Data Protection Policy (GDPR)

Policy Statement

This policy applies to the processing of personal data, including special category personal data, in manual and electronic records kept by the Organisation. It also covers the Organisation’s response to any data breach and the individual rights set out in the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018.

“Relevant individuals” are the individuals to whom this policy applies, including children and young people, their parents/carers/families, and school staff.

“Personal data” is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, email and postal addresses, date of birth, or a unique identification number. It can also include pseudonymised data.

“Special categories of personal data” is data which relates to an individual’s health, sex life or sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership. It also includes genetic data and biometric data where these are used to uniquely identify an individual. Gender identity is not listed as a special category in the GDPR, but the Organisation treats it with the same level of protection.

“Data processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

The Organisation is committed to ensuring that personal data, including special categories of personal data and criminal offence data (where applicable), is processed in line with the GDPR and domestic law, and that all its employees conduct themselves in line with this and other related policies.

Where third parties process data on behalf of the Organisation, the Organisation will ensure, through a written contract, that the third party (the processor) applies measures that maintain the Organisation’s commitment to protecting data. In line with current data protection legislation, the Organisation understands that, as data controller, it remains accountable for the processing, management, storage and retention of all personal data it holds, whether in manual records or on computers.

Types of Data Held

The following types of data may be held by the Organisation, as appropriate and with consent, on relevant individuals:

  • name, address and date of birth of children and young people
  • name, address, phone numbers and email addresses of parents/carers/school staff
  • IP addresses
  • photos, videos or audio recordings
  • medical or health information

We may also collect, store and use the following ‘special categories’ of sensitive personal data, which need more protection. Processing them requires not only a lawful basis but also a separate ‘condition for processing’ under Article 9 of the GDPR, and we won’t use any of this information without a justified reason:

  • Information about race or ethnicity;
  • Philosophical or religious beliefs;
  • Sexual orientation;
  • Gender identity;
  • Political opinions;
  • Information about health;

We collect browsing data when you visit our websites, which may identify your device or web browser. This could be location data, how you found us and the pages you looked at on our website. We use this to provide you with the information that is most relevant to you. This data is collected by cookies, which are small files stored by your computer’s or mobile device’s web browser. These cookies are used to keep you logged in as you move around a site, provide content, and check website performance. This helps us make the website better for you and for others.

To understand how we use your device information, such as your IP address (the address that identifies your device on the internet) and cookies, please see the Privacy Policy on our website, which contains information about the use of cookies. It also explains how you can block, control or remove the cookies stored in your web browser.

Data Protection Principles

All personal data obtained and held by the Organisation will:

  • be processed fairly, lawfully and in a transparent manner;
  • be collected for specific, explicit, and legitimate purposes;
  • be adequate, relevant, and limited to what is necessary for the purposes of processing;
  • be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay;
  • not be kept for longer than is necessary for its given purpose;
  • be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
  • only be transferred internationally in accordance with the relevant data protection requirements for international transfers of personal data.

In addition, personal data will be processed in recognition of individuals’ data protection rights, as follows:

  • the right to be informed;
  • the right of access;
  • the right for any inaccuracies to be corrected (rectification);
  • the right to have information deleted (erasure);
  • the right to restrict the processing of the data;
  • the right to portability;
  • the right to object to the processing of their personal data;
  • rights in relation to automated decision-making and profiling;
  • the right to make a complaint about the way personal data is being handled.

Procedures

The Organisation has taken the following steps to protect the personal data of relevant individuals, which it holds or to which it has access:

  • it appoints employees with specific responsibilities for:

    1. the processing and controlling of data;
    2. the comprehensive reviewing and auditing of its data protection systems and procedures;
    3. overseeing the effectiveness of these measures and the integrity of all the data that must be protected.

There are clear lines of responsibility and accountability for these different roles.

  • it provides information to its relevant individuals on their data protection rights, how it uses their personal data, and how it protects it. The information includes the actions relevant individuals can take if they think that their data has been compromised in any way;
  • it provides its employees and independent contractors with information and training to make them aware of the importance of protecting personal data, to teach them how to do this, and to understand how to treat information confidentially;
  • it can account for all personal data it holds, where it comes from, who it is shared with and also who it might be shared with;
  • it carries out risk assessments as part of its reviewing activities to identify any vulnerabilities in its personal data handling and processing, and to take measures to reduce the risks of mishandling and potential breaches of data security. The procedure includes an assessment of the impact of both use and potential misuse of personal data in and by the Organisation;
  • it recognises the importance of seeking individuals’ consent for obtaining, recording, using, sharing, storing, and retaining their personal data, and regularly reviews its procedures for doing so, including the audit trails that are needed and are followed for all consent decisions. The Organisation understands that consent must be freely given, specific, informed, and unambiguous. The Organisation will seek consent on a specific and individual basis where appropriate. Full information will be given regarding the activities about which consent is sought. Relevant individuals have the absolute and unimpeded right to withdraw that consent at any time;
  • it has the appropriate mechanisms for detecting, reporting, and investigating suspected or actual personal data breaches, including security breaches. It is aware of its duty to report breaches that are likely to result in a risk to the rights and freedoms of the affected individuals to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of them, and is aware of the possible consequences of failing to do so;
  • it is aware of the implications of transferring personal data internationally.

Access to Data

Relevant individuals have a right to be informed whether the Organisation processes personal data relating to them and to access the data that the Organisation holds about them. Requests for access to this data will be dealt with under the following summary guidelines:

  • requests for access to records should be made to the Organisation, preferably in writing so that there is a clear record of the request, although a request made verbally is still valid;
  • the Organisation will not charge for the supply of data unless the request is manifestly unfounded, excessive, or repetitive, or unless further copies are requested;
  • the Organisation will respond to a request without delay. Access to data will be provided, subject to legally permitted exemptions, within one calendar month. This may be extended by a further two months where requests are complex or numerous, in which case the individual will be told of the extension, and the reasons for it, within the first month.

Relevant individuals should inform the Organisation immediately if they believe that the data held about them is inaccurate, whether as a result of a subject access request or otherwise. The Organisation will take immediate steps to rectify the information.

For further information on making a subject access request please contact Jamma Wellbeing’s Office Manager (info@jammawellbeing.com).

Data Disclosures

The Organisation may be required to disclose certain data/information. The circumstances leading to such disclosures include, but are not limited to:

  • relevant services operated by third parties, for example local support services, where parents/carers/families have consented to this;
  • disabled individuals – whether any reasonable adjustments are required to assist them in relation to services provided;
  • individuals’ health data – to comply with health and safety or in support of their access to information, services and products;
  • Organisation management and administration – to record and respond to any compliments, comments or complaints from relevant individuals;
  • third party organisations to perform their public or statutory duties.

These kinds of disclosures will only be made when strictly necessary for the purpose.

Data Security

The Organisation adopts procedures designed to maintain the security of data when it is stored and transported. Its employees and independent contractors must:

  • ensure that all files or written information of a confidential nature are stored in a secure manner and are only accessed by people who have a need and a right to access them;
  • ensure that all files or written information of a confidential nature are not left where they can be read by unauthorised individuals;
  • refrain from sending emails or other digital communications (e.g. instant messages) containing sensitive information to their personal email addresses or accounts;
  • check regularly on the accuracy of data being entered into computers;
  • always use their own passwords to access the computer system and never share them with people who should not have them;
  • lock or blank their screen so that personal data is not left visible when the computer is not in use.

Personal data relating to relevant individuals should not be kept or transported on laptops, USB sticks, or similar devices, unless expressly authorised by the Organisation. Where personal data is recorded on any such device it should be protected by:

  • ensuring that data is recorded on such devices only where absolutely necessary;
  • using encryption: a folder should be created to store the files that need extra protection, and all files created in or moved to this folder should be automatically encrypted. The password or key used for the encryption must not be stored or carried with the device;
  • ensuring that laptops, hard drives or USB drives are not left lying around where they can be stolen.

Failure to follow the Organisation’s rules on data security by any of its employees may be dealt with via the Organisation’s internal disciplinary procedure. The Organisation may also self-refer the matter to the Information Commissioner.

International Data Transfers

The Organisation does not transfer personal data to any recipients outside the EEA.

Complaints

If you have concerns or complaints about the way in which your personal information is used, you have the right to make a complaint to the Organisation.

To raise a complaint, you can complete a Complaint Form. Once completed, this should be returned to the Organisation at info@jammawellbeing.com, following the details on the form. You can stipulate whether you wish the complaint to be dealt with informally or formally in the first instance.

Your complaint will be acknowledged within 30 days, and you will receive a response without undue delay.

If you have complained and are still not happy with our response, you can submit a complaint to the Information Commissioner’s Office (ICO), the supervisory authority in the UK for data protection matters.

Breach notification

Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner’s Office within 72 hours of the Organisation becoming aware of it. Where full information is not yet available, it may be reported in phases. All breaches, including those that are not reported, will be recorded together with the facts, their effects and the reasons for the decision taken.

Individuals will be informed directly and without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

If the breach is sufficient to warrant notification to the public, the Organisation will do so without undue delay.

Training for Employees

New employees and contractors of the Organisation are obliged to read and understand the Organisation’s internal policies on data protection as part of their induction.

All employees and contractors receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.

The Organisation’s nominated data protection lead, auditors and any data protection officer are trained appropriately in their roles under data protection legislation.

All employees and contractors who collect paper feedback forms from schools, transport them, scan them, or need to use the computer system are trained to protect individuals’ private data and to ensure data security. They are also trained to understand the consequences, for them as individuals and for the Organisation, of any lapses or breaches of the Organisation’s policies and procedures.

Records

The Organisation keeps records of its processing activities including the purpose for the processing and retention periods. These records will be kept up to date so that they reflect current processing activities.

Data Protection

The name and contact details of the Organisation’s Data Protection lead are below:

  • Richard Stewart, Chief Executive
  • info@jammawellbeing.com