Privacy and cookie policy
1. This policy relates to all our processing of personal data. All staff involved in this activity must follow this policy’s procedures.
2. As part of our General Data Protection Regulation (GDPR) obligations - to minimise the risk of breaches and uphold the protection of personal data - we promote privacy and data protection compliance from the early stages of all projects, and then throughout their life-cycles.
3. The Data Protection Officer, Paul Heigham, operations management and upper management are responsible for ensuring that appropriate Privacy Notices exist and are appropriately published, so that all data subjects can be aware of these notices and their contents before data is collected. All content will be in plain language. Where services are offered directly to a child, we will ensure that our privacy notice is written in a clear, plain way that a child will understand.
4. The controller - the person who decides how and why personal data is processed - ensures that appropriate technical and operational measures are in place so that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. Through these measures, the controller ensures that, by default, personal data are not made widely accessible without permission.
5. Before any personal data are processed, the specific purpose for this processing will be defined and the legal basis for the processing will be recorded, which will be one of the following:
- The data subject’s consent
- Contract activity where the data subject is a party
- Our legal obligations
- Protecting the rights, freedoms and interests of the data subject
- Our authority to carry out the processing that is in the public interest
- Any legitimate interests of the data controller or third party
- Obligations under UK law
6. With regard to special categories of personal data processed, the following may be taken into account:
- Explicit consent obtained from the data subject
- Data necessary for employment rights or obligations
- Protecting the rights, freedoms and interests of the data subject
- Data necessary for legitimate activities with appropriate safeguards
- Personal data made public by the data subject
- Legal claims
- Substantial public interest
- Preventative or occupational medicine, such as for the assessment of working capacity, medical diagnosis, health or social care treatment, or management of health and social care systems and services - where appropriate contracts with health professionals and safeguards are in place
- Public health, to ensure safeguards are in place for the protection of rights and freedoms of the data subject, or professional secrecy
- UK laws relating to genetic, biometric or health data
7. Privacy notices are designed to ensure data are processed fairly and lawfully, and are used to emphasise our commitment to transparency over how we use personal data.
8. In our Privacy Notices the controller, ops manager or upper management ensures that, so far as practicable, the following information is made available to the data subjects where data has been acquired directly from them:
- Identity and contact details of the controller and the data protection officer, a senior member of staff within Bellingham IT
- Purpose of the processing and the legal basis for the processing
- The legitimate interests of the controller or third party, where applicable
- Categories of personal data
- Any recipient or categories of recipients of the personal data
- Details of transfers to third countries and the safeguards in place
- Retention period or criteria used to determine the retention period
- The existence of each of the data subject’s rights
- The right to withdraw consent at any time, where relevant
- The right to lodge a complaint with a supervisory authority
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and possible consequences of failing to provide the personal data
- The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences
This information is provided at the time the data are obtained. The right to object is made clear “at the point of first communication”.
In addition, when the data are not acquired directly from the subject, the following information must be included:
- Categories of personal data, such as name(s), address(es) and bank account details for paying staff members
- Telephone numbers and emergency contact names and numbers
- The source from where the personal data originates, and whether it came from publicly accessible sources
- Information on website technologies used to collect personal data
In this case, the information is provided within a reasonable period of having obtained the data (within one month). If the data are used to communicate with the individual, the information is provided at the latest when the first communication takes place; if disclosure to another recipient is envisaged, it is provided at the latest before the data are disclosed.
9. The provisions of paragraph 8 do not apply where:
- The data subject already has the information
- The provision of the above information proves impossible or would involve an excessive effort
- Obtaining or disclosing the personal data is expressly identified by UK law
- The personal data must remain confidential subject to an obligation of professional secrecy regulated by UK law, including a statutory obligation of secrecy