Data Protection Policy
Scope: This policy applies to ALL community facilities operated by Baby Artiste Ltd
Effective Date: February 2022
Review Date: February 2025
Author: Shanara Mackay
Policy Owned by: Baby Artiste Ltd
National Standards/Regulation:
Legislation: Data Protection Act 1998, Data Protection Act 2018, General Data Protection Regulations (EU Regulation 2016/679)
POLICY AND SCOPE
This policy outlines how Baby Artiste Ltd will enforce Data Protection Act 1998 legislation and any others associated with data protection including the EU General Data Protection Regulations 2016. All sensitive personal information processed by DHI and its contractors will be handled in accordance with the relevant legal guidelines.
Baby Artiste Ltd staff are expected to comply with the data protection policy. Staff include employees, bank staff, volunteers, work experience staff and management.
DEFINITIONS
The meanings of key terms referred to in the policy are provided below:
Data protection term | Definition |
Confidentiality | Information should only be shared with authorised individuals. |
Data Breach | Where personal/sensitive or confidential data has potentially been viewed, stolen or used by an unauthorised individual. |
Processing of data | Actions involving data, inclusive of collection, retention, using, disclosure, disposal or storage of personal data. |
Integrity | Data should be regularly monitored for accuracy and should not be altered or tampered with. |
Data Inventory | A system for recording information. |
Sensitive data | Personal information relating to an individual i.e. race, ethnicity, sexuality, religious beliefs, political opinion, trade union activities, physical or mental health. GDPR also includes genetic and biometric data. Article 10 of the GDPR covers criminal data. |
Personal data | Information that directly or indirectly identifies an individual including NI number, NHS number, IP Address. |
Data Protection Officer | A member of staff given responsibility for ensuring that the Data Protection Act and relevant associated legislation are complied with. |
Fair Processing Notice | Individuals who have personal information collected from them are entitled to know what information is being collected, why and the reasons for storing it. |
Information Commissioner’s Office | The UK’s independent authority established to uphold information rights. |
POLICY STATEMENT
This policy outlines Baby Artiste Ltd’s compliance with Regulations and Data Protection principles to:
- Keep data subjects informed regarding how we will use their information in a way which is clear and transparent
- Conduct Privacy Impact Assessments throughout the process of collecting information
- Ensure that personal data is processed in the manner expected by the data subject
- Solely collect personal data for defined and legitimate purposes
- Allow data subjects access to personal information held about them and grant them the right to request amendments, removal or restriction
- Maintain records to ensure regulations are met and information held on file is accurate
- Only process data securely, thereby maintaining confidentiality and reducing the risk of it being tampered with
- Not store personal data for longer than is legitimately necessary (i.e. the purpose for which it was collected).
PRIVACY
Baby Artiste Ltd will protect the privacy of individuals whose information we process. Baby Artiste Ltd will plainly detail through Privacy Notices how it intends to use personal information. Where permission needs to be granted to process data, Baby Artiste Ltd will make note of it and give individuals the option to withdraw consent at any time.
PRIVACY IMPACT ASSESSMENTS
Baby Artiste Ltd will conduct Privacy Impact Assessments prior to implementing new processes or approving any amendments to the process of collecting personal information. Protecting the privacy of individuals will be placed at the forefront of these assessments. The Data Protection Officer will advise on Privacy Impact Assessments.
ROLES
DATA PROTECTION OFFICER
Baby Artiste Ltd processes significant amounts of personal information and also uses CCTV cameras to safeguard employees, members of the public and general assets.
In Baby Artiste Ltd the Data Protection Officer is ultimately responsible for:
- Informing the organisation of its legislative obligations in relation to data protection
- Cooperating with the Information Commissioner’s Office
- Monitoring compliance and facilitating training, awareness and regular audits
- Providing advice and assistance to members of staff on the Data Protection Act
- Liaising with data subjects wishing to exercise their rights
- Providing guidance on Privacy Impact Assessments.
