GDPR and the Coach House Arts Ltd Data Protection Policy – an Introduction
GDPR came into force on 25 May 2018 and affects ALL businesses, including small limited companies such as ourselves.
What is GDPR?
GDPR builds on the Data Protection Act 1998 and came into force on 25 May 2018. Working with Coach House Arts Ltd requires that you understand our policies in respect of GDPR, the importance of our being GDPR compliant, and what you need to do to work with us.
How have our policies been created?
Coach House Arts Ltd is very aware of the importance of data protection. In line with the GDPR regulations of 25 May 2018 we have reviewed our existing policies and procedures, and we want to make sure that everyone who works with us understands the importance of GDPR, both as individuals and for Coach House Arts Ltd as a whole. The policies will grow organically as the Company grows, ensuring best practice, so as always please talk to us if there is anything you do not understand, anything you think can be improved, or anything you are concerned does not take a particular aspect of your job into account.
What are the data protection principles behind GDPR?
There are 8 main principles (those of the Data Protection Act 1998, which GDPR carries forward and strengthens). These are that personal information:
must be fairly and lawfully processed
must be processed for limited purposes
must be adequate, relevant and not excessive
must be accurate and up to date
must not be kept for longer than is necessary
must be processed in line with *data subjects’ rights
must be secure
must not be transferred to other countries without adequate protection
for more info on data subjects’ rights see:
NON-compliance can see a business fined up to 20 million euros or 4% of its global annual turnover, whichever is higher. Whilst it is unlikely that a company such as Coach House Arts Ltd would be fined, and the ICO is there to support companies in making sure that they are compliant, non-compliance could cause huge reputational damage.
What is personal data?
Personal data is any information relating to an identified or identifiable living person, and includes name, contact details, identification number, and online identifiers such as a username.
Special category (more sensitive) data includes: racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic information, biometrics, health (mental OR physical), sex life and sexual orientation.
What is data processing? This is anything that is done to personal data, including collecting, recording, organising, structuring, storing, retrieving, using, erasing or destroying it.
It is useful to note that data protection does not apply to properly anonymised data, i.e. data that cannot be linked to a specific individual (pseudonymised data, which can still be linked back to a person, remains personal data). But most importantly, REMEMBER: just like safeguarding and Health & Safety, it is EVERYONE'S RESPONSIBILITY.
Do's and Don'ts: a helpful list
Coach House Arts Ltd has put together a list of Do's and Don'ts, which can be found later in this document (pages 5 and 6 of the printed policy) and forms part of the Coach House Arts Ltd Data Protection Policy. Have a look and make sure you are doing everything you need to. If you think anything has been missed, if additional safety measures are required, or if there is something we can help you with, PLEASE let us know so we can improve our policies and processes going forward. As we said before, GDPR is everyone's responsibility.
What to do now? Read the Coach House Arts Ltd Data Protection Policy and then….
Is everything clear, is there anything you are unsure about?
Consider what data you process, what applies to you, and if you comply
Act and put everything in place to make sure you do comply
ASK if there is anything you are unsure about
BRING your ideas to the next meeting
DATA AMNESTY! Clear out all data that is no longer relevant, whether on your computer, your iPad or in paper-based documentation.
CHECK new processes or actions put in place – have they helped you and what are your comments?
By working with Coach House Arts Ltd you are confirming that you have read and understood the aims and scope of our GDPR Policy and that everything is in place to make sure that you are working within the policy guidelines.
Coach House Arts Ltd Data Protection Policy
This policy aims to ensure:
That Coach House Arts Ltd processes personal data fairly and lawfully and in line with the Data Protection Principles
All those working with Coach House Arts Ltd and involved with the collection, processing and disclosure of personal data are aware of their duties and responsibilities under this policy
That the data protection rights of those involved with Coach House Arts Ltd are safeguarded
That there is confidence in Coach House Arts Ltd's ability to process data fairly and securely
This policy applies to the personal data of all those working for Coach House Arts Ltd, students, parents and carers, Board Members and any other person carrying out activities on behalf of Coach House Arts Ltd, and covers the processing of personal data both in manual (paper) format and on computer.
Data Protection Principles
Coach House Arts Ltd will ensure that all personal data will be:
Processed fairly, lawfully and in a transparent manner
Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes.
Adequate, relevant and limited to what is necessary in relation to the activity for which the data is required
Accurate and, where necessary kept up to date
Kept for no longer than is necessary for the purposes for which the personal data is processed
Processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures
Coach House Arts Ltd will be able to demonstrate compliance with these principles (accountability) and will have a process in place for dealing with the following rights in respect of an individual's personal data:
To be informed what data is held, why it is being processed and who it is shared with
To access the data held about them
To rectification of inaccurate records
To erasure
To restriction of processing
To data portability
To object to processing
Not to be subject to decisions based solely on automated processing, including profiling
Roles and Responsibilities
The Directors are responsible for implementing good data protection practices and procedures within Coach House Arts Ltd
It is the responsibility of all persons engaged in carrying out activities for Coach House Arts Ltd, whether employed or self-employed, to ensure that their working practices comply with the Data Protection Principles
The Data Protection Officer will have responsibility for all issues relating to the processing of personal data and will report to the Directors.
The Data Protection Officer will comply with their responsibilities under GDPR and deal with all subject access requests (SARs), requests for rectification or erasure, and data security breaches.
The Directors are V Westaway and G. Barley
The Coach House Arts Ltd Data Protection Officer is V Westaway.
