This document has been produced by Primary Teaching Services Limited, www.primaryteaching.co.uk, a website offering a mail order service to customers.
Primary Teaching Services Limited needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and comply with the law.
Section 1 The Data Protection Act 1998 (DPA)
Section 2 Regulation
Section 3 Individual Rights
Section 4 Scope
Section 5 Data Protection Risks
Section 6 Responsibilities
Section 7 Roles
Section 8 General Staff Responsibilities
Section 9 Training
Section 10 The Principles of Data Protection
Section 11 Fair, Lawful, Transparent
Section 12 Privacy Notices
Section 13 Data Use
Section 14 Data Storage
Section 15 Data Accuracy
Section 16 Adequacy and Relevance
Section 17 Data Retention
Section 18 Data Security
Section 19 Privacy by Design and Default
Section 20 Transferring Data Internationally
Section 21 Data Subject Rights
Section 22 Data Subject Rights - Processing Data in Accordance with the Individuals Rights
Section 23 Data Subject Rights - Consent
Section 24 Data Subject Rights - The Right to be Informed
Section 25 Data Subject Rights - The Rights of Access
Section 26 Data Subject Rights - The Right to Data Portability
Section 27 Data Subject Rights - The Right to Rectification
Section 28 Data Subject Rights - The Right to Erasure
Section 29 Data Subject Rights - The Right to Restrict Processing
Section 30 Data Subject Rights - The Right to Object
Section 31 Data Subject Rights - Rights in Relation to Automated Decision Making/Profiling
Section 32 Compliance - Monitoring
Section 33 Compliance - Data & Audit Register
Section 34 Compliance - Reporting Breaches
Section 35 Consequences of Failing to Comply - Disciplinary Terms
Section 36 Consequences of Failing to Comply – Contracted Third Parties
Section 37 Management Review
Section 38 Document & Version Control
Primary Teaching Services Limited (referred to as the company hereafter) needs to process certain information about natural living persons. These include customers, suppliers, business contacts, employees and any other natural persons that the organisation has a relationship with or holds personal information on.
This policy describes how this personal data must be processed and controlled to meet the company’s data protection standards and to comply with the law. This data protection policy ensures the company:
The DPA describes how organisations, including the company, must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
The GDPR describes how organisations, including the company, must collect, handle and store personal information.
Article 5 of the GDPR requires that personal data shall be:
The GDPR provides the following rights for individuals:
This policy applies to:
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the DPA or GDPR.
This can include, but is not limited to:
This policy helps to protect the company from some very real data security risks, including:
Everyone who works for or with the company has some responsibility for ensuring data is controlled and processed in a compliant manner.
Each team that handles sensitive data must ensure that it is handled and processed in line with this policy and the eight data protection principles of the DPA.
All staff will receive training on this policy, supporting policies and company procedures. New joiners will receive training as part of the induction process. Further training will be provided annually or whenever there is a substantial change in the law or in company policy and procedure. Records of this training will be maintained as part of the Training Policy.
The company will ensure any processing of personal data has a documented legal basis. All parties who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice or a fair processing notice.
To ensure fair, lawful and transparent processing, the following is in place outlining how the company intends to use and protect data subjects' data.
Personal data is of no value to Primary Teaching Services Limited unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
Being transparent and providing accessible information to individuals about how we will use their personal data is important for Primary Teaching Services Limited. The following are details on how we collect data and what we will do with it:
What information is being collected? Name, Address, Contact Number, Email
Who is collecting it? Any team member who processes or inputs orders
How is it collected? Verbally, paper order form, website, email, contact form
Why is it being collected? To send out goods or for marketing
How will it be used? Delivery address, Bill-to address, Sold-to address, marketing if opted in
Who will it be shared with? Our suppliers when required for processing orders, marketing and storage of data
Identity and contact details of any data controllers: Karen White
Retention period: 7 years for auditing purposes. Non-purchaser data will be stored for 3 years.
Automated Emails: Automated emails are generated for customers relating to order information. Automated sales emails are generated for customers who have opted in to receive emails; the customer is always offered the right to unsubscribe.
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or data controller.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
The law requires Primary Teaching Services Limited to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort Primary Teaching Services Limited should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
The company shall ensure that any personal data processed is accurate and up to date by following the Data Quality Assurance Procedure when collecting or processing data. Data subjects have a responsibility to take reasonable steps to ensure that any personal data the company holds is accurate and updated as required. For example, if their personal circumstances change, they should inform the company so that their records can be updated.
