SPACE 2 (UK) (t/a SNH) - Data Protection Policy
DATA CONTROLLER REQUIREMENTS: Data from staff, customers & suppliers
SPACE 2 UK needs to gather and use certain information about individuals.
These can include customer, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with the law.
This data protection policy ensures that we: • Comply with the data protection law and follow good practice • Protect the rights of staff, customers and partners • Are open about how we store and process individuals’ data • Protect ourselves from the risks of a data breach
Data Protection Act 1998/General Data Protection
The Act describes how organisations must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act/GDPR is underpinned by eight important principles. These say that personal data must: • Be processed fairly and lawfully • Be obtained only for specific, lawful purposes • Be adequate, relevant and not excessive • Be accurate and kept up to date • Not be held for any longer than necessary • Processed in accordance with the rights of data subjects • Be protected in appropriate ways • Not be transferred outside of the EEA unless that country or territory also ensures an adequate level of protection
This policy applies to all staff, volunteers, contractors, suppliers and other people working on behalf of SPACE2 UK It applies to all data that the company holds relating to identifiable individuals. This can include: • Names of individuals • Postal addresses • Email addresses • Telephone numbers • Any other information relating to individuals relevant to SPACE2 UK’s fulfilment of its contractual obligations.
Data protection risks
This policy helps to protect SPACE2 UK from some very real data security risks including: • Breach of confidentiality: for instance, information being given out inappropriately • Reputational damage: for instance, the company could suffer if hackers successfully gained access to sensitive data
Everyone who works for or with SPACE2 UK has some responsibility for ensuring data is collected, stored and handled appropriately. However, the Data Protection Officer is Simon Goodison, who will ensure that the company acts in accordance with this policy
General Staff Guidelines
Staff will be trained to act in accordance with the guidelines relating to security of data.
The law requires that we take reasonable steps to ensure data is kept accurate and up to date and it is the responsibility of all staff to ensure that this is done
• Data will be held in as few places as necessary. Staff should not create any unnecessary data sets
• Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call
• Data should be updated as inaccuracies are discovered.
Data Subject Access Requests
All individuals who are the subject of personal data held by SPACE2 UK have the following rights, upon written request:
- Right of access: The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.
- Right to rectification: If the information is inaccurate.
- Right to erasure: individuals can request their data be deleted hen there is no longer a compelling need to retain it (subject to compliance with HMRC or VAT requirements).
- Right to restrict processing: Individuals have a right to ‘block’ or suppress processing of personal data.
- When processing is restricted, we are permitted to store the personal data, but not further process it.
- We can retain just enough information about the individual to ensure that the restriction is respected in future.
- Right to data portability. This right only applies:
- To personal data an individual has provided to a controller;
- Where the processing is based on the individual’s consent or for the performance of a contract.
- When processing is carried out by automated means.
- Right to object: Individuals must have an objection on “grounds relating to his or her particular situation”. We will stop processing the personal data unless:
- We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual (e.g. HMRC).
- The processing is for the establishment, exercise or defence of legal claims.
- Rights related to automated decision making including profiling. The GDPR has provisions on:
- Automated individual decision-making (making a decision solely by automated means without any human involvement).
- Profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.