
Privacy Policy

Protection of Personal Information and Fairer Processing

Policy objectives

To protect all Personal Information that Bradbury Fields Services for Blind and Partially Sighted People (hereinafter referred to as ‘Bradbury Fields’) is the Controller of or processes on behalf of another Controller.

To protect the rights and freedoms of the Information Subjects whose Personal Information Bradbury Fields is the Controller of or processes on behalf of another Controller.

To ensure appropriate controls are implemented that provide protection for Personal Information and are proportionate to their value and the threats to which they are exposed.

To ensure that Bradbury Fields complies with, and can demonstrate compliance with, all relevant legal, customer and other third-party requirements relating to the processing of Personal Information, in particular the Data Protection Act 1998 and the General Data Protection Regulation (EU 2016/679).

Scope

This policy applies to the processing of Personal Information by any employees or suppliers of Bradbury Fields.

Responsibilities

It is the responsibility of the Chief Executive to ensure that this policy is implemented and that any resources required are made available.

It is the responsibility of the Chief Executive to monitor the effectiveness of this policy and report the results at management reviews.

It is the responsibility of the Chief Executive to ensure that a Personal Information Processing Register is maintained.

It is the responsibility of all employees to adhere to this policy and to report to the Chief Executive any issues they may be aware of that breach any of its contents.

Bradbury Fields will maintain an appointed Data Protection Officer whose contact details are published on the company’s website and communicated to the Information Commissioner’s Office.

The appointed Data Protection Officer will:

  • Report directly to Top Management;
  • Be involved, properly and in a timely manner, in all issues which relate to the protection of Personal Information;
  • Have the full support of Top Management in performing their tasks;
  • Be provided with all resources necessary to carry out the tasks required by the Data Protection Act 1998 and the General Data Protection Regulation (EU 2016/679);
  • Be provided with all the resources necessary to maintain their expert knowledge;
  • Have unlimited access to Personal Information processing operations;
  • Not receive any instructions from Top Management regarding the exercise of the tasks required by the Data Protection Act 1998 and the General Data Protection Regulation (EU 2016/679);
  • Not be dismissed or penalised by the Top Management for performing tasks and duties required of them by the Data Protection Act 1998 and the General Data Protection Regulation (EU 2016/679);
  • Not undertake any other tasks and duties that result in a conflict of interest.

It is the responsibility of the Data Protection Officer to:

  • Inform and advise Top Management, employees and any suppliers who undertake processing of Personal Information on behalf of Bradbury Fields of their obligations with regard to this policy and the requirements of the Data Protection Act 1998 and the General Data Protection Regulation (EU 2016/679);
  • Monitor Bradbury Fields’ compliance with this policy, the Data Protection Act 1998 and the General Data Protection Regulation (EU 2016/679);
  • Ensure all employees have appropriate training with regards to processing of Personal Information;
  • Act as a contact point for the Information Commissioner’s Office on issues relating to the processing of Personal Information.

Definitions

Within this policy, the following definitions apply.

  • Asset: Any physical entity that can affect the confidentiality, availability and integrity of Personal Information.
  • Availability: The accessibility and usability of Personal Information upon demand by an authorised individual.
  • Automated decision-making: Processing of information that results in decisions being made about Information Subjects without any review of the information being made by an individual.
  • Beyond use: Controls placed on Personal Information that it is no longer necessary for Bradbury Fields to keep where it is not reasonably feasible to delete the information. These controls must comply with guidance from the Information Commissioner’s Office (see Information Commissioner’s Office Guidance on GDPR Compliance).
  • Confidentiality: The restrictions placed on the access to or disclosure of Personal Information.
  • Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of a set of Personal Information.
  • High risk processing: Processing of Personal Information (in particular using new technologies) that is likely to result in a high risk to the rights and freedoms of Information Subjects (see Information Commissioner’s Office Guidance on GDPR Compliance).
  • Identifiable Natural Person: A natural person who can be identified directly or indirectly, in particular with reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
  • Information subject: An Identifiable Natural Person who has Personal Information that Bradbury Fields is the Controller of or is a Processor of on behalf of a Controller.
  • Integrity: The accuracy and completeness of Personal Information.
  • Personal information: Any information relating to an Identifiable Natural Person.
  • Personal information protection principles: Principles that shall be applied in relation to all Personal Information as laid down in the Data Protection Act 1998, the General Data Protection Regulation (EU 2016/679) and any subsequent amendments.
  • Processor: A natural or legal person, public authority, agency, or other body which processes Personal information on behalf of a Controller.
  • Security incident: Any event that has a potentially negative impact on the confidentiality and/or integrity and/or availability of Personal Information, or that restricts the rights and freedoms of Information Subjects.

Associated documents

All associated documents referred to in this policy are highlighted in bold and underlined.

Policy

Application of the Personal Information protection principles

The following principles must be applied, and compliance with them demonstrated, in relation to all Personal Information that is accessed, stored or processed by employees or suppliers while they are accessing or processing Bradbury Fields’ information assets, and to any Personal Information that Bradbury Fields is the Controller of or processes on behalf of another Controller:

  • Personal Information shall be processed lawfully, fairly and in a transparent manner;
  • Personal Information shall be collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes;
  • Any Personal Information collected shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • Any Personal Information processed shall be accurate and kept up to date (where necessary), and every reasonable step shall be taken to ensure that Personal Information that is inaccurate with regard to the purposes for which it is processed is erased or rectified without delay;
  • Personal Information shall not be kept in a form that permits identification of Information Subjects for longer than is necessary for the purposes for which the Personal Information is processed (Personal Information may be put Beyond Use where deletion is not reasonably feasible);
  • Appropriate technical and organisational measures shall be taken to ensure appropriate security of the Personal Information, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage.

All processes and operations that involve the processing of Personal Information must be designed to ensure that these principles can be achieved and are applied. Where any changes are required to Bradbury Fields’ Assets that impact on the processing of Personal Information, a review of the Control Measures applied must be completed.

Registration with the Information Commissioner

It is the responsibility of the Chief Executive to ensure that the appropriate registration is maintained with the Information Commissioner.

Personal Information Processing Register

A Personal Information Processing Register must be maintained that contains information on:

  • All Personal Information that Bradbury Fields is the Controller of, regardless of whether it is processed by Bradbury Fields or by a Processor engaged by Bradbury Fields;
  • All Personal Information that Bradbury Fields is a Processor of on behalf of a Controller or other Processor;
  • The types of Information Subjects that the Personal Information relates to, the limit of the information collected and the source from which it is obtained;
  • The reason the processing is undertaken and the legal grounds for doing so;
  • The types of processing employed and the methods and technologies used;
  • The details of any Processors used (where Bradbury Fields is the Controller) or direct Sub-Processors used (where Bradbury Fields is the Processor);
  • The country or region where the Personal Information is processed and stored;
  • All recipients of the Personal Information;
  • The period for which the Personal Information is retained and the justification for doing so;
  • Whether any Automated Processing is undertaken;
  • Whether the Personal Information falls into a Special Category and, if so, the processing justification offered by Article 9 of the General Data Protection Regulation (EU 2016/679) that applies;
  • Whether the Personal Information is transferred in any way outside of the EU and, if so, the countries/territories/organisations it is transferred to.

Consent to process Personal Information

Where Bradbury Fields is a Controller of Personal Information and it undertakes processing of Personal Information requiring the consent of the Information Subject, a record of the consent must be obtained from the Information Subjects using:

  • Personal Information Processing Consent (Children) Form where the Controller is providing online services to children under the age of 16;
  • Personal Information Processing Consent Form in all other circumstances, unless consent can be demonstrated by some other statement or a clear affirmative action.

