General Data Protection Regulation Policy

Last updated February 2020.

Introduction

Churchbury Photographic Services Ltd – GDPR Policy

Churchbury Photographic needs to gather and use certain information about individuals.

This will include customers, suppliers, contractors and other people the company has a relationship with or may need to contact. This will also include names, class and school admission number for school children and staff of our schools, particularly to produce ID cards, data matched images on CD, and named individual and group photographs.

This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with the law.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.

The General Data Protection Regulation 2018 Policy ensures that Churchbury Photographic Services Ltd:

  1. Complies with the data protection law and follows good practice
  2. Will be open about how they store and process individuals' data
  3. Protects the rights of staff, customers and partners
  4. Protects itself from the risks of a data breach

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

Churchbury Photographic Services Limited is registered with the Information Commissioner's Office (ICO), registration number ZA349446.

Examples

Where the Data Protection Act (DPA) does apply, a common-sense approach suggests that if a photographer asks permission before taking a photograph, this will usually be enough to ensure compliance.

The General Data Protection Regulation 2018 is underpinned by six important principles. These say that personal data must be:

  1. Processed lawfully, fairly and in a transparent manner in relation to the individual.
  2. Collected for specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the individuals.
  5. Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

People, risk, and responsibilities

This policy applies to all staff, contractors, suppliers and any other persons working on behalf of Churchbury Photographic Services Limited.
It applies to all data that the company holds relating to identifiable individuals, even if that information falls outside of the General Data Protection Regulation 2018.
This can include:

  1. Names of individuals
  2. Postal Address
  3. Email address
  4. Telephone Number
  5. Photographs
  6. Any other information relating to individuals.

Data Protection Risks

This policy will help to protect Churchbury Photographic Services Limited from very real data security risks such as:

  1. Breaches of confidentiality
  2. Reputational damage
  3. Failing to offer choice.

Impact Assessments

The company carries out and maintains regular Data Protection Impact Assessments on the processes used within the organisation, to identify and minimise the risks arising from our data processing activities. The areas of the business covered include ID Services, Online Ordering, Sales, Photography, Accounts and Laboratory.

Responsibilities

Everyone who works for or with Churchbury Photographic Services has some responsibility for ensuring data is collected, stored and handled appropriately.

All employees have received GDPR training and are aware of the responsibility they have.

Certain people have key areas of responsibility, and they are:

  1. The Directors are ultimately responsible for ensuring that Churchbury Photographic Services Limited meets its legal obligations.
  2. The Data Protection representative is responsible for:
    • Keeping the directors updated about data protection responsibilities, risk and issues.
    • Reviewing all data protection procedures and related policies, in line with an agreed schedule.
    • Arranging data protection training, handling data protection questions and advice for the people covered by this policy.
    • Dealing with requests from individuals to see data Churchbury Photographic Services Limited holds about them.
    • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
  3. The Digital Executive is responsible for:
    • Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
    • Performing regular checks and scans to ensure security hardware and software is functioning properly.
    • Evaluating any third-party services the company is considering using to store or process data.
    • Ensuring the marketing databases are checked and kept up to date for customers unsubscribing.

General Staff Guidelines

  1. The only people able to access data covered by this policy should be those who need it for their work.
  2. Data should not be shared informally. When access to confidential information is required, employees can request it from the Data Protection representative.
  3. Employees should keep all data secure by taking sensible precautions, in particular:
    • Personal data should not be disclosed to unauthorised people either within the company or externally
    • Strong passwords must be used, and they should never be shared.
    • Employees should request help from the Data Protection representative or a director if they are unsure about any aspect of data protection.
    • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
  4. Churchbury Photographic Services Limited will provide training to all employees to help them understand their responsibilities when handling data.

Data Storage

Churchbury Photographic Services Limited collects and uses the personal data provided to administer orders and deliver the photographs. We also use the data to resolve any queries that may arise.

Our Guidelines for Storing Data

  1. All data stored on paper is kept in a secure place where unauthorised people cannot view it. When not required, the paper or files are kept in a locked drawer or filing cabinet. Employees must also make sure paper and printouts are NOT left where unauthorised people may view them, e.g. left by a printer.
  2. Data printouts are shredded and disposed of securely when no longer required.
  3. When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious attacks, so all data is protected by strong passwords that are changed on a regular basis and never shared with other employees.
  4. If data is stored on removable media, e.g. CD, DVD or USB, these are kept locked away securely when not being used. All removable media devices are disposed of responsibly by an appropriate method of secure data destruction.
  5. Data is only stored on designated drives and servers.
  6. Data is stored on a secure server whose drives are configured in a RAID array, so that the failure of a single drive does not cause loss of data. (RAID provides redundancy against drive failure; it is not a substitute for the separate weekly backup described under Servers.)
  7. QR (online access) tickets created for the day of photograph shoot generated from data processed, shall be returned to the Data Controller for appropriate disposal at the end of photograph day.
  8. When images are edited by Churchbury Photographic employees outside of the main office, all steps are taken to ensure that once images are transferred to head office, they will be deleted on all external devices.
  9. No files are saved to external laptops or phones.
  10. All computers have anti-virus, malware protection and firewall installed which is kept up to date.
  11. We collect pupil information from our schools for their pupil management information systems. This information is held in a spreadsheet (.csv file) which is encrypted at all points of transfer and kept on a secure server. This information is only requested and used by our employees, who are DBS checked.

Data Use

When personal data is accessed and used by Churchbury Photographic Services Limited there is a risk of loss, corruption or theft, so the following procedures are in place:

Data Accuracy

The law requires Churchbury Photographic to take responsibility for ensuring the data is kept accurate and up to date, and it is the responsibility of all employees to take reasonable steps to ensure it is kept as accurate and up to date as possible.

