This document has been produced by Primary Teaching Services Limited, www.primaryteaching.co.uk, a website offering a mail order service to customers.
Key details
Policy Prepared by:
Karen White
Lewis Pye
Alan Lucas
Approved by Directors on 26th May 2018
Policy became operational on 26th May 2018
Next review date: 26th May 2025
Introduction
Primary Teaching Services Limited needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees, and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled, and stored to meet the company’s data protection standards and comply with the law.
Contents
Section 1 The Data Protection Act 2018 (DPA)
Section 2 Regulation
Section 3 Individual Rights
Section 4 Scope
Section 5 Data Protection Risks
Section 6 Responsibilities
Section 7 Roles
Section 8 General Staff Responsibilities
Section 9 Training
Section 10 The Principles of Data Protection
Section 11 Fair, Lawful, Transparent
Section 12 Privacy Notices
Section 13 Data Use
Section 14 Data Storage
Section 15 Data Accuracy
Section 16 Adequacy and Relevance
Section 17 Data Retention
Section 18 Data Security
Section 19 Privacy by Design and Default
Section 20 Transferring Data Internationally
Section 21 Data Subject Rights
Section 22 Data Subject Rights - Processing Data in Accordance with the Individual's Rights
Section 23 Data Subject Rights – Consent
Section 24 Data Subject Rights - The Right to be Informed
Section 25 Data Subject Rights - The Rights of Access
Section 26 Data Subject Rights - The Right to Data Portability
Section 27 Data Subject Rights - The Right to Rectification
Section 28 Data Subject Rights - The Right to Erasure
Section 29 Data Subject Rights - The Right to Restrict Processing
Section 30 Data Subject Rights - The Right to Object
Section 31 Data Subject Rights - Rights in Relation to Automated Decision Making/Profiling
Section 32 Compliance – Monitoring
Section 33 Compliance - Data & Audit Register
Section 34 Compliance - Reporting Breaches
Section 35 Consequences of Failing to Comply - Disciplinary Terms
Section 36 Consequences of Failing to Comply – Contracted Third Parties
Section 37 Management Review
Section 38 Document & Version Control
Purpose
Primary Teaching Services Limited (referred to as the company hereafter) needs to process certain information about natural living persons. These include customers, suppliers, business contacts, employees, and any other natural persons that the organisation has a relationship with or holds personal information on.
This policy describes how this personal data must be processed and controlled to meet the company’s data protection standards and to comply with the law. This data protection policy ensures the company:
- Complies with the data protection laws and follows good practices and codes of conduct.
- Protects the rights of all natural living persons about whom it controls and processes data.
- Is open about how the organisation controls and processes a natural living person’s data.
- Protects itself from the risks of data breach and information leakage.
- Protects its proprietary information.
The Data Protection Law
The Data Protection Act 2018 (DPA)
The DPA describes how organisations, including the company, must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper, or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely, and not disclosed unlawfully.
The Data Protection Act is underpinned by important principles. These say that personal data must be:
- used fairly, lawfully and transparently
- used for specific, explicit purposes
- used in a way that is adequate, relevant, and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage
General Data Protection Regulation (GDPR)
The GDPR describes how organisations, including the company, must collect, handle and store personal information.
Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly, and in a transparent manner in relation to individuals
- collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is to be processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Individuals' Rights
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
Scope
This policy applies to:
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the DPA or GDPR.
This can include, but is not limited to:
Data protection risks
This policy helps to protect the company from some very real data security risks, including:
Responsibilities
Everyone who works for or with the company has some responsibility for ensuring data is controlled and processed in a compliant manner.
Each team that handles sensitive data must ensure that it is handled and processed in line with this policy and the data protection principles of the DPA and GDPR set out above.
Roles
The Board of Directors is ultimately responsible for ensuring that the company meets its legal obligations.
The Data Protection Officer/Managing Director (Karen White) is responsible for:
The IT Manager (Lewis Pye) is responsible for:
The Commercial Director (Diana Morris) is responsible for:
General staff responsibilities
Training
All staff will receive training on this policy, supporting policies, and company procedures. New joiners will receive training as part of the induction process. Further training will be provided annually or whenever there is a substantial change in the law or the company policy and procedure. Records of this training will be maintained as part of the Training Policy.
The Principles of Data Protection
Fair, lawful and transparent conditions for processing
The company will ensure any processing of personal data has a documented legal basis. All parties who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice or a fair processing notice.
Privacy Notices
To ensure fair, lawful, and transparent processing, the following is in place outlining how the company intends to use and protect data subjects' data.
Data Use
Personal data is of no value to Primary Teaching Services Limited unless the business can make use of it. However, it is when personal data is accessed and used that it is at the greatest risk of loss, corruption, or theft.
Being transparent and providing accessible information to individuals about how we will use their personal data is important for Primary Teaching Services Limited. The following are details on how we collect data and what we will do with it:
What information is being collected? Name, Address, Contact Number, Email, Mobile Number
Who is collecting it? Any team member who processes or inputs orders
How is it collected? Verbally, paper order form, website, email, contact form
Why is it being collected? To send out goods or for marketing via email, post or SMS
How will it be used? Delivery address, Bill-to address, Sold-to address, marketing if opted in
Who will it be shared with? Our suppliers when required for processing orders, marketing, and storage of data
Identity and contact details of any data controllers: Karen White, customerservices@primaryteaching.co.uk
Retention period: 7 years for auditing purposes. Non-purchaser data will be stored for 3 years.
Automated Emails
Automated SMS &amp; emails are generated for customers relating to order information. Automated sales SMS &amp; emails are generated for customers who opted in to receive emails; the customer is always offered the right to unsubscribe.
Data Storage
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or data controller.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
When data is stored electronically, it must be protected from unauthorised access, accidental deletion, and malicious hacking attempts:
Data Accuracy
The law requires Primary Teaching Services Limited to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort Primary Teaching Services Limited should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
Accuracy
The company shall ensure that any personal data processed is accurate and up to date by following the Data Quality Assurance Procedure when collecting or processing data. Data subjects have a responsibility to take reasonable steps to ensure that any personal data the company holds is accurate and updated as required. For example, if their personal circumstances change, they should inform the company so that their records can be updated.
Adequacy and relevance
The company shall ensure that any personal data collected is used only for the purpose for which it was obtained. Personal data obtained for one purpose shall not be used for any unconnected purpose unless the individual concerned has provided consent or there is a legal obligation to do otherwise.
Data retention
The company will retain personal data for no longer than necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with the company’s data retention guidelines. The company’s Information Asset Register contains information on how long each asset should be retained. This retention does not affect the subject’s right to erasure. Assets should be disposed of by following the Disposals Procedure.
Data Security
The company shall keep sensitive data secure against loss, misuse, or unauthorised disclosure. Where other organisations process personal data as a service on behalf of the company, there must be contractual clauses to provide the same level of data protection as the company. In order to provide consistent information protection throughout the company, the Information Security Policy shall be implemented and enforced through the use of supporting policies and procedures, training, and appropriate technologies.
Privacy by design and default
The company shall follow the principle of privacy by design and default. This is an approach to projects that promotes privacy and data protection compliance from the start. The DPO will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan. When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private option by default.
Data protection impact assessments (DPIA)
Where processing personal information is likely to result in a risk to the rights and freedoms of the data subjects, a data protection impact assessment shall be carried out and the results shall be implemented and incorporated into the project. Records of all DPIAs shall be kept and the assessment shall be carried out according to the Data Protection Impact Assessment Procedure.
Storing data
All data controlled by the company must be kept in a secure manner. In cases where data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it. Printed data should be shredded when it is no longer needed according to the standards in the Disposals Procedure. Data stored on a computer should be protected as outlined in the Information Security Policy. Data stored on CDs or memory sticks must comply with the guidelines in the Removable Media Policy. Data should be regularly backed up in line with the company’s continuity and disaster recovery plans. All servers containing sensitive data must be approved and protected by security software and strong firewalls.
