We take privacy issues seriously and are open about the way data is collected and used. Please read this policy which outlines the principles we follow.
We are committed to:
– protecting the personal information you give us
– telling you how we use the information we gather from you
– getting your consent to our disclosure of your personal information
Glossary of key terms
"Data controllers" means organisations that determine how people's personal data is processed and for what purpose.
"Data Subjects" means any living individuals whose data the Data Controller processes.
"Processing" means any action in relation to that personal data, including filing and communication.
"Personal Data" includes everything from which a Data Subject can be identified. It ranges from simple contact details and encompasses, file notes or minutes, a record of anyone's intentions towards that person, and communications (such as emails) with or about them.
Some categories of Personal Data are "special category data" under the GDPR. These comprise data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; data concerning health or data concerning a natural person’s sex life or sexual orientation; and biometric data. Extra protection is provided for these data. Neither contractual grounds nor legitimate interests will apply to sensitive or “special category” personal data (see below): this will require explicit consent to process, except under a statutory right or obligation (e.g. concerning employment) or if particular rare and urgent grounds exist (e.g. preventing or detecting a crime or acting to protect someone’s vital interests to protect them from imminent harm).
We, ProbateAdmin Ltd (‘the Company’) are a data controller for the purposes of the GDPR. Our registered office is 3 Churchfield Harpenden, Herts, AL5 1LJ, Tel: 01582 808561, registered in England and Wales under Company number 11817849.
This policy is intended to provide information about how we use (or "process") personal data about individuals.
any contract between us and third parties;
our health and safety policies, including as to how concerns or incidents are recorded; and
the our IT policies, including our Acceptable Use policy
Our Data Protection Officer (DPO) is Kevin Parsons. Our DPO is not personally liable for data protection, responsibility for that rests within the Company. Our DPO can be contacted at firstname.lastname@example.org with the subject line “for the attention of the DPO”
In order to carry out our ordinary functions we may process personal data about individuals as part of our daily operation for the following reasons.
Fulfilling a contract with the individual
Compliance with a legal obligation
Vital interests, i.e. to protect someone’s life
We assert that the following uses will fall within the category of our “legitimate interests”:
To provide our products and services;
For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as diversity or gender pay gap analysis and taxation records);
To give and receive information and references about past, current and prospective employees and to provide references to potential employers of past employees;
To monitor the use of our IT and communications systems in accordance with our IT: acceptable use policy;
Where otherwise reasonably necessary for our core purposes, including to obtain appropriate professional advice and insurance for the Company.
In addition, the Company may need to process special category personal data or criminal records information in accordance with rights or duties imposed on us by law, including as regards safeguarding and employment, or from time to time by explicit consent where required. These reasons may include:
To safeguard employees’ welfare and provide appropriate pastoral (and where necessary, medical) care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual's medical condition where it is in the individual's interests to do so: for example for medical advice, social services or insurance purposes;
To run any of our systems that operate on bio metric data, such as for security; or
For legal and regulatory purposes (for example diversity monitoring and health and safety) and to comply with our legal obligations and duties of care.
TYPES OF PERSONAL DATA PROCESSED BY THE COMPANY
This will include by way of example:
names, addresses, telephone numbers, e-mail addresses and other contact details;
car details (about those who use our car parking facilities);
bio metric information, which will be collected and used by the Company in accordance with the Company's bio metrics policy. This is stored as a numerical code, not in the form of a stored image e.g. fingerprint
bank details and other financial information, e.g. about customers to whom we make electronic payments;
past, present and prospective employees' academic, disciplinary and attendance records (including information about any special needs);
where appropriate, information about individuals' health, and contact details for their next of kin;
references given or received by the Company about employees and information provided by previous employees and/or other professionals or organisations working with employees.
HOW THE COMPANY COLLECTS DATA
Generally, the Company receives personal data from the individual directly. This may be via a form, or simply in the ordinary course of interaction or communication (such as email or written assessments).
However in some cases personal data may be supplied by third parties (for example professionals or organisations for whom the individual works or who are working with that individual); or collected from publicly available resources.
