GDPR and DPA - Privacy and Personal Data Policy, BellsCroft Consultancy 2018
Privacy and Personal Data Policy.
Written 1st of March 2018.
Written by Michelle Pearse and Donna McDade, business partners of BellsCroft Consultancy.
This policy is written, to the best of our knowledge, to comply with GDPR, General Data Protection Regulations 2018 and Data Protection Act 1998.
It is aimed at informing our participants about how we store and use their personal data.
Key people responsible for data – Michelle Pearse and Donna McDade.
What personal data BellsCroft hold.
Attendance register: name, where they work, signature and optional email (non-sensitive).
Health declarations: injuries, medication, any other health conditions which may have an impact on their participation in the physical part of the training (sensitive).
Training assessment: theory and physical assessment (non-sensitive).
Evaluation forms: names and e-mail optional (non-sensitive).
Where has the information come from?
All personal information comes directly from the individual participant; we hold no information that is not provided directly by the participant. We hold no third-party information.
How do we store the information?
Paper copy: files are held securely and compliantly in the office in a locked storage system (see retention period).
Electronic copy: files are held securely and compliantly, scanned on to the cloud (OneDrive) and backed up onto an external hard drive.
Data retention periods.
We keep the paper copy for 12 months; it is then shredded and given to a secure company to destroy appropriately and compliantly. We keep the electronic copy for as long as necessary.
Who would we share the information with and how?
Employer - the only information that the employer can request is a copy of the certificate.
Participant - can access any of the information we hold on them, and we will aim to have that information with them within a 48-hour timescale, no longer than a month.
Investigating teams (not including the Police) - any relevant information subject to the lines of enquiry.
Police - any information we hold on the person of interest.
There are no charges for requests for data unless the request is unfounded or excessive; if this is the case, we hold the right to refuse the request. If we refuse a request, we must tell the individual why and that you have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month. You have the right to complain to the ICO if you think there is a problem with the way we handle individuals' data.
Personal data breach: the ICO will be notified within a 72-hour period.
Clear consent will be sought by name and optional e-mail on non-sensitive data. Clear explicit consent will be sought by signature of participants on all sensitive data we hold on individuals.
On booking training, the organisation will be sent the Privacy and Personal Data Policy. This policy will be available on our website, and participants will be informed at each point of signature.
Children: for a child participant under the age of 16, we will request the parent to sign the health declaration and training conditions form to gain consent.
Option to opt out.
Participants can ask us not to hold this information; we will ask them to send us an email to confirm and evidence this request. We will destroy any information we hold and inform the participant when this has been completed. This does have an impact on the evidence that we would be able to provide to any investigating teams, including the police.
We will audit data on a two-yearly reaccreditation process for organisations. Occasionally, the data will be audited between this period. We would aim for a 48-hour response, but it will be completed within one month.
Michelle Pearse and Donna McDade - Business Partners
Signature: Donna McDade Date: 1st March 2018
Signature: Michelle Pearse Date: 1st March 2018