Hello member, visitor, friend.
Below is the policy we hold about how we handle your data. If you have any questions or concerns then do give me a ring on 07594533648 or email me on firstname.lastname@example.org. A pdf version of the agreement below can be found by clicking here.
Data Protection Policy Statement and Procedure
1. Data collection and storage
Stroud Micro Dairy is required to hold, maintain and process certain personal data about members for the purpose of satisfying its operational and legal obligations. In simple language, this is so that we can process and administer your share and membership and send a regular farm update. The types of data collected may include:
Names, addresses, e-mails and phone numbers
Personal features (on photographs and pictures)
Any reviews, feedback, quotes, suggestions
Purchase and share history
The need to process data must be communicated to all data subjects. Members are advised at registration the information that Stroud Micro Dairy will collect, use and retain about them, and those to whom such information will be disclosed.
Stroud Micro Dairy retains the above details for the duration of a member’s share or until any accrued but as yet unpaid purchases are charged and administration related to the share is completed.
For any staff, volunteers, contractors and suppliers or collaborators the type of data may also include:
Qualifications and experience
Dates of birth, CVs, signed forms and attendance records of all staff, volunteers and collaborators
Prices, specifications, designs and any other information contained within, supporting or providing context to an offer or quote for work
2. Principles of Data Use
Stroud Micro Dairy fully endorses and adheres to the eight principles of the Data Protection Act. These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data. Employees and any others who carry out these operations on behalf of Stroud Micro Dairy must adhere to these principles. These eight principles specify that information must:
Be fairly and lawfully processed and that the information shall not be processed or used unless certain conditions are met.
Be processed for limited purposes and in a specified manner compatible with that purpose.
Be adequate, relevant and not excessive for those purposes; and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.
Be accurate and, where necessary, kept up to date.
Not be kept for longer than is necessary for that purpose.
Be processed in accordance with the data subject’s rights, ensuring that the rights of people about whom information is held can be fully exercised under the Act. (These include: the right to be informed that processing is being undertaken; the right of access to one’s personal information; the right to prevent processing in certain circumstances; the right to correct, rectify, block or erase information which is regarded as wrong information.)
Be kept safe and secure from unauthorised access, unlawful processing, accidental loss or destruction or damage by using the appropriate technical and organisational measures.
Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
3. Processing of data
Stroud Micro Dairy Data Processing Checklist
When processing any personal data, all staff should consider the checklist set out below:
Do you really need to record the information?
Are you satisfied that it is in the best interests of the member or the staff member to collect and retain the data?
Is the information ‘ordinary’ or is it ‘sensitive’?
Does Stroud Micro Dairy have the data subject’s consent?
Are you authorised to collect/store/process the data?
Unless the data has been obtained from a reliable source, have you checked with the data subject that the data is accurate?
Have you ensured that data is kept securely, that precautions have been taken against physical loss or damage, and that both access and disclosure are restricted?
Prevent unauthorised access to personal or sensitive data, whether in paper or electronic form.
Ensure the method of storing personal or sensitive data in any form is secure including the keeping of sensitive data in a secure room or secure lockable storage device and controlling access by personnel to such locations where data is stored.
Ensure the hardware and software used in processing the data is reliable and protected against viruses and other electronic intruder devices.
Put password protection on computers and central server systems on which data is stored and ensure that only authorised personnel are given details of the relevant password(s).
Prevent computer screens from being overlooked by unauthorised persons.
Ensure that all individuals who have access to the data are reliable and are trained how to comply with the Act.
Have in place methods for detecting and dealing with breaches of security including the ability to identify which individuals have worked with specific data and having a proper procedure in place for investigating and remedying breaches of data protection procedures.
Have a secure procedure for backing up and storing back-ups separately from originals, and have a secure method of disposal for back-ups, disks and printouts.
4. Members, collaborators and volunteers
Members, collaborators or volunteers responsibilities
Members, collaborators or volunteers
Ensure that all personal data provided to the Stroud Micro Dairy is accurate and up to date.
Ensure that any changes, of address for example, are notified.
Stroud Micro Dairy cannot be held accountable for errors arising from changes about which it has not been informed.
