Outdoors, as a small organisation (see below), processes data are Consent (e.g. customers), Contract (e.g. employees) and Legal Obligation (e.g. required qualifications).
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Cumulus Outdoors Requirements
As a small organisation, we are required to have a policy that documents processing activities that:
- are not occasional; or
- could result in a risk to the rights and freedoms of individuals; or
- involve the processing of special categories of data or criminal conviction and offence data.
Categories and Purposes
Our categories of individuals and the purposes for which we hold information are:
- For marketing purposes, to enable Cumulus Outdoors to inform existing and potential customers about activities, products and services etc. Consent will be sought prior to including names on any lists we hold.
  - Consent must be specific to distinct purposes.
  - Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt in to the storage, use and management of their personal data.
  - Separate consent must be obtained for different processing activities so it is clear how the data will be used when consent is obtained.
  - Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- For safety reasons, to temporarily hold medical information.
- Employees: to enable contracts of employment to be agreed between the Company and the employee. These contracts and any supporting data (such as qualifications) will be fully visible to the employee.
- Freelance staff: to enable contracts for services to be agreed, for details of required qualifications to be recorded and for legally required documentation to be verified and confirmed as in date.
Sharing of Data
Cumulus Outdoors does not share data with any external organisations or individuals without authorised consent.
Should Cumulus Outdoors ever propose to share the collected data, it will be explained to the data subject who the data will be shared with (be it a particular organisation or a type of organisation) and why it is proposed to share the data.
If the data is going to be used in a way the data subject would expect, the privacy notice will be made available for the data subject to access. However, if any of the following were proposed at any time, Cumulus Outdoors will actively communicate the privacy notice to the data subject:
- sharing sensitive personal data; or
- sharing is likely to be unexpected or objectionable; or
- sharing the data, or not sharing it, will have a significant effect on the individual; or
- sharing is particularly widespread, involving organisations individuals might not expect; or
- the sharing is being carried out for a range of different purposes.
General staff guidelines
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be shared informally. When access to confidential information is required, employees can request it from the appropriate person.
- The Company will provide training to all employees to help them understand their responsibilities when handling data.
- Employees should keep all data secure by taking sensible precautions and following Company guidelines.
- In particular, strong passwords must be used and must not be shared.
- Personal data should not be disclosed to unauthorised people, either within the Company or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
- When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
- When not required, the paper or files should be kept in a locked drawer or filing cabinet, or in a room that is locked when unoccupied.
- Data printouts should be shredded and disposed of securely when no longer required.
- When stored electronically, data must be protected from unauthorised access, accidental deletion and malicious hacking attempts.
- Data should be protected by strong passwords that are changed regularly.
- If data is stored on removable media, these should be kept securely when not in use.
- Data should only be stored on designated drives and servers and should only be uploaded to an approved cloud computing service.
- Data should be backed up frequently.
- All computers and servers containing data should be protected by approved security software and a firewall.
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally.
- Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
- Data should be held in as few places as necessary. Staff should not create any unnecessary additional sets.
- Data should be updated as inaccuracies are discovered.
Subject access requests
All individuals who are the subject of personal data held by Cumulus Outdoors are entitled to:
- Ask what information the Company holds about them and why.
- Ask how to gain access to it.
- Be informed how it is kept up to date.
- Be informed as to how the Company is meeting its data protection obligations.
If an individual contacts the Company requesting this information, this is called a subject access request.
The Company will verify the identity of anyone making a subject access request prior to handing over any information.
Data breaches
When a data breach is discovered, the Company will inform any individuals affected within 72 hours. It is the responsibility of the Office Manager, or a Director of Cumulus Outdoors, to inform those individuals.