EFFECTIVE 25TH MAY 2018
This policy sets out the basis on which any personal data including special category personal data that we collect from you, or that you provide to us, will be processed by us. Personal data means information about you that may identify you from that data.
This policy applies to Customers, Children, Employers and Partners.
This policy ensures Rosedene Nurseries/Rosedene Northallerton Ltd meets the Data Protection Principles which require information to be:
Handled fairly and lawfully
Kept and used for limited purposes
Required for good reason
Correct and up to date
Not kept longer than necessary
Not transferred to unapproved countries outside the European Economic Area
Data Controller Statement
Rosedene Nurseries/Rosedene Northallerton Ltd (also referred to in this policy as “we” or “us”) registered office is Hemlington Initiative Centre, Cass House Road, Middlesbrough, TS8 9QW Telephone 01642 596768, company number 4392463 is the Data Controller in respect of all data collected.
What information do we collect from you or ask you to provide?
We collect data directly from you during enrolment and induction, this includes;
Personal Information – such as your name, date of birth, National Insurance number, gender, contact details
Special Categories of personal data – such as ethnic origin, physical or mental health or condition.
We will collect information you voluntarily provide us when you contact us with queries, complaints or customer feedback.
If you visit our Website, we may automatically collect the following information:
Technical information, including the internet protocol (IP) address used to connect your computer to the Internet, login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
Information about your visit to our Website such as the products and/or services you searched for and view, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
Other sources of personal data
We may also use personal data from other sources, such as specialist companies that supply information, online media channels and public registers and public website domains.
Purpose of data?
We need to collect, hold and process information about you in order to:
Confirm your identify and keep in touch with you by post, email, text or telephone
Understand your needs and provide you with the appropriate support
Meet our statutory obligations including those related to equality & diversity
Manage our employer customer account and provide you with details of our services
Respond to queries, complaints or customer feedback
Legal basis for processing your data
Candidate Recruitment – Legitimate interest: To ensure that Rosedene Nurseries/Rosedene Northallerton Ltd match candidates wishing to seek apprenticeship and learning opportunities and considering their interests, skills and abilities to match them with employer apprenticeship and employment opportunities.
Child Enrolment– Legitimate interest: To ensure Rosedene Nurseries/Rosedene Northallerton Ltd meets their learning and welfare needs. For special categories of personal data, this is processed as it is necessary.
Employers – Legitimate interest: To ensure Rosedene Nurseries/Rosedene Northallerton Ltd supports recruitment needs for employees.
Improving our service – Legitimate interest: To make sure that Rosedene Nurseries/Rosedene Northallerton Ltd continue to improve our service and provide the best and most effective service possible to our customers.
Who might we share your information with?
We do need to share your data with some third parties.
Data will be visible to service providers who provide the mechanisms Rosedene Nurseries/Rosedene Northallerton Ltd use to collect and store data:
Databases are provided by approved suppliers
Company Shared Drive Data and email service is provided approved suppliers.
Data transfer routes are provided by One drive
How do we protect your information?
Measures we have in place to protect your information include computer safeguards such as firewalls and data encryption and we enforce physical access controls to our buildings and files to keep data safe. We only authorise access to employees who need it to carry out their job responsibilities. Please note that we cannot guarantee the security of any personal data that you transfer to us by email, for example a CV you submit to us for a vacancy. CVs and Applications submitted via our website portal are secure.
How do we store your information?
Rosedene Nurseries/Rosedene Northallerton Ltd maintains records of the geographical location of your personal data. This is either:
Stored within the European Economic Area (EEA)
Stored in countries approved by the European Commission as having adequate levels of protection in place eg Canada
Stored in the USA, with organisations who are certified with Privacy Shields, eg Google, this means that Google provide a level of protection which is deemed adequate by the European Commission
How long do we keep hold of your information?
Employee data will be retained in accordance with our contractual requirements.
Your rights under General Data Protection Regulation
You have a number of rights under data protection law. We will need to ask you for proof of your identify before we can respond to a request to exercise any of the rights set out below. We also may need to ask you for more information, for example to help us to locate the personal data that your request relates to.
Right 1 – A right to access your information
You have a right to ask us for a copy of your personal data that we hold about you. A request to exercise this right is called a “subject access request” and must be made in writing. Details of our subject access procedure and documentation can be found on our website.
Right 2 – A right to object to us processing your information
You can exercise this right by emailing us at Rosedene Nurseries/Rosedene Northallerton Ltd head office.
Right 3 – A right to have inaccurate data corrected
You have the right to ask us to correct inaccurate data that we hold about you; on notification we will correct your personal data.
Right 4 – A right to have your data erased
Right 5 – A right to ask us not to market to you
You can ask us not to send you direct marketing.
Right 6 – A right to have processing of your data restricted
You can ask us to restrict processing of your personal data in some circumstances, for example if you think the data is inaccurate and we need to verify its accuracy.
