1 ABOUT THIS POLICY
1.1 TAPIOCHRE LIMITED (with company number: 04822166) (we, us or our) use information about people (e.g. customers, website visitors, colleagues) when we conduct our business. It is a vital asset which we need to carry out our business activities (e.g. providing our services, monitoring our website). We see it as important to keep this information safe because it can create risk for those people if it is misused or misplaced (e.g. identity fraud).
1.2 The law formally recognises the value and risk of using people’s information by creating obligations on organisations like us that use or access it and granting rights to the individuals that it relates to. This type of law is called data protection law.
1.3 This policy sets out:
- what our obligations are under data protection law;
- what to do if we want or are asked to use people’s information in a new way;
- if, when and how we can share people’s information with others;
- what records we need to keep as evidence that we are fulfilling our obligations; and
- other policies you need to be familiar with.
1.4 This policy applies to all members of staff and all must comply with this policy.
1.5 The Information Commissioner’s Office (ICO) is the UK regulator and is responsible for checking that businesses comply with data protection law.
1.6 Chris Elliott is our Data Protection Officer and is responsible for advising on and monitoring how we use personal data in our business practice. Our directors are responsible for making (and providing adequate resources to implement) any decisions, including whether to report a breach to the ICO.
1.7 The ICO handles complaints and can fine businesses that do not fulfil their data protection obligations.
1.8 We may have contracts with third parties (e.g. customers, suppliers) which contain data protection clauses. Contracts can be enforced by parties and ultimately by the courts if there is a disagreement.
1.9 Our employment contracts require our staff to comply with this policy and failure to follow this policy may be a disciplinary matter.
2 THE KEY CONCEPTS
2.1 Data Processing - here we give an overview of the key concepts that we apply to data processing when working for our clients.
Personal Data: any information which does (or could be used to) identify a living person. It does not matter whether such information is kept digitally or in hard-copy, or whether it is in writing or some other format (e.g. CCTV footage, photographs). Examples of personal data include: name, email address, postal address, IP address and cookie information. We also process still images of people. There are other types of personal data such as health conditions and criminal history but we do not process this data.
Processing: the processing we undertake is to receive data from our clients via email and then to either assist the client to add such content to their own website or to add the content on their behalf. As such this activity includes access to or storing the information for a period of time in order to perform the processing prior to deletion of the data once it has been added to the website.
Data Subject: The categories of data subject that are included in the processing that we perform on behalf of the client are:
a) Children and young adults under the age of 18
b) Client employees
Controller: our client is the organisation that makes decisions about what and why information is being collected about individuals.
Processor: we are the organisation that carries out a task for the Controller which requires them to process personal data. We follow the instructions we receive from the Controller and there is an agreement in place before we can begin any processing.
Lawful Grounds: We (as a business) identify the Lawful Ground we are relying on whenever we process personal data as 'contract'.
3 PRINCIPLES OF DATA PROTECTION LAW
3.1 It is our responsibility (when we are the Controller) to decide how we achieve the principles of Data Protection Law.
3.2 The 7 principles require us to:
I. We use personal data in a lawful, fair and transparent way: We make sure we know which of the six Lawful Grounds we are relying on and how a Data Subject can find out how their information is being used.
II. We only collect personal data for a specific, explicit and legitimate purpose (aka purpose limitation): We are clear about why we want to use the information and must have a good reason before we begin to collect information about people.
III. We collect the least amount of personal data we need to achieve our aim (data minimisation): We always identify the types of information we plan to collect and decide whether it is necessary to have that information to achieve our aim. If it is not necessary, we do not collect the information at all.
IV. We ensure personal data is accurate: We have processes in place which ensure we record information correctly and that we can amend it if we later find out there was a mistake.
V. We only keep personal data for as long as we need it (storage limitation): We only keep information whilst we need it to achieve our aim. Sometimes the law requires us to keep information for a specific amount of time. If we are the Controller, it is our responsibility to decide how long to keep information for and why. We must record our decision. If we are the Processor, we ask the Controller (i.e. our client) how long they want us to keep the information for. If the Controller (i.e. our client) ceases to work with us for any reason we ensure all data associated with them is deleted within 30 days of notice of the end of the contract.
VI. We keep personal data safe (by ensuring its security, integrity and confidentiality): We use appropriate technical (e.g. anti-virus, passwords, multi-factor authentication, data encryption) and organisational (e.g. staff training and working practices) measures to protect information.
