Restorative Thinking takes its responsibilities with regard to the management of the requirements of the General Data Protection Regulation (GDPR) very seriously. This policy sets out how we manage those responsibilities.
We need to gather and use certain information about individuals. This can include customers, suppliers, business contacts, employees, and other people the organisation has a relationship with or may need to contact.
The Data Controller for Restorative Thinking is:
Name: Lesley Parkinson
The data protection policy ensures that we:
Controller means the person who determines the purposes and means of the processing of personal data.
Processing means any operation or set of operations that are performed on personal data.
Personal Data means any information relating to an identified natural person (data subject). An identifiable natural person can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the identity of that person.
Processor is the person or legal entity that processes personal data on behalf of a controller.
Consent means any freely given, specific, and informed indication of the data subject's wishes by which they, by statement or by affirmative action, signify agreement to the processing of personal data relating to them.
The Data Protection Act 2018 and GDPR (EU) 2016/679 describe how organisations, including Restorative Thinking, must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper, or using other materials.
To comply with the law, personal information must be collected and used fairly, stored safely, and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
We commit to complying with the General Data Protection Regulation and will ensure that personal data will be:
The Data Controller is responsible for and is required to be able to demonstrate compliance with the above principles.
Everyone who works with Restorative Thinking has a responsibility for ensuring that data is collected, stored, and handled appropriately.
Every employee, contractor, and consultant must ensure that personal data is handled and processed in line with this policy.
Generally, the following will apply:
Lawful needs will be identified before personal data can be processed. If there is no other lawful purpose identified, then consent must be sought. To be considered a lawful basis to process data one of the following must apply:
Where the processing is based on consent, the organisation will ensure that it can demonstrate that the data subject has consented to the processing of his or her personal data.
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the organisation ensures that the request for consent is presented in a manner that is distinguishable from the other issues, in an intelligible and easily accessible form using clear and plain language.
The data subject has the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Before giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
When assessing whether consent is freely given, the organisation takes utmost account of whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Information and records relating to data subjects will be stored securely and will only be accessible to authorised staff.
These guidelines apply to both hard copy data and data that is stored electronically.
Restorative Thinking operates a ‘paperless’ office but recognises that there may be circumstances where documents need to be printed in hard copy.
If there is a requirement for information to be printed, it should be kept in a secure place where unauthorised people cannot see it.
Data printouts should be shredded and disposed of securely when no longer required.
It is our responsibility to ensure all personal and company data is deleted beyond recovery from any computer system previously used within the organisation.
Copies of documents containing personal data are treated the same way as the original documents and will be retained for as long as necessary. However, if the copy is for the purpose of a meeting, the copies will be shredded as soon as practicable after the meeting.
Questions about storing data safely can be forwarded to a director.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion, and malicious hijacking attempts:
DATA COLLECTION & USE
Restorative Thinking will ensure that data is collected within the boundaries defined within this policy. This applies to data that is collected in person (face to face or over the telephone), electronically, or by completing a form. It applies to any location that is being used by staff, volunteers, or consultants to deliver the organisation’s business. When collecting data, the organisation will ensure, wherever possible, that there is a fair processing notice in place and that the data subject will have enough information for them to give informed consent.
Personal data is of no value to Restorative Thinking unless the business can make use of it. When personal data is accessed and used it can be at the greatest risk of loss, corruption, or theft:
Any data that is transmitted electronically will be encrypted and sent only over a secure connection. All servers storing personal information are GDPR compliant and secure. For an additional layer of security, we password-protect any documents containing sensitive information.
Legislation requires Restorative Thinking to take reasonable steps to ensure that data is kept accurate and up to date.
It is your responsibility to ensure that your personal data is as accurate and as up to date as possible.
Restorative Thinking is responsible for ensuring that staff processing personal data:
The organisation has a data retention schedule that clearly specifies the length of time each category of documents containing personal data is retained. At the end of the retention period, paper copies are shredded whilst electronic copies of documents are deleted permanently.
RIGHT TO ERASURE/RIGHT TO BE FORGOTTEN
Everyone has the right to ask Restorative Thinking to delete any data that we hold about them.
There are certain circumstances where data subjects can ask for their data to be erased:
There are certain circumstances where your request can be refused:
Restorative Thinking can also refuse your request if it is, as the law states, ‘manifestly unfounded or excessive’. There is no set definition of what makes a request ‘manifestly unfounded or excessive’. It depends on the circumstances of your request.
In such circumstances Restorative Thinking can:
In either case, we will tell you and justify our decision.
If, having considered your request, Restorative Thinking decides we do not need to erase your data, we will still respond to you. We will explain why we believe we do not have to erase your data, and let you know about your right to complain about this decision to the ICO, or through the courts.
Whilst some data can be destroyed instantly, other data must be retained to protect Restorative Thinking, to preserve evidence, and generally to conform to good business practice. Some reasons for data retention include:
RETURN OF DOCUMENTS
Original documents containing personal data, such as passport, driving licence, bank statements, etc., which are required to be viewed as part of safer recruitment practice, will be returned to the data subject as soon as the documents have been viewed and copied by Restorative Thinking.
DISCLOSURE OF DATA
In certain circumstances, the Data Protection Act 2018 allows personal data to be disclosed to law enforcement agencies without the consent of the employee.
Under these circumstances, Restorative Thinking will disclose requested data and will ensure the request is legitimate before releasing the information.
This policy helps to protect Restorative Thinking from some very real data security risks, including: