Rev 1. March 2018
Kate Pettitt collects necessary personal data about you (which includes but is not limited to name, address, email, phone number and may under certain circumstances include sensitive personal information) only if such details are required by us in the course of providing our services to you in the normal course of our business.
Why we need your data
We need to collect your personal data in order to provide you with our services in line with your customer relationship with this company. We need to collect relevant personal information about you but we will only collect that information if it is either legally required or relevant to the issue about which we are providing professional services. We will not collect any personal data from you we do not need in order to provide and oversee this service to you.
What we do with your data
All the personal data we process is processed only by our staff in the UK. Third parties have access to your personal data only when they are engaged with us in providing relevant professional services.
We have a Data Protection regime in place to oversee the effective and secure processing of your personal data.
How long we keep your data
We keep your personal data for a variety of data-retention periods. The data retention period varies depending on the nature of the information. For example, information concerning commercial job records may be held for longer than details regarding casual enquiries. Please refer to our data retention policy for more detail concerning data retention periods.
What we also need to do with your data
We also need to pass your data on to third parties but we will only do so to third parties who have a relevant professional relationship with us and the data passed on to them will be relevant to the issue about which we are advising you. For example, photographs for our website may be passed to the professional website developer.
What are your rights
If at any point you believe the information we process on you is incorrect you can request to see this information and have it corrected or deleted. If you wish to raise a complaint on how we have handled your personal data, you can contact us to have the matter investigated.
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office https://ico.org.uk/
Your rights include:
- The right to be informed.
- The right of access to your data.
- The right to ask us to rectify erroneous data.
- The right to ask us to delete data, although we may be legally required to keep data so we may refuse this request.
- The right to restrict data processing.
- The right to data portability, which refers to the right to data being stored in a format that can be provided in a commonly available machine readable format rather than locked in to a proprietary format.
- The right to object.
- The right not to be subjected to automated decision-making including profiling.
Rev 1. April 2018
It is important that all relevant staff know the data collection policy in order to comply with GDPR, the EU directive regarding data security and privacy. Staff employed by this business as well as its subcontractors and suppliers must adhere to our data collection, storage and processing policy because failure to do so could render the business non compliant with GDPR.
Legal Basis for Collecting Personal Information
The legal basis for collecting personal information would fall under one or more of the following areas:
- Consent: If the subject provides explicit consent for Kate Pettitt to collect their data they must also be informed of their right of erasure and their right of access. Consent cannot be withheld in regard to personal data because in so doing the duty of care and provision of services to the subject would be compromised. People who wish to withhold their personally identifying data are not permitted to conduct business with Kate Pettitt, but people can attend events and withhold permission to be photographed or have video footage taken of them.
- Legally required: Data that the company is legally required to provide must be collected (for example, an employee’s national insurance number that is legally required by HMRC).
- Genuine Business Interest: If Kate Pettitt has a genuine business interest in recording that particular item of personal data, it is perfectly legitimate for that personal data to be recorded. For example: there is a genuine business need to record the address of a customer who may be providing his or her home address. Such data must be collected in order that Kate Pettitt can fulfil its promise to provide the customer with the required standard of service.
Principles of Data Collection, Storage and Processing:
Personal Data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 83(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
It is not our policy to collect data from children (persons aged under 16)
Sensitive Personal Data
It is our policy to collect sensitive personal data from people insofar as that sensitive information is relevant to the satisfactory delivery of services or duty of care to employees, freelancers and subcontractors. That also may include (where relevant to employees): date of birth, national insurance number, or any other data that is very personal and private which could not reasonably be collected in the course of providing our services.
We must always notify people when we collect their data. When a booking is made in order to add people to the database system, it is our policy that the booking form obtains consent from the customer to ensure they agree that information can be used by Kate Pettitt and photographs and/or video footage can be taken.
