Policy Statement
The aim of this Policy is to establish controls to ensure compliance with all applicable General Data Protection Regulations (GDPR), and to ensure that business is conducted in a responsible manner. This Policy sets out how the organisation deals with your personal data, data subject access requests and employees’ obligations in relation to personal data.
Upper Wensum Environmental Cluster Group CIC’s reputation for maintaining lawful business practices is of paramount importance, and this Policy is designed to preserve these values. The business is committed to acting fairly and with integrity in all its business dealings.
1. The Data Protection Principles
These principles require that personal data must:
• Be fairly and lawfully processed.
• Be processed for limited purposes and not in any manner incompatible with those purposes.
• Be adequate, relevant and not excessive.
• Be accurate.
• Not be kept any longer than necessary.
• Be processed in accordance with individuals’ rights.
• Be secure.
• Not be transferred to other users, organisations or countries without adequate protection.
2. Personal Data
The GDPR regulates the processing of personal data, including the collection, storage, use, alteration, disclosure and destruction of information.
The Company (the Data Controller) will ensure that only personal data necessary for each specific purpose is processed, including information relating to your employment, performance, training and occupational health. This will ensure that only the minimum amount of personal data is collected, and the extent of processing is limited to that which is necessary.
Personal data is retained for no longer than necessary (in line with statutory requirements) and access to the data is restricted to that necessary for each specific purpose.
3. Sensitive Personal Data
This includes data relating to the following:
• Health records
• Trade Union membership
• Racial or ethnic origin
• Criminal proceedings and convictions
• Political opinions
• Sexual life and sexual orientation
• The commission or alleged commission of any offence
• Clients’ sensitive personal information
• Religious or philosophical beliefs
• Genetic and Biometric data
The Company will not retain sensitive personal data without the express consent of the employee or client in question.
4. Accountability
The Company will keep extensive internal records of data processing operations, which will be produced for inspection on request.
5. Data Processing
All personal data processed will be for a specific, explicit and legitimate purpose. Under the GDPR, consent must be freely given and should be as easy to give as it is to withdraw. The Company will process all data for legitimate purposes (processing members’ requirements, for example).
Our data processors are the Farm Lead, Administrative Assistant and Accountant.
All IT systems, services and equipment used for storing data will meet acceptable security standards, and regular checks and scans will be performed to ensure security hardware and software are functioning correctly. All third parties used to store or process data will be evaluated prior to use (for example, Cloud computing services).
6. Rights of Data Subjects
All data subjects will be informed about the types of information the Company keeps about them, the purpose for which it is used and the types of organisations that it may be passed to (unless this is self-evident – for example an employee’s NI number is given to HMRC).
Data subjects have the right under the Data Protection Act 1998 to request information about the data held and processed about them. Under the GDPR, Upper Wensum Environmental Cluster Group CIC will provide the requested information without delay, with no charge and within one month of the request.
Data subjects also have a right to request that their personal data be erased when the use of such data is no longer required in order to meet the specific purpose for which consent was given. Individuals also have the right to request that their data be amended and the right to data portability.
All such requests should be made via the Farm Lead or Administrative Assistant.
7. Employees’ Obligations
If an employee acquires any personal information in the course of their duties, they must ensure that:
• The information is accurate and up to date, in so far as it is practicable to do so.
• The use of the information is necessary for a relevant purpose and that it is not kept longer than necessary.
• The information is secure.
An employee should ensure that they:
• Use password-protected and encrypted software for the transmission and receipt of emails.
• Lock files in a secure cabinet.
• Destroy, or dispose of, information that is no longer required for its original purpose in line with company procedures (this applies both to electronic (deleting) and hard copy data (shredding / )).
8. Young Persons
No one will process data relating to any individual aged 16 or under.
9. Data Breach Notification
A personal data breach means a breach of security in which the loss, theft or corruption by external sources of company property or devices could result in a risk to the rights of individuals through loss of confidentiality.
If Upper Wensum Environmental Cluster Group CIC suspects a breach, or a breach does occur, it will be reported to an information authority within 72 hours.
Where the breach poses a high risk to the rights and freedoms of any individual, that individual will also be notified.