Processing of Personal Information Obtained from an Information Subject

Where Bradbury Fields has collected personal data directly from an Information Subject, they must be provided with a Privacy Notice that contains the following information, and they must consent to the processing of their Personal Information:

  • The name and contact details of Bradbury Fields’ Information Security Manager/Data Protection Officer;
  • The scope and legal justification of the processing that will be undertaken with the information they provide;
  • Where the legal justification for processing the Personal Information is the Controller’s legitimate interest, details of the legitimate interest;
  • Where the legal justification for processing the Personal Information is that the Information Subject has consented to the processing, the existence of a right to withdraw consent at any time, without affecting the lawfulness of the processing carried out prior to the withdrawal;
  • The categories of recipients who will have access to their Personal Information;
  • The time period for which their information will be stored, or the criteria that will be applied to determine the time period;
  • Any planned transfers of their information to a third country or international organisation, and information on the safeguards being applied and the means by which the Information Subject can obtain a copy of them or where they are available;
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
  • Whether any automated decision-making will be applied to their information and, if so, the logic that will be applied and the envisaged consequences for them;
  • Whether Bradbury Fields is a joint Controller of the information and, if so, an overview of the agreement in place with the other joint Controllers;

Their rights to:

  • request access to their information
  • request corrections be made to their information
  • request their information be deleted
  • request that processing of their information is restricted
  • request their information be transferred to another Controller
  • lodge a complaint with the Information Commissioner
  • and the means by which they can notify Bradbury Fields to exercise one or more of these rights;

Processing of Personal Information obtained from third parties

Where Bradbury Fields is a Controller of Personal Information and it undertakes processing of Personal Information obtained from a third party (i.e. not directly from the Information Subjects it relates to), then unless:

  • The Information Subject already has the information that Bradbury Fields has obtained; or
  • The collection or disclosure of the information is authorised or required by EU or UK law; or
  • The disclosure of the information is restricted due to an obligation of the professional body that has provided it or a requirement of EU or UK law; or
  • It would require a disproportionate effort to provide the information,

Bradbury Fields will provide the following information to the Information Subjects to whom the Personal Information relates:

  • The name and contact details of Bradbury Fields’ Information Security Manager/Data Protection Officer;
  • The scope and legal justification of the processing that will be undertaken with the information;
  • The categories of information that will be processed;
  • The categories of recipients who will have access to their Personal Information;
  • The source of the Personal Information and whether that source was publicly available;
  • The time period for which their information will be stored, or the criteria that will be applied to determine the time period;
  • Where the legal justification for processing the Personal Information is the Controller’s legitimate interest, details of the legitimate interest;
  • Where the legal justification for processing the Personal Information is that the Information Subject has consented to the processing, the existence of a right to withdraw consent at any time, without affecting the lawfulness of the processing carried out prior to the withdrawal;
  • Any planned transfers of their information to a third country or international organisation, and information on the safeguards being applied and the means by which the Information Subject can obtain a copy of them or where they are available;
  • Whether any automated decision-making will be applied to their information and, if so, the logic that will be applied and the envisaged consequences for them;
  • Whether Bradbury Fields is a joint Controller of the information and, if so, an overview of the agreement in place with the other joint Controllers;

Their rights to:

  • request access to their information
  • request corrections be made to their information
  • request their information be deleted
  • request that processing of their information is restricted
  • request their information be transferred to another Controller
  • request not to be subject to a decision based solely on Automated Processing
  • lodge a complaint with the Information Commissioner
  • and the means by which they can notify Bradbury Fields to exercise one or more of these rights.

This information will be provided to Information Subjects either within one month of Bradbury Fields obtaining the information or at the time of first communicating with the Information Subject, whichever is sooner.

Accessing, processing and storage of Personal Information

The Chief Executive must ensure that appropriate physical and technical controls are in place to:

  • Protect the confidentiality, integrity and availability of all Personal Information;
  • Prevent unlawful processing of Personal Information.

Personal information should be accessed, processed and stored only to:

  • Fulfil the needs of customers;
  • Comply with legal requirements;
  • Enable the effective implementation of the organisation’s ISMS.

Access to Personal Information must be provided only where it is necessary for individuals to undertake the tasks assigned to them that require such access.