Data Protection Officer (DPO)
The role of the Data Protection Officer includes driving remediation plans for security gaps. It is not mandatory for Kate Pettitt to have a DPO. The DPO is responsible for regularly reviewing and, where necessary, improving the security of personal data and is responsible for reviewing all complaints and data breaches. If a data breach is discovered, it is the DPO’s responsibility to advise the individuals whose data may have been compromised and provide advice as to their best course of action in order to minimise their risk. The procedure also requires that all complaints and breaches are documented and the resulting actions taken are also documented and regularly reviewed.
Subject Access Requests
People may access their data by requesting it, providing they supply Kate Pettitt with proof of their identity and proof of address. All requests for data erasure or provision must be forwarded to the Data Protection Officer immediately. It is a legal requirement that such requests are processed within 30 days. It is our policy that the DPO will, upon satisfactory proof of identity, process the Subject Access Request using the DPO’s own ability to access the database and carry out the appropriate steps to fulfil the Subject Access Request.
An original driver’s licence, original passport or original birth certificate are accepted as proof of identity. A recent letter from the Inland Revenue or other government department or utility company is accepted as proof of address. Copies of those documents are not taken and they must be the originals (not copies). On satisfactory proof of identity and address the DPO is required to provide the person with the personal information that is kept on file – note that “personal information” does not include our records, only their own personal data which is keep on Kate Pettitt’s Customer database or in any other file. If the subject asks for the data in machine readable format, the Data Protection Officer will supply it in machine readable format, for example the DPO will provide the data as an Excel spreadsheet or CSV file. No charge may be made for provision of an SAR, but the subject may be required to visit Kate Pettitt in order to prove identity and be given the information.
Subject Erasure Requests
If a person asks for their data to be erased, proof of identity and address is required as for Subject Access Requests. The Data Protection Officer will then either erase the data or ensure it has been anonymised by altering all personal identifying information including but not limited to Name, Address, Post Code, phone number and any other information which could be used to identify that individual. The process is to be completed within 30 days, but the DPO has the right to refuse to erase data under certain circumstances (for example where the subject has an outstanding invoice it is not feasible to erase all of that subject’s data).
The Data Protection Officer will check there are no outstanding invoices payable by the customer and that there is no other particular reason for retaining the data, then the data will be erased or anonymised. The data backups will, in time, erase the data from backups as well because those backups will be overwritten. The Data Protection Officer will also ensure that if a backup is restored, it does not bring back into the database any Subject Erasure Requests. No charge may be made for provision of an SER, but the subject may be required to visit Kate Pettitt in order to prove identity.
Data and Profile Processing
It is our policy not to process data other than use it to communicate with the subjects, to ensure prompt payment and prompt service, to ensure correct provision of our services and (where the subject has opted-in) to ensure the subject is kept informed of our services and to fulfil our duty of care to employees, subcontractors and freelancers. We therefore do not process personal data for any other reason. It is our policy not to use data for profiling.
It is our policy to keep personal data secure. The database is protected with appropriate passwords on the computer system. Therefore, it is required that these passwords are not saved in the keychain or otherwise auto-entered, they must be manually typed in every time in order to access the information. Additionally, the database is held on a server which is physically secure.
Complaints & Data Breaches
If any member of staff discovers a data breach or receives a complaint about the processing, storage, retrieval or deletion of personal data (including images) they must contact the Data Protection Officer immediately upon becoming aware of the complaint or discovering the breach. The organisation will notify the Information Commission Officer at ico.org.uk within 72 hours of being aware of the complaint or breach.
Complaints must be made in writing with full details of the complaint, including the full names and addresses of the individuals who are affected by the incident as well as the type of data which falls within the scope of the incident. The DPO will review the complaint within 30 days and take appropriate steps to resolve the complaint. The DPO will also notify all affected individuals in a timely manner that there has been a complaint or data breach, and will make recommendations to the individuals affected as to how they can mitigate further risks (such as changing passwords etc).
Bivouac GDPR Incident Record
This document must be used to record and review any incidents.
Duration of Data Retention
Kate Pettitt’s policy is to retain data for as long as it is necessary or until the individual asks for it to be removed. At present, the data retention period deemed useful to the genuine business interests of the company is as follows:
- For customers: 6 years after the most recent job carried out for that customer.