Data Retention

  1. Card Machine receipts will be stored for 6 years, plus the current year.
  2. Photographs and corresponding QR tickets will be stored as JPEGs for 7 years (the length of a primary school life, reception to year 6).
  3. Order confirmations will be deleted once older than 3 months.
  4. General emails will be deleted once older than 3 months.
  5. Data received for the processing and generation of QR tickets, and for production of the batch upload disk for the pupil management system, will be deleted at the end of each term (approximately every 4 months).
  6. Unused QR tickets created for the day of photograph shoot generated from data processed, shall be returned to the Data Controller for appropriate disposal at the end of photograph day.
  7. Website accounts will be deleted once older than 7 years, unless instructed to do so sooner by account holder.
  8. At the beginning of each calendar year all website order confirmations will be deleted except for orders placed within 3 months.
  9. Files transferred for the creation of staff ID cards will be kept for the duration of the contract with the school.
  10. Upon termination of a contract of services, all data relating to the school and its staff will be deleted 1 year after termination.

Photographers

All our photographers have enhanced DBS checks and carry a copy of their up-to-date certificates, as well as ID badges showing their photograph and DBS number.

In the event of images being edited outside of the main office, they will be transferred via an internal FTP server.

Sales

Our sales team store school contact information in a spreadsheet on a secure computer. This data will include the school name, telephone number and often the generic school email address. They may also record a contact name, where the contact has given permission directly. No other personal details are stored or collected. All the sales team are DBS checked.

ID Department

Data is stored on password protected computers in a locked room within the alarmed main building.

All paper and removable media containing images are stored in lockable cabinets in a locked room, and entry is restricted to staff who are all DBS checked.

Data stored for ID cards usually contains the person's name, DBS number, job title and their school name. This data is stored for varying lengths of time depending on the terms of the contract or the customer's preference for replacement or re-issue of lost or expired cards, but never longer than deemed necessary. Paper copies are kept in line with standard accounting procedures to assist in dealing with any queries that may arise later.

Office and Laboratory

The main office is alarmed, with additional internal security controlling access to the lab and packing area within the main office building. This is where all the images are produced and packed by us, within the same building. We are situated within a gated, locked enclosure with alarm control monitored by Sentry Alarm Systems.

Online Orders

Churchbury Photographic Services Limited online orders use a secure web platform that is closely maintained and monitored by our Digital Executive.

No images are visible online until a unique access code is entered. Images are identified by an image reference number together with the school name, or by the unique access code.

The Churchbury Photographic online orders website has a SHA-256 signed SSL/TLS certificate provided by Symantec Corporation. Card payments are handled by PayPal or Stripe, who deal with the complete process of taking the card payment. This means we do not process the payment information and do not store it ourselves. The payment is transacted through secure server software, which encrypts all information against interception.

Payments

  1. Cheque and cash payments that are handed in to the school are collected by one of our employees (where deemed necessary and/or appropriate the orders will be collected in secure bags) and taken directly to our secure office. Upon return, they are collated and processed by authorised employees.
  2. Online payments are processed by PayPal or Stripe. Churchbury Photographic does not collect or store any payment details.
  3. Telephone orders are processed by First Data Merchant Solutions. Card details are entered directly into the card machine; no details are written down or stored. A customer receipt is printed and sent with the order. The merchant printout is retained by Churchbury Photographic for a period of 6 years, plus the current year. The printout is stored in a locked filing cabinet in a secure room.

Servers

Our servers are all located in our secure office premises. Our images are not stored with any cloud-based service.

Our servers are regularly checked and maintained by the Digital Executive to ensure the latest antivirus, firewall and other security measures are in place.

A weekly back-up is run to a local hard drive, which is then stored securely offsite.

Security

We regularly review the encryption methods and encryption strength used for digital files that need to be transferred. We use security software to test our network for vulnerabilities.

Data is stored on a closed network with no outside connection to prevent cyber-attacks.

Subject Access Requests (S.A.R)

All individuals who are the subject of personal data held by Churchbury Photographic Services Limited are entitled to:

  1. Request what information the company holds about them and why.
  2. Request how to gain access to it.
  3. Be informed how to keep it up to date.
  4. Be informed how Churchbury Photographic Services Ltd is meeting its data protection obligations.

If individuals contact the company requesting this information, this is called a subject access request.

These should be made by email addressed to the Data Protection representative at info@churchburyphoto.co.uk. The representative can supply a standard request form, although individuals do not have to do this.

The Data Protection representative will aim to provide the relevant data within 30 days (the statutory period is one month), and will verify the identity of anyone making a subject access request before handing over any information.

The right to be forgotten

The data subject has the right to have their personal data erased without undue delay if any of the following applies:

  1. The data is no longer necessary in relation to its original intent
  2. The data subject withdraws their consent. (see Privacy Policy for exceptions)
  3. The data was processed unlawfully

Any erasure requests need to be submitted in writing to the Data Protection Representative.

Disclosing data for other reasons

In limited circumstances the General Data Protection Regulation 2018 allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, Churchbury Photographic Services Limited will disclose the requested data. However, the Data Protection representative will ensure the request is legitimate, seeking advice from the Company’s legal advisers where necessary.

Providing Information

Churchbury Photographic Services Limited aims to ensure that individuals are aware that their data is being processed, and that they understand how the data is being used and how to exercise their rights.

The company has a privacy statement, setting out how data relating to individuals is used by the company.

This is available on request, and a version is also available on the company's website at www.churchburyphoto.co.uk/privacy-policy/