Data Protection and Data Security Policy

Statement and purpose of policy

Gramacri Ltd is committed to ensuring that all personal data handled by us will be processed according to legally compliant standards of data protection and data security.

We confirm for the purposes of the data protection laws, that Gramacri Ltd (the Company) is a data controller of the personal data in connection with your employment or your engagement with us. This means that we determine the purposes for which, and the manner in which, your personal data is processed.

The purpose of this policy is to help us achieve our data protection and data security aims by:

  1. notifying our staff, customers, suppliers and other third parties of the types of personal information that we may hold about them, how long for and what we do with that information;
  2. setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer and store personal data and ensuring staff understand our rules and the legal standards; and
  3. clarifying the responsibilities and duties of staff in respect of data protection and data security.

This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, in our absolute discretion.

For the purposes of this policy:

  1. Data protection laws means all applicable laws relating to the processing of Personal Data, including, for the period during which it is in force, the UK General Data Protection Regulation.
  2. Data subject means the individual or customer to whom the personal data relates.
  3. Personal data means any information that relates to an individual or customer who can be identified from that information.
  4. Processing means any use that is made of data, including collecting, storing, amending, disclosing, or destroying it.
  5. Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
  6. Customer(s) means any individual or school to whom the personal data relates.

Data protection principles

Staff whose work involves using personal data relating to Staff, Customers or other third parties must comply with this policy and with the following data protection principles which require that personal information is:

  1. processed lawfully, fairly and in a transparent manner. We must always have a lawful basis to process personal data, as set out in the data protection laws. Personal data may be processed as necessary to perform a contract with the data subject, to comply with a legal obligation to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. The data subject must be told who controls the information (us), the purpose(s) for which we are processing the information and to whom it may be disclosed.
  2. collected only for specified, explicit and legitimate purposes. Personal data must not be collected for one purpose and then used for another. If we want to change the way we use personal data, we must first tell the data subject.
  3. processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing. We will only collect personal data to the extent required for the specific purpose notified to the data subject.
  4. accurate, and the Company takes all reasonable steps to ensure that information that is inaccurate is rectified or deleted without delay. Checks on personal data will be made when it is collected and regular checks must be made afterwards. We will make reasonable efforts to rectify or erase inaccurate information.
  5. kept only for the period necessary for processing. Information will not be kept longer than it is needed and we will take all reasonable steps to delete information when we no longer need it. For guidance on how long particular information should be kept, continue to read this policy.
  6. secure, and appropriate measures are adopted by the Company to ensure this.

Who is responsible for data protection and data security?

  1. Maintaining appropriate standards of data protection and data security is a collective task shared between us and you. This policy and the rules contained in it apply to all staff of the Company, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any volunteers (Staff).
  2. Questions about this policy, or requests for further information, should be directed to the Data Protection Officer.
  3. All Staff have personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out here and to ensure that measures are taken to protect data security. Managers have special responsibility for leading by example and for monitoring and enforcing compliance. The Data Protection Officer must be notified as soon as reasonably practicable if this policy has not been followed, or if it is suspected that this policy has not been followed.
  4. Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal. Significant or deliberate breaches, such as accessing Staff or Customer personal data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.

What personal data and activities are covered by this policy?

This policy covers personal data:

  1. which relates to a natural living individual who can be identified either from that information in isolation or by reading it together with other information we possess;
  2. which relates to customers of the Company;
  3. which relates to potential customers with whom we have some contact;
  4. which is stored electronically or on paper in a filing system;
  5. which relates to Staff (present, past or future);
  6. which relates to potential members of staff, or to any other individual whose personal data we handle or control;
  7. which we obtain or which is provided to us, and which we hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.

This personal data is subject to the legal safeguards set out in the data protection laws.

What personal data do we process about Staff?

We collect personal data about you which:

  1. you provide or we gather before or during your employment or engagement with us;
  2. is provided by third parties, such as references or information from suppliers or another party that we do business with; or
  3. is in the public domain.

The types of personal data that we may collect, store and use about you include records relating to your:

  1. home address, contact details and contact details for your next of kin;
  2. recruitment (including your application form or curriculum vitae, references received and details of your qualifications);
  3. pay records, national insurance number and details of taxes and any employment benefits such as pension and health insurance (including details of any claims made);
  4. telephone, email, internet, fax or instant messenger use;
  5. performance and any disciplinary matters, grievances, complaints or concerns in which you are involved.

What personal data do we process about Customers?

  1. First and last name;
  2. Customer name;
  3. Customer telephone number;
  4. Mobile number (if provided);
  5. E-mail address for an individual at the Customer’s premises, or Customer e-mail;
  6. Finance e-mail (bursar or business manager);
  7. For schools: a record of children’s names in class lists that you have provided to us, for assessment purposes only;
  8. Details of any interactions or conversations with our team;
  9. Information gathered by the use of cookies in your web browser;
  10. Personal details which help us to recommend services of interest.

How we use your personal data

We will use Customers’ or Staff’s personal information to carry out our business, to administer your employment or your engagement with us and to deal with any problems or concerns you may have, including, but not limited to:

  • Staff Address Lists: to compile and circulate lists of home addresses and contact details, so that we can contact you outside working hours if needed.
  • Comply with our contractual obligations. For example, to add you to our payroll service.
  • Sickness records: to maintain a record of your sickness absence and copies of any doctor’s notes or other documents supplied to us in connection with your health, to inform your colleagues and others that you are absent through sickness, as reasonably necessary to manage your absence, to deal with unacceptably high or suspicious sickness absence, to inform reviewers for appraisal purposes of your sickness absence level, to publish internally aggregated, anonymous details of sickness absence levels.
  • Monitoring IT systems: to monitor your use of e-mails, internet, telephone and fax, computer or other communications or IT resources.
  • Disciplinary, grievance or legal matters: in connection with any disciplinary, grievance, legal, regulatory or compliance matters or proceedings that may involve you.
  • Performance Reviews: to carry out performance reviews.
  • Equal Opportunities Monitoring: to conduct monitoring for equal opportunities purposes and to publish anonymised, aggregated information about the breakdown of the Employer’s workforce.
  • Comply with our legal obligations, for performance of contracts and for other legitimate reasons.
  • Deal with enquiries from customers and potential customers.
  • Keep in touch with customers and others for the purpose of providing news and information and for marketing, by using our emails, text, social media and other communications.
  • Perform a specific activity for which the individual or Customer has given us consent.

Accuracy and relevance

We will:

  1. ensure that any personal data processed is up to date, accurate, adequate, relevant and not excessive, given the purpose for which it was collected; and
  2. not process personal data obtained for one purpose for any other purpose, unless you agree to this or reasonably expect this.

If you consider that any information held about you is inaccurate or out of date, then you should tell the Data Protection Officer. If they agree that the information is inaccurate or out of date, then they will correct it promptly. If they do not agree with the correction, then they will note your comments.

Your rights over your personal data:

You have the following rights in relation to your personal data.

Subject access requests:

You have the right to make a subject access request. If you make a subject access request, we may charge a £10 administration fee for the service and we will tell you:

  1. whether or not your personal data is processed and, if so, why;
  2. to whom your personal data is or may be disclosed;
  3. for how long your personal data is stored (or how that period is decided); and
  4. your rights of rectification or erasure of data, or to restrict or object to processing.

We will provide you with a copy of the personal data undergoing processing. This will normally be in electronic form if you have made a request electronically, unless you agree otherwise.

To make a subject access request, contact our Data Protection Officer at cmattaliano@gramacri.com

We may need to ask for proof of identification before your request can be processed. We will let you know if we need to verify your identity and the documents we require.

We will normally respond to your request within 28 days from the date your request is received. In some cases, e.g. where there is a large amount of personal data being processed, we may respond within 3 months of the date your request is received. If this is the case, we will write to you within 28 days of receiving your original request to let you know.

If your request is manifestly unfounded or excessive, we are not obliged to comply with it.

Other rights:

You have other rights in relation to your personal data. You can require us to:

  1. rectify inaccurate data;
  2. stop processing or erase data that is no longer necessary for the purposes of processing;
  3. withdraw you at any time from any newsletters or emails; to do so, reply to any of our correspondence with “Unsubscribe”.

To request that we take any of these steps, please send the request to cmattaliano@gramacri.com.

Data security

We will use appropriate technical and organisational measures to keep personal data secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Maintaining data security means making sure that:

  1. only people who are authorised to use the information can access it;
  2. where possible, personal data is pseudonymised or encrypted;
  3. information is accurate and suitable for the purpose for which it is processed; and
  4. authorised persons can access information if they need it for authorised purposes.

By law, we must use procedures and technology to secure personal information throughout the period that we hold or control it, from obtaining to destroying the information.

Personal information must not be transferred to any person to process (e.g. while performing services for us or on our behalf), unless that person has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist.

Our security procedures include:

  1. Any desk or cupboard containing confidential information must be kept locked.
  2. The Company operates a ‘clean desk policy’ and no personal data should be left on desks or accessible on unattended PCs or laptops.
  3. Computers must be locked with a strong password that is changed regularly, or shut down, when they are left unattended, and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
  4. Data stored on CDs or memory sticks must be encrypted or password protected and locked away securely when they are not being used.
  5. The Data Protection Officer must approve any cloud service used to store data.
  6. All servers containing sensitive personal data must be approved and protected by security software.
  7. Servers containing personal data must be kept in a secure location, away from general office space.
  8. Data should be regularly backed up in line with the Employer’s back-up procedure.
  9. All our USB devices used at customers’ premises, which contain the lesson plans and the resources for the Academic Year, do not hold any information related to the customer and/or children.
  10. Our staff are not permitted to use personal laptops or iPads on customers’ premises; they must use the customers’ computer hardware in order to comply with GDPR.

Telephone Precautions. Particular care must be taken by Staff who deal with telephone enquiries to avoid inappropriate disclosures. In particular:

  1. the identity of any telephone caller must be verified before any personal information is disclosed;
  2. if the caller’s identity cannot be verified satisfactorily then they should be asked to put their query in writing;
  3. do not allow callers to bully you into disclosing information. In case of any problems or uncertainty, contact the Data Protection Officer.

Methods of disposal. Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.

Storage and retention

Personal data relating to customers, leads and staff is stored in our CRM system on a secure server in England. We also store data from our website; this is stored on a secure server in the USA.

Some personal data is also held on our head office computer and on our email system and accessed by authorised users only.

Personal data of staff and of third parties with contractual arrangements with the Company, and related correspondence, is held on personal computers at our head office.

All our PCs and laptops must be password protected with acceptable levels of anti-malware controls. We arrange reviews and updates of our security as appropriate.

Paper records are confined primarily to signed contracts with suppliers and consultants and other third parties. These are kept secure in our head office.

As far as possible, personal data should be stored electronically and not in hard copy paper form.

Staff: Upon termination of your contract with us, we may ask you to complete a form if you would like us to keep your details on file for any future opportunities. If you do not wish to be contacted for future opportunities, we have to keep your details on file for five years to comply with employment law. However, your data will not be used and will remain dormant.

Customers: upon termination of your engagement with us, we may ask if you would like us to keep your details on file for any future opportunities that arise and may be of legitimate interest to you. We also want to make all customers on file aware of any new services we offer or any changes in availability for services in their area. However, we only store personal information that allows us to function as a business.

Data impact assessments

Some of the processing that the Company carries out may result in risks to privacy.

Where processing would result in a high risk to Staff’s or Customers’ rights and freedoms, the Company will carry out a data protection impact assessment to determine the necessity and proportionality of the processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

Data breaches

If we discover that there has been a data breach that poses a risk to the rights and freedoms of individuals or customers, we will report it to the Information Commissioner’s Office within 72 hours of discovery.

If a data breach is detected, the Data Protection Officer or Managing Director should immediately be informed. The Data Protection Officer will be consulted as soon as possible, and will monitor all actions to be taken by way of reporting the breach to the police and/or the Information Commissioner’s Office and overcoming the problems that arise.

Training

We will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter.

Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.