{"id":10065,"date":"2018-01-30T18:44:16","date_gmt":"2018-01-30T18:44:16","guid":{"rendered":"https:\/\/www.wholegraindigital.com\/?post_type=the-granary&p=10065"},"modified":"2024-03-05T22:03:17","modified_gmt":"2024-03-05T22:03:17","slug":"data-protection","status":"publish","type":"post","link":"https:\/\/granary.wholegraindigital.com\/data-protection\/","title":{"rendered":"Data Protection"},"content":{"rendered":"

As part of your role with Wholegrain, you\u2019ll come into contact with a lot of important, sensitive and confidential information about our clients, suppliers, business contacts, employees, and anybody else with whom we have a working relationship. Whilst we all know the importance of keeping information that is explicitly stated as \u201cconfidential\u201d private, with other types of information it can be less obvious how we should treat it and what safeguards (if any) should be in place to manage it and keep it secure. The various data protection laws that exist in the UK provide that clarification and the contents of this policy come directly from those laws.<\/span><\/p>\n

It\u2019s essential that you treat any information pertaining to our clients, suppliers, business contacts, employees and anyone else with whom we have a working relationship with the utmost care and confidentiality. Furthermore, such information, as well as the \u201cpersonal data\u201d as referred to in the Data Protection Act 1998 and defined below, must be treated in accordance with the rules, requirements and boundaries stipulated within this policy. At the end of this policy is a list of roles and accountabilities that summarise our expectations of all stakeholders of this policy. Anybody found to have violated this policy could be liable for action, up to and including termination of their employment or the cessation of their contract for\/of services. It is that serious.<\/span><\/p>\n

This policy applies to all employees and contractors of Wholegrain. It does not form part of your contract of employment or contract for services and may be amended from time to time. It should be read in conjunction with our \u2018Confidentiality Policy\u2019 which references what Wholegrain classifies as confidential information and how it must be managed.<\/span><\/p>\n

Any, and all, personal data used in conjunction with this policy shall be collected, held, and processed in accordance with this \u2018Data Protection Policy.\u2019

This policy should be read in conjunction with the relevant appendices to it:<\/span><\/p>\n

Appendix 1 (Employee personal data);<\/span><\/p>\n

Appendix 2 (Contractor personal data)<\/span><\/p>\n

Definitions<\/b><\/h2>\n

There are a number of important definitions in data protection law that will be referred to in this policy.\u00a0 We\u2019ve included these here at the start so that you have the background info before we dive into the specifics of data protection:\u00a0<\/span><\/p>\n

\u201cconsent\u201d- this refers to the consent of the \u201cdata subject\u201d (see below for definition). Consent in the context of data protection must always be freely given (i.e. not connected with some other action, for example requested at the same time as, and as part and parcel of, signing a new employment contract, which might prevent the individual from withdrawing their consent to any provisions within the data protection policy); specific (so that people are clear on what they are consenting to); informed (so that folk know what their entitlement is in relation to their data and the ongoing processing of it); and unambiguous in its indication of the data subject\u2019s wishes, by which they signify their agreement (or not as the case may be) to the \u201cprocessing\u201d of \u201cpersonal data\u201d relating to them.<\/span><\/p>\n

\u201cdata controller\u201d- this refers to the person or organisation which, alone or jointly with others, determines the purposes and means of the \u201cprocessing\u201d of personal data.\u00a0 For the purpose of this policy, Wholegrain Digital is the \u201cdata controller\u201d of all \u201cpersonal data\u201d relating to employees, contractors, clients, suppliers, and business contacts used within our business for commercial purposes.<\/span><\/p>\n

\u201cdata processor\u201d- refers to the person or organisation who \u201cprocesses\u201d \u201cpersonal data\u201d on behalf of Wholegrain.\u00a0 Further details of the current data processors who work with Wholegrain are contained in the relevant appendices to this policy.<\/span><\/p>\n

\u201cData Protection Audits\u201d- means an audit to assess how an organisation handles \u201cpersonal data\u201d and whether it complies with the relevant data protection legislation. A data protection audit helps identify and address any risks or gaps in data protection practices.\u00a0<\/span><\/p>\n

\u201cData Protection Impact Assessment\u201d or \u201cDPIA\u201d- refers to a process undertaken to identify and minimise the data protection risks of a project, especially if the \u201cprocessing\u201d is likely to result in a high risk to individuals.\u00a0 A DPIA should be undertaken for any project which requires the processing of \u201cpersonal data.\u201d\u00a0<\/span><\/p>\n

\u201cdata subject\u201d- refers to a living, identified, or identifiable person about whom the company holds \u201cpersonal data.\u201d Within Wholegrain, our data subjects are our employees, contractors, suppliers, clients, and anyone else who we work in conjunction with, provide services to or obtain services from.\u00a0<\/span><\/p>\n

\u201cpersonal data\u201d- means any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that data subject. When people think of personal data they often think this is referring to an individual\u2019s name, phone number, address etc. However, personal data covers a range of identifiers including, but not limited to: email address; date of birth; race; gender; religion or belief; credit card numbers; data held by a hospital or doctor; a photograph where an individual is identifiable etc.<\/span><\/p>\n

\u201cpersonal data breach\u201d- refers to a breach of security leading to the accidental and\/or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise \u201cprocessed.\u201d<\/span><\/p>\n

\u201cprocessing;\u201d \u201cprocess;\u201d or \u201cprocessed\u201d- means any operation or set of operations performed on personal data or sets of personal data. This is whether or not that processing is by automated or manual means, and includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.\u00a0<\/span><\/p>\n

\u201cpseudonymisation\u201d- refers to the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. For pseudonymisation to exist, that additional information must be kept separately and must also be subject to technical and organisational measures to ensure that such personal data is not attributed to an identified or identifiable person.<\/span><\/p>\n

\u201cspecial category personal data\u201d- means personal data that reveals racial or ethnic origin, religion or belief, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric or genetic data.\u00a0 This information is considered particularly sensitive and as such has additional safeguards in place for it to be processed. <\/span><\/p>\n

Scope<\/b><\/h2>\n

Our policy applies to all team members whether you\u2019re working from home or our offices, as well as subcontractors, suppliers and anybody else that we collaborate with or who acts on our behalf and may require occasional access to the data that we hold, store and process.<\/span><\/p>\n

This policy relates to the personal data that the company holds, stores and processes relating to identifiable individuals or data subjects that have a connection to Wholegrain in one way or the other.\u00a0<\/span><\/p>\n

The Company\u2019s Data Protection Officer is Chris Lewis, Managing Director, who is responsible for administering this policy and for developing and implementing any applicable policies, procedures, and guidelines necessary to support the adherence to this policy by all employees, contractors and other parties working on behalf of Wholegrain.\u00a0 Where applicable, the Data Protection Officer will implement such practices, processes, controls, and training as are reasonably necessary to ensure compliance. <\/span><\/p>\n

Data Protection Principles<\/b><\/h2>\n

The purpose of the Data Protection Act 1998 (as amended) is to safeguard any information held by an organisation about an individual and that is classified as either personal or sensitive information or data. This is regardless of whether that data exists electronically, on paper, or on any other materials. The Act states that personal information must be collected and used fairly, stored safely, and not disclosed unlawfully, and is underpinned by the following principles, which specify that personal data must:<\/span><\/p>\n