Transferring data internationally
The company complies with strict restrictions on transferring data internationally. No data can be transferred without first following the International Data Transfer Procedure. This procedure ensures that data is not transferred unless appropriate and approved safeguards are in place to protect the data, such as an adequacy decision, standard contractual clauses or binding corporate rules.
Data Subject rights
Processing data in accordance with the individual's rights
The company shall abide by the data subject’s rights laid out in both the DPA and GDPR. Any request from an individual shall be handled by the DPO and a response issued within one month of receipt. Where a request is complex or numerous requests are received, this period may be extended by up to two further months, provided the data subject is told of the extension and the reason for it within the first month.
Consent
Where the company uses consent as the legal basis for processing data, there must be a record of the data subject’s active consent. Consent should be gathered in the manner outlined in the Consent Management Procedure. The data subject has the right to withdraw this consent at any time. This right does not affect any of the other rights.
In cases where sensitive personal data is processed, the data subject's explicit consent to this processing will be required, unless exceptional circumstances apply or there is a legal obligation to do this (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
Date of birth is not stored, and the terms and conditions (see www.primaryteaching.co.uk/ts-and-cs) do not permit sales to customers under the age of 16.
The right to be informed
Under GDPR data subjects have the right to be informed about how their data is processed. To comply with this right, the company provides the required information in its fair processing notice.
The right of access
Under the Data Protection Act, data subjects are entitled, subject to certain exceptions, to request access to information held about them. These requests shall be passed to the DPO to handle. When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the process from the Subject Access Request Procedure should be followed.
The right to data portability
Upon request, a data subject has the right to receive a copy of their data in a structured, commonly used and machine-readable format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data be transmitted directly to another system where this is technically feasible. This must be done free of charge.
Under GDPR data subjects can request that their personal data be transferred from one data controller to another.
These requests shall be passed to the DPO to handle. When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the process from the Data Portability Procedure should be followed.
The right to rectification
Under GDPR data subjects can request that personal information held on them be corrected.
These requests shall be passed to the DPO to handle. When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the process from the Subject Rectification Request Procedure should be followed.
The right to erasure
Under GDPR data subjects may request that any information held on them be deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
These requests shall be passed to the DPO to handle. When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the process from the Subject Erasure Request Procedure should be followed.
The right to restrict processing
Under GDPR data subjects can request a restriction of processing on their personal data in instances where the data subject does not wish for their data to be erased but does not want the data processed.
These requests shall be passed to the DPO to handle. When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the process from the Restricting Processing Procedure should be followed.
The right to object
Under GDPR data subjects can object to the processing of their personal data. Where the objection concerns direct marketing, the processing must stop as soon as the objection is received, with no exceptions. For other processing, the company must stop unless it can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the data subject, and the outcome must be communicated to the data subject.
These requests shall be passed to the DPO to handle. When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the process from the Objection Request Procedure should be followed.
Rights in relation to automated decision-making and profiling
Under GDPR data subjects have the right to be informed if they are being subject to automated decision-making and the possible consequences this automated decision-making could have on them. The automated messages the company sends are documented in Section 13, Data Use.
Compliance
Monitoring
Everyone must observe this policy. The DPO has overall responsibility for this policy. They will monitor it regularly to make sure it is being adhered to.
Data audit and register
Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible, and any further regulations or retention timescales that may be relevant.
Reporting breaches
All members of staff have an obligation to report actual or potential data protection compliance failures to the DPO without delay. Prompt reporting matters because, where a personal data breach is likely to result in a risk to individuals, the company must notify the Information Commissioner's Office within 72 hours of becoming aware of it. This allows us to:
Consequences of failing to comply
Disciplinary Terms
Where an employee has been found to have violated the company policies or procedures the following actions may be taken:
Contracted Third Parties
Where a contracted third party has been found to have violated the contractual obligations relating to data protection, the following actions may be taken:
Management and Review
This policy should be reviewed as scheduled once every year, unless performance indicators, changes to legislation or changes to the organisation necessitate an earlier review.
Last Review Date: 25th March 2024
Next Review Date: 26th May 2025
Data Protection Policy
Profile Version: 3
Certification date: 5th December 2023