Data Protection Policy


The Real Good Company Ltd


This policy applies to the UK office of The Real Good Company Ltd and its subsidiaries and regions, and to all employees, customers and sessional workers operating on behalf of The Real Good Company Ltd.


Website Cookie Policy

Cookies used on the websites will not contain personally identifiable information; however, cookies are used on our website in order to process your online orders. You can choose, below, not to allow cookies. If you do, you will not be able to order from us online. The majority of browsers accept cookies automatically, but you can change the settings of your browser to erase cookies or prevent automatic acceptance if you prefer. Three main types of cookie are used: order processing cookies, personalisation cookies and analytics cookies. The full website cookie policy can be viewed on our website at www.therealgoodcompany.co.uk.

Customer Data Protection

The Real Good Company is committed to protecting your privacy. We will only use the information that we collect about you lawfully (in accordance with the Data Protection Act 1998). We collect information about you for direct email marketing and to process your order. The types of information we will collect about you include:
Your name, address, phone number, email address (if applicable) and marketplace user name (if applicable).
We never collect or store sensitive information. You can check the information that we hold about you by emailing us; if you find any inaccuracies, we will delete or correct it promptly. The personal information which we hold will be held securely in accordance with our internal security policy and the law.

Personal Data

The Real Good Company is committed to complying with both the law and good practice in data protection. Support is provided for staff who handle personal data, so that they can act confidently and consistently. The Real Good Company is registered with the ICO (Information Commissioner's Office).

The Real Good Company recognises that its first priority under the Data Protection Act is to avoid causing harm to individuals.  In the main this means: keeping information securely in the right hands, and holding good quality information. Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account.  In addition to being open and transparent, The Real Good Company will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.


Key risks

Information about individuals getting into the wrong hands, through poor security or inappropriate disclosure of information.

Individuals being harmed through data being inaccurate or insufficient.

The Real Good Company has identified the following potential key risks, which this policy is designed to address:

Breach of confidentiality (information being given out inappropriately) — especially at branch level.

Insufficient clarity about the range of uses to which data will be put — leading to Data Subjects being insufficiently informed.

Failure to establish efficient systems for managing changes to branch volunteers, leading to personal data not being up to date.

Harm to individuals if personal data is not up to date.


Confidentiality

The Real Good Company has a privacy statement for Data Subjects, setting out how their information will be used. This will be available on request, and a version of this statement will also be used on the [Organisation name] web site. (See Appendix A.)

Communication with staff

It is worth describing how staff will be informed and trained in their responsibilities, and also what the procedure is if they have any questions about whether information should be disclosed, or access allowed.

For the first (such as a financial reference request from a bank), consent from the Data Subject is likely to be the normal authorisation.  This consent should be recorded.  For the second, it may be appropriate for the Data Subject not even to be informed; authorisation should be made at a senior level within your organisation.

Where anyone within The Real Good Company feels that it would be appropriate to disclose information in a way contrary to the confidentiality policy, or where an official disclosure request is received, this will only be done with the authorisation of the Data Protection Officer.  All such disclosures will be documented.


Security

The Real Good Company has identified the following risks:

Information passing between the UK office and branches or mailing houses could go astray or be misdirected.

Staff or volunteers with access to personal information could misuse it.

Poor web site security might give a means of access to information about individuals once individual details are made accessible online.

Staff may be tricked into giving away information, either about supporters or colleagues, especially over the phone, through “social engineering”.

Setting security levels

The greater the consequences of a breach of confidentiality, the tighter the security should be. It may be worth defining broad security levels. Access to information on the main computer system will be controlled by function.

Security measures

For each confidentiality level it may be worth setting out the broad security measures to be followed, such as password protection, clear desk policy and entry control.

Business continuity

This would include backup procedures (both for data and for key staff availability) and emergency planning.


Data Storage

The Real Good Company is moving towards a single database holding basic information about all supporters and volunteers. For the time being, however, branches will continue to hold separate registers of their members, and sessional workers may also keep separate information about those they are supporting. Data on any individual will be held in as few places as necessary, and all staff and volunteers will be discouraged from establishing unnecessary additional data sets. Effective procedures will be in place so that all relevant systems are updated when information about any individual changes. The procedure for archiving or destroying data could be mentioned, along with any special considerations. Archived paper records of members are stored securely off site.

The Real Good Company will establish retention periods for at least the following categories of data:

Customers

Employees

Responsibility

Any subject access requests will be handled by the Data Protection Officer, William Chisholm, within 40 days. Subject access requests must be in writing. It may be worth providing a standard request form (although its use cannot be made mandatory). There should be a clear responsibility on all staff to pass on anything which might be a subject access request to the appropriate person without delay. It is probably not useful to go into detail on the subject access procedure in the policy. Requests are infrequent and can be complex. They may require taking legal advice. All staff and volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer without delay. All those making a subject access request will be asked to identify any branches or sessional workers who may also hold information about them, so that this data can be retrieved.

Provision for verifying identity

Where the person managing the access procedure does not know the individual personally, there should be provision for checking their identity before handing over any information.

Where the individual making a subject access request is not personally known to the Data Protection Officer their identity will be verified before handing over any information.

Charging

The organisation must spell out whether it charges for subject access (or access by some types of Data Subject). (The maximum fee which may be charged is £10.) If there is a charge, there must be a procedure for telling the Data Subject this when they make an access request.

Procedure for granting access

The normal provision is for the required information to be provided “in permanent form”. If the organisation is willing to allow supervised access in person, this could be stated.


Transparency

The Real Good Company is committed to ensuring that in principle Data Subjects are aware that their data is being processed and for what purpose it is being processed; what types of disclosure are likely; and how to exercise their rights in relation to the data. Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.

Procedure

If there are standard ways for each type of Data Subject to be informed, these could be given, for example:

in the handbook for staff;

in the welcome letter or pack for members, with occasional reminders in the newsletter;

during the initial interview with clients;

on the web site.

Data Subjects will generally be informed in the following ways:

Staff: in the staff handbook.


Consent

The Real Good Company recognises that, where data is being processed without consent, it is still very important to ensure that the Data Subject knows what is being done. Consent will normally not be sought for most processing of information about staff and sessional workers, with the following exceptions:

Staff details will only be disclosed for purposes unrelated to their work for [Organisation name] (e.g. financial references) with their consent.

Information about customers will only be made public with their consent. (This includes photographs.)

Opting out

Even where the organisation is not relying on consent, it may wish to give people the opportunity to opt out of their data being used in particular ways (in addition to the right to opt out of direct marketing — see below).

Withdrawing consent

The organisation may wish to acknowledge that, once given, consent can be withdrawn, but not retrospectively. There may be occasions where the organisation has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.


Staff training & acceptance of responsibilities

The Real Good Company will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions. All staff who have access to any kind of personal data should have their responsibilities outlined during their induction procedures.