Geoffrey Deacon Training and Geoffrey Deacon Racing Crew Data Protection Policy
We collect and process information about individuals (“personal data”) for business purposes, including employment and HR administration, provision of our services, marketing and business administration. This includes personal data relating to our staff, customers, suppliers and other third parties.
Compliance with data protection law is essential to ensure that personal data remains safe, our business operations are secure, and the rights of individuals are respected.
Geoffrey Deacon Training is a controller under data protection law, meaning it decides how and why it uses personal data. This policy explains our procedures for complying with data protection law in relation to personal data. It also sets out our obligations regarding processing any personal data at Geoffrey Deacon Training.
If you routinely handle individuals’ personal data, you will be given specific training and/or instruction regarding data protection procedures in relation to your particular role. This will supplement your obligations as set out in this Policy.
There will also be other policies which will impact upon how we deal with personal data and data protection. The main ones are our Information Security Policy, Electronic Communications Policy and Social Media Policy and we expect you to comply with these where relevant.
This policy does not give any contractual rights to Employees. It may be updated at any time.
Who does this policy apply to?
This policy applies to all Geoffrey Deacon Training employees and workers (contractors, agency workers, consultants, volunteers, partners and directors) (together referred to as “Employees” or “you”).
Who is responsible for data protection at the Company?
Geoffrey Deacon is ultimately responsible for the Company’s compliance with applicable data protection law.
We have appointed a Data Protection Lead who is responsible for overseeing, advising on and administering compliance with this Policy and data protection law.
All our employees have some responsibility for ensuring that personal data is kept secure and processed in a lawful manner, although certain Employees will have particular responsibilities of which they will be aware and in respect of which they may receive specific instructions.
If you are in any doubt about how we handle personal data, or if you have any concerns or questions in relation to the operation (or suspected breaches) of this Policy, you should seek advice from the Data Protection Lead.
Why is data protection compliance important?
Data Protection law in the UK is regulated and enforced by the Information Commissioner’s Office (ICO). Failure to comply with data protection law may expose the company and, in some cases, individual Employees, to serious legal liabilities. In addition, an individual may seek damages from us in the courts if we breach their rights under data protection law. Breaches of data protection law can also lead to serious damage to our brand and reputation.
In addition to the legal liabilities, failure to comply with your obligations under this Policy could lead to disciplinary action and, in serious cases, could result in the termination of your employment.
What is personal data?
Personal data means any information relating to any living individual (also known as a “data subject”) who can be identified (directly or indirectly) in particular by reference to an identifier (e.g. name, NI number, employee number, email address, physical features).
Relevant individuals can include your colleagues, consumers, members of the public, business contacts, etc. Personal data can be factual (e.g. contact details or date of birth), an opinion about a person’s actions or behaviour, or information which may otherwise impact on that individual. It can be personal or business related.
Personal data may be automated (e.g. electronic records such as computer files or emails) or held in manual records which are part of a filing system or are intended to form part of a filing system (e.g. structured paper files and archives).
What does “processing” personal data mean?
Processing personal data means any activity that involves the use of personal data (e.g. obtaining, recording or holding the data, amending, retrieving, using, disclosing, sharing, erasing or destroying). It also includes sending or transferring personal data to third parties.
Data Protection Obligations
Geoffrey Deacon Training is responsible for and must be able to demonstrate compliance with data protection law. To ensure that Geoffrey Deacon Training meets its responsibilities, it is essential that its Employees comply with data protection law and any other company policies, guidelines or instructions relating to personal data when processing personal data in the course of their employment.
We have set out below the key obligations under data protection law and details of how we expect our Employees to comply with these requirements.
1. Process personal data in a fair, lawful and transparent manner
Legal grounds for processing
Data protection law allows us to process personal data only where there are fair and legal grounds, which justify using the information.