WHO HAS ACCESS TO PERSONAL DATA AND WHO THE COMPANY SHARES IT WITH
Occasionally, the Company will need to share personal information relating to its community with third parties, such as professional advisers (lawyers and accountants) or relevant authorities (HMRC or the Police).
For the most part, personal data collected by the Company will remain within the Company, and will be processed by appropriate individuals only in accordance with access protocols (i.e. on a ‘need to know’ basis). Particularly strict rules of access apply in the context of:
medical records held and accessed only by the appropriate Company staff or otherwise in accordance with express consent; and
pastoral or safeguarding files.
We will not give information about Data Subjects to anyone outside the Company without their consent unless the law and our rules allow us to.
Bodies which might legally require us to share data include the Police and HMRC.
Finally, in accordance with Data Protection Law, some of the Company’s processing activity is carried out on its behalf by third parties, such as IT systems, web developers or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the Company’s specific directions.
Data is currently processed by:
Wix.com in order to provide analytical and tracking information about our website probateadmin.co.uk
Fullstory.com in order to provide behavioural information about how our products are being used.
Freshdesk.com in order to provide our Helpdesk services and Knowledge Base
HOW LONG WE KEEP PERSONAL DATA
The Company will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. Typically, the legal recommendation for how long to keep ordinary employees personnel files is up to 7 years following departure from the Company. However, incident reports and safeguarding files will need to be kept much longer, in accordance with specific legal requirements. If you have any specific queries about how this policy is applied, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact the DPO. However, please bear in mind that the Company may have lawful and necessary reasons to hold on to some data.
Individuals have various rights under Data Protection Law to access and understand personal data about them held by the Company and in some cases ask for it to be erased or amended or for the Company to stop processing it, but subject to certain exemptions and limitations.
Any individual wishing to access or amend their personal data, or wishing it to be transferred to another person or organisation, should put their request in writing to the DPO.
The Company will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month in the case of requests for access to information. The Company will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, the Company may ask you to reconsider or charge a proportionate fee, but only where Data Protection Law allows it.
You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal professional privilege. The Company is also not required to disclose any confidential reference given by the Company for the purposes of the education, training or employment of any individual.
Where the Company is relying on consent as a means to process personal data, any person may withdraw this consent at any time (subject to similar age considerations as above). Please be aware however that the Company may have another lawful reason to process the personal data in question even without the individual’s consent.
DATA ACCURACY AND SECURITY
The Company will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must notify the Company of any changes to information that they know the Company holds about them.
An individual has the right to request that any inaccurate or out-of-date information about them is erased or corrected (subject to certain exemptions and limitations under Act): please see above.
The Company will take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to the Company’s systems. All employees and owners will be made aware of this policy and their duties under Data Protection Law and receive relevant training.
Where the Company has material grounds to believe that information is defunct, such as a phone number being listed unavailable or an email bouncing back, the Company will delete this information speedily.
Data providers in dispute over whether information held by the Company is fair and accurate have the right to lodge with the Company their divergent information, opinion, or account, and ask that it be held alongside the Company’s.
QUERIES AND COMPLAINTS
Any comments or queries on this policy should be directed to the DPO using the contact details above.
If an individual believes that the Company has not complied with this policy or acted otherwise than in accordance with Data Protection Law, they should notify the Board of Directors of the Company in writing at the Company’s registered office address. The Company can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with the Company before involving the regulator.
LEGAL AND REGULATORY FRAMEWORK
The Protection of Freedoms Act 2012 (biometrics and CCTV)
Privacy Notices, Transparency and Control (ICO Guidance, drafted in anticipation of GDPR but not a full GDPR Privacy Notices Code of Practice)
Privacy Notices under the GDPR (short-form guidance with checklist)
Direct Marketing Guidance (PECR) (last updated April 2016 but still applicable after GDPR)
The Subject Access Code of Practice (last updated June 2017)
The ICO Code of Practice on CCTV (last updated June 2017)
Overview of the General Data Protection Regulation (short-form overview)