Should volunteers, collaborators or members - while interacting with or participating in Stroud Micro Dairy activities and under the direct supervision of a member of staff - come into contact with personal data that is irrelevant to their activity at Stroud Micro Dairy, they will be covered by the Stroud Micro Dairy's notification to the Information Commissioner. In such cases, staff must notify volunteers, collaborators and members about the relevant provisions of this guidance, and volunteers, collaborators and members must abide by them.
Stroud Micro Dairy is not responsible for notification of personal data processed by members, collaborators or volunteers for their own use. Personal information should not be disclosed either orally or in writing, intentionally or otherwise, to any unauthorised third party. (Staff should note that unauthorised disclosure may be a disciplinary matter.)
5. Right of Access to Information
All individuals who are the subject of personal data held by the Stroud Micro Dairy are entitled to:
Ask what information the Institute holds about them and why.
Ask how to gain access to it.
Be informed how to keep it up to date.
Be informed what the Stroud Micro Dairy is doing to comply with its obligations under the 1998 Data Protection Act.
The Data Protection Act 1998 and the Freedom of Information Act 2000 provide an individual with the right to access personal data relating to him / her which is held by Stroud Micro Dairy. This applies to data held electronically and also manual records that are held in a relevant filing system. Any individual who wishes to exercise this right should make the request in writing to the Data Protection Officer. Stroud Micro Dairy will charge an administration fee of £10 for each request received, and will only release any information upon receipt of a written application, along with proof of identity and the administration fee. The requested information will be provided within 40 days of receipt of written request, unless there is sufficient reason for delay. The right of access applies to all individuals: Stroud Micro Dairy staff, members and any other individual for whom Stroud Micro Dairy holds personal data. Certain information (for example confidential references given by a third party) will not be disclosed to staff without obtaining the referee’s consent to disclose the information.
Publication of Organisational Information
Information that is already in the public domain is exempt from the 1998 Act. This would include, for example, information on or from members contained within newsletters or externally circulated publications such as any Stroud Micro Dairy publicity material. Any individual who has good reason for wishing details in such publications to remain confidential should contact the Stroud Micro Dairy.
Disclosure outside of the EEA
The 1998 Act places restrictions on the transfer of personal data outside the European Economic Area (EEA), unless the country or territory involved ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Stroud Micro Dairy may, from time to time, desire to transfer personal data to countries or territories outside of the European Economic Area in accordance with purposes made known to individual data subjects. For example, the names and contact details of members of staff on a website may constitute a transfer of personal data worldwide. Accordingly, the consent form signifies an individual’s consent to the inclusion of such data on the authorised Stroud Micro Dairy website. If an individual wishes to raise an objection to this disclosure then written notice should be given to the Data Protection Officer.
Other personal data, even if it would otherwise constitute fair processing, must not, unless certain exemptions apply or protective measures are taken, be disclosed or transferred outside the EEA to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects. If, after careful consideration, it is regarded as essential that the transfer of personal data outside the EEA should take place - and if the transfer does not qualify as one of the circumstances when this principle does not apply - the consent of the data subject must be sought.
Members of staff should note that this restriction has particular implications for international relationships, research projects and information placed onto websites. Staff must take special care in connection with requests for the transfer of personal data outside the European Economic Area (EEA). In particular, staff should not disclose personal data requested by non-EEA governments, agencies and organisations for the purposes of assessing the names, numbers and whereabouts of foreign nationals working overseas without the specific and informed consent of the data subjects concerned.
Staff should not disclose personal data requested by non-EEA governments for the purpose of determining liability to attend National Service, without the specific and informed consent of the data subjects concerned.
Emails
It is recognised that email is used for such communications and that such emails should form part of the Stroud Micro Dairy’s records. All staff and students need to be aware that:
The 1998 Act applies to emails which contain personal data about individuals which are sent or received by members of the Stroud Micro Dairy. Subject to certain exceptions, individual data subjects will be entitled to make a data subject access request and have access to emails which contain personal data concerning them, provided that the individual data subject can provide sufficient information for the organisation to locate the personal data in the emails.
Further information
This policy is intended for guidance, not as an authoritative statement of the law. Further information and advice is available from the Data Protection Officer.
Policy last reviewed: May 2018
Next revision date: May 2019
Reviewed by: Kees Frederiks
Please reach us by email at email@example.com or by phone at 07594533648