Examples of legal grounds for processing personal data include the following (at least one of these must be satisfied for each processing activity):
· Complying with a legal obligation (e.g. health and safety or tax laws);
· Entering into or performing a contract with the individual (e.g. an Employee’s terms and conditions of employment, or a contract for services with an individual customer);
· Acting in the company’s or a third party’s legitimate interests (e.g. maintaining records of business activities, monitoring business productivity); and
· Obtaining the consent of the individual (e.g. for sending direct marketing communications).
Where consent is relied upon, it must be freely given, specific, informed and unambiguous and we must effectively demonstrate that consent has been given.
In line with the ICO guidance regarding the employee/Employer relationship, we do not use consent as a legal ground for processing Employee data unless the data processing activities concerned are genuinely optional.
In most cases, consent is not required for other standard business activities involving use of customer or supplier data, but it may be needed for activities which are not required to manage the main business relationship, such as direct marketing activities.
Data protection law also requires us to process personal data in a transparent manner by providing individuals with appropriate, clear and concise information about how we process their personal data.
We usually provide individuals with basic information about how we use their data on forms which collect data (such as application forms or websites) and in longer privacy notices setting out details including: the types of personal data that we hold about them, how we use it, our legal grounds for processing the information, who we might share it with and how long we keep it for. For example, we provide information about our processing of Employees’ personal data in our Employee Privacy Notice.
We may supplement these notices, where appropriate, with reminders or additional information at the time particular processing activities take place or become relevant for an individual (for example when they sign up to a new service or event).
2. Take extra care when handling sensitive or special categories of personal data
Some categories of personal data are “special” because they are particularly sensitive. These include information that reveals details of an individual’s:
· Racial or ethnic origin
· Political opinions
· Religious or philosophical beliefs
· Trade Union Membership
· Physical or mental health
· Sexual life and sexual orientation
· Biometric or genetic data (if used to identify that individual) and
· Criminal offences or convictions
Where special category personal data is concerned, data protection law requires us to have (as well as one of the legal grounds described in Section 1), an additional legal ground to justify using this sensitive information. The appropriate legal ground will depend on the circumstances.
Additional legal grounds for processing special category data include the following. Those marked with an asterisk (*) would be particularly relevant to processing Employees’ special category personal data:
· Complying with a legal obligation/exercising a legal right in the field of employment*
· Assessing working capacity (based on expert medical opinion, and subject to obligations of confidentiality)*
· Carrying out equalities monitoring in relation to racial or ethnic origin, religious beliefs, health or sexual orientation*
· Exercising, establishing or defending legal claims*
· Preventing or detecting unlawful acts, or
· Explicit consent of the individual. (As well as the requirements for consent outlined in section 1 above, this requires an express statement from the individual that their special category of data may be used for the intended purposes.)
3. Only process personal data for specified, explicit and legitimate purposes
We only process personal data in accordance with our legitimate purposes to carry out our business operations and to administer employment and other business relationships.
4. Make sure that personal data is adequate, relevant and limited to what is necessary for your legitimate purposes
Data protection law requires us to ensure that when we process personal data, it is adequate, relevant to our purposes and limited to what is necessary for those purposes (also known as “data minimisation”). In other words, we ask for the information we need for our legitimate business purposes but we don’t ask for more information than we need in order to carry out our business operations.
5. Keep personal data accurate and (where necessary) up to date.
The Company will take steps to ensure that personal data is accurate and (where necessary) kept up to date. For example, we request that Employees provide us with any change in contact details or personal information. We also take care that decisions impacting individuals are based on accurate and up to date information.
6. Keep personal data for no longer than is necessary for the identified purposes
Records containing personal data should only be kept for as long as they are needed for the identified purposes. The company has in place data retention, storage and deletion policies and internal processes/guidelines regarding various types of company records and information that contain personal data.
We take appropriate steps to retain personal data only for so long as is necessary, taking into account the following criteria:
· The amount, nature and sensitivity of the personal data
· The risk of harm from unauthorised use or disclosure
· The purposes for which we process the personal data and how long we need the particular data to achieve these purposes
· How long the personal data is likely to remain accurate and up to date
· For how long the personal data might be relevant to possible future legal claims; and
· Any applicable legal, accounting, reporting or regulatory requirements that specify how long certain records must be kept.
