Data Protection Policy
Policy became operational on: 07/05/2018
Next review date: 07/05/2019
Foundations4growth Ltd (F4G) needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the GDPR.
Why this policy exists
This data protection policy ensures F4G Ltd:
Data protection law
F4G Ltd is committed to a policy of protecting the rights and privacy of individuals, including staff, associates, clients and customers, in accordance with the General Data Protection Regulation (GDPR) May 2018. These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
F4G Ltd understand that the Data Protection Act is underpinned by eight important principles. These say that personal data must:-
Under the GDPR individuals have:
General Data Protection
This piece of legislation comes into force on the 25th May 2018. The GDPR regulates the processing of personal data, and protects the rights and privacy of all living individuals, for example by giving all individuals who are the subject of personal data a general right of access to the personal data which relates to them.
Individuals can exercise the right to gain access to their information by means of a ‘subject access request’. Personal data is information relating to an individual and may be in hard or soft copy (paper/manual files; electronic records; photographs), and may include facts or opinions about a person.
For more detailed information on these Regulations see the Data Protection Data Sharing Code of Practice (DPCoP) from the Information Commissioner’s Office (ICO).
People, risks and responsibilities
This policy applies to:-
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act. This can include:-
Below is a list of personal data that we believe will be affected at F4G Ltd:-
Data protection risks
This policy helps to protect F4G Ltd from data security risks, including:-
Everyone who works for or with F4G Ltd has some responsibility for ensuring data is collected, stored and handled appropriately.
Everyone that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, there are key areas of responsibility:
Re IT, the Directors are also responsible for:-
The Directors are also responsible for:-
These rules describe how and where data should be safely stored.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. F4G Ltd keep hard copies of personal data in a filing cabinet which is kept locked. This can only be accessed by the Directors.
The following also applies to data that is usually stored electronically but has been printed out for some reason:-
Because we would not be the main controller of our clients’ data, they would have the sole responsibility for the personal data on their customers. Whilst we would follow the data protection procedures written in this policy, e.g. storing data safely and not passing on data to other people, ultimately we will follow the data policy guidelines which the client stipulates.
The law requires F4G Ltd to take reasonable steps to ensure data is kept accurate and up to date.
Subject access requests
All individuals who are the subject of personal data held by F4G Ltd are entitled to:-
If an individual contacts the company requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email, addressed to Jan McLean-Smith at email@example.com. Jan will aim to provide the relevant data within 14 days.
If they want the information to be deleted, F4G Ltd will:-
The data controller will always verify the identity of anyone making a subject access request before handing over any information. This will be done by:
The process that F4G Ltd will carry out to ensure we are complying with subject access requests is:-
Safeguarding personal data
F4G Ltd will ensure the safeguarding of personal data held by the company by:-
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, F4G Ltd will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the company’s legal advisers where necessary.
Under the Regulation of Investigatory Powers Act 2000, Lawful Business Practice Regulations, any email sent to or from F4G Ltd may be accessed by someone other than the recipient for system management and security purposes.
Process for review
This policy will be updated as necessary to reflect best practice or future amendments made to the General Data Protection Regulation (GDPR) May 2018 and Data Protection Act 1998.
A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. The term comprises not only individuals but also organisations such as companies and other corporate bodies of persons.
Any person who processes the data on behalf of the data controller.
Any living individual who is the subject of personal data.
Information which relates to a living individual who can be identified from that data, from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Any operation or set of operations performed upon personal data, whether or not by automatic means. These include collecting, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Sensitive personal data
Personal data which consists of data related to the data subject’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, the commission of offences or criminal proceedings.
What data held?
Who has access?
Rates & payments