- This policy is a Hanworth Country Park policy and is an internal operations policy that applies to Hanworth Country Park employees.
- This document tells us what our rules and responsibilities are whenever we obtain, store of process and personal data.
- It relates to all personal and sensitive data held, stored and processed in all formats, hard copy or digital.
- It relates to all employees that have access to and use Hanworth Country Park information.
Hanworth Country park are committed to protecting all information that we obtain store and process in a way which respects the rights of the data subjects.
We will do this in a number of ways that ensures we are fully compliant with the GDPR regulations.
We will always:
- Process information lawfully, fairly and transparently
- Ensure personal data is adequate, specific and limited to what is necessary to fulfill the purpose for which it is intended.
- Ensure that data stored is accurate and kept up to date
- Ensure data is not kept longer than necessary
- Ensure that the data we hold is processed securely
- Ensure that any processes undertaken are done so within the rights of the data subjects regarding personal information
- Ensure any data is not transferred to any area outside the EEA (European Economic Area) where they cannot ensure adequate levels of protection.
What are the consequences of not following this policy?
Current legislation set out the legal requirements for each organisation, failure to meet these standards and protect the personal data could result in:
- the company being fine up to 4% of the companies annual turnover or €20 Million (whichever is greater)
- damage to the companies reputation
- breaches being reported to the ICO (information commissioners office)
- the group or individual involved could face prosecution
- disciplinary action or performance management action taken against an employee found to be in breech of this policy
Our responsibilities for data protections
At Hanworth Country Park we engage and meet with a variety of people during the day to day activities of the organisation. We are likely to hold personal data from a number of different people, for example:
- our employees;
- holiday makers;
- people making enquiries;
- regular visitors;
- complainants, and
- other service providers.
The personal data that we collect will include names, date of birth, telephone numbers, email addresses, residential addresses, payment details, education history, qualifications and in some cases we will hold ‘special categories’ of data such as health information. These are subject to more strict data processing conditions.
Making sure the processing is fair and lawful
To ensure the data processing is lawful, it must meet at least one of the following conditions;
- Consent: the data subject has given clear consent to process the data for a specific purpose
- Contract: the processing of data is necessary for a contract you have with the individual, or they have asked you to take specific steps before entering into a contract
- Legal obligation: the processing is necessary to comply with the law,
- Vital interest: the processing is necessary to save someones life
- Public interest: the processing is necessary to perform a task in the public interest, or for official functions
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
All data processing must be transparent, this means we will give a full explanation to the data subjects of why and how we will process their data at the time of collection.
- religious beliefs or ethnic origin,
- sexual orientation,
- trade union membership, and
- political opinions.
To lawfully process these categories (also known as sensitive information) one extra condition must be met in addition to one of the six conditions listed above. The additional conditions include;
- processing is necessary for carrying out our obligations under employment and social security and social protection law. For example, processing data regarding an employees health condition to make reasonable adjustments to allow them to continue working.
- Safeguarding the vital interests of an individual (in life and death situations) and the data subject is unable to give consent.
- The processing is carried out in the course of legitimate activities
- the processing is necessary for pursuing legal claims
If no other legal conditions apply, the process may only be lawful after gaining explicit consent from the data subject.
What must we tell people before we collect or process their data?
Before any data collection or processing occurs we must inform the data subject of what information will be collect and for what purpose it will be used. To ensure that we fully compliant with the GDPR regulations and our legal obligations surrounding data handling and protection, a privacy notice must be used to inform the person of:
- who we are and how to contact us,
- why we are obtaining and processing the required information, and the legal basis for doing so,
- if the data is not provided, the possible consequences for future contracts or statutory requirements,
- any automated decision making tools which may affect the data subject,
- any third party of whom we will share the data with, and why
- any intention of sharing the data outside of the EEA and how we ensure their information is adequately protected,
- how long the data will be stored for and how we determine the retention period,
- their legal rights as a data subject,
- their right to withdraw consent at anytime where the processing relies on consent,
- who they can contact if they wish to make a complaint about how their data is handled
- should the purpose of processing change, that we will provide further information before the processing is carried out.
- If we are required to pass the data on to a third party, we will give the data subject that information before the information is passed on.
All information provided must be written clearly and in plain language (no jargon or complex terms) and must be easy to understand.
If there is not legal basis for processing explicit consent must be sought from the person. They must be made aware how, why we are gathering the information and how we plan to use it. Consent provided in these conditions can be withdrawn at anytime and all processes will be stopped.
How much data do we need?
Data that is to be collected from a data subject must be collected for a specific purpose, this purpose will be outlined in the privacy notice received by the data subject before any data is collected. Only the information required for the task should be collected and stored for the minimum time required for that purpose. We will not obtain personal information on a ‘just in case’ basis.
Personal data will only be accessible to the employees which require the information for their work. All personal data will be password protected, appropriately encrypted where required and paper forms of data will be filed in lockable filing cupboards.