Requests by Information Subjects to exercise their rights and freedoms

For all Personal Information that Bradbury Fields is the Controller of:

All requests by Information Subjects whose Personal Information is processed by Bradbury Fields, to exercise their rights and freedoms under the Data Protection Act 1998 and the General Data Protection Regulation (EU 2016/679) will be managed in accordance with the Handling of Personal Information Requests Procedure.

Any information that needs to be provided to Information Subjects who submit requests will be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Any information requested by Information Subjects in relation to any of their Personal Information processed by Bradbury Fields that Bradbury Fields is legally obliged to provide will be provided free of charge, unless the request is manifestly unfounded or excessive, in which case Bradbury Fields may charge a reasonable fee for providing the information or refuse to act on the request.

Where the request covers the deletion of information that has been made public then Bradbury Fields will take all reasonable steps possible to inform other Controllers who are processing the information to delete any copy of the information that they hold or any links they have to the information.

Transferring Personal Information

Any transfer of personal information to a third party must be carried out under a written agreement, setting out the scope and limits of the sharing.

In the event that Bradbury Fields needs to transfer Personal Information to a non-EU country or an international organisation then:

  • A Non-EU Personal Information Transfer Form must be completed and authorised by the Information Security Manager/Data Protection Officer;
  • The Information Subjects affected must be informed before the transfer takes place and provided with information regarding the safeguards that Bradbury Fields will ensure are in place.

Compliance and Controls Assessments

To ensure that:

  • All controls employed to protect Personal Information that is controlled or processed by Bradbury Fields are maintained and effective;
  • Bradbury Fields complies with the Data Protection Act 1998 and the General Data Protection Regulation (EU 2016/679);

Audits will be completed annually and the results recorded using a Personal Information Processing Compliance Assessment Form.

Arrangements with Joint Controllers

Where Bradbury Fields is a joint Controller of any Personal Information, a Joint Controller Agreement (or an equivalent agreement) will be implemented with any joint Controllers.

Arrangements with Controllers

Where Bradbury Fields undertakes processing on behalf of a Controller:

  • A Personal Information Processing Agreement (or an equivalent agreement) will be implemented with the Controller;
  • No processing of information provided by the Controller will be undertaken without an explicit instruction from them.

Arrangements with Processors

Where Bradbury Fields uses a supplier to undertake processing on its behalf:

  • A Personal Information Processing Agreement (or an equivalent agreement) will be implemented with any Processors;
  • A Personal Information Processor Assessment will be completed to assess whether they can provide sufficient guarantees to implement appropriate control measures that will ensure the processing they undertake complies with the Data Protection Act 1998 and the General Data Protection Regulation (EU 2016/679) and protects the rights and freedoms of the Information Subjects whose information they process on behalf of Bradbury Fields.

An audit of a supplier’s compliance with the Data Protection Act 1998 and the General Data Protection Regulation (EU 2016/679) will be undertaken where:

  • The information obtained from a Personal Information Processor Assessment raises doubts as to the adequacy of the guarantees provided by a Processor; or
  • The supplier is undertaking High Risk Processing; or
  • An information security incident occurs that has a significant impact on the confidentiality, integrity or availability of any Personal Information and, following an investigation of the root cause of the incident, the controls and processes employed by the supplier are identified as having been a contributing factor.

The audit will be completed using a Personal Information Processing Compliance Assessment Form.

High Risk Processing

A data impact assessment must be completed for any High Risk Processing of Personal Information that Bradbury Fields is a Controller of before any such processing is started.

The results of the data impact assessment must be recorded in the Personal Information Processing Register.

If a data impact assessment indicates that the processing would result in a high risk to the rights and freedoms of the Information Subjects whose Personal Information is being processed, then the Chief Executive must consult with the Information Commissioner’s Office before any processing is started.

Personal Information Breaches

In the event of a Security Incident that compromises the confidentiality, integrity or availability of any Personal Information, actions shall be taken and records maintained in accordance with the Security Incident Management Procedure.

Policy Review

This policy shall be reviewed at least every 3 years, or sooner if significant changes occur that might affect its continuing suitability, adequacy and effectiveness.