The company shall ensure that any personal data collected is used only for the purpose for which it was obtained. Personal data obtained for one purpose shall not be used for any unconnected purpose unless the individual concerned has provided consent or there is a legal obligation to do otherwise.
The company will retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with the company’s data retention guidelines. The company’s Information Asset Register contains the information on how long each asset should be retained for. This retention does not affect the subject’s right to erasure. Assets should be disposed of by following the Disposals Procedure.
The company shall keep sensitive data secure against loss, misuse or unauthorised disclosure. Where other organisations process personal data as a service on behalf of the company, there must be contractual clauses to provide the same level of data protection as the company. In order to provide consistent information protection throughout the company, the Information Security Policy shall be implemented and enforced through the use of supporting policies and procedures, training and appropriate technologies.
The company shall follow the principle of privacy by design and default. This is an approach to projects that promotes privacy and data protection compliance from the start. The DPO will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan. When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.
Where processing personal information is likely to result in a risk to the rights and freedoms of the data subjects, a data protection impact assessment shall be carried out and the results shall be implemented and incorporated into the project. Records of all DPIAs shall be kept and the assessment shall be carried out according to the Data Protection Impact Assessment Procedure.
All data controlled by the company must be kept in a secure manner. In cases where data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it. Printed data should be shredded when it is no longer needed according to the standards in the Disposals Procedure. Data stored on a computer should be protected as outlined in the Information Security Policy. Data stored on CDs or memory sticks must comply with the guidelines in the Removable Media Policy. Data should be regularly backed up in line with the company’s continuity and disaster recovery plans. All servers containing sensitive data must be approved and protected by security software and strong firewalls.
The company complies with the strict restrictions on transferring data internationally. No data can be transferred without first following the International Data Transfer Procedure. This procedure ensures that data doesn’t get transferred unless there are appropriate and approved security measures in place to protect the data, such as adequacy decisions or binding corporate rules.
The company shall abide by the data subject’s rights laid out in both the DPA and GDPR. Any request from an individual shall be handled by the DPO and a response issued within a month.
Where the company uses consent as the legal basis for processing data, there must be a record of the data subject’s active consent. Consent should be gathered in the manner outlined in the Consent Management Procedure. The data subject has the right to withdraw this consent at any time. This right does not affect any of the other rights.
In cases where sensitive personal data is processed, the data subject's explicit consent to this processing will be required, unless exceptional circumstances apply or there is a legal obligation to do this (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
Date of birth is not stored, and the terms and conditions (see www.primaryteaching.co.uk/ts-and-cs) do not permit sales to customers under the age of 16.
Under GDPR data subjects have the right to be informed about how their data is processed. To comply with this right, the company provides the required information in its fair processing notice.
Under the Data Protection Act, data subjects are entitled, subject to certain exceptions, to request access to information held about them. These requests shall be passed to the DPO to handle. When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the process from the Subject Access Request Procedure should be followed.
Upon request, a data subject should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done for free.
Under GDPR data subjects can request that their personal data is transferred from one data controller to another.
These requests shall be passed to the DPO to handle. When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the process from the Data Portability Procedure should be followed.
Under GDPR data subjects can request that personal information held on them is corrected.
These requests shall be passed to the DPO to handle. When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the process from the Subject Rectification Request Procedure should be followed.
Under GDPR data subjects may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
These requests shall be passed to the DPO to handle. When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the process from the Subject Erasure Request Procedure should be followed.
Under GDPR data subjects can request a restriction of processing on their personal data in instances where the data subject does not wish for their data to be erased but does not want the data processed.
These requests shall be passed to the DPO to handle. When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the process from the Restricting Processing Procedure should be followed.
Under GDPR data subjects can object to processing if they suspect that their data is being processed illegally. Following an objection, the data controller is required to investigate the claim and communicate the results to the data subject.
These requests shall be passed to the DPO to handle. When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the process from the Objection Request Procedure should be followed.
Under GDPR data subjects have the right to be informed if they are being subject to automated decision making and of the possible consequences this automated decision making could have on them, as documented in Section 13 under Data Use.
Everyone must observe this policy. The DPO has overall responsibility for this policy. They will monitor it regularly to make sure it is being adhered to.
Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
Disciplinary Terms
Where an employee has been found to have violated the company policies or procedures, the following actions may be taken:
Where a contracted third party has been found to have violated the contractual obligations relating to data protection, the following actions may be taken:
This policy should be reviewed as scheduled once every year, unless performance indicators, changes to legislation or the organisation necessitate it.
Last Review Date: 28th May 2020
Next Review Date: 26th May 2021
Version number: 1.2
Certification date: November 14th, 2019