Every colleague has a responsibility to ensure that personal data held is accurate and kept up to date. Also, they must not view, collect manage, handle or otherwise process data that is not required for them to carry out their work.
Safe secure and data erasure
Data collected will be accuracy checked at the point of collection and at appropriate points later on.
Personal data will be kept secure at all points of processing, this includes protecting it from unlawful processing, accidental loss, destruction or damage.
We will not keep personal data longer than is necessary for the purposes that it was collected for. We will ensure we comply with all regulatory requirements, best practice and official guidance in relation to retention periods for specific records
At the time of erasure of personal data, we will ensure all data stored whether that is on paper or our computing systems is erased with no way or restoring the data, paper documentation will be shredded.
How does this policy affect me?
- An an employee you are required under the terms of you contract to comply with this policy.
- We will provide appropriate training for all staff to raise awareness of our responsibilities and obligations
- We will issue best practice procedures and instructions in the future for further guidance
- As a manager and leader you are responsible for the personal data in your working area, and ensure that all data handling procedures comply with this data handling and protection policy
- Companies who are appointed by us as a contractor are required to comply with this policy under their contract with us. Any breach of this policy could result in enforcement action against the company or terminating the contract.
What would happen if there is a data breach?
Any suspicion that a data breach has occurred should be reported immediately to the appropriate manger on site.
Any data breach could be:
- an unauthorised person accessing personal data
- lost personal data, even if it is temporary
- Sending an email to the wrong recipient where other email addresses are contained within the email
- data uploaded onto an unsecured server
- data transferred outside of the EEA without appropriate security
- a computer or small device, such as a phone is infected with a virus or another malicious software
- personal data becomes corrupt
- log in details are lost, or hacked
- a power cut where personal data is not accessible for a period of time.
We will keep records of personal data breaches, even if they are not reported to the ICO, and the records will enable the ICO to verify our compliance with GDPR. This will show, details of the breach, its effects, and the actions taken.
Any data breaches that are likely to result in risk to a person will be reported to the ICO within 72 hours from when any colleague becomes aware of the breach.
Working with other organisations and transferring data
Only when the data subject has been informed that there may be a possibility of their data being shared in a privacy notice will we share personal information. Unless there is a legal exemption applying to informing the data subjects. Only authorised and properly instructed personnel are allowed to share data.
We will only share data when :
- there is a legal obligation such as a court direction, or statutory duty,
- sharing the data to apply or enforce a contract with the data subject or
- sharing data to protect our rights, property, or safety of our employees, contractors or visitors to our site.
We must keep records of data we have shared with third parties, and include and exemptions that apply.
We will follow the ICO statutory Data Sharing Codes of Practice when sharing personal data with our data controllers
WE must ensure that our third party data controllers comply with the current legislation on data handing and comply with our own policies on handling data.
We will also ensure that our third parties will provide us with the relevant information upon the discovery of any potential data breach
Data Access requests
Any data subject has number of rights to monitor and control data held about them, these are:
- the right to request any of their personal data (Subject Access Request)
- the right to have any incorrect data amended
- the right to restrict certain processes
- the right to data portability, this refers to receiving personal information about themselves in a format which enables them to use this information with another person or organisation
- the right not to be the subject of automated decisions, and
- the right to withdraw consent where we rely on consent to process their data
Any valid subject access requests will be responded to within 28 days from the date which we receive the request, when required we reserve the right to extend the timescale and will inform the data subject if this is the case and explain the lawful basis for doing so.
Any information provided to data subjects will be delivered in a clear, accurate and in plain language.
All data sent to the data subject will show:
- what data is being held and for what purpose,
- confirm compliance with the data protection legislation and explain the retention periods applying to the data being held
- how to complain to the ICO if they choose to,
- redact to obscure of withhold any personal or identifiable data relating to any other person.
Any data will only be given to the person who has requested the data. Unless the data subject has given expressed permission for a person acting on their behalf.
If there are any doubts or concerns regarding the identity of the person requesting the data, we will seek to verify their identity before any data is released.
Any marketing will comply with the rules set out in the data protection and handling policy, Electronics Communications Regulations and any laws which may replace the regulations around direct marketing. This includes but is not limited to, when we make contact with data subjects by post, email, social media messaging, telephone or text messaging.
Any material that we send will identify us as the sender and will explain how they can object to receiving any future marketing communications.
If the data subject exercises their right to object to direct marketing we will stop in the direct marketing as soon as possible.
Relevant legislation and guidance
- Data Protection Act (2018)
- General Data Protection Regulation (GDPR)
- Privacy and Electronic Communications Regulations (PECR)
- Computer Misuse Act 1990
- The common law duty of confidentiality
- Any other laws and regulations relating to the protection of personal data
We will review this policy two years from its first publication or sooner should the legislation, regulation or best practice means we need to.