Date of version: 20 January 2020
This policy applies to the use of all personal data held on a computer system or other equipment, including CCTV, that can be automatically processed (or is recorded with the intention that it will be processed) to provide information where that data is under the direct or indirect control of the Think Cre8tive Group CIC.
The Act, and this policy, also applies to manual records where such records form part of, or are intended to form part of, a relevant filing system.
Reasons/purposes for processing information
To enable the Think Cre8tive Group CIC to provide education, support and general advice services for our clients/service users; to promote the Think Cre8tive Group CIC; to maintain our own records and accounts; to support and manage our staff and volunteers.
Type/classes of information processed
Refers to information relevant to the above reasons/purposes and may include:
- Personal details
- Family details
- Lifestyle and social circumstances
- Financial details
- Education and employment details
- Visual images
This may also include sensitive classes of information including:
- Physical or mental health details
- Racial or ethnic origin
- Religious or other beliefs
- Trade union membership
- Offences and alleged offences/criminal proceedings, outcomes and sentences
Who the information is processed about:
- Company Directors
- Clients/service users
- Professional advisers/consultants
- Business contacts
- Welfare and pastoral professionals
- Persons who may be the subject of an enquiry
- Suppliers and service providers
Who the information may be shared with:
Think Cre8tive Group CIC sometimes needs to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary, we are required to comply with all aspects of the Data Protection Act. Where necessary or required we share information with:
- Family, associates and representatives of the person whose personal data we are processing
- Professional advisers
- Current, past or prospective employers
- Voluntary and charitable organisations
- Healthcare, social and welfare organisations
- Financial organisations
- Survey and research organisations
- Persons making an enquiry or complaint
- Press and the media
- Local and central government
- Security organisations
- Police forces, prison and probation services, courts and tribunals
- Suppliers and service providers
Personal information is also processed in order to undertake research. For this reason the information processed may include name, contact details, family details, lifestyle and social circumstances, financial details, goods and services. The sensitive types of information may include physical or mental health details, racial or ethnic origin and religious or other beliefs.
For information from survey respondent, where necessary or required this information may be shared with customers and clients, agents, service providers, survey and research organisations.
Purpose of Policy
To set out rules for governing the handling of personal information in relation to Think Cre8tive Group CIC’s employees, clients/service users and suppliers, thereby providing a code of good information-handling practice and ensuring that all requirements of the Data Protection Act 1998 are met.
Employees and volunteers should not record data if an individual concerned has not supplied their personal information directly for Think Cre8tive Group CIC’s purposes.
All employees and volunteers should be aware of, and should abide by, their obligations under the Data Protection Act. Any breach of the Act or this policy could result in legal and/or disciplinary proceedings being taken against any level of employee. The implementation of this policy is the responsibility of each and every employee.
We will all follow 8 Data Protection Principles:
1. Fair and Lawful Processing
– personal data must be processed fairly and lawfully and shall not be processed until certain conditions are met.
2. Notification (Registered Purposes) and Processing of Data
– personal data must be obtained only for specified and lawful purposes and must not be processed in any way that is incompatible with that purpose.
3. Adequate and Relevant Data
– personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
4. Accuracy of Personal Data
– personal data shall be accurate and kept up to date.
5. The Period for which Personal Data should be Held
– personal data processed for any purposes shall not be kept for longer than is necessary for those purposes.
6. The Individual’s Rights and Subject Access
– personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Security of Personal Data
– appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Transfer of Information
– personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.