Doculand – Cookie and Data Protection policy

Data Protection & Records Management Policy

 

1. Aim of Policy

This Policy is to provide compliance with the Data Protection Acts 1998 and 2018 (including EU General Data Protection Regulations 2016/679). It will also provide details on how personal data should be processed, how it is accessed and used, the length of record retention and the decision-making process for transferring records to the Company Archive.

2. Who is Covered by this Policy

All staff members of DocuLand are responsible for maintaining compliance with the Policy regardless of role or location. Contractors who process or hold personal data on behalf of DocuLand will also have to comply with this Policy.
3. Designated Responsibilities

Suat Saat, Director: Data Controller & Senior Information Risk Owner. Has overall responsibility for Data Protection & Records Management.

Travel Modernism Limited: Data Protection Officer

Chris Walsh: Data Processor and Records Manager
4. Legal Justification for Processing and Retaining Personal Data

Consent

Members of the public actively consent to their personal data being processed when purchasing a service or buying a product, which is highlighted as a privacy notice within emails, within our premises, invoices and on the website.

Cookies are very small text files that are stored on your computer when you visit some websites.

 

We use cookies to help identify your computer, so we can tailor your user experience, track shopping basket contents and remember where you are in the order process.

 

You can disable any cookies already stored on your computer, but this may stop our website from functioning properly.

 

The following is strictly necessary in the operation of our website.

 

This website will:

 

Remember what is in your shopping basket

 

Remember where you are in the order process

 

Remember that you are logged in and that your session is secure. You need to be logged in to complete an order.

 

The following are not strictly necessary but are required to provide you with the best user experience and also to tell us which pages you find most interesting (anonymously).

 

Functional Cookies

 

The DocuLand website will:

 

Track the pages you visit via Google Analytics

Targeting Cookies

 

This website will:

 

Allow you to share pages with social networks

 

This website will not:

 

Share any personal information with third parties.

Contract

DocuLand will process personal data with regard to contracts and other legal agreements as required in pursuance of our business.

Legal Obligation

As a private limited company, DocuLand has to comply with the Companies Act 2006, which requires us to account for the sources of income and destination of expenditure; the processing of personal data complies with this requirement.

Legitimate Interests

DocuLand has a legitimate interest in processing personal data of clients as part of its business activities and retaining these records purely for financial and administrative purposes. CCTV operates in the entrance area to deter and prevent crime against staff and customers.
5. Processing of Data

Customers

Data processing consists of customers sending their personal data to us, in paper format in person, or by file transfer, email or post. This may include medical history, invoices and employment files in both paper and digital format. CCTV operates in the entrance area to deter and prevent crime against staff and customers.

Staff

On recruitment, staff will have personnel files created and populated with records such as application form, references, contract, salary payments, pension entitlement, appraisals and other related administrative records during the course of their employment. CCTV operates in the entrance area to deter and prevent crime against staff and customers.

Contract

The Director will process and retain contracts and other legal agreements between DocuLand and third parties, which are held in digital format on DocuLand's server and back-up archive.

Legal Obligation

Service and product payments received are all processed electronically and are kept in the DocuLand accounts and cash flows spreadsheet, and copies of relevant records are kept on DocuLand's server and back-up archive. Expenditure is the same as income apart from where cheques are issued, and these are held by the Director.

Automated Decision Making

DocuLand employs no automated decision making with regard to the processing or retention of personal data.
6. Retention of Records

Customer details

Customer personal data will be reviewed for retention six years after the customer procured a service or product. Decisions for further retention will be primarily governed by legal or governance issues.

Staff details

Staff personal files are kept until the staff member's 75th birthday or 6 years after the staff member leaves, whichever is sooner. The file can be destroyed once a staff summary record has been created with the following fields: Name; Previous names; Assignment number; Pay bands; Date of birth; Addresses; Positions held; Start and end dates; Reason for leaving; and Building or sites worked at.

Contract, Legal Agreement & Financial Records

We are legally required to retain records for a minimum of six financial years after the financial year they relate to.

CCTV footage

CCTV footage is retained for 30 days and then deleted. Only the Director has access to the footage.
7. Legal Rights of Data Subjects

Subject Access Requests

A Data Subject has the right to make a subject access request in writing about themselves to DocuLand with regard to records held by DocuLand. DocuLand will require two proofs of identity, one of which must be photographic, e.g. a passport, and the other a proof of address such as a bank statement. DocuLand is required to respond within thirty days of the request, either with a response saying that no records are held or by providing electronic copies in a method to be agreed with the requestor. DocuLand reserves the right to redact information concerning third parties and to reject requests that would be excessive in cost. DocuLand will not charge for subject access requests.