7. Take appropriate steps to keep personal data secure
Keeping personal data safe and complying with the company’s security procedures to protect the confidentiality, integrity, availability and resilience of personal data is a key responsibility for the company and its workforce.
The company has an [Information Security Policy which sets out its organisational and technical security measures to protect information, including personal data] OR [set out details of information security measures here or in an Appendix including physical, technological and organisational controls, e.g. locked filing cabinets, building security, information subject to access controls and passwords, encryption of hardware or software, pseudonymisation, anti-virus and network protection, software updates, security testing, secure disposal of records and equipment, backup, protocols on use of technology and data storage].
The Company has a Communications Policy setting out protocols for Employees on the use of technology and communications systems, which also help to ensure appropriate security of personal data storage or communications using such systems.
8. Take extra care when sharing or disclosing personal data
The sharing or disclosure of personal data is a type of processing, and therefore all the principles described in this Policy need to be applied.
Internal data sharing
The Company ensures that personal data is only shared internally on a “need to know” basis.
External data sharing
We will only share personal data with other third parties where we have a legitimate purpose, and an appropriate legal ground under data protection law which permits us to do so. Commonly, this could include situations where we are legally obliged to provide information (e.g. to HMRC for tax purposes) or where necessary to perform our contractual duties to individuals (e.g. provision of information to our pension providers). This will also include where we have a legitimate interest to share the information with industry bodies such as RIABS for the processing of accident benefit claims, the BHA and Weatherbys for the administration of racing.
We may appoint third party service providers (known as processors) who will handle information on our behalf, for example to provide payroll, data storage or other technology services.
We may send you communications from our business, including but not limited to our newsletter, information about horses for sale, ownership opportunities, open days and events.
You have the right to ask us for a copy of the data we hold about you, that we correct any incomplete or inaccurate data, and that we delete personal data where there is no good reason for us to continue to hold it.
If you do not wish to receive our communications, there will be an unsubscribe button at the base of every email, or please email email@example.com and we will remove you from the list.
The company remains responsible for ensuring that its processors comply with data protection law and this Policy in their handling of personal data. We must assess and apply data protection and information security measures prior to and during the appointment of a processor. The extent of these measures will vary depending on the nature of the activities but will include appropriate risk assessments and reviews, and contractual obligations.
Details of the recipients or categories of personal data (including processors and other third parties) should be set out in privacy notices as described in section 1 above.
9. Do not transfer personal data to another country unless there are appropriate safeguards in place
An overseas transfer of personal data takes place when data is transmitted or sent to, viewed, accessed, or otherwise processed in, a different country. European Union data protection law restricts, in particular, personal data transfers to countries outside of the European Economic Area, to ensure that the level of data protection afforded to individuals is not compromised (as the laws of such countries may not provide the same level of protection for personal data as within the EEA).
To ensure that data protection is not compromised when personal data is transferred to another country, the Company assesses the risks of any transfer of personal data outside of the UK (taking into account the principles in this Policy, as well as the restrictions on transfers outside of the EEA) and puts in place additional appropriate safeguards where required.
We do not currently transfer personal data outside of the UK.
10. Report any data protection breaches without delay
The Company takes any data protection breaches very seriously.
These can include lost or mislaid equipment or data, use of inaccurate or excessive data, failure to address an individual’s rights, accidental sending of data to the wrong person, unauthorised access to, use of or disclosure of data, deliberate attacks on the company’s systems or theft of records, and any equivalent breaches by the company’s service providers.
Where there has been a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to individuals’ personal data, the company will take immediate steps to identify, assess and address it, including containing the risks, remedying the breach, and notifying appropriate parties (see below).
If the Company discovers that there has been a personal data security breach that poses a risk to the rights and freedoms of individuals, we will report it to the ICO within 72 hours of discovery.
We also keep an internal record of all personal data breaches regardless of their effect and whether or not we report them to the ICO.
If a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, we will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures we have taken.
11. Do not use profiling or automated decision-making unless you are authorised to do so
Profiling, or automated decision making, occurs where an individual’s personal data is processed and evaluated by automated means resulting in an important decision being taken in relation to that individual. This poses particular risks for individuals where a decision is based solely on that profiling or other automated processing.
One example of solely automated decision making would be using an online psychometric test to automatically reject job applicants who do not meet a minimum pass mark (without any human oversight such as review of the test results by a manager).
Data protection law prohibits decision making based solely on profiling or other automated processing, except in very limited circumstances. In addition, where profiling or other automated decision making is permitted, safeguards must be put in place and we must give individuals the opportunity to express their point of view and challenge the decision.
We do not generally conduct profiling or other automated decision making in respect of Employees’ or customers’ personal data.
12. Integrate data protection into operations
Data protection law requires the Company to build data protection considerations and security measures into all of our operations that involve the processing of personal data, particularly at the start of a new project or activity which may impact on the privacy of individuals. This involves taking into account various factors including:
· The risks (and their likelihood and severity) posed by the processing for the rights and freedoms of individuals
· Technological capabilities
· The cost of implementation
· The nature, scope, context and purposes of the processing of personal data
We also seek to assess data protection risks regularly through the lifecycle of any project or activity which involves the use of personal data.
Individual Rights and Requests
Under data protection law, individuals have certain rights when it comes to how we handle their personal data. For example, an individual has the following rights:
· The right to make a subject access request. This enables the individual to receive a copy of the personal data we hold about them, together with information about how and why we process it and other rights which they have (as outlined below). This enables them to check that we are lawfully processing it and to correct any inaccuracies.
· The right to request that we correct incomplete or inaccurate personal data that we hold about them.
· The right to request that we delete or remove personal data that we hold about them where there is no good reason for us continuing to process it. They also have the right to ask us to delete or remove their personal data where they have exercised their right to object to processing.
· The right to object to our processing of personal data for direct marketing purposes, or where we are relying on our legitimate interest (or that of a third party) and we cannot show a compelling reason to continue the processing.
· The right to request that we restrict our processing of their personal data. This enables individuals to ask us to suspend the processing of personal data about them, for example if they want us to establish the accuracy of, or the reason for, processing it.
· The right to request that we transfer their personal data to them or to another party in a structured format (this is known as the right to “data portability”). The applicability of this right depends on the legal grounds on which we process it.
· The right to challenge a decision based solely on profiling/automated processing, to obtain human intervention and to express their point of view.
We are required to comply with these rights without undue delay and, in respect of certain rights, within a one month timeframe.
Individuals also have the right to make a complaint at any time to the ICO, and to take action in court to enforce their rights and seek compensation for damage suffered from any breaches.
In order to comply and demonstrate our compliance with data protection law, the company keeps various records of our data processing activities. These include a Record of Processing which must contain, as a minimum: the purposes of processing; categories of data subjects and personal data; categories of recipients of disclosure of data; information about international data transfers; envisaged retention period; general descriptions of security measures applied; and certain additional details for special category data.
We require employees to undergo some basic training to enable them to comply with data protection law and this Policy. Additional training may be required for specific roles and activities involving the use of personal data.
To this end, we provide training as part of the induction process for new joiners and operate an ongoing training programme to make sure that employees’ knowledge and understanding of what is necessary for compliance in the context of their role is up to date. Attendance at such training is mandatory and will be recorded.
Departures from this policy
There are some very limited exceptions under data protection law which may permit departure from aspects of this policy in certain circumstances.
You will be given specific instructions if any exceptions are relevant to your role.
If you think you should be able to depart from this policy in any circumstances, you must contact the Data Protection Lead before taking any action.
This Policy is effective from May 25th, 2018
Geoffrey Deacon Training
Company Number: 05014451