VII. We demonstrate that we process personal data properly (accountability): We document and record how we use personal data, who we share it with and how we made our decision, chiefly driven by our client instructions which we hold on record for 90 days from the date of the instruction. We maintain these documents; they are updated at the point of change of instruction by our client (Controller) where they request us (as the Processor) to access personal data in a new way or for a new reason.
4 USING PERSONAL DATA IN A LAWFUL, FAIR AND TRANSPARENT WAY
4.1 We only access or use Personal Data once a Lawful Ground has been identified. We can only use Personal Data to:
- Perform a contract: We use or access personal data where this is required to carry out a contract with our client.
- Comply with a legal obligation: We use or access personal data where the law requires you to do so.
- Prevent risk to life of the Data Subject or another person (vital interests): We may use personal data where a person’s life is at risk. It is unlikely that we would need to use information in this way as part of our business.
- Pursue a justifiable commercial aim (legitimate interest): We use personal data to help us pursue a legitimate business aim (e.g. communicate with customers who have provided their personal data (email address, phone, name, address) in day to day transactional communications, to increase brand awareness via email newsletters, to perform contracts and invoicing and defend legal claims). We only do this where the benefits of doing so would not outweigh the risks to the Data Subject. If you are not sure if we have a legitimate interest, whether you can rely on this Lawful Ground, or you receive a question or complaint about the way we use personal data to pursue a commercial aim, you should let our Data Protection Officer know as soon as possible.
- Perform the activity that the Data Subject has given their permission (consent) for: We use personal data where the individual has stated that they are happy for us to use their information for a specific activity. We only rely on consent for some activities, and we keep a clear email record of who has given their consent (permission) and what activity they have given their permission for.
4.2 We obtain and record consent (and respect when a Data Subject changes their mind). Where we intend to use consent as the Lawful Ground for a business activity, it is only valid if the decision of the data subject is:
- Specific (related to a clearly defined activity or purpose)
- Informed (explained in a way that the Data Subject understands)
- Unambiguous and given by a clear affirmative action (we do not design or use forms with pre-ticked boxes. We do not use a person’s information if they have not responded)
- Separate from other contractual terms given to the Data Subject
- Freely and genuinely given (we do not use consent as a Lawful Ground where the relationship we have with the data subject could pressure them into accepting something. We do not refuse to provide our service to a data subject who does not want to provide permission to another activity)
4.3 We always give data subjects the option to change their mind (at the time and at a later date).
4.4 Any marketing communications we send to individuals must include a link which allows the recipient to unsubscribe.
4.5 You must be able to direct Data Subjects to the relevant privacy notice. Individuals have the right to know how their personal data is used by us. We publish privacy notices to explain what information we collect, how we use it and who we share it with. We are able to direct an individual to the relevant privacy notice on our website.
5 USING PERSONAL DATA FOR A SPECIFIC, EXPLICIT AND LEGITIMATE PURPOSE (PURPOSE LIMITATION)
5.1 We conduct a due diligence exercise before using personal data for a new purpose. The directors decide the purposes for which we use personal data and keep an up-to-date record of the purposes (in the Record of Processing Activities, see below). We encourage innovation and new ideas but we also make sure that we consider the impact on Data Subjects before approving new projects or business practices. Approval must be sought from our Data Protection Officer and a data protection impact assessment should be compiled where this is requested by them.
5.2 We will inform Data Subjects before we use their information for a new purpose (e.g. we will update the relevant privacy notice).
6 USING THE LEAST AMOUNT OF PERSONAL DATA NEEDED TO ACHIEVE THE AIM (DATA MINIMISATION)
6.1 We only access and use the personal data we need in order to perform our role. All staff are aware that accessing personal data that they are not authorised to access or that they have no reason to access may result in disciplinary action. If you have received or accessed information in error, you should let our Data Protection Officer know as soon as possible.
7 KEEPING PERSONAL DATA SAFE
7.1 Recognising and reporting any suspected data breach. If we or you believe there has been a data breach we/you must contact our Data Protection Officer as soon as possible. You can learn more about Data Breaches and your responsibilities in the Data Breach Policy.
7.2 We abide by our processes and policies. We provide training on how to use our IT systems and handle hard-copy information (e.g. clear desk policy, use of confidential waste bin). You must not try to override or circumvent technical measures put in place to protect information (e.g. user permissions) and you must follow the organisational measures we implement.
7.3 Keeping logins and passwords confidential (do not share accounts). All account credentials, passwords and other information provided as part of our security procedures are confidential. It is your responsibility to keep your login information secure and you must notify our Data Protection Officer if you think your account has been accessed by someone else (or otherwise compromised).
