- Policy prepared by Ian Noble and approved by Dancing Goat Coffee Limited Directors on the 25th May 2018
- Policy became operational on 25th May 2018
- Next review date 25th May 2019
Dancing Goat Coffee needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the organization has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet Dancing Goat Coffee Limited’s data protection standards and to ensure it complies with the law.
Why this policy exists
This data protection policy ensures Dancing Goat Coffee Limited
- Complies with data protection law and follows good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Data Protection Law
To comply with the law, personal information must be collected and used fairly, stored safely and not be disclosed unlawfully. The rules apply regardless of whether data is stored electronically, on paper or on other materials.
All personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of the data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area, unless that country or territory also ensures an adequate level of protection
People, Risks and Responsibilities
This policy applies to
- The head office of Dancing Goat Coffee Limited
- All staff and volunteers of Dancing Goat Coffee Limited
- All contractors, suppliers and other people working on behalf of Dancing Goat Coffee Limited
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act.
This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- …plus any more information relating to individuals
Data Protection Risks
This policy helps protect Dancing Goat Coffee Limited from data security risks, including:
- Breach of confidentiality. For example, information being given out inappropriately
- Failing to offer choice. For example, all individuals should be free to choose how Dancing Goat Coffee Limited uses data relating to them.
- Reputational damage. For example, Dancing Goat Coffee Limited could suffer if hackers successfully gained access to personal data.
Everyone who works for Dancing Goat Coffee Limited has some responsibility for ensuring data is collected, stored and handled appropriately.
Everyone who handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, the following have key areas of responsibility:
- The company directors are ultimately responsible for ensuring that Dancing Goat Coffee Limited meets its legal obligations
- Ian Noble is responsible for:
- Keeping all directors updated about data protection responsibilities, risks and issues.
- Reviewing the data protection procedures and related policies, in line with the agreed schedule.
- Arranging relevant data protection training and/or advice for the people covered in this policy.
- Handling data protection questions from anyone covered by this policy.
- Dealing with requests from individuals to see the data which Dancing Goat Coffee Limited holds about them.
- Checking and approving any contracts or agreements with third parties that may handle Dancing Goat Coffee Limited’s sensitive data
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards
- Performing regular checks to ensure security hardware and software are functioning properly.
- Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.
- Approving any data protection statements attached to communications such as emails and letters
- The only people able to access data covered by this policy should be those that need it for their work
- Data should not be shared informally. When access to confidential information is required, this should be requested from Ian Noble.
- Dancing Goat Coffee Limited will provide advice and if necessary training to all employees to help them understand their responsibilities when handling data.
- Employees should keep all data secure, by taking sensible precautions and by following the guidelines below
- Strong passwords should be used and they should never be shared.
- Personal data should not be disclosed to unauthorized people.
- Data should be reviewed regularly and updated. If it is out of date and no longer required then it should be deleted and disposed of.
- Anyone involved with Dancing Goat Coffee should speak with Ian Noble if they are unsure about any aspect of data protection.
These rules describe how and where data should be safely stored. Any questions about storing data safely should be directed to Ian Noble.
When data is stored on paper, it should be kept in a secure place where unauthorized people cannot see it. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet
- No paper or printouts should be left where unauthorized people can see them.
- Data printouts should be shredded and disposed of securely when no longer needed.
When data is stored electronically, it must be protected from unauthorized access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared.
- If data is stored on removable media (an external hard drive, for example), these should be kept locked away securely when not in use.
- Data should only be stored on designated drives and should only be uploaded to an approved cloud computing service.
- Data should be backed up frequently, and those backups should be tested regularly.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
- All computers containing data should be protected by approved security software and a firewall.
Personal data is of no value to Dancing Goat Coffee Limited unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft. All due care and attention should be taken when dealing with personal data, as detailed above.
The law requires Dancing Goat Coffee Limited to take reasonable steps to ensure that data is kept accurate and up to date.
- Data will be held in as few places as necessary.
- Every opportunity should be used to ensure that data is up to date, for example, by confirming a customer’s details when they call.
- Dancing Goat Coffee Limited will make it easy for data subjects to update the information Dancing Goat Coffee Limited holds about them, for example via the company website.
- Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
Subject access requests
All individuals who are the subject of personal data held by Dancing Goat Coffee Limited are entitled to
- Ask what information the company holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the company is meeting its data protection obligations.
If an individual contacts the company requesting this information, this is called a subject access request.
Subject access requests from individuals should be made via email, addressed to Ian Noble at firstname.lastname@example.org
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to certain agencies without the consent of the data subject.
Under these circumstances, Dancing Goat Coffee Limited will disclose the requested data. However, Ian Noble will ensure that the request is legitimate.
Dancing Goat Coffee Limited aims to ensure that individuals are aware that their data is being processed and that they understand:
- How the data is being used
- How to exercise their rights