Firefly Innovation - Training and Facilitation
GDPR Policy

Firefly Innovation’s GDPR Policy


Company details

 

Company Name: Firefly Innovation Ltd

Address: 33 Crawhill Drive, Bargeddie, North Lanarkshire, G69 7FL

ICO Registration No.: ZA518221

Web: www.fireflyinnovates.com

Primary contact: Joanne Hagerty

Email: joanne@fireflyinnovates.com

Phone: +44 (0)7729289194

Version: Aug 22

Last Reviewed: Aug 24

 

This policy is based on ensuring that Firefly Innovation Ltd (FFI) meets the eight principles of Data Protection.

 

The Data Protection Act sets out the eight principles with which Firefly Innovation and its employees, contractors and suppliers must comply whenever they process personal data.

 

The Data Controller is Joanne Hagerty.

 

All staff should undergo GDPR training. This can be gained through training courses such as those available from Business Gateway or similar suppliers, by working through the GDPR checklist (available from Joanne Hagerty), or from other training support that is available.

 

You should check any information you individually hold on personal computer drives or in paperwork and securely destroy anything that Firefly Innovation does not have a legal reason to retain. Make sure old information is destroyed rather than left in place.

 

KEY MESSAGE - Only use the minimum amount of data to get the job done

 

1.     What is Personal Data?

When we say ‘personal data’ we mean identifiable information about a person, such as their name, email address, postal address, telephone number, bank account details, payment information, support queries, community comments and so on. If a person cannot be identified (for example, where personal data has been aggregated and anonymised) then this policy does not apply.

 

The eight principles stipulate that personal data must:

 

1) ‘Be collected and processed fairly and lawfully’

 

In order for us to process data ‘fairly’, we should:

  • ensure that we have a legitimate reason to obtain or process the data
  • make the Data Subject aware that their data is being used and obtain their consent. They must never be deceived or misled; they must have a clear understanding of the purposes for which it is proposed that their data be used

 

  • If any sensitive personal data is involved, Data Subjects must have given their explicit consent to the processing.

 

  • Care needs to be taken to ensure that personal data is only ever obtained from a person who is legally authorised to supply it.

 

 

Financial Data

 

 

GDPR requirements are built into the engagement process completed with clients. This includes holding personal information for the purpose of delivering our services to those clients. It may include financial data such as turnover and profit levels, but will not include data such as bank details.

 

Data Repository

 

We use Dropbox as the final repository for all client information, reports, documents and personal information, and this will be held in line with Dropbox’s own guidelines and associated policies.

 

Where client data is being held on laptops or other devices, please see principle 7 below (secure conditions) for data security.

 

2) ‘Be obtained only for the specific and lawful purposes described in the register entry, and shall not be further processed in any manner incompatible with that purpose or those purposes’

 

The main issues raised by this principle are:

 

All personal data which is processed by FFI must be covered by our Registration with the Information Commissioner. Most routine uses of personal data by staff will be covered by our Registration. However, if you are processing any data (for example, maintaining a database or running a research project involving the use of personal data) and think it may involve us handling new personal data for the first time, or using personal data for a new purpose, please ensure you have contacted the client and gained their consent for obtaining the information. Initial engagement forms should meet this requirement.

 

  • personal data held for one purpose should not be used for another
  • personal data must not be disclosed to any third person (other than those described in FFI’s Registration, in certain circumstances), so take great care when you receive a request for data from a third party (see guidance on disclosing data).

 

 

3) ‘Be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are held’

 

To ensure compliance:

 

  • you should not collect any personal data that is not strictly necessary for the purpose for which it is obtained. If you are obtaining or holding any sensitive personal data, take special care to properly consider its necessity
  • records should also be unambiguous, accurate and professionally worded.

 

4) ‘Be accurate and, where necessary, be kept up to date’

 

Personal data must not be inaccurate or misleading as to any matter of fact. This applies equally to information received from a third party. The source of the information should always be recorded.

 

5) ‘Be held no longer than is necessary for the registered purpose’

 

Failure to remove data once its purpose has been served is a breach of the Data Protection Act. As FFI needs to hold and process personal data for a variety of legitimate reasons, it is not always possible to stipulate in advance how long particular data should be retained. FFI will decide on a case-by-case basis when data should be destroyed.

 

6) ‘Be processed in accordance with the rights of the Data Subjects under the Act’

 

FFI must ensure that all personal data is processed in accordance with the rights of Data Subjects, who can:

 

  • make Subject Access Requests to find out what information we hold about them, the purposes for which it will be used and to whom it has been disclosed
  • prevent processing for the purposes of direct marketing or the processing of data which is likely to cause them substantial damage or distress
  • ask, if appropriate, to have the data corrected or deleted
  • be informed about automated decision-making processes that affect them and prevent significant decisions that affect them from being made solely on automated processes.

 

7) ‘Be held under secure conditions, together with appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’

 

Access to personal data will only be granted to staff insofar as is necessary for legitimate operational purposes. The personal or private use of personal data held by FFI is strictly forbidden.

 

All staff with access to personal data must be mindful that they play a role in ensuring that it is always kept securely. They must familiarise themselves with FFI’s Data Protection Policy and follow our guidance on data security.

 

8) ‘Not be transferred to a country or territory outside the European Economic Area, unless that country ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of personal data’

 

Personal data must not be transferred to a country outside the European Economic Area unless:

  • explicit consent has been obtained from the Data Subject(s)
  • the data has been completely anonymised
  • that country ensures an adequate level of protection for Data Subjects
  • a contract is in place with the recipient of the personal data which puts the necessary safeguards in place.

 

Special care should be taken when travelling with a laptop or other mobile device which contains personal data.

 

SUMMARY

 

Processing Personal Data

At least one of the following lawful bases must apply whenever you process personal data. More than one may apply; select the one which is appropriate to the activity you are carrying out:

 

  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. Explicit consent requires a very clear and specific statement of consent.
  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

 

It is essential that data breaches and near misses are reported immediately to your line manager.

 

 

We should not be holding data in any of the following special categories.

Special category data is personal data that reveals:

 

  • racial or ethnic origin;
  • political opinions;
  • religious and philosophical beliefs;
  • Trade Union membership;
  • genetic data;
  • biometric data for uniquely identifying a natural person; and
  • sex life and sexual orientation.