The Red Kite Baby Co Ltd – Data Protection Policy

 

 

Policy Information

Organisation

 

The Red Kite Baby Co Ltd

35 Lavenham Road

Beeches Industrial Estate

Yate

Bristol

BS37 5QX

 

Data Protection Officer – Nicholas Tucker

 

Data Controller – Debra Tucker

 

Scope of policy

 

The Data Protection Policy of The Red Kite Baby Co Ltd covers all personal data processed at the above address,

 

along with the following additional locations:

 

31 Lavenham Road

33 Lavenham Road

34 Lavenham Road

 

 

Policy operational date

 

23rd May 2018 (23/05/18)

 

Policy prepared by

Nicholas Tucker – DPO

Date approved by Board/ Management Committee

22nd May 2018 (22/05/18)

Policy review date

23rd May 2021 (23/05/21)

 

Introduction

Purpose of Policy

·         compliance with the law (the General Data Protection Regulation (EU) 2016/679, the GDPR)

·         following good practice

·         protecting clients, staff, customers and other individuals

·         protecting the company

 

Types of Data

The Red Kite Baby Co Ltd will only collect personal data where it is essential to the purpose for which it is collected.

 

The Red Kite Baby Co Ltd does not (and will not) require any form of special category data (as defined in Article 9 of the GDPR: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data, and data concerning health, sex life or sexual orientation) from suppliers, clients, customers, staff or anybody else. If, contrary to this policy, a request is made for special category data, refuse the request and contact the DPO named above.

Policy Statement

The Red Kite Baby Co Ltd have the following Data Policy in place, in order to: –

 

·         comply with both the law and good practice

·         respect individuals’ rights

·         be open and honest with individuals whose data is held

·         provide training and support for staff who handle personal data, so that they can act confidently and consistently

·         notify the Information Commissioner voluntarily, even where this is not required

 

To prepare for potential data breaches, whether internal or external in origin, The Red Kite Baby Co Ltd has a responsibility to:

 

·         Know how to identify a potential data breach

·         Understand that a data breach is not limited to loss or theft of personal data

·         Follow a prepared action plan for addressing any personal data breaches that may occur

·         Allocate responsibility for managing breaches to a dedicated person or team

·         Ensure our staff know how to escalate a security incident to the appropriate person or team within The Red Kite Baby Co Ltd

 

In the event of a personal data breach, The Red Kite Baby Co Ltd will:

 

·         Notify affected individuals without undue delay, following our internal process, where the breach is likely to result in a high risk to their rights and freedoms

·         Notify the ICO within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms

·         Document all breaches, including those that do not need to be reported

·         Follow internal procedures to assess the level of risk a breach presents

·         Notify the relevant supervisory authority of our processing activity

 

 

 

The Red Kite Baby Co Ltd data policy upholds the following rights of individuals:

 

·         The right to be informed

·         The right of access

·         The right to rectification

·         The right to erasure

·         The right to restrict processing

·         The right to data portability

·         The right to object

 

Please note that The Red Kite Baby Co Ltd does not, and will not, carry out any automated decision making and profiling.

 

 

Key Risks

Should any breach result in personal data being disclosed, The Red Kite Baby Co Ltd will follow the steps set out above.

 

Potential risks include the sharing of retained personal data with the public sector.

 

The Red Kite Baby Co Ltd does not hold any bank details, which removes the risk of a breach involving that data.

 

 

Responsibilities

The Board / Company Directors

Have overall responsibility for ensuring that The Red Kite Baby Co Ltd complies with its legal obligations.

Data Protection Officer

 

Their responsibilities include: –

 

·         Briefing the Board on Data Protection responsibilities

·         Reviewing Data Protection and related policies

·         Advising other staff on Data Protection issues

·         Ensuring that Data Protection induction and training takes place

·         Notification to the ICO

·         Handling subject access requests

·         Approving unusual or controversial disclosures of personal data

·         Approving contracts with Data Processors

 

Specific Department Heads

None assigned

Employees & Volunteers

All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.  (From now on, where ‘employees’ is used, this includes both paid employees and volunteers.)

 

Enforcement

A data breach caused by the deliberate action of an employee will result in disciplinary action against all employees involved.

 

Security

Scope

Following internal audits, The Red Kite Baby Co Ltd have implemented a revised security plan regarding the storage and use of data.

 

This includes, but is not limited to:

 

Secure locked areas

Secure locked cabinets

Shredding of paper records before disposal

 

Setting Security Levels

The Red Kite Baby Co Ltd have established varied levels of security, along with added procedures, for more sensitive data.

Security Measures

On-site measures include, but are not limited to:

 

·       Secure locked area for archiving

·       Password-protected database

·       Password-protected computers

·       Keypad entry system

·       Secure locked filing system

·       Clear desk policy

·       CCTV

·       Malware and virus detection software

 

Business Continuity

The server is backed up every 12 hours.

Specific Risks

The Red Kite Baby Co Ltd applies additional security measures to off-site working. Each off-site access requires additional login details, issued after an IP address check carried out by an external IT company.

 

No data is to be taken outside of the office in paper format.

 

 

Data recording and storage

Accuracy

The Red Kite Baby Co Ltd will not accept personal data from any third-party source.

 

For accuracy, no sensitive data will be read back verbally.

 

Updating

Personal data will not be retained for longer than 72 hours unless a longer period is required. Where a longer period is required, the individual will be informed and their consent requested.

 

When the retention period expires, the data will be destroyed in accordance with our disposal procedures.

Storage

All physical records will be stored in a locked and secure area. This area will not be accessible to visitors or to unsupervised contractors.

Retention periods

·       Personal details (name, address, telephone numbers) – 3 days

·       Invoice details – 7 years

·       Email details – 2 years

·       Bank details – not kept

 

All data will be kept for the above time unless instructed otherwise.

Archiving

Invoice archiving – 7 years

 

 

Right of Access

Responsibility

All right of access requests will be handled by the DPO or the Data Controller within The Red Kite Baby Co Ltd, and will be answered within the one-month time limit set by the GDPR.

Procedure for making request

Right of access requests must be in writing.

 

Please send all requests to enquiries@redkitebaby.com or in writing to the above address.

 

Provision for verifying identity

Additional information may be requested to verify the identity of the person making the request. This information will not be retained for longer than 72 hours.

Charging

Requests made by the data subject are free of charge.

 

Requests from third parties will be refused.

 

Where requests are manifestly excessive, for example repeated requests within a short period, a reasonable administration fee may be charged.

Procedure for granting access

If the request is made electronically, the reply will provide the information in a commonly used electronic format.

 

 

Transparency

Commitment

The Red Kite Baby Co Ltd is committed to ensuring that Data Subjects are aware that their data is being processed, and are told:

·         the purpose for which it is processed

·         what disclosures may be made, and to whom

·         how to exercise their rights in relation to the data

 

Procedure

Standard ways for each type of Data Subject to be informed:

·         the handbook for employees

·         in the welcome letter or pack for members, with occasional reminders in the newsletter

·         during the initial interview with clients

·         on the website

 

Responsibility

Responsibility for data transparency will be with the DPO and DC

 

 

 

Lawful Basis

Underlying principles

Data collection is necessary for The Red Kite Baby Co Ltd to operate.

 

We have checked that the processing is necessary for the relevant purpose and are satisfied that there is no other reasonable way to achieve that purpose.

 

We have documented our decision on which lawful basis applies, to help us demonstrate compliance.

 

Opting out

If you do not wish your data to be collected, processed or retained, please opt out at the relevant stage.

 

Please note that failure to provide some essential data may mean that we are unable to supply goods or services.

Withdrawing consent

The Red Kite Baby Co Ltd acknowledges that consent, once given, can be withdrawn at any time, but withdrawal does not affect processing already carried out. There may be occasions where data must be retained for a certain period even though consent for using it has been withdrawn, for example invoice records, which are retained for 7 years.

 

 

 

 

 

Employee training & Acceptance of responsibilities

Induction

All employees who have access to any kind of personal data will have their responsibilities outlined during their induction.

 

Continuing training

Data Protection issues will also be raised, where the opportunity arises, during employee training, team meetings, supervisions, etc.

 

Procedure for staff signifying acceptance of policy

·       Individual and team meetings

·       Data Protection Policy review

·       Additional training

·       Refresher training every six months

 

 

Policy review

Responsibility

The Data Protection Officer

 

Procedure

The DPO and the Data Controller will meet to discuss any additional or revised procedures that are required.

Timing

The review will take place six months before the policy review date.