Data Protection Policy
Our data protection policy sets out our commitment to protecting personal data and how we implement that commitment with regard to the collection and use of personal data.
We are committed to:
- ensuring that we comply with the eight data protection principles, as listed below
- meeting our legal obligations as laid down by the Data Protection Act 1998
- ensuring that data is collected and used fairly and lawfully
- processing personal data only in order to meet our operational needs or fulfil legal requirements
- taking steps to ensure that personal data is up to date and accurate
- establishing appropriate retention periods for personal data
- ensuring that data subjects’ rights can be appropriately exercised
- providing adequate security measures to protect personal data
- ensuring that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues
- ensuring that all staff are made aware of good practice in data protection
- providing adequate training for all staff responsible for personal data
- ensuring that everyone handling personal data knows where to find further guidance
- ensuring that queries about data protection, internal and external to the organisation, are dealt with effectively and promptly
- regularly reviewing data protection procedures and guidelines within the organisation
DATA PROTECTION PRINCIPLES
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
- Personal data shall be accurate and, where necessary, kept up to date
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998
- Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
WHEN DOES THE NEW REGULATION START?
- May 25, 2018
- There are new rights for people to access the information companies hold about them, obligations for better data management for businesses, and a new regime of fines
DOES BREXIT MATTER?
- The UK is implementing a new Data Protection Bill which largely includes all the provisions of the GDPR. There are some small changes but our own law will be largely the same
WHAT IS GDPR EXACTLY?
- The GDPR is Europe’s new framework for data protection laws – it replaces the previous 1995 data protection directive which current UK law is based upon.
- The EU’s GDPR website says the legislation is designed to “harmonise” data privacy laws across Europe as well as give greater protection and rights to individuals
ACCESS TO YOUR DATA
Under the new law Compassion Care Training Ltd has an obligation to seek your full consent on any personal data which is collected from you before, during and after delivering training, for example sharing your personal information with any other organisations or for the purposes of advertising and marketing their business. The new framework underpinning GDPR also gives individuals a lot more power to access the information that’s held about them. Under the GDPR this is being scrapped and requests for personal information can be made free of charge. When any one of our valued customers asks for their data, this information must be available within one month. Under the new framework CCT will work collaboratively with their valued customers to access any information held by the organisation. The new regulation also gives all our valued customers the power to get their personal data erased in some circumstances. This includes where it is no longer necessary for the purpose it was collected, if consent is withdrawn, there’s no legitimate interest, and if it was unlawfully processed.
WHAT IS PERSONAL DATA?
- Personal data can be anything that allows a living person to be directly or indirectly identified
- This may be a name, an address, or even an IP address
- It includes automated personal data and can also encompass pseudonymised data if a person can be identified from it
WHAT IS SENSITIVE PERSONAL DATA?
- GDPR refers to sensitive personal data as being in ‘special categories’ of information
- These include trade union membership, religious beliefs, political opinions, racial information, and sexual orientation
ACCOUNTABILITY AND COMPLIANCE
Under the new GDPR framework, Compassion Care Training Ltd Co. will be more accountable for its handling of all its valued customers’ personal information as updated in this data protection policy. Under GDPR, the “destruction, loss, alteration, unauthorized disclosure of, or access to” people’s data has to be reported to a country’s data protection regulator – in the case of the UK, the ICO – where it could have a detrimental impact on those affected. This can include, but isn’t limited to, financial loss, confidentiality breaches, damage to reputation and more. Compassion Care Training Ltd Co will inform the ICO about a breach within 72 hours after Compassion Care Training Ltd has convincing evidence about the breach and will have a responsibility to inform the people affected.
Compassion Care Training Ltd will work collaboratively with its valued customers to obtain consent to process data in some situations. Compassion Care Training Ltd will seek consent to lawfully use any of its valued customers’ information and will ask its customers to sign consent forms or send an email to its company email firstname.lastname@example.org to positively opt-in or agree or opt out to have their information used in marketing or any other activities of advertising its products and services such as Facebook, LinkedIn and Instagram.
In line with the new GDPR framework, Compassion Care Training Ltd will ensure that the rights of individuals are fully covered, including systems to delete personal data or provide data electronically and in a commonly used format.
The GDPR Framework Guidelines incorporated by CCT include the following rights for individuals:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- The right not to be subject to automated decision-making including profiling
LAWFUL BASIS FOR PROCESSING PERSONAL DATA
- Compassion Care Training Ltd has a duty to report certain types of data breach to the ICO, and in some cases, to individuals in line with the current GDPR framework
- Compassion Care Training Ltd will notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage
DATA PROTECTION OFFICERS
- Compassion Care Training Ltd Director with the company’s legal team and Accountant are responsible for data protection compliance and governance arrangements of all its valued customers
- Compassion Care Training Ltd is a small growing company with a small turnover of approximately £40 000 per year; its current structure does not require a designated Data Protection Officer (DPO) to carry out the large scale processing of special categories of data, such as health records, or information about criminal convictions which applies to big organizations
This policy has been reviewed in line with current Data Protection Policies. The GDPR is Europe’s new framework for data protection laws – it replaces the previous 1995 data protection directive which current UK law is based upon.
Approved & authorised by: