Data Protection Policy November 2013
In order to operate efficiently, we must collect information about people with whom we work. These are known as ‘data subjects’, may include shareholders, directors, employees, customers or suppliers and may include current, past and prospective subjects.
This personal information must be handled properly under the Data Protection Act 1998 ('the Act'). The Act regulates the way that we handle the 'personal data' that we collect in the course of complying with our obligations as an employer and/or dealing with issues arising from the provision of goods and services to the public. The Act gives certain rights to people whose 'personal data' we may hold.
We consider that the correct treatment of personal data is integral to our successful operations and to maintaining the trust of the persons we deal with.
WCF and all its trading brands are registered with the Information Commissioner to process personal data. WCF Ltd is named as the Data Controller under the register kept by the Information Commissioner in accordance with section 19 of the Act.
Information covered by the Act
The Act uses the term 'personal data' which essentially means any recorded information held by us and from which a living individual can be identified. It will include a variety of information including names, billing and delivery addresses, telephone numbers, e-mail addresses and other personal details.
We may utilise the data supplied for administration, credit assessment and debtor recovery and for advertising or marketing activities depending on mail preferences. Where indicated we may also pass data on to carefully selected third parties with relevant offers. Data subjects have the legal right to ask WCF not to utilise their personal data for marketing purposes by checking certain boxes on order forms or by speaking with a customer service representative. For credit purposes we may consult a reference agency who will record the search.
Data Protection Obligations
We ensure that any personal data held is:
- fairly and lawfully processed;
- obtained for limited purposes and not further processed in any manner that is not compatible with those purposes;
- adequate, relevant and not excessive;
- accurate and kept up to date;
- not kept longer than necessary for the purposes for which it was taken;
- processed in accordance with the subject's rights under the Act;
- protected against unauthorised or unlawful processing and against accidental loss or destruction of, or damage; and
- not transferred to countries outside the European Economic Area (‘EEA’) unless the country to which the data is to be transferred has adequate protection for the individuals.
We ensure that at least one of the following conditions is met before we process any personal data:
- the individual has consented to the processing;
- the processing is necessary for the performance of a contract with the individual;
- the processing is required under a legal obligation (other than one imposed by a contract);
- the processing is necessary to protect vital interests of the individual;
- the processing is necessary to carry out public functions; or
- the processing is necessary in order to pursue our legitimate interests or those of third parties (unless it could unjustifiably prejudice the interests of the individual).
- Sensitive Personal Data
Under the Act, one of a set of additional conditions must be met for 'sensitive personal data'. This includes information about racial or ethnic origin, political opinions, religious and other beliefs, trade union membership, physical or mental health condition, sex life, criminal proceedings or convictions. We ensure that one of the following additional conditions is met before we process any sensitive personal data:
the individual has explicitly consented to the processing;
we are required by law to process the information for employment purposes;
we need to process the information in order to protect the vital interests of the individual or another person; or
the processing in necessary to deal with the administration of justice or legal proceedings
We ensure that individuals are given their rights under the Act including:
- the right to obtain their personal information from us except in limited circumstances;
- the right in certain circumstances to require us to rectify, block, erase or destroy the personal data held;
- the right to ask us not to process personal data where it causes substantial unwarranted damage to them or anyone else; and
- the right to claim compensation from us for damage and distress caused by any breach of the Act.
- Subject Access Requests
All subjects have a right of access to their own personal data under the provisions of the Act. This request should be made in writing to the Company Secretary detailing your full name, address, date of birth, any account number if relevant along with a £10 administration fee made payable to WCF Ltd and confirmation of identity (driving license or passport). Subject access requests will be responded to within 40 days of receipt.
While it is unlikely, we may be required to disclose your user data by a court order or to comply with other legal requirements. We will use all reasonable endeavours to notify you before we do so, unless we are legally restricted from doing so.
We shall not sell, rent, distribute or otherwise make user data commercially available to any third party, except as described above and with your prior permission.
We will ensure that:
- everyone managing and handling personal information understands that they are responsible for following good data protection practice;
- the Company Secretary is assigned with specific responsibility for data protection and the implementation of this policy;
- staff who handle personal information are appropriately supervised and trained;
- queries about handling personal information are promptly and courteously dealt with;
- people know how to access their own personal information via a subject access request;
- subject access requests are dealt with promptly and courteously;
- methods of handling personal information are regularly assessed and evaluated;
- any disclosure of personal data will be in compliance with approved procedures;
- we take all necessary steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure;
- we do not send any documents containing personal information outside the EEA; and
- all contractors who are users of personal information supplied by the council will be required to confirm that they will abide by the requirements of the Act with regard to information supplied by us.
Jo L Ritzema
A copy of the signed Data Protection Policy is available at reception, on the company’s website and on staff notice boards.