Data Protection Policy
Last updated: [17/02/2022]
This Data Protection Policy sets out how the Knepp Castle Estate (we, our, us, the Knepp Castle Estate) handles the personal data of our tenants, suppliers, employees, workers and other third parties. This Policy applies to all personal data we process and must be followed by all staff and contractors who handle our personal data. This Policy sets out what we expect from you so that we can ensure that the Knepp Castle Estate complies with applicable law. Your compliance with this Policy is mandatory. Any breach of this Policy may result in disciplinary action.
In this Policy the following terms have the following meanings:
Data Protection PrinciplesWe adhere to the principles relating to the processing of personal data set out in the GDPR, which require personal data to be:
- processed lawfully, fairly and in a transparent manner;
- collected only for specified, explicit and legitimate purposes;
- adequate relevant and limited to what is necessary in relation to the purpose for which it is processed;
- accurate and kept up to date;
- not kept in a form which permits identification of individuals for longer than is necessary for the purpose for which the data is processed;
- processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage;
- not transferred to another country outside of the EEA without adequate safeguards being in place;
- made available to individuals and processed in a way that allows individuals to exercise their rights in relation to their data.
Lawfulness and fairnessWe are only allowed to use personal data when we can satisfy one of the following conditions:
- If we have the consent of the individual. If we rely on consent then we must clearly explain to people how their data will be used, we must keep a documented audit trail of how they provided their consent and they are entitled to withdraw consent at any time.
- If the processing of personal data is necessary to allow us to enter into a contract with the individual or to perform a contract with an individual. This could be the case where we need information to decide whether to enter into a tenancy with an individual or to pay an employee’s salary.
- If we need to process personal data to comply with a legal obligation, such as anti-money laundering obligations.
- If personal data is required to protect a person’s vital interests. Vital interests are interests that could relate to life-threatening conditions, rather than financial interests. For example, if you need to pass information to a paramedic in a medical emergency, this would be permitted.
- If it is in our legitimate interests to use the personal data and this is not outweighed by the rights and interests of the individuals concerned.
Purpose limitationWe are only permitted to process personal data in the way that people would expect and in line with the privacy notice that we have provided to individuals. You cannot use personal data for a new, different or incompatible purpose unless you have informed the individual of the new purpose, checked that we have a valid legal basis to permit the processing and updated our central record to capture the processing activity.
Data minimisationYou may only process personal data when necessary to perform your job duties. You are not permitted to process personal data for any reason unrelated to your job duties.
You must ensure when you are collecting personal data that you are only collecting the minimum amount of personal data necessary to fulfil the purpose for which you are collecting it. If you need to share personal data with other people (whether internally or externally) you must always consider exactly what data is required and only share the minimum possible amount of personal data.
AccuracyYou must ensure that personal data that we use and hold is accurate, complete and kept up to date. You must check the accuracy of data at the point of data collection and at regular intervals afterwards. If you become aware that any personal data is inaccurate or out of date you must update the information promptly and ensure that updates to information are made across all relevant places where the data is stored.
Storagelimitation You must not keep personal data in a form that permits identification of an individual for longer than is needed for the legitimate business purpose for which it was collected. When deciding for how long personal data should be kept you will need to consider the business need to keep the data and any legal or regulatory obligations that we may have to retain the data. We have a Data Retention Policy, that provides an overview of the key categories of personal data that we hold and the retention periods after which data should be securely deleted/destroyed or anonymised. You must comply with the Data Retention Policy and ensure that records for which you are responsible are handled in accordance with that Policy.
Security, integrity and confidentialityWe must ensure that personal data is kept securely and is safeguarded against unauthorised or unlawful processing and against accidental loss, destruction or damage. We maintain safeguards appropriate to our size, scope, the type of data that we hold and our resources. We will regularly test and evaluate the effectiveness of those safeguards to ensure security of our personal data. You are responsible for protecting the personal data that you have access to and handle as part of your role. You must implement appropriate and reasonable security measures to prevent unauthorised access to or loss of personal data. These measures include:
- Keeping hard copies of personal data in locked cupboards or locked rooms.
- Keeping a clear desk when you are not at your desk.
- Locking your screen when away from your desk.
- Never disclosing your log in details to anybody for any reason.
- Changing your password regularly and choosing a strong password in accordance with the guidance that we issue from time to time.
- Never taking copies of personal data outside the office unless absolutely necessary and, if so, ensuring they are kept in a secure manner.
- Only providing access to personal data on a ‘need to know’ basis.
- Never sharing personal data with third parties unless you have checked their identity and are confident that you are permitted to disclose personal data to them.
Reporting a personal data breachThe GDPR requires organisations that act as controllers (which includes us when we are processing our tenant, employee and other third party personal data)to report personal data breaches to the Information Commissioner unless they are low risk. If a data breach would have an impact on the individual, we also have a legal obligation to notify individuals about personal data breaches. If we have to notify a breach to the Information Commissioner we must do so within 72 hours of becoming aware of a breach and individuals must be notified without undue delay. It is therefore important that if you suspect or become aware of a personal data breach you notify Julie Alexander immediately of the issue. Julie Alexander will be responsible for determining the risks involved in the breach and whether a notification needs to be made to the Information Commissioner and/or to individuals affected by the breach. You must provide all information and assistance that you can so that an informed decision about the breach can be made. We are also required to keep a log of all data breaches, therefore even if the breach is low risk you must still notify the breach internally so that details of the breach can be added to the log.
