{"id":10065,"date":"2018-01-30T18:44:16","date_gmt":"2018-01-30T18:44:16","guid":{"rendered":"https:\/\/www.wholegraindigital.com\/?post_type=the-granary&p=10065"},"modified":"2024-03-05T22:03:17","modified_gmt":"2024-03-05T22:03:17","slug":"data-protection","status":"publish","type":"post","link":"https:\/\/granary.wholegraindigital.com\/data-protection\/","title":{"rendered":"Data Protection"},"content":{"rendered":"
As part of your role with Wholegrain, you’ll come into contact with a lot of important, sensitive and confidential information about our clients, suppliers, business contacts, employees, and anybody else with whom we have a working relationship. Whilst we all know the importance of keeping information that is explicitly stated as “confidential” private, with other types of information it can be less obvious how we should treat that information and what safeguards (if any) should be in place to manage it and keep it secure. The various data protection laws that exist in the UK provide that clarification, and the contents of this policy come directly from those laws.

It’s essential that you treat any information pertaining to our clients, suppliers, business contacts, employees and anyone else with whom we have a working relationship with the utmost care and confidentiality. Furthermore, such information, as well as the “personal data” referred to in the Data Protection Act 1998 and defined below, must be treated in accordance with the rules, requirements and boundaries stipulated within this policy. At the end of this policy is a list of roles and accountabilities that summarises our expectations of all stakeholders of this policy. Anybody found to have violated this policy could be liable for action, up to and including termination of their employment or the cessation of their contract for services. It is that serious.

This policy applies to all employees and contractors of Wholegrain. It does not form part of your contract of employment or contract for services and may be amended from time to time. It should be read in conjunction with our ‘Confidentiality Policy’, which sets out what Wholegrain classifies as confidential information and how it must be managed.

Any, and all, personal data used in conjunction with this policy shall be collected, held, and processed in accordance with this ‘Data Protection Policy’. This policy should be read in conjunction with the relevant appendices to it:

Appendix 1 (Employee personal data)
Appendix 2 (Contractor personal data)

Definitions

There are a number of important definitions in data protection law that will be referred to in this policy. We’ve included these here at the start so that you have the background information before we dive into the specifics of data protection:

“consent” - this refers to the consent of the “data subject” (see below for definition). Consent in the context of data protection must always be: freely given (i.e. not tied to some other action; for example, requested at the same time as, and as part and parcel of, signing a new employment contract, which might prevent the individual from withdrawing their consent to any provisions within the data protection policy); specific (so that people are clear on what they are consenting to); informed (so that people know what their entitlements are in relation to their data and the ongoing processing of it); and unambiguous in its indication of the data subject’s wishes, by which they signify their agreement (or not, as the case may be) to the “processing” of “personal data” relating to them.

“data controller” - this refers to the person or organisation which, alone or jointly with others, determines the purposes and means of the “processing” of personal data. For the purpose of this policy, Wholegrain Digital is the “data controller” of all “personal data” relating to employees, contractors, clients, suppliers, and business contacts used within our business for commercial purposes.

“data processor” - refers to the person or organisation who “processes” “personal data” on behalf of Wholegrain. Further details of the current data processors who work with Wholegrain are contained in the relevant appendices to this policy.

“Data Protection Audit” - means an audit to assess how an organisation handles “personal data” and whether it complies with the relevant data protection legislation. A data protection audit helps identify and address any risks or gaps in data protection practices.

“Data Protection Impact Assessment” or “DPIA” - refers to a process undertaken to identify and minimise the data protection risks of a project, especially if the “processing” is likely to result in a high risk to individuals. A DPIA should be undertaken for any project which requires the processing of “personal data”.

“data subject” - refers to a living, identified, or identifiable person about whom the company holds “personal data”. Within Wholegrain, our data subjects are our employees, contractors, suppliers, clients, and anyone else who we work in conjunction with, provide services to or obtain services from.

“personal data” - means any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that data subject. When people think of personal data they often think this refers only to an individual’s name, phone number, address etc. However, personal data covers a range of identifiers including, but not limited to: email address; date of birth; race; gender; religion or belief; credit card numbers; data held by a hospital or doctor; a photograph in which an individual is identifiable; etc.

“personal data breach” - refers to a breach of security leading to the accidental and/or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise “processed”.

“processing”, “process” or “processed” - means any operation or set of operations performed on personal data or sets of personal data, whether by automated or manual means, and includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.

“pseudonymisation” - refers to the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. For pseudonymisation to exist, that additional information must be kept separately and must itself be subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable person.

“special category personal data” - means personal data that reveals racial or ethnic origin, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric or genetic data. This information is considered particularly sensitive and as such has additional safeguards in place for it to be processed.

Scope

Our policy applies to all team members, whether you’re working from home or our offices, as well as subcontractors, suppliers and anybody else that we collaborate with or who acts on our behalf and may require occasional access to the data that we hold, store and process.

This policy relates to the personal data that the company holds, stores and processes relating to identifiable individuals or data subjects that have a connection to Wholegrain in one way or another.

The Company’s Data Protection Officer is Chris Lewis, Managing Director, who is responsible for administering this policy and for developing and implementing any applicable policies, procedures, and guidelines necessary to support adherence to this policy by all employees, contractors and other parties working on behalf of Wholegrain. Where applicable, the Data Protection Officer will implement such practices, processes, controls, and training as are reasonably necessary to ensure compliance.

Data Protection Principles

The purpose of the Data Protection Act 1998 (as amended) is to safeguard any information held by an organisation about an individual that is classified as either personal or sensitive information or data. This is regardless of whether that data exists electronically, on paper, or on any other materials. The Act states that personal information must be collected and used fairly, stored safely, and not disclosed unlawfully, and is underpinned by the following principles that specify that personal data must:

The Rights of Data Subjects

Data subjects have the following key rights with respect to their personal data:

Lawful, fair, and transparent processing of data

Data protection laws seek to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. For the processing of personal data to be lawful, at least one of the following needs to apply:

Processing of “Special Category Personal Data”

If the personal data in question is special category personal data, then at least one of the following conditions must be met:

Explicit Consent

If consent is relied upon as the lawful basis for collecting, holding and/or processing personal data, then the following must apply:

Accuracy of data and keeping data up to date

Wholegrain will ensure that all personal data collected, processed, and held by us is kept accurate and up to date. This includes, but is not limited to, the rectification of personal data at the request of a data subject.

The accuracy of personal data will be checked when it is collected and at regular intervals thereafter. If any data is found to be inaccurate or out of date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

Data retention

Personal data will not be kept for any longer than is necessary in the context of the purpose(s) for which that personal data was originally collected, held, and processed. When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay. Please refer to the company’s ‘Data Retention Policy’ for further information.

Secure Processing

The company will ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. To achieve this, all technical and organisational measures that are taken to protect personal data will be regularly reviewed and evaluated to ensure their ongoing effectiveness and the continued security of personal data.

Data security will be maintained at all times by protecting the confidentiality, integrity, and availability of all personal data as follows:

Accountability and record-keeping

The company will follow a privacy-by-design approach (i.e. the incorporation of data privacy protections into the design of information systems, products, and services) at all times when collecting, holding, and processing personal data. Data Protection Impact Assessments (DPIAs) will be conducted if any processing presents a significant risk to the rights and freedoms of data subjects; for any and all new projects; and for new uses of personal data which involve the use of new technologies and where the processing involved is likely to result in a high risk to the rights and freedoms of data subjects. DPIAs will be overseen by the Data Protection Officer and will address:

In addition, data protection compliance will be regularly reviewed and evaluated by means of Data Protection Audits, which will include:

Keeping data subjects informed

Where personal data is collected directly from data subjects, those data subjects must be informed of its purpose at the time of collection.

The company will provide the following information to every data subject at the point of collection:

In the event that personal data is obtained from a third party, those data subjects must be informed of its purpose at the time of collection and that it is to be transferred to another party. This must occur before that transfer is made or as soon as possible afterwards. In any event, the notification cannot occur more than one month after the personal data is obtained.

Data Subject Access

Data subjects may make a subject access request (a.k.a. “SAR”) at any time to find out more about the personal data which the company holds about them, what it is doing with that personal data and why. A SAR should be submitted to the Data Protection Officer, who will normally respond within one month of receipt. If additional time is required in order to respond to the request, the data subject will be advised accordingly.

The company does not charge a fee for handling normal SARs; however, it may impose a fee for additional copies of information and for requests that are manifestly unfounded or excessive, particularly where requests are repetitive.

Rectification and erasure of personal data

Data subjects have the right to require the company to rectify any of their personal data that is inaccurate or incomplete. The company will rectify the personal data in question within one month of being informed of the issue. If additional time is required, the data subject will be advised accordingly.

With respect to the erasure of personal data, data subjects have the right to request that the company erases their personal data in the following circumstances:

Unless the company has reasonable grounds to refuse to erase personal data, all requests for erasure will be complied with within one month of receipt of the data subject’s request. If additional time is required, the data subject will be advised accordingly.

Restriction of personal data processing

Data subjects may request that the company ceases processing the personal data it holds about them. If a data subject makes such a request, the company will retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further. In the event that any affected personal data has been disclosed to third parties, those parties will be informed of the applicable restrictions on processing it, unless it is impossible or would require disproportionate effort to do so.

Objections to personal data processing

Data subjects can object to the company processing their personal data based on legitimate interests for direct marketing (including profiling). In such an event, the company will cease processing the data subject’s personal data immediately, unless it can demonstrate that the company’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.

In the case of direct marketing, where a data subject objects to the company processing their personal data for direct marketing purposes, the company will cease such processing promptly.

Complaints about personal data processing