- For Kate Pettitt staff and/or freelancers: As long as those people are employed or provide services to Kate Pettitt, and for a period no more than 10 years thereafter.
- For photographs and/or videos used on the website or any other promotional material: For a period no more than 6 years after the photograph was taken unless that image is deemed to be of ongoing genuine business use to Kate Pettitt or deemed to be of historical interest.
Periodic reviews on the retention of data are carried out and any personal data is removed or anonymised after an appropriate period of time.
Suppliers and Partners
All suppliers and partners who wish to make use of personal data provided by Kate Pettitt must be GDPR compliant and co-operate with us in ensuring the security and privacy of personal data. Suppliers and partners must not sell, lend, transfer, give or otherwise provide in any form the personal data that has been provided to them by Kate Pettitt.
Where suppliers, freelancers and subcontractors supply their home address, it is deemed that the address they provide is their business address used for the purposes of supplying professional services to Kate Pettitt. As a result, such addresses are not “home addresses” but the business address of the supplier therefore it is not necessary to obtain consent nor are these addresses considered personal information. The same concept also applies to the phone numbers that suppliers provide, and any other information that coincidentally is personal as well as business information.
Data Protection Impact Assessment (DPIA)
DPIA must be carried out if the data falls within any of the following criteria:
- Evaluation or scoring, including profiling and predicting especially from aspects concerning the Data Subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements
- Automated decision-making with legal or similar significant effects
- Systematic monitoring of individuals
- Sensitive data
- Personal Data on a large scale
- Datasets that have been matched or combined
- Data concerning vulnerable Data Subjects
- Innovative use or application of technological or organisational solutions
- Data transfers across borders outside the European Union
- Data that Prevents Data Subjects from exercising a right or using a service or a contract
The Data Protection Officer will regularly assess whether or not data falls within the above criteria and ensure DPIA if it does.
The company’s policy requires that use of that data for marketing purposes is determined only by an “opt-in” system, whereby the subject is sent marketing information only if the subject has positively opted to receive such information. Subjects are able to withdraw that consent at any time, and on withdrawing that consent, the DPO must be notified in order that this individual’s option is changed and that change results in no further marketing information being sent to the subject (i.e. that the unsubscribe request is effective).
It is our policy not to transfer data to any other EU state or to any country outside the EU except for the purposes of backing up data which can be backed up to a cloud server the location of which cannot be guaranteed.
The data which is collected from customers includes only relevant information such as: full name, phone number, email address and any other relevant information that could be used to enhance Kate Pettitt’s ability to provide services to the customer.
The data which is collected from Kate Pettitt staff, subcontractors and freelancers is by necessity more detailed and could include all of the data points collected from guests as well as the additional data specifically required in order to satisfy the legal requirements and duty of care which the company is obliged to provide. This data may include, but is not limited to, Police Record Disclosure number (DBS), nationality and passport number (in order to prove legality of employment), medical records, gender, next of kin and date of birth. People who are next of kin have the right to ask for their data to be erased.
Data Security & Backups
Data is not encrypted but is protected from unauthorised access by way of a conventional login and password system. Data is backed up and the backups are eventually overwritten. Servers are kept secure from access by the general public and customers and only authorised personnel are provided with the login details required to access the data in the normal course of their employed duties.
No personal data is shared with any external organisation except those organisations with which Kate Pettitt has a professional working relationship and where that data is to be used only to enhance the provision of services to the customer.
CCTV / Video Footage / Still Photography of Children (aged under 16 years)
Consent to obtain photographic images (whether by CCTV, video footage or still photography) is obtained from the subjects’ parents or guardians.
Consent is obtained in writing to assure Kate Pettitt that all people who are photographed provide consent for Kate Pettitt to record information and to take photographs and record video footage. In the event such consent is withheld employees of Kate Pettitt must ensure that person is not included in any photograph or video taken.
Subjects have the right to request the erasure of photographs and/or video footage.