Overseas transfers of personal dataThe GDPR restricts data transfers of personal data outside the EEA unless adequate safeguards for the personal data are put in place. You transfer personal data to another country if you transmit, send, view or access that data to or in a different country. You may only transfer personal data outside the EEA if one of the following conditions applies:
- The European Commission has issued a decision confirming that the country to which we transfer the personal data ensures an adequate level of protection.
- Appropriate safeguards are in place, such as binding corporate rules that have been authorised by the data protection regulators, standard contractual clauses approved by the European Commission or, for transfers to the USA, the recipient of the personal data is Privacy Shield certified.
- The individual has provided explicit consent to the transfer (we do not usually rely on consent because it can be withdrawn at any time).
- The transfer is necessary for the purpose of one of the exemptions set out in the GDPR, including where necessary for the performance of a contract between us and the individual, to establish, exercise or defend legal claims and, in some limited cases, in our legitimate interests. If we wish to rely on one of the exemptions, we must document why we consider that it applies.
Individuals’ rights and requestsIndividuals have a number of rights under GDPR in relation to how we handle their personal data. These rights are as follows:
- Right to be informed –we explain this in detail in the ‘Transparency’ section above.
- Right to request access to personal data that we hold about them.
- Right to prevent use of personal data for marketing purposes –if we receive an opt-out request we must ensure that the relevant individual no longer receives our marketing materials.
- Right to ask us to erase personal data in certain circumstances.
- Right to have inaccurate data corrected and to have incomplete data completed.
- Right to restrict processing of personal data in certain circumstances (for example if the accuracy of data is disputed).
- Right to object to our processing of personal data if the legal basis that we are relying on to justify our processing is legitimate interests.
- Right to request a copy of an agreement under which personal data is transferred outside the EEA.
- Right to object to decisions that are based solely on automated decision-making processes.
- Right to receive a copy of personal data provided to us by the individual in a commonly used electronic format. We are only required to comply with such requests when the legal basis for our processing is consent or contractual necessity.
Record keepingThe GDPR requires us to keep full and accurate records of our data processing activities. As we are an organisation with fewer than 250 employees, we only have to keep a record or our data processing activities that are high risk or which involve special category data or criminal conviction data. Our central record is maintained by Julie Alexander and is verified on an annual basis. If you become aware of any new uses of personal data, you must ensure that the central record is updated as required.
Privacy by design and DPIAsWe are required to implement privacy by design measures when processing personal data by implementing technical and organisational measures in an effective manner to ensure compliance with GDPR principles. You must assess what privacy by design measures can be taken into account when dealing with systems and processes that involve personal data. Privacy by design measures include the following:
- Anonymisation or pseudonymisation
- Data minimisation
- Restricting access to personal data on a need to know basis
- A description of the processing, its purposes and the legal basis of processing.
- An assessment of the proportionality and necessity of the processing in relation to its purpose.
- An assessment of the risk to individuals.
- The risk mitigation measures put in place.
Automated decision making and profilingAutomated decision-making that has a legal effect (for example to determine whether we would enter into a contract with somebody) or a similarly significant effect is prohibited under GDPR unless certain conditions are met. We do not currently undertake any automated decision-making that has such a significant effect. If you become aware that we intend to implement automated decision-making you must ensure that you seek advice on whether the automated decision-making is permissible under GDPR.
Direct marketingWe are subject to certain rules when marketing to individuals. Prior consent is required before we can send any marketing communications by email or text message. In addition, we must explain to people that we will use their personal data for marketing purposes and respect any ‘opt-outs’ that are received. You must not add people to our marketing databases without first obtaining their express consent and keeping a record of that consent. If an individual opts out of receiving our marketing, this request must be dealt with promptly. If you receive such a request, you must inform Julie Alexander (firstname.lastname@example.org) or Rachel Knott (email@example.com) who will process the request. JA/RK will remove individual from mailing lists.
Sharing personal dataGenerally,we are not permitted to share personal data with third parties unless certain safeguards and contractual arrangements have been put in place. You may only share personal data internally if the person requesting the information has a job-related need to know the information. You may only share personal data with third parties, such as our suppliers, if:
- They have a need to know the information to provide contracted services•Sharing the personal data is in line with the privacy notice that we have provided to individuals
- The third party has agreed to comply with required data security standards and has adequate security measures in place
- You have checked whether the third party will transfer personal data outside the EEA and, if so, there are approves measures in place to protect the data
- A written contract has been put in place which contains the mandatory GDPR clauses
- Check the identity of the person making the request
- Ensure that the request is specific and appears to be proportionate and reasonable
- Obtain authorisation from Julie Alexander before disclosing any personal data
- Keep a record of the request, the checks made by us and the data disclosed