Data Protection Policy

Restorative Thinking takes its responsibilities with regard to the management of the requirements of the General Data Protection Regulation (GDPR) very seriously. This policy sets out how we manage those responsibilities.

We need to gather and use certain information about individuals.  This can include customers, suppliers, business contacts, employees, and other people the organisation has a relationship with or may need to contact.

The Data Controller for Restorative thinking is:

Name:                                  Lesley Parkinson


Contact:                               01772-742353

The data protection policy ensures that we:

  • Comply with data protection law and follow good practice.
  • Protect the rights of staff, customers, and partners.
  • Are open about how we store and process individuals’ data.
  • Protect ourselves from the risks of a data breach.




Controller                  means the person who determines the purposes and means of the processing of personal data.

Processing                means any operation or set of operations that are performed on personal data.

Personal Data          any information relating to an identified natural person (data subject).  An identifiable natural person can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the identity of that person.

Processor                  is the person or legal entity that processes personal data on behalf of a controller.

Consent                    any freely given, specific informed, and an indication of the data subjects wishes by which they statement or by affirmative action, signify agreement to the processing of personal data relating to them.



The Data Protection Act 2018 and GDPR (EU) 2016/679 describe how organisations, including Restorative Thinking, must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper, or using other materials.

To comply with the law, personal information must be collected and used fairly, stored safely, and not disclosed unlawfully.

The Data Protection Act is underpinned by eight important principles.  These say that personal data must:

  • Be processed fairly and lawfully.
  • Be obtained only for specific, lawful purposes.
  • Be adequate, relevant, and not excessive.
  • Be accurate and kept up to date.
  • Not be held for any longer than necessary.
  • Processed in accordance with the rights of data subjects.
  • Be protected in appropriate ways.
  • Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.



We commit to comply with the General Data Protection Regulations and will ensure that personal data will be:

  • Processed lawfully, fairly, and in a transparent manner in relation to individuals.
  • Collected for specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Adequate, relevant, and limited to what is necessary for relation to the purposes for which they are processed.
  • Accurate and, where necessary, kept up to date.
  • Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organisational measures (integrity and confidentiality).


The Data Controller is responsible for and is required to be able to demonstrate compliance with the above principles.



Everyone who works with Restorative Thinking has a responsibility for ensuring that data is collected, stored, and handled appropriately.

Every employee, contractor, and consultant must ensure that personal data is handled and processed in line with this policy.



Generally, the following will apply:

  • The only people able to access data covered by this policy should be those who need it for their work.
  • Data should not be shared informally. When access to confidential information is required, employees/consultants can request it from a director.
  • Employees/consultants should keep all data secure, by taking sensible precautions and following the guidelines below.
  • Strong passwords must be used and should never be shared.
  • Personal data should not be disclosed to unauthorised people, either internally or externally.
  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted/disposed of appropriately.
  • Employees/consultants should request help from a director if they are unsure about any aspect of data protection.



Lawful needs will be identified before personal data can be processed.  If there is no other lawful purpose identified, then consent must be sought.  To be considered a lawful basis to process data one of the following must apply:

  • Processing is necessary for the performance of a contract with the data subject, or to take steps to enter a contract.
  • Processing is necessary to comply with legal obligations.
  • Processing is necessary to protect the vital interests of data subjects or another person.
  • Processing is necessary to fulfill a task that is in the public interest or the exercise of official authority.
  • Processing is necessary for the legitimate interests of the organisation, and those legitimate interests are not outweighed by the possible harm to the data subjects’ rights and interests.
  • Processing of data has consent from the data subject.


Where the processing is based on consent, the organisation will ensure that it can demonstrate that the data subject has consented to the processing of his or her personal data.

If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the organisation ensures that the request for consent is presented in a manner that is distinguishable from the other issues, in an intelligible and easily accessible form using clear and plain language.

The data subject has the right to withdraw consent at any time.  The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.  Before giving consent, the data subject shall be informed thereof.  It shall be easy to withdraw as to give consent.

When assessing whether consent is freely given, the organisation takes utmost account of whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.



Information and records relating to data subjects will be stored securely and will only be accessible to authorised staff.

These guidelines apply to both hard copy data as well as data that is stored electronically.

Restorative Thinking operates a ‘paperless’ office but recognises that there may be circumstances where documents need to be printed in hard copy.

If there is a requirement for information to be printed, it should be kept in a secure place where unauthorised people cannot see it.

Data printouts should be shredded and disposed of securely when no longer required.

It is our responsibility to ensure all personal and company data is deleted beyond recovery from any computer system previously used within the organisation.

Copies of documents containing personal data are treated the same way as the original documents and will be retained for as long as necessary.  However, if the copy is for the purpose of a meeting, the copies will be shredded as soon as practicable after the meeting.

Questions about storing data safely can be forwarded to a director.