Amendment or Erasure

Requests for amendment of customer data will normally be carried out within 30 days of receiving a written request. Requests for erasure will be reviewed on a case by case basis. If a request relates to Archive Records we won’t erase the Record but will place a note alongside it to reflect any objection received.
8. Data Protection Act Complaints

Process

In the first instance please contact the Data Protection Officer and they will review your complaint and respond within 30 days.

If DocuLand doesn’t address your complaint satisfactorily you can contact the Information Commissioner’s Office to investigate by calling 0303 123 1113 or clicking https://ico.org.uk/concerns/handling/

9. Privacy Impact Assessments

DocuLand will undertake a privacy impact assessment before making any changes to the processing, use or disclosure of personal data within DocuLand or to third parties.
10. Disclosure of Personal Data

Subject Access Requests by Authorised Bodies

DocuLand may receive requests for the disclosure of personal data from the Police or other authorised bodies. The requests will be reviewed on a case by case basis.

Sale or transfer of personal data to third parties for commercial purposes

DocuLand will not disclose personal data to third parties unconnected with the administration of the product or service procured by the customer.
11. Breaches of the Data Protection Act

Definition

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

Actions to be Taken

On becoming aware of a personal data breach please inform the Data Protection Officer.

 

The Data Protection Officer will conduct an investigation and determine if the Information Commissioner’s Office needs to be informed within 72 hours of being made aware of a breach.

 

The requirement to notify the ICO will depend on whether the breach involves any of the following circumstances.

“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”

 

The Data Protection Officer will need to undertake actions to mitigate as far as possible the effects on the individuals concerned.  We’re also required to inform the individuals concerned of the incident and the actions taken to remedy the matter.

 

Even if the breach doesn’t require ICO notification, the Data Protection Officer will need to document the incident and provide justification for not reporting the breach.

12. Communications

Email

Please use the DocuLand email account to communicate with customers and suppliers. The emails form part of the records created by DocuLand and belong to it in order to provide legal and historical evidence of actions taken and decisions made. Emails sent and received are included within the scope of subject access requests. Using the DocuLand account therefore makes these requests easier to process and avoids infringing on your personal business, which could happen if you had to disclose emails from your private email account. By using the DocuLand account you present a professional approach to customers and external contacts. When sending emails to a large number of recipients please use the blind carbon copy (bcc) field for the email addresses so they are not disclosed to other members.
13. Record Keeping

Financial

We’re legally required to retain records for a minimum of six financial years after the financial year they relate to.

Administration

It is important to retain these records both as legal evidence of governance and for potential future retention within the DocuLand Archive. For a full list of records and their retention periods, please see the retention schedule in Appendix A.

Disposal of Records

Records containing personal information which are selected for disposal should be disposed of in a confidential manner. Methods may include shredding for paper/compact discs, destruction of digital drives or use of a confidential waste company. Please contact the Data Protection Officer if you require advice on the subject. A record should be kept of those records disposed of, along with a date of destruction and justification.
    
Appendix A: Retention Schedule
    
Types of Records | Retention Period | Retention Action
Agendas & Minutes of Director Meetings | 10 years | Transfer to the Archive
Contracts & Legal Agreements & Records | 10 years | Transfer to the Archive
Financial Records including bank statements, invoices & receipts | Minimum of six financial years after the financial year they relate to | Destroy confidentially
Complaints | 10 years | Review & retain if litigation may occur or relates to child safeguarding issues
Customer Personal Data Records | 6 years after the product or service was procured | Review & retain if required for continuing legal or governance purposes. Otherwise the records should be destroyed in a confidential manner
Customer Records (digital & hard copies) | 30 days | Delete unless required for legal or operational reasons
CCTV footage | 30 days | Delete unless required for legal reasons
Disposal Register | Permanent | Transfer to the Archive
Products | Permanent | Transfer one example of each product made to the Archive
Publications & Newsletters | Permanent | Transfer to the Archive
Photographs & Film footage | Permanent | Transfer to the Archive
Websites & Social Media content | Annually | Copies of content should be transferred to the Archive
   
D. Scott-Davies, Data Protection Officer, Director, Travel Modernism Limited, 11 May 2018