STAFF
Baby Artiste Ltd staff members will:
- Complete mandatory training and any additional required training
- Lock away personal or sensitive information during breaks
- Not leave personal information unattended
- Ensure that personal information is stored appropriately and access controlled
- Maintain confidentiality of personal information by taking necessary precautions against potential breaches
- Work in private areas where data cannot be seen by unapproved parties when viewing sensitive material
- Ensure that personal information sent externally is secure
- Comply with Clear Desk/Screen Policies
- Dispose of information securely once the purpose of collection has been met.
ACCOUNTABILITY
The Data Protection Officer will be responsible for the Data Inventory and its maintenance.
DATA DISPOSAL
Where the purpose of the data has been met, staff will dispose of it in a secure manner.
INCIDENT/BREACH MANAGEMENT
Where a breach of the Data Protection Act and GDPR is suspected, it must be dealt with in compliance with the Information Security Incident Procedure.
The Data Protection Officer must be informed, and where there is significant risk to the privacy of the data subject(s), a notification must also be sent to the Information Commissioner’s Office and data subject within 72 hours of Baby Artiste Ltd becoming aware of the breach.
RIGHTS OF INDIVIDUALS
The Data Protection Act and GDPR grant individuals the following rights:
Right of Access by Data Subject | The right to receive a copy of personal information held by DHI. |
Right to be informed | The right to be made aware of how the data will be used at the time of collection. |
Right of correction | The right to correct inaccurate information. |
Right to disposal | The right to have personal information deleted if: permission is withdrawn (where permission was a legal requirement); processing is unlawful; some other legal compliance means that data has to be erased; the purpose for collection has been met; or the data subject asks that information be erased and there is no legitimate reason to keep it. |
Right to Object | Individuals can object to processing at any point. |
Right to Restriction | Right to have processing of personal data restricted under particular circumstances. |
Right to not be subject to automated processing and decision making | Right to not be subject to a decision via automated processing with no human influence (inclusive of profiling), where the decision would have a legal effect or similarly significant impact on the individual. |
All requests must be handed over as soon as is reasonably practicable to the Data Protection Officer, who will process them appropriately within one calendar month.
RESEARCH
Baby Artiste Ltd regularly conducts research to improve the services we offer to our customers. Personal data which is processed for research purposes will not be used in any decision making process relating directly to individual customers or processed in a manner which would have a substantially negative effect.
Baby Artiste Ltd is not obliged to grant subject access if the individual cannot be identified by the results of the research.
Baby Artiste Ltd staff using personal data in research will:
- Only use minimal information and anonymised data where possible
- Store the data securely
- Receive training on how personal data can be used in research
- Ensure that processing is compliant with data protection principles
- Where appropriate, inform data subjects about the purposes of data protection and seek consent
- Consult with the Data Protection Officer before processing personal data
- Ensure that personal data collected are necessary for the purpose(s) of the research.
DATA SHARING
Sharing personal data with third parties requires documentation which should include suitable clauses with regards to confidentiality and non-disclosure and reference to the Data Protection Act and the GDPR. Allowing third party access must also support the purpose for which personal data was initially provided in order for it to be lawful.
Management is responsible for approving all sharing agreements. Contracts must include standard data protection clauses.
BREACHES
Staff members who consider that data protection has been breached within Baby Artiste Ltd in respect of themselves or others must report the matter to the Data Protection Officer and their line manager.
Reports of a breach or suspected breach will be investigated thoroughly and appropriately acted on. A guilty outcome of an investigation may result in disciplinary action and/or criminal prosecution against individuals.
A decision must also be made as to whether or not to voluntarily notify the Information Commissioner’s Office of any breach of the Data Protection Act and the GDPR. This decision will be made by the Data Protection Officer and possibly the Director of Baby Artiste Ltd in more serious cases.
COMPLAINTS
An individual is entitled to contact the Data Protection Officer and Information Commissioner’s Office if they are unhappy with the processing of their personal information. Complaints to the Data Protection Officer will be considered under the Complaints Procedure.
The Data Protection Officer will deal with all complaints from the Information Commissioner’s Office, and he/she will provide full assistance with any investigation.
The results of any investigation will be assessed by Baby Artiste Ltd to better improve services.
QUERIES
Queries should be directed to frontline staff who are responsible for handling them.
POLICY REVIEW
This policy will be reviewed at least every 3 years; however, it will be continuously monitored for effectiveness and the application of best practice.
(version: 1.0)