When data is stored electronically, it must be protected from unauthorised access, accidental deletion, and malicious hijacking attempts:

  • Data should be protected by strong passwords that are changed regularly and never shared between employees.
  • Data should not be stored on removable media.
  • Data should only be stored on designated drives and servers and should only be uploaded to an approved cloud computing service.
  • Servers containing personal data should be sited in a secure location and away from general office space.
  • Data should be backed up frequently. Those backups should be tested regularly.
  • Data should never be saved onto mobile devices such as smartphones, tablets, etc.
  • The only laptop that data should be stored on is one issued by the company and password protected.
  • All servers and computers containing data should be protected by approved security software and a firewall.



Restorative Thinking will ensure that data is collected within the boundaries defined within this policy.  This applies to data that is collected in person (face to face or over the telephone), electronically, or by completing a form.  It applies to any location that is being used by staff, volunteers, or consultants to deliver the organisation’s business.  When collecting data, the organisation will ensure, wherever possible, that there is a fair processing notice in place and that the data subject will have enough information for them to give informed consent.

Personal data is of no value to Restorative Thinking unless the business can make use of it.  When personal data is accessed and used it can be at the greatest risk of loss, corruption, or theft:

  • When working with personal data, employees/consultants should ensure the screens of their computers are always locked when left unattended.
  • Personal data should not be shared informally.
  • Personal data should never be transferred outside of the European Economic Area.
  • Employees should not save copies of personal data to their own computers and should always access and update the central copy of any data.



Any data that is transmitted electronically will be encrypted and only use a secure connection.  All servers storing personal information are GDPR compliant and secure, for an additional layer of security, we password protect any documents containing sensitive information.



Legislation requires Restorative Thinking to take reasonable steps to ensure that data is kept accurate and up to date.

It is your responsibility to ensure that your personal data as accurate and as up-to-date as possible.

  • Data will be held in as few places as necessary. Employees/consultants should not create any unnecessary additional data sets.
  • Employees/consultants should take every opportunity to ensure data is updated, i.e. confirming a customer’s details when they call.


Restorative Thinking is responsible for ensuring that staff processing personal data:

  • Understand that they are contractually responsible for following good data protection practice as per the requirements of the Data Protection Act 2018 and GDPR.
  • Undertake Data protection/GDPR training.
  • Know what to do in case they receive requests under Legislation.
  • Are aware of how to copy, store, transmit, destroy, and return personal data.



The organisation has a data retention schedule that clearly specifies the length of time each category of documents containing personal data is retained.  At the end of the retention period, paper copies are shredded whilst electronic copies of documents are deleted permanently.



Everyone has the right to ask Restorative Thinking to delete any data that we hold about them.

There are certain circumstances where data subjects can ask for their data to be erased:

  • The organisation no longer needs the data for which it was intended.
  • Initially, consent was given to use your personal data, but you have now withdrawn consent.
  • You have objected to the use of your data, and your interests outweigh those of the organisation.
  • You have objected to the use of your data for direct marketing purposes.
  • The organisation has unlawfully collected and processed your data.
  • The organisation has a legal obligation to erase your data.
  • If you are now an adult, you have a right to have your data erased if it was collected from you as a child.


There are certain circumstances where your request can be refused:

  • When keeping your data is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic, and literary purposes).
  • When the organisation is legally obliged to keep hold of your data such as to comply with financial or other regulations e.g. safeguarding.
  • When the organisation is carrying out a task in the public interest or when exercising its official authority.
  • When keeping your data is necessary for establishing, exercising, or defending legal claims.
  • When erasing your data would prejudice scientific or historical research or archiving that is in the public interest.


Restorative Thinking can also refuse your request if it is, as the law states, ‘manifestly unfounded or excessive’.  There is no set definition of what makes a request ‘manifestly unfounded or excessive’. It depends on the circumstances of your request.

In such circumstances Restorative Thinking can:

  • request a reasonable fee to deal with the request; or
  • refuse to deal with the request.


In either case, we will tell you and justify our decision.

If, having considered your request, Restorative Thinking decides we do not need to erase your data, we will still respond to you. We will explain why we believe we do not have to erase your data, and let you know about your right to complain about this decision to the ICO, or through the courts.



Whilst some data can be destroyed instantly, other data must be retained to protect Restorative Thinking, to preserve evidence and, generally conform to good business practice.  Some reasons for data retention include

  • Litigation
  • Accident Investigation
  • Security incident investigations
  • Regulatory requirements



Original documents containing personal data such as passport, driving license, bank statements, etc. which are required to be viewed as part of safer recruitment practice, will be returned to the data subject as soon as the documents have been viewed and copied by Restorative Thinking.



In certain circumstances, the Data Protection Act 2018 allows personal data to be disclosed to law enforcement agencies without the consent of the employee.

Under these circumstances, Restorative Thinking will disclose requested data and will ensure the request is legitimate before releasing the information



 This policy helps to protect Restorative Thinking from some very real data security risks, including:

  • Breaches of confidentiality. For instance, information being given out inappropriately.
  • Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
  • Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.