Data Protection Policy
Introduction
The General Data Protection Regulation (GDPR) 2016 (Article 5) says that personal data shall be:
processed lawfully, fairly and in a transparent manner in relation to individuals;
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5 also requires that:
the controller shall be responsible for, and be able to demonstrate, compliance with the principles.
In order to operate efficiently, we collect, store, disclose and process information about the projects we work on for clients. The nature of this work includes collecting personal information from the general public in the form of name, age, address, postcode, email addresses and contact numbers.
This policy has been written to ensure that not only the letter, but also the spirit of the law is embedded within Creatrix PR and adhered to at all times. It also demonstrates to others (clients, suppliers, consultants) that we are committed to ensuring that personal information is handled appropriately and lawfully and that the rights and freedoms of individuals are safeguarded.
Associated Documents/Legal Requirements
General Data Protection Regulation (GDPR) 2016
Data Protection Act 2018
Confidentiality Policy
Code of Conduct
IT Computer Security Policy
Who does the Policy Apply to?
This Policy and associated procedures apply to employees, clients, suppliers and consultants of Creatrix PR. All those involved in work within the company are required to familiarise themselves and comply with this Policy and its associated procedures, including any future updates that may be issued from time to time.
A breach of the law may damage the reputation or standing of Creatrix PR and may result in a fine from the Information Commissioner’s Office (ICO) or legal action.
What is Creatrix PR Policy?
We consider that the correct treatment of personal information is integral to our successful operations and to maintaining the trust of the people we deal with.
We will ensure that we:
Comply fully with the law and the Information Commissioner’s good practice guidance;
Co-operate fully with the Information Commissioner’s Office and other law enforcement offices;
Put in place processes and procedures to ensure we handle personal and sensitive data in compliance with the requirements of the law;
Have processes and procedures in place to ensure we comply with the law’s fair processing requirements;
Respect the rights of individuals;
Be open and honest with individuals whose personal information we hold;
Ensure queries about handling personal information are properly, promptly and courteously dealt with;
Ensure methods of handling personal information are regularly assessed and evaluated;
Put in place appropriate security measures to maintain and protect the type of personal information we hold, from the point of collection to the point of destruction, including measures against unlawful or unauthorised processing of personal information and against accidental loss of or damage to personal information;
Enforce this Policy and supporting procedures consistently throughout Creatrix PR;
Implement a communication and training programme to ensure that all employees are aware of the principles of the Act and compliance with the Act is embedded into the culture of the organisation.
Who is responsible for implementing the Policy?
The appointed Data Protection Manager, nominated by the Directors of the company, is responsible for formally approving this Policy and any amendments made from time to time.
The Directors of Creatrix PR will ensure that their behaviours and actions demonstrate the importance of complying with the law. They will also ensure the apportionment of key responsibilities under this Policy so that there is clear responsibility and accountability for ensuring that the business is monitored and controlled properly.
Creatrix PR and those employees with delegated responsibility for team leadership and supervision are responsible for the day-to-day implementation of this Policy amongst the teams that they directly manage. Managers will ensure that the accompanying procedure documents are complied with at all times.
Creatrix PR employees are each individually responsible at all times for ensuring that they comply with this Policy and all associated operational procedure documents for handling personal information. All staff members should ensure that they read, understand and act within the rules set out in this Policy so that good data protection practices are established and followed. All staff will be provided with education and training appropriate to their roles and will be expected to comply with the Act and adhere to the processes and procedures in place.
How do I implement this Policy and where can I find further advice and guidance?
Please contact the Data Protection Manager or the Directors of Creatrix PR should you wish to discuss any matters relating to this Policy or its application.
Right to be Informed.
Under the GDPR 2016 individuals are provided with a number of rights. The first of these is the Right to be Informed.
Creatrix PR is required by law to provide the following information to individuals when collecting their personal data during project/contract work:
our purpose for processing their personal data
our retention periods for that personal data
who it will be shared with
This privacy information/statement will be concise, transparent, intelligible, easily accessible, and it will use clear and plain language. It will be included on all feedback forms and/or online/digital feedback platforms produced and used in the course of a project.
