Data Protection Policy

Everyone has rights with regard to how their personal information is handled. During the course of our activities Kent School Photography will collect, store and process personal information about our suppliers and customers and any others we communicate with, and we recognise the need to treat it in an appropriate and lawful manner.

The types of information that we may be required to handle include details of suppliers, customers, and others that we communicate with. The information, which may be held on paper, computer or other media, is subject to certain legal safeguards specified in UK GDPR and UK data protection laws. These laws impose restrictions on how we may use that information.

Kent School Photography has a commitment to ensuring that personal data is processed in line with UK GDPR and relevant UK law and that Kent School Photography works in line with this and other related policies. Where third parties process data on our behalf, we will ensure that the third party takes the necessary measures to maintain our commitment to protecting personal data and a signed contract or data processor agreement is in place.

 

Status Of The Policy

This policy sets out Kent School Photography’s rules on data protection and the legal conditions that must be satisfied in relation to the obtaining, handling, processing, storage, transportation and destruction of personal information.

Kent School Photography is responsible for ensuring compliance with UK GDPR and with this policy. Any questions or concerns about the operation of this policy should be referred in the first instance to the Data Controller at info@kentschoolphotography.co.uk.

 

Definitions

Data is personal information about an individual who can be directly or indirectly identified from that information. This personal information is referred to as ‘Data’ in the remainder of this policy.

Data Subjects for the purpose of this policy include all living individuals about whom we hold Data. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their Data.

Data Controllers are the people who or organisations which determine the purposes for which, and the manner in which, any Data is processed. They have a responsibility to establish practices and policies in line with relevant laws. Kent School Photography is the Data Controller of all Data used in our business.

Data Processors include any people who or organisations which process Data on behalf of a Data Controller. Data Controllers are excluded from this definition, but it could include third party suppliers which handle Data on our behalf.

Processing is any activity that involves use of Data. It includes obtaining, recording or holding Data, or carrying out any operation or set of operations on Data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Data to third parties.

Data Breach is any act or omission which compromises the security, confidentiality, integrity or availability of Data, or the safeguards that we or a third party put in place to protect the Data, including losing the Data or disclosing it to unauthorised people.

Data Protection Principles

Anyone processing Data must comply with the eight enforceable principles of good practice. These provide that personal data must be:

1)    Processed fairly, lawfully, and in a transparent manner.
2)    Processed for specified, explicit and legitimate purposes and in an appropriate way.
3)    Adequate, relevant and limited to what is necessary for the stated purpose.
4)    Kept accurate and up to date.
5)    Not kept longer than necessary for the stated purpose.
6)    Processed in a manner that ensures appropriate security of Data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures.
7)    Not transferred to another country without appropriate safeguards being in place.
8)    Processed in line with Data Subjects’ rights.

Kent School Photography is responsible for, and needs to demonstrate, compliance with the data protection principles listed above.

Fairness and Lawfulness

The purpose of UK GDPR is not to prevent the processing of Data, but to ensure that it is done fairly and without adversely affecting the rights of the Data Subject. The Data Subject must be told who the Data Controller is (in this case Kent School Photography), who the Data Controller’s representative is (in this case Chris Bell), the purpose for which the data is to be processed by us and the legal basis for doing so, and the identities of anyone to whom the Data may be disclosed or transferred.

UK GDPR allows processing of Data for specific purposes, which are where it is needed:

a.     For the performance of a contract, such as photographic sales
b.    To comply with a legal obligation
c.     In order to pursue our legitimate interests (or those of a third party) and where the interests and fundamental rights of the Data Subject do not override those interests
d.    To protect the Data Subject’s vital interests
e.    In situations where the Data Subject has given explicit consent

Kent School Photography, as Data Controller, will only process Data on the basis of one or more of the lawful bases set out above. Where consent is required, it is only effective if freely given, specific, informed and unambiguous. The Data Subject must be able to withdraw consent easily at any time and any withdrawal will be promptly honoured.

Transparency

Kent School Photography will provide all required, detailed and specific information to Data Subjects about the use of their Data through appropriate Privacy Policies which will be concise, transparent, intelligible, easily accessible and in clear and plain language.

Purpose Limitation

Data may only be processed for the specific purposes notified to the Data Subject via the Privacy Notice. This means that Data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the Data is processed, the Data Subject must be informed of the new purpose via a new or amended Privacy Notice before any processing occurs.

Data Minimisation

Data should only be collected to the extent that it is required for the specific purposes notified to the Data Subject in the Privacy Notice. Any Data that is not necessary for those purposes should not be collected in the first place.

Accuracy

Data must be accurate, complete and kept up-to-date. Information that is incorrect is not accurate and steps should therefore be taken to check the accuracy of any Data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date Data should be amended or destroyed.

Storage Limitation

Data should not be kept longer than is necessary to carry out the specified purposes. This means that Data should be destroyed or erased from our systems when it is no longer required.

Security, Integrity And Confidentiality

Kent School Photography will ensure that appropriate technical and organisational security measures are taken against unlawful or unauthorised processing of Data, and against the accidental loss of, or damage to, Data. Data Subjects may apply to the courts for compensation if they have suffered damage from such a loss.

Kent School Photography will put in place procedural and technological safeguards appropriate to our size, scope and business, our available resources and the amount of Data we hold, to maintain the security of all Data from the point of collection to the point of destruction.

We will consider and use, where appropriate, the safeguards of encryption, anonymisation and pseudonymisation (replacing identifying information with artificial information so that the Data Subject cannot be identified without the use of additional information which is kept separately and secure).

We will regularly evaluate and test the effectiveness of these safeguards.

Maintaining data security means guaranteeing the confidentiality, integrity and availability of the Data, defined as follows:
a.     Confidentiality means that only people who are authorised to use the Data can access it.
b.    Integrity means that Data should be accurate and suitable for the purpose for which it is processed.
c.     Availability means that authorised users should be able to access the Data if they need it for authorised purposes.

Transfer Limitation

Kent School Photography will not transfer Data to any recipients outside the European Economic Area (EEA).

Kent School Photography will not sell any data to third parties.

Data Subject’s Rights And Requests

Data must be processed in line with Data Subjects’ rights. Data Subjects have the following rights, which apply in certain circumstances:
a.     The right to be informed about processing of Data
b.     The right of access to their own Data
c.     The right for any inaccuracies to be corrected
d.     The right to have information deleted
e.     The right to restrict the processing of Data
f.      The right to portability
g.     The right to object to the inclusion of Data
h.     The right to regulate any automated decision-making and profiling of Data
i.      The right to withdraw consent when the only legal basis for processing Data is consent
j.      The right to be notified of a Data Breach which is likely to result in high risk to their rights and freedoms
k.     The right to make a complaint to the Information Commissioner’s Office or other supervisory authority.

A formal request from a Data Subject for details of Data that we hold about them must be made in writing to info@kentschoolphotography.co.uk.

Breach Notification

Where a Data Breach is likely to result in a risk to the rights and freedoms of the individual(s) concerned, we will report it to the Information Commissioner’s Office within 72 hours of us becoming aware of it, and it may be reported in more than one instalment.

Individuals will be informed directly if the breach is likely to result in a high risk to their rights and freedoms.

If the breach is sufficient to warrant notification to the public, we will do so without undue delay.

Training

New employees must read and understand this policy as part of their induction. All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential Data Breach. All employees are trained to protect individuals’ Data to which they have access, to ensure data security and to understand the consequences to themselves and us of any potential breaches of the provisions of this policy.

Records

We will keep full and accurate records of all our data processing activities.

Monitoring And Review Of The Policy

Kent School Photography will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives.