Balliefurth Limited and Balliefurth Farm
Data Protection Policy
The General Data Protection Regulation is Europe-wide data protection legislation that applies to organisations established in the European Economic Area, or offering goods or services to individuals based there, and requires them to meet certain requirements regarding the collection, processing, security and destruction of personal information. This policy sets out how Balliefurth Farm and Balliefurth Ltd will seek to ensure compliance with the legislation. It also applies to Balliefurth Farm and Balliefurth Ltd's dealings with clients and third parties that may be involved in processing customer-related information. It covers the way personal information should be obtained, used, shared, physically stored and destroyed.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation governs the processing (i.e. obtaining, holding, organising, recording, retrieval, use, disclosure, transmission, combination and destruction) of personal data and special category (sensitive) data (i.e. information relating to an identifiable individual, the data subject) and sets out the rights of individuals whose information is processed in manual or electronic form or held in a structured filing system. Article 5 sets out six principles that describe the legal obligations of organisations that handle personal information about individuals, together with an accountability obligation. The principles are:
Processing is lawful, fair and transparent
Personal data is collected for specific, explicit and legitimate purposes and not processed in a manner incompatible with those purposes.
Personal data must be adequate, relevant and limited to what is necessary
Personal data must be accurate and, where necessary, kept up to date, and every reasonable step taken to ensure that inaccurate personal data is erased or rectified without delay.
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary
Personal data must be processed in a manner which ensures the appropriate security of the personal data.
Data controllers must be able to demonstrate compliance with the principles (accountability)
Balliefurth Ltd and Balliefurth Farm fully support these principles.
Handling Personal Information, Lawfully, Fairly and Transparently
The first and second principles require Balliefurth Farm and Balliefurth Ltd to acquire and process personal information lawfully, fairly and in a transparent way. We are therefore clear at the outset about the purpose for which information is obtained and processed. We aim to ensure that:
There are marketing plans and operational procedures in place for initiating contact with prospects and generating sales in a manner that complies with the General Data Protection Regulation;
Personal information is collected and used only when there are legitimate business reasons which are balanced against the interests of the individual concerned
Personal information is not used in ways that would have adverse effects on individuals
The purpose or purposes for which the information is to be used are made clear to individuals, and they have a choice as to whether to provide the information.
Individuals are provided with easy to read and understand privacy notices when information is collected
Personal information will only be handled in ways that individuals would reasonably expect
On request, we can provide to the individual a copy of the personal information we hold about them.
Appropriate records will be maintained to demonstrate compliance with the above-mentioned requirements.
Consent will be required for certain types of information usage, generally relating to mailing lists and marketing communications. When consent is required, it must be freely given, specific, informed and unambiguous, and indicated by a clear affirmative action (pre-ticked boxes or silence do not count). Requests for consent should be separate from other terms and be in clear and plain language. An individual's consent to the use of their personal data must be as easy to withdraw as it is to give. Consent must be "explicit" for special category (sensitive) data. Balliefurth Farm and Balliefurth Ltd are required to demonstrate that consent was given, so the record of consent will capture who consented, when, how and to what.
Under the Privacy and Electronic Communications Regulations (PECR) there are specific requirements relating to unsolicited direct marketing communications. A solicited communication is one that is actively invited, either directly by the customer or via a third party. An unsolicited communication is one that the customer has not specifically requested, although they may have indicated that they do not, for the time being, object to receiving it. If challenged, Balliefurth Farm and Balliefurth Ltd would need to demonstrate that an individual has positively opted in to receiving further information from us.
Balliefurth Farm and Balliefurth Ltd understand that it is unlawful to contact customers or organisations that have informed us that they do not wish to receive unsolicited marketing material. Therefore, we are aware of and comply with the following:
Telesales – Balliefurth Farm and Balliefurth Ltd ensure that individuals and organisations they wish to contact are not registered on the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS) respectively. If they are registered or have directly notified us not to call, then unsolicited direct marketing calls will not be made to them.
Emails and text messages – Balliefurth Farm and Balliefurth Ltd will not contact individuals by email or text message for marketing purposes without obtaining prior consent, unless the individual's details were obtained in the course of a sale or negotiations for a sale, the marketing relates to our own similar goods or services, and the individual was given a simple means of refusing marketing when their details were collected (the PECR "soft opt-in"). Individuals will be given the opportunity to opt out of receiving further marketing emails or texts each time such contact is made.
The Mailing Preference Service (MPS) is managed by the Direct Marketing Association and supported by Royal Mail to enable individuals to register their names and addresses to limit the amount of direct mail they receive. Unsolicited marketing material will not be sent by post to individuals that have informed Balliefurth Farm or Balliefurth Ltd they do not wish to receive such information or they have registered with the MPS.
Balliefurth Farm and Balliefurth Ltd will maintain an internal log of individuals and organisations that have indicated that they do not wish to receive unsolicited marketing information and conduct checks against the TPS, CTPS, FPS, eMPS and MPS databases as appropriate.
If data is purchased from third parties for prospecting purposes, Balliefurth Farm and Balliefurth Ltd ensure that the data has been acquired by the third party through fair and lawful means, the data can be used for the purposes of unsolicited marketing activities and that the data has been cross-checked by the third party against the appropriate preference service databases.
PECR and Cookies
Under the PECR, from 26th May 2011, businesses must obtain consent before setting cookies on an individual's device, other than cookies that are strictly necessary to provide a service the user has requested (for example, a cookie that keeps items in a shopping basket). Cookies are small pieces of text that a website asks the browser to store and send back with later requests; they are not normally encrypted, so nothing sensitive should be stored in them directly. They are used by companies to help users navigate websites efficiently and perform certain functions, to keep users logged in, and to track activity so that companies can improve the website. Cookies can also be set by third parties to track individuals across sites and target them with adverts. A cookie is not executable code and cannot carry a virus, but a cookie that holds a session identifier is effectively a credential: if it is stolen, for example over an unencrypted connection or through script injected into the page, an attacker can act as that user. Session cookies should therefore be set with the Secure and HttpOnly attributes.
Session cookies enable the website to recognise the same user from page to page so that the user is not asked for the same information again; the most common example is the shopping cart of an e-commerce website. A session cookie carries no Expires or Max-Age attribute, so the browser is expected to discard it when the browsing session ends (some browsers restore it if the session is reopened), and it does not read any information from the user's computer.
Persistent cookies carry an Expires or Max-Age attribute and are stored on the user's device until that time passes, so they are not deleted when the browser is closed. Such cookies can retain user identities and preferences, allowing those preferences to be used in future browsing sessions.
Balliefurth Farm and Balliefurth Ltd are responsible for ensuring that our website complies with the PECR and that, where necessary, appropriate information is disclosed to website users and consent is obtained from users before cookies are set.
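As an added illustration of the two cookie types and of the consent rule above (example code written for this page, not the farm's own website code), the following builds the Set-Cookie headers a small web shop might send. The cookie names, values and the one-year lifetime are assumptions; the essential/non-essential split and the Secure, HttpOnly and SameSite attributes are the points the section makes.

```python
"""Added example: session vs persistent cookies, and gating non-essential
cookies on consent. Cookie names/values are hypothetical (not Balliefurth's)."""
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 60 * 60 * 24 * 365  # seconds


@dataclass(frozen=True)
class CookieSpec:
    name: str
    value: str
    essential: bool                # strictly necessary for a service the user asked for
    max_age: Optional[int] = None  # None -> session cookie (no Expires/Max-Age)
    http_only: bool = True         # False only where page script must read the cookie


def set_cookie_header(spec: CookieSpec) -> str:
    """Render one Set-Cookie header value.

    Secure: only sent over HTTPS, so it cannot be read off an unencrypted link.
    HttpOnly: not readable by page script, so injected script cannot steal it.
    SameSite=Lax: not attached to most cross-site requests (CSRF mitigation).
    """
    parts = [f"{spec.name}={spec.value}", "Path=/", "Secure", "SameSite=Lax"]
    if spec.http_only:
        parts.append("HttpOnly")
    if spec.max_age is not None:
        parts.append(f"Max-Age={spec.max_age}")  # this is what makes it persistent
    return "; ".join(parts)


def is_persistent(header: str) -> bool:
    """True if a Set-Cookie header value carries an Expires or Max-Age attribute."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in header.split(";")[1:]}
    return bool(attrs & {"expires", "max-age"})


def cookies_to_set(specs: List[CookieSpec], consent_given: bool) -> List[str]:
    """PECR gate: strictly necessary cookies always, all others only with consent."""
    return [set_cookie_header(s) for s in specs if s.essential or consent_given]


# Constructed sample: what a small web shop might set on a visitor's first request.
SAMPLE_COOKIES = [
    CookieSpec("session_id", "9f1c0e2b7a", essential=True),   # login session
    CookieSpec("cart", "item42", essential=True),              # shopping basket
    CookieSpec("analytics_id", "v-7731", essential=False,
               max_age=ONE_YEAR, http_only=False),             # tracking, needs consent
]

if __name__ == "__main__":
    for consent in (False, True):
        print(f"consent_given={consent}:")
        for h in cookies_to_set(SAMPLE_COOKIES, consent):
            kind = "persistent" if is_persistent(h) else "session"
            print(f"  [{kind}] Set-Cookie: {h}")
```

Without consent only the two session cookies are emitted; with consent the persistent analytics cookie is added. The analytics cookie is the only one without HttpOnly, because a tracking script has to read it, which is also why it must never double as a login credential.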
Fair Treatment
Fairness generally requires us to be transparent, i.e. clear at the outset and open with individuals about why the information is being collected and how it will be used. Assessing whether information is being processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, the processing is unlikely to be fair.
Balliefurth Farm and Balliefurth Ltd aim to ensure that, in all cases, consent and privacy statements will:
Be clear, fair and not misleading
Explain the consequences of not providing the required information
Explain how long the information will be kept for
Explain that if the information will be shared, who with and how they will use it
Explain how customers may be contacted e.g. telephone, email, SMS, post
Explain customers’ rights – e.g. they can obtain a copy of their personal information
Explain who to contact if they wish to know more information about how their information is held or to opt-out of receiving further information or if they need to complain
Explain customer’s right to complain to the Information Commissioner’s Office.
Balliefurth Farm and Balliefurth Ltd are responsible for ensuring that the following details are communicated to clients:
The identity of the business or if appropriate, its nominated representative
The purpose for which the business intends to process the prospect’s or customer’s personal information and if the information is to be shared or disclosed to other organisations (so that the individual concerned can choose whether or not to enter into a relationship with the company sharing it)
Any additional information that will enable the business to process the information fairly
How customers can access the information held about them (as this may help them to spot inaccuracies or omissions in their records – see section below on Rights of Data Subjects)
Minimum amount of Personal Data
Under the principles of GDPR Balliefurth Farm and Balliefurth Ltd identify the minimum amount of personal data we need so as to properly fulfil our purpose. We ensure that we hold that much information, but nothing further. If we need to hold particular information about certain individuals, we only collect the information for those individuals and nothing more. We do not hold personal data on the off-chance that it might be useful in the future.
Accurate and Kept up to Date
Balliefurth Farm and Balliefurth Ltd will:
Take reasonable steps to ensure the accuracy of any personal information we obtain
Ensure that the source of any personal information is clear
Where an individual has challenged the accuracy of the information, evaluate the challenge and record the outcome carefully
Consider whether it is necessary to update the information, particularly if the purpose relies on the information being current.
Balliefurth Farm and Balliefurth Ltd understand that an expression of an opinion about an individual is classed as their personal information. The record of an opinion (or of the context in which it is held) will contain enough information to enable a reader to interpret it correctly. If an opinion is likely to be controversial or very sensitive, or if it will have a significant impact when used or disclosed, Balliefurth Farm and Balliefurth Ltd understand that it is even more important to state the circumstances or the evidence it is based on. Any remarks made in emails or system notes may have to be disclosed to the individual. Therefore, Balliefurth Farm and Balliefurth Ltd ensure that records do not contain anything that might be considered derogatory or offensive, even though the record is generally for internal use.
Rights of Individuals
The General Data Protection Regulation creates specific rights of individuals. These include:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling.
Subject Access Requests
An individual has the right to see the information that Balliefurth Farm and Balliefurth Ltd hold about them and can make a request to access this information. Requests must be responded to without undue delay and in any event within one month of receipt; this can be extended by up to two further months where requests are complex or numerous, provided the individual is told of the extension within the first month.
In line with the GDPR, Balliefurth Farm and Balliefurth Ltd will request certain information before responding to a request:
Enough information to judge whether the person making the request is the individual to whom the personal information relates to avoid personal information about one individual being sent to another, accidentally or as a result of deception.
Sufficient information that would reasonably be required to find the personal information amongst the records held by the company and covered by the request.
In the event of an individual making a subject access request via a third party, Balliefurth Farm or Balliefurth Ltd will request written consent from the individual to confirm that the third party can request and receive information on the individual’s behalf.
An individual who makes a request is entitled to be:
Told whether any personal information is held and being used
Given a description of the personal information, the reasons it is being processed, and whether it will be shared with any other organisations or individuals
Given a copy of the information
Given details of the source of the information (where this is available)
Requests for Information from Law Enforcement Agencies
Data protection law includes exemptions which allow personal information to be disclosed to law enforcement agencies without the consent of the individual who is the subject of the information, and regardless of the purpose for which the information was originally gathered, where the disclosure is necessary for the prevention or detection of crime or the apprehension or prosecution of offenders. Balliefurth Farm and Balliefurth Ltd will release personal information to law enforcement agencies where required or permitted to do so, will verify the identity and authority of the person making the request before releasing anything, and will keep a record of what was disclosed and on what basis.
Data Security
Balliefurth Farm and Balliefurth Ltd have appropriate security measures to prevent the personal information held from being accidentally or deliberately compromised. In particular, Balliefurth Farm and Balliefurth Ltd:
Have designed and organised security to fit the nature of the personal information held and the harm that may result from a security breach
Are clear about everyone’s responsibility for ensuring information security
Make sure that the correct physical and technical security is in place, backed up by robust processes and procedures and reliable, well-trained staff
Are ready to respond to any breach of security swiftly and effectively.
Balliefurth Farm and Balliefurth Ltd recognise that information security breaches may cause real harm and distress to the individuals if their personal information is lost or abused (this is sometimes linked to identity fraud).
Managing and Monitoring Staff
Balliefurth Farm and Balliefurth Ltd ensure that staff, or those acting on their behalf are aware of, trained and comply with regulatory requirements and company policies on data protection and information security matters.
There are controls in place to ensure that those people handling customer or confidential business information are honest and trustworthy and do not disclose information about customers without checking the identity of callers and verifying that they are entitled to the information being requested.
There are controls in place to ensure that only authorised personnel can access, alter, disclose or destroy personal information and only act within the scope of their authority. All paper records containing customer information and commercially sensitive information are stored securely when not in use and desks are cleared at the end of the working day.
The Payment Card Industry Data Security Standard (PCI DSS) was put together by the PCI Security Standards Council to reduce payment card fraud and improve the security of cardholder data. Balliefurth Ltd complies with the PCI DSS requirements; compliance is enforced by Worldpay, through whom we hold our merchant account.
Balliefurth Farm and Balliefurth Ltd have procedures in place if we use third parties to process information to ensure that we:
Only choose a data processor that provides sufficient guarantees about its security measures to protect the information and the processing it will carry out;
Take reasonable steps to check that those security measures are working effectively in practice; and
Put in place a written contract setting out what the data processor is allowed to do with the personal information or business information.
Balliefurth Farm and Balliefurth Ltd require third parties that it works with to ensure that there are adequate security measures in place to secure the information that is being held.
Data Loss
If personal information is accidentally lost, altered or destroyed, attempts to recover it will be made promptly to prevent any damage or distress to the individuals concerned. In this regard Balliefurth Farm and Balliefurth Ltd consider the following:
Containment and recovery – the response to the incident includes a recovery plan and, where necessary, procedures for damage limitation.
Assessing the risks – assess any risks and adverse consequences associated with the breach, as these are likely to affect how the breach needs to be contained.
Notification of breaches – informing the Information Commissioner's Office (or other relevant supervisory authority) where a breach is likely to result in a risk to individuals, within 72 hours of becoming aware of it, and informing the affected individuals without undue delay where the risk to them is high, together with law enforcement agencies where appropriate, is an important part of managing the incident.
Evaluation and response – it is important to investigate the causes of the breach, as well as, the effectiveness of controls to prevent future occurrence of similar incidents.
Additionally, Balliefurth Farm and Balliefurth Ltd would also look to ensure that any weaknesses highlighted by the information breach are rectified as soon as possible to prevent a recurrence of the incident.
Data Retention
To comply with information retention best practice Balliefurth Farm and Balliefurth Ltd establish standard retention periods for different categories of information, keeping in mind any professional rules or regulatory requirements that apply and ensuring that those retention periods are being applied in practice. Any personal information that is no longer required will either be archived or deleted in a secure manner.
Balliefurth Farm and Balliefurth Ltd retention periods for different categories of personal information are based on individual business needs.
Balliefurth Farm and Balliefurth Ltd understand the difference between permanently deleting a record and archiving it. If a record is archived or stored offline, it will reduce its availability and the risk of misuse or mistake. If it is appropriate to delete a record from a live system, Balliefurth Farm and Balliefurth Ltd will also delete the record from any backup of the information on that system, unless there are business reasons to retain back-ups or compensating controls in place.
Secure Disposal of Records and Computer Equipment
Once the retention period expires or, if appropriate, the customer or business information is no longer required; paper records should be disposed of in a secure manner. All paper records containing customer or business information are disposed of by shredding. This includes all archived records.
All used computers, printers and any other electronic equipment that may contain, or may have stored, customer or corporate information in electronic format must be disposed of in an appropriate manner after the information has been securely erased. An external provider will be used to ensure that the storage in such devices is securely erased, or physically destroyed, before the item is disposed of.
Monitoring and Reporting
The Data Controller will monitor the adherence to this policy and report to the other directors any issues or concerns regarding its compliance.
This policy will be reviewed periodically in light of changing business priorities and practices and to take into account any changes in legislation.
This policy was updated on 21st May 2018