C12 Ltd t/a C12 Sales is required to gather, process and hold information about its employees, customers, suppliers, leads and other contracting parties in order to carry out its day to day operations, to meet its objectives and to comply with legal obligations.

We are committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within our organization.

C12 Sales will ensure that personal data will:

• Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
• Be obtained for a specific and lawful purpose
• Be adequate, relevant but not excessive
• Be accurate and kept up to date
• Not be held longer than necessary
• Be processed in accordance with the rights of data subjects
• Be subject to appropriate security measures
• Not to be transferred outside the European Economic Area (EEA)

 

Definitions

The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer.

The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. C12 Sales will seek to abide by this code in relation to all the personal data it processes, i.e.

• Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
• Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
• Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
• Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
• Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.

 

Types of Information Processed

 

C12 Sales processes the following personal information:

• Names
• Addresses
• Telephone and mobile numbers
• Email addresses

Personal information is kept in the following forms:

• Spreadsheets in both electronic and paper forms
• Electronic format
• Paper-based forms

Notification

The needs we have for processing personal data are recorded on the public register maintained by the Information Commissioner.  We notify and renew our notification on an annual basis as the law requires.

If there are any interim changes, these will be notified to the Information Commissioner within 28 days.

The name of the Data Controller within our organisation as specified in our notification to the Information Commissioner is Jacob N. Cook.

Policy Implementation

To meet our responsibilities all persons dealing with personal information will:

• Ensure any personal data is collected in a fair and lawful way;
• Explain why it is needed at the start;
• Ensure that only the minimum amount of information needed is collected and used;
• Ensure the information used is up to date and accurate;
• Review the length of time information is held;
• Ensure it is kept safely;
• Ensure the rights people have in relation to their personal data can be exercised

 

We will ensure that:

• Everyone managing and handling personal information is trained to do so.
• Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do;
• Any disclosure of personal data will be in line with our procedures.

• Queries about handling personal information will be dealt with swiftly and politely.

Data Security

Personal information will be kept safe in the following ways:

• Using lockable cupboards (restricted access to keys)
• Password protection on personal information files
• Setting up computer systems to allow restricted access to certain areas
• Not allowing personal data to be taken off site (as hard copy, on laptop or on memory stick)
• If personal data can be taken off site, it may be taken only in paper form, by a person authorised and trained in its safe keeping.
• Back up of data on computers (onto a separate hard drive / onto tapes kept in locked filing cabinet)
• Password protected attachments for sensitive personal information sent by email

 

Data Destruction

All personal data is disposed of safely using the following method:

• Paper based information to be shredded and disposed of securely
• Electronic information to be deleted from computer systems and wiped from all back-up files.

Breach

Any unauthorised disclosure of personal data to a third party by an employee or other staff member may result in disciplinary proceedings.

If there are any other breaches of this policy, the Data Controller will conduct a full investigation and recommend remedial action to be taken to avoid the breach re-occurring.

 

Subject Access Requests

Anyone whose personal information we process has the right to know:

• What information we hold and process on them
• How to gain access to this information
• How to keep it up to date
• What we are doing to comply with the Act.

 

They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.

Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files.  Any person wishing to exercise this right should apply in writing to The Data Controller, C12 Sales, Waverley House, Waverley Road, Huddersfield, HD1 5NA.

We may make a charge of £10 on each occasion access is requested.

We may also require proof of identity before access is granted. The following forms of ID will be required:

• Picture ID
• Address ID.

Queries about handling personal information will be dealt with swiftly and politely.

We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 40 days required by the Act from receiving the written request (and relevant fee).

Review

This policy will be reviewed at intervals of 1 year to ensure it remains up to date and compliant with the law.