Data Protection Policy

Introduction

Purpose

The Company takes the security and privacy of your data seriously. We need to gather and use information or data about you as part of our business and to manage our relationship with you.

This policy sets out our commitment to data protection, and individual rights and obligations in relation to personal data.

We will be transparent about how we collect and use the personal data of employees, and how we meet our data protection obligations in respect of data privacy and security under the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).

This policy applies to the personal data of job applicants, employees, contractors, volunteers, interns and former employees, referred to as HR-related personal data. Note that this policy does not apply to the personal data of clients or other personal data processed for business purposes.

David Christie has been appointed as the person with responsibility for data protection compliance within the organisation. He can be contacted at david.christie@innovation-arts.com with questions about this policy or requests for further information.

The Company is known as a 'data controller' for the purposes of your personal data, which means that we decide the purposes for which, and the manner in which, personal data is or will be used.

Definitions

"Personal data" is any information that relates to an individual who can be identified from that information (a 'data subject').

"Processing" is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

"Special categories of personal data" means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.

"Criminal records data" means information about an individual's criminal convictions and offences, and information relating to criminal allegations and proceedings.

Data protection principles

The Company processes HR-related personal data in accordance with the following six data protection principles set out in the GDPR:

  • To process personal data lawfully, fairly and in a transparent manner.
  • To collect personal data only for specified, explicit and legitimate purposes.
  • To process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
  • To keep accurate personal data and take all reasonable steps to update it and to ensure that inaccurate personal data is rectified or deleted without delay.
  • To keep personal data only for the period necessary for processing.
  • To adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.

We are accountable for these principles and must be able to show that we are compliant.

Processing personal data

The Company tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for other reasons.

Personal data could include recruitment information, such as your application form and CV, your contract of employment, your bank details and information relating to your tax status including national insurance number, identity documents and information relating to your performance and conduct. This is not an exhaustive list.

There are various lawful reasons for processing your personal data set out in the data protection legislation. These may include performance of the contract between us, complying with any legal obligation or if it is in the legitimate interests of the Company. If it is the latter, we can do this if your interests and rights do not override ours and you have the right to challenge our legitimate interests and request that we stop this processing.

Examples of when we might process your personal data can be found in the privacy notice. We will only process special categories of your personal data in certain situations in accordance with the law. For example, we can do so if we have your explicit consent. If we asked for your consent to process a special category of personal data, we would explain the reasons for our request. You do not need to consent, and you can withdraw consent later if you choose by contacting the person responsible for data protection in the Company.

Under the GDPR, we do not need your consent to process special categories of your personal data when we are processing it for the following purposes, which we may do:

  • where it is necessary for carrying out rights and obligations under employment law;
  • where it is necessary to protect your vital interests or those of another person where you/they are physically or legally incapable of giving consent;
  • where you have made the data public;
  • where processing is necessary for the establishment, exercise or defence of legal claims; and
  • where processing is necessary for the purposes of occupational medicine or for the assessment of your working capacity.

We will update HR-related personal data promptly if an individual advises that his/her information has changed or is inaccurate.

Personal data gathered during the employment, worker, contractor, volunteer or internship relationship is held in the individual's personnel file (in hard copy or electronic format, or both), and on HR systems. The periods for which the Company holds HR-related personal data are contained in its privacy notices to individuals.

The Company keeps a record of its processing activities in respect of HR-related personal data in accordance with the requirements of the GDPR.

Individual rights

As a data subject, individuals have a number of rights in relation to their personal data.

Subject access requests

Individuals have the right to make a subject access request. If an individual makes a subject access request, the Company will tell him/her:

  • whether or not his/her data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;
  • to whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
  • for how long his/her personal data is stored (or how that period is decided);
  • his/her rights to rectification or erasure of data, or to restrict or object to processing;
  • his/her right to complain to the Information Commissioner if he/she thinks the organisation has failed to comply with his/her data protection rights; and
  • whether or not the organisation carries out automated decision-making and the logic involved in any such decision-making.

The organisation will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless he/she agrees otherwise.

If the individual wants additional copies, the organisation will charge a fee, which will be based on the administrative cost to the organisation of providing the additional copies.

To make a subject access request, the individual should send the request to the person with primary responsibility for data protection compliance, David Christie (david.christie@innovation-arts.com). In some cases, we may need to ask for proof of identification before the request can be processed. We will inform the individual if we need to verify his/her identity and the documents we require.

The Company will normally respond to a request within a period of one month from the date it is received. In some cases, such as where large amounts of the individual's data are processed, we may respond within three months of the date the request is received. We will write to the individual within one month of receiving the original request to tell him/her if this is the case.

If a subject access request is manifestly unfounded or excessive, we are not obliged to comply with it. Alternatively, we can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the Company has already responded. If an individual submits a request that is unfounded or excessive, the Company will notify him/her that this is the case and whether or not it will respond to it.

Other rights

Individuals have a number of other rights in relation to their personal data. They can require the Company to:

  • rectify inaccurate data;
  • stop processing or erase data that is no longer necessary for the purposes of processing;
  • stop processing or erase data if the individual's interests override the organisation's legitimate grounds for processing data (where the organisation relies on its legitimate interests as a reason for processing data);
  • stop processing or erase data if processing is unlawful; and
  • stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual's interests override the organisation's legitimate grounds for processing data.