Data Security and Data Security Breach Management
All employees and those engaged in work for Coach House Arts Ltd are responsible for ensuring that all personal data they process is kept securely and is not disclosed to any third party except where this policy permits it.
Access to personal data should only be given to those who need it for the purpose of their duties.
All data will be destroyed securely when no longer required.
Coach House Arts Ltd will have a data security breach management process, and all relevant persons will be aware of and follow it.
All relevant persons will be familiar with the list of Do's and Don'ts in relation to data security, as recorded within this policy.
Sharing Data with a Third Party and Data Processing Undertaken on Behalf of Coach House Arts Ltd
Personal data will only be shared with appropriate authorities and third parties where it is fair and lawful to do so. Where a third party undertakes data processing on behalf of Coach House Arts Ltd, Coach House Arts Ltd will ensure that there is a written agreement requiring that the data is processed in accordance with the Data Protection Principles.
All new persons employed by or engaged in work on behalf of Coach House Arts Ltd will be made aware of the data protection requirements.
Photographs, Additional Personal Data and Consents
Where Coach House Arts Ltd seeks consent for the processing of personal data, such as photographs at events, it will ensure that appropriate consents are obtained; the consent forms will also advise how consent can be withdrawn. Where the personal data relates to a person under 16 years of age, written consent will be required from the adult with parental responsibility.
DO get permission before taking any confidential information home
DO transport information off site only on SECURE computing devices; where possible AVOID taking paper documents out of the office
DO use SECURE portable computing devices such as encrypted laptops and encrypted memory sticks when working from home
DO ensure that any information saved on a USB, camera, laptop or phone is SECURELY & PROMPTLY deleted off the device and/or saved on the Coach House Arts shared drive
DO ensure that all paper based information that is removed from the office is kept confidential and secure, ideally in a sealed envelope which indicates a return address if misplaced.
DO ensure that any confidential documents that are taken home are stored in a LOCKED drawer.
DO ensure that any paper-based information or laptops are kept safe and close to hand when off premises, and never leave them unattended, especially in public places. Remember to be careful when reading…
DO keep documentation secure and out of sight when transporting it in your car
DO return paper based information to the office as soon as possible and file/dispose of it securely.
DO REPORT any loss of information (paper based or held on portable computer devices) to the Directors and Data Protection Officer immediately, this INCLUDES during the holidays and weekends.
DO ensure that all email and postal addresses are checked before sending, and when sending personal information mark it 'Private: contents for addressee only'
DO ensure when mailing information that ONLY the specific information required by the recipient is sent
DO anonymise personal information where necessary
DO ensure that access to information is restricted to the appropriate people only
DO encrypt documents where necessary
DO make sure you ask if there is anything you are unsure about
DO remove downloads from home PC if working from home
DO set up and maintain a strong, unique password for each work account
DO lock your phone with a passcode (or biometric lock) if you use it to access work emails
DO make sure that all information is retained and disposed of in line with appropriate requirements
DO remember by working with Coach House Arts you are confirming that you have read and understood the aims and scope of our GDPR Policy and that everything is in place to make sure that you are working within the policy guidelines
DON’T take confidential information to a public place or social event unnecessarily
DON’T copy other parties into email correspondence unnecessarily: an email address is personal data, and every recipient in To or Cc sees every other recipient's address (use Bcc for group mailings)
DON’T include full names in subject lines – use initials only
DON’T scan documents to a generic or shared scan mailbox; use a specified admin mailbox or one that has been set up for the purpose
DON’T leave confidential documents in general/accessible areas at home or in the office
DON’T make calls to parents or carers in public places – this includes using the office phone to make confidential calls when other unrelated parties may be present
DON’T email confidential documents to a personal email account or to a computer that is not a work computer and adequately secured
DON’T store work documents on a home computer
DON’T leave unclaimed documents on the printer or copier
DON’T leave personal information on your desk or on your computer when you are away from your desk/the office
DON’T leave documentation in vehicles over night
DON’T discuss confidential matters at social events or in public places
DON’T put confidential documents in non-confidential bins, recycling bins
DON’T print off reports with personal data (e.g. student data) unless ABSOLUTELY necessary
DON’T use unencrypted memory sticks or unencrypted laptops
Process for Data security Breach Management
EVERYONE working for Coach House Arts Ltd has an INDIVIDUAL responsibility for reporting data loss or security risk IMMEDIATELY
The DPO and Directors must, without delay, consider and implement appropriate steps to contain the breach or recover the data; this may include misplaced paperwork or a misdirected email.
ALL breaches must be documented, including the facts, the effects and the remedial action taken; see the Data Breach Reporting Form below.
FURTHER steps and actions are decided on the risk factors involved, which include emotional distress, physical risk, financial damage and risk of identity fraud. Where a breach is likely to result in a risk to the rights and freedoms of individuals it must be reported to the ICO, and this must be done within 72 hours of Coach House Arts Ltd becoming aware of the breach.
The DPO and Directors to review any breach and identify necessary improvements and amend the policy accordingly.
Data Breach Reporting Form
Date of Breach:
Date Director and/or data Protection Officer Notified:
Brief Description of type of data breach, those affected and number of possible data records affected:
Review Notes With Directors and/or Data Protection Officer
Assess and note possible consequences of data breach:
Agree and record the measures taken, or proposed to be taken, to address the personal data breach, including, where appropriate, the actions taken to mitigate as far as possible any adverse effects:
To be completed by Data Protection Officer and/or a Director
Review of Data Breach and the Coach House Arts Ltd Data Protection Policy
Summary of actions taken:
Date Policy amended in response (if applicable):