8 SHARING PERSONAL DATA WITH OTHERS
8.1 We only share personal data internally which is required for the recipient’s role. We see it as important to remain diligent even when sharing information within the company. In cases of uncertainty, advice should be sought from the Data Protection Officer before you share any information. We should follow IT best practice guidelines (e.g. password protect files, send links rather than attachments to documents) and maintain a clear desk policy.
8.2 We only share personal data externally where we have a contract (unless there is a legal exception). It is mandatory to have a contract in place where we share information. These contracts set out which organisation is the Controller and which is the Processor. In general it is worth noting that with our clients, we are almost always the Processor and the client is the Controller.
8.3 Where the recipient is outside the United Kingdom or the European Economic Area there are additional requirements. We check with our Data Protection Officer before we send any personal data to an organisation or person who is located (or whose servers are located) in a country outside the United Kingdom or European Economic Area.
8.4 Where the disclosure is required by law. In exceptional circumstances we might be contacted by an external organisation (e.g. police, solicitor) who requests personal data. We refer these requests to our Data Protection Officer as soon as possible so that they can evaluate the request and decide whether to respond on behalf of us. We do not release any information unless we are instructed by our Data Protection Officer.
8.5 We recognise when we have received a Data Subject access request (and other data right requests). Individuals are granted specific rights under data protection law, one of which is the right to access information. If we receive a Data Subject right request, we notify our Data Protection Officer as soon as possible.
9 DELETING (OR RETURNING) PERSONAL DATA THAT IS NO LONGER NECESSARY
9.1 We securely delete information at the end of its retention period. We maintain a compliance document which lists how long we retain (keep) information, called a Retention Schedule. When the period expires, we must delete or destroy the information and any copies of the information in line with the relevant procedure (e.g. confidential waste for hard copy information). We check all our information at least annually to ensure we continue to comply with our Retention Schedule.
9.2 We delete personal data that does not belong to us when instructed to do so. Where we use, store or access personal data on behalf of another organisation (e.g. our business customers), we act as the Processor. We always have a contract with the other organisation where we process personal data. At the end of the contract, we contact the other organisation to request their instruction as to whether we should delete their personal data.
9.3 We check before we fulfil a Data Subject request to erase personal data. Data protection law entitles individuals to ask organisations to delete their personal data. If we receive this type of request, we notify our Data Protection Officer as soon as possible.
10 THE COMPLIANCE RECORDS WE KEEP
We are aware of the different compliance records we keep: we have up-to-date compliance records which help us to understand how the business uses information and ensure that we use it in a safe way and only for permitted purposes. The directors are responsible for ensuring compliance records are maintained (and reviewed at least annually).
Record of Processing Activities (ROPA): We use this document to set out key information we use when we act as a Processor and Controller. It states the:
- purpose for which we are processing personal data (e.g. updating a client website with personal data content)
- Lawful Grounds we rely on (e.g. contract)
- categories of individuals (e.g. client staff, client students)
- types of personal data (e.g. names, email addresses etc).
- Where we act as a Processor, we also include the details of the organisation that is the Controller.
Retention Schedule: We use this document to identify when we should securely destroy information. It groups categories of information and sets a clear expiry date (e.g. 30 days after a client contract ends).
Incident Report: We use this document to record any suspected data breaches. It sets out what data was affected and what action we took (e.g. whether the incident was formally reported). We use it to help us improve the ways we keep information safe (e.g. update staff/client training, install additional security features).
Data Protection Impact Assessments: We use this document to risk assess existing and proposed projects and activities that involve the use of personal data. It helps the directors decide whether to approve a course of action.
Legitimate Interests Assessment (LIA): We use this document whenever we are acting as the Controller and rely on Legitimate Interest as our Lawful Ground. It records that the directors have properly considered whether we are justified in using personal data to pursue the aim. It has three parts (purpose test - identify the aim; necessity test - must personal data be processed to achieve the aim; and balancing test - do the benefits of pursuing the aim outweigh the risk to the individuals).
The Data Protection Officer maintains our compliance records and acts to ensure that our compliance documents can be properly maintained.
11 IF YOU HAVE ANY QUESTIONS ABOUT THIS POLICY
You should speak to our Data Protection Officer. They can be contacted at:
Phone number: +44 7958 726700
12 KEEPING THIS POLICY UP TO DATE
This policy was created on 2 July 2023 and will be reviewed and updated annually, or sooner if required by data protection laws.