To ask the Company to take any of these steps, the individual should send the request to David Christie (david.christie@innovation-arts.com).

Data security

The Company takes the security of HR-related personal data seriously. We have internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.

Where the Company engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Data breaches

If the Company discovers that there has been a breach of HR-related personal data that in the words of the GDPR 'poses a risk to the rights and freedoms of individuals' it will report it to the Information Commissioner within 72 hours of discovery. The Company will record all data breaches regardless of their effect.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.

If you become aware of a data breach you must contact the Directors immediately and retain any evidence in relation to that breach. Under no circumstances should you seek to cover up a breach, or the Company may be unable to take action to remedy it promptly and effectively.

International data transfers

We will not transfer HR-related personal data to countries outside the EEA.

Individual responsibilities

Individuals are responsible for helping the Company keep their personal data up to date. Individuals should let us know if data provided to us changes, for example if an individual moves house or changes his/her bank details.

Individuals may have access to the personal data of other individuals and of our customers and clients in the course of their employment, volunteer period or internship. Where this is the case, we rely on individuals to help us meet our data protection obligations to staff and to customers and clients.

Individuals who have access to personal data are required:

  • to access only data that they have authority to access and only for authorised purposes;
  • not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation;
  • to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
  • not to remove personal data, or devices containing or that can be used to access personal data, from the organisation's premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
  • not to store personal data on local drives or on personal devices that are used for work purposes.

Further details about the Company's security procedures can be found in our data security policy.

Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the Company's disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.

Training

The Company will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter. Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.

Data Security Policy

Introduction

This policy sets out the Company's approach to managing the information required to conduct our business securely and confidentially.

It applies to all employees and other workers and to information held manually or electronically.

Our data storage is managed by David Christie.

Where is our data held?

Data is held in secure physical storage facilities on site.

Personal data is held confidentially on Google Drive, with password-controlled access. Regular system backups are made.

Most data is held on the Company's server for data security and accessibility.

Laptops and iPads are issued to employees.

Personal data on employees can only be accessed by Directors via a unique user name and password.

Transfer of data

Employees may transfer personal data to authorised recipients using our email system.

Each email account is accessible only via unique user names and passwords distinct to individual employees.

Data held on Microsoft email accounts is stored on dedicated server space in either the UK, EU or USA. Microsoft are signatories to the EU-US Privacy Shield Agreement and have confirmed that they are compliant with all UK and EU regulations on data protection.

Personal devices

Employees may use their personal mobile phones for business purposes.

Virus protection

Everyone should abide by some simple rules to ensure the security and confidentiality of the Company's IT network.

Employees must not install any software on the Company's computers including laptops without prior authorisation from a Director.

Emails or attachments from non-trusted sources should not be opened, as this is an easy way for viruses to enter the network. If you have any doubts about the source or content of an email, do not open it.

Password policy

Passwords protect the Company's network and computer system. Care should be taken to keep passwords confidential. No one should attempt to gain unauthorised access to other computers or to confidential information they are not entitled to access.

Passwords must be unique to individual users, comprise a combination of letters and numbers, and be replaced regularly and whenever they may have been compromised.

In certain circumstances, such as sickness absence and holidays, employees may be required to share their passwords with their manager. However, it is not envisaged that passwords would be shared in other circumstances, other than between Directors.

If you leave your work station for any length of time, you should take appropriate action to protect confidentiality by logging off or activating your screensaver with an appropriate password.

Clear desk and clear screen policy

All information containing personal data should be put away in locked drawers or cupboards overnight or when away from your desk for an extended period of time.

Documents should not be saved to the desktop and computer screens should always be locked whenever you are away from your desk for an extended period of time.

Physical security

All data held by the Company whether electronically or paper-based is protected by a number of physical security measures.

The building is accessed only via a lockable door and keys are issued only to designated key holders.

Outside of office hours the building is kept locked and secured by a key code alarm. The alarm is linked to the local Police or security company and if triggered will result in security being automatically called out.

CCTV is also installed outside the premises for the purposes of preventing and detecting crime. A separate policy covers the use of CCTV.

Electronic security

Wireless internet access is provided within our office and secured by our Internet Services Provider.

Acceptable use of computers and equipment

Computer facilities and other equipment provided by the Company are provided for the Company's business use only.

Equipment and facilities provided by the Company must not be used for personal reasons without permission having been granted in advance by the Directors.

The Company may monitor and intercept electronic communications (including email, voice and text messages) received at work in order to ensure the integrity of its IT systems or to prevent and detect criminal behaviour.

Please see the Company's Data Protection policy for more information about the responsibilities and obligations that you and we both have in respect of personal data security.

It is also important that when using the Company's computers and facilities you do so responsibly and in accordance with the rules set out in this Data Security policy and the rules on the use of the internet and email.

Data breaches

Any suspected data breaches must be reported immediately to your manager, or to another senior manager or Director, in line with the Company's Data Breach procedure.

Serious or deliberate breaches of data security are listed in our disciplinary procedure as gross misconduct and may result in disciplinary action, including the termination of employment.

We believe that proper use of our computer systems will enhance the service that we provide to our customers and improve our efficiency and reputation.

Your right to make a complaint

You have the right to make a complaint about how we process your personal data to the Information Commissioner:

ico.org.uk/concerns
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113