How to contact us
What if you have a complaint?
You have a right to complain to the Information Commissioner’s Office (ICO) which regulates data protection compliance in the UK, if you are unhappy with how we have processed your personal data. You can find out how to do this by visiting www.ico.org.uk
ROSEDENE NURSERIES LTD/ROSEDENE NORTHALLERTON LTD
PRIVACY NOTICE MAY 2018
Rosedene Nurseries Ltd/Rosedene Northallerton Ltd needs to hold and to process personal data about its employers, learners, employees, candidates, contractors and other individuals, in order to carry out its business and organisational functions.
GDPR defines personal data as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Examples of Personal Data
Date of Birth
Examples of Sensitive Personal Data (Special Categories)
Compliance with legislation will be achieved through the implementation of controls and responsibilities including measures to ensure that:
Personal data is processed lawfully, fairly and transparently. This includes the provision of appropriate information to individuals upon collection of their data by Rosedene Nurseries Ltd/Rosedene Northallerton Ltd in the form of privacy or data collection notices. Rosedene Nurseries Ltd/Rosedene Northallerton Ltd must also have a legal basis to process personal data.
Personal data is processed only for the purposes for which it was collected.
Personal data is adequate, relevant and not excessive for the purposes for which it was collected.
Personal data is accurate and where necessary kept up to date.
Personal data is not kept for longer than necessary.
Personal data is processed in accordance with integrity and confidentiality principles; this includes physical and organisational measures to ensure that personal data, both manual and digital, are subject to an appropriate level of security when stored, used and communicated by Rosedene Nurseries Ltd/Rosedene Northallerton Ltd, in order to protect against unlawful or malicious processing and accidental loss, destruction or damage. It also includes measures to ensure that personal data transferred to or otherwise shared with third parties have appropriate contractual provisions applied.
Personal data is processed in accordance with the rights of individuals, where applicable. These rights are
- The right to be informed.
- The right of access to the information held about them by Rosedene (through a subject access request).
- The right to rectification.
- The right to erase.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- The rights in relation to automated decision making and profiling.
The design and implementation of Rosedene Nurseries Ltd/Rosedene Northallerton Ltd systems and processes must make provision for the security and privacy of personal data
Personal data will not be transferred outside of the European Economic Area (EEA) without the appropriate safeguards in place
Additional conditions and safeguards must be applied to ensure that more sensitive personal data (defined as Special Category data in the legislation), is handled appropriately by Rosedene Nurseries Ltd/Rosedene Northallerton Ltd. Special category personal data is personal data relating to an individual’s:
- Race or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data (where used for identification purposes);
- Sex life or sexual orientation.
- In addition, similar extra conditions and safeguards also apply to the processing of the personal data relating to criminal convictions and offences.
This Policy applies to:
All personal data held and processed by the Rosedene Nurseries Ltd/Rosedene Northallerton Ltd. This includes expressions of opinion about the individual and of the intentions of Rosedene Nurseries Ltd/Rosedene Northallerton Ltd in respect of that individual. It includes data held in any system or format, whether electronic or paper;
All employees, management, contractors, associates, business partners and other parties who have access to company data.
All locations from which personal data is accessed including away from Rosedene Nurseries Ltd/Rosedene Northallerton Ltd Offices
Roles and Responsibilities
Rosedene Nurseries Ltd/Rosedene Northallerton Ltd. Director is the Accountable Officer who has ultimate responsibility for compliance with the Data Protection Act.
The Directors are responsible for ensuring that personal data within their areas is processed in line with this Policy and established procedures.
Rosedene Nurseries Ltd/Rosedene Northallerton Ltd. permanent and temporary employees and associates are responsible for incorporating this policy and its associated procedures into their own working practices to ensure compliance.
All staff and other approved users of Rosedene Nurseries Ltd/Rosedene Northallerton Ltd systems must:
Complete data protection training and must seek advice and guidance from the Director of Rosedene Nurseries Ltd/Rosedene Northallerton Ltd if clarification is required;
Comply with related procedures including Data transmission, storage and handling guidelines and data retention and deletion procedure;
Immediately report to the Director of Rosedene Nurseries Ltd/Rosedene Northallerton Ltd any actual or suspected misuse, unauthorised disclosure or exposure of personal data, “near misses” or working practices which jeopardise the security of personal data held by Rosedene Nurseries Ltd/Rosedene Northallerton Ltd.
The Director of Rosedene Nurseries Ltd/Rosedene Northallerton Ltd. is responsible for overseeing compliance with the data protection legislation.
Staff must note that any breach of this Policy may be treated as misconduct under the disciplinary procedure and could lead to disciplinary action or sanctions. Serious breaches of this Policy may constitute gross misconduct and lead to summary dismissal or termination of contract.
This policy will be monitored by Data Protection audit procedure.
This policy will be reviewed annually or when changes are required.