Right to Access, Rectification and Erasure.
Right to Access
The GDPR 2016 gives individuals the Right to Access to their personal information. An individual can submit a Subject Access Request (SAR) requiring Creatrix PR to tell them about the personal information we hold about them, and to provide them with a copy of that information.
All SARs made to Creatrix PR (written and verbal) will be logged within the company’s ‘GDPR Compliance’ document and will be responded to without undue delay and at the very latest within one month of receipt, as required by the law. Creatrix PR will only seek to extend this period (by up to a further two months) where requests are complex or numerous, and will tell the individual within one month of receipt why the extension is necessary.
Requests will be free of charge. However, if a request is manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request. If the request is made electronically, we will provide the information in a commonly used electronic format.
Right to Rectification
Under Article 16 of the GDPR individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed.
If requested, Creatrix PR will take reasonable steps to satisfy itself that the data is accurate and will rectify the data if necessary. All requests received by Creatrix PR (written and verbal) will be logged within the company’s ‘GDPR Compliance’ document. Requests will be dealt with within one month and will be free of charge; however, if a request is manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request.
Right to Erasure
Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. Individuals can make a request for erasure verbally or in writing.
All requests received by Creatrix PR (written and verbal) will be logged within the company’s ‘GDPR Compliance’ document and dealt with within one month. Requests will be dealt with free of charge; however, if a request is manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request.
If the information has been disclosed to others, Creatrix PR must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort.
Retention of Data
During the course of a project/contract and the collection of personal information all paper copies of feedback forms will be stored in sealed containers and kept securely. These boxes will not be left unattended or in insecure locations overnight, such as in employees’ cars.
Once the data from the hardcopy forms has been transferred onto a digital database the forms will be securely destroyed. This will be recorded on the Creatrix PR Consultation Worksheet used for each project. Creatrix PR also keeps a record of the collection and destruction of confidential material.
The digital database will sit on the company’s secure server and will be accessible only by Senior Managers and Company Directors. Please see the Creatrix PR IT Computer Security Policy for more information.
Online and/or digital feedback platforms, for example SurveyMonkey, are accessed only via a password protected website. When this data is downloaded it will be saved onto a digital database which will sit on the company’s secure server and will be accessible only by Senior Managers and the Company Directors.
All feedback received will be anonymised. All contact information provided by members of the public will be kept separate from the feedback they have provided.
The personal data provided by members of the public, including but not limited to name, age, address, postcode, email addresses and contact numbers, will be kept for the duration of the project or for up to three years (whichever is sooner) before being deleted.
The data collected during a project will not be shared with third parties apart from members of the professional project client team, and only with the individual’s prior consent. This consent will be sought when the data is collected and made clear in the privacy statement. The data collected will never be shared with agencies/companies/individuals NOT involved in a project and NEVER without prior consent.
Breaches
Creatrix PR will report personal data breaches that are likely to result in a risk to individuals’ rights and freedoms to the ICO within 72 hours of becoming aware of the breach. If a breach is likely to result in a high risk to individuals’ rights and freedoms, Creatrix PR will also inform those individuals without undue delay.
Personal data breaches can include:
access by an unauthorised third party;
deliberate or accidental action (or inaction) by a controller or processor;
sending personal data to an incorrect recipient;
computing devices containing personal data being lost or stolen;
alteration of personal data without permission; and
loss of availability of personal data.
Where individuals must be informed, Creatrix PR will contact the individuals affected and describe, in clear and plain language, the nature of the personal data breach and, at least:
the name and contact details of the Data Protection Manager
a description of the likely consequences of the personal data breach; and
a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.
In the event of a breach the incident must be reported to the Company Directors and the Data Protection Manager immediately. The incident must also be logged in the Creatrix PR GDPR Compliance document.
Significant breaches of this Policy may be handled under Creatrix PR disciplinary procedures, which may result in dismissal for gross misconduct.
Any such breach could also lead to criminal prosecution.