Privacy Policy

Last revised: May 2020

Introduction

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The following guidance is not a definitive statement on the Regulations but seeks to interpret relevant points where they affect Sprint Renewables Limited.

The Regulations cover both written and computerised information and the individual's right to see such records. It is important to note that the Regulations also cover records relating to staff and volunteers.

All Sprint Renewables Limited staff are required to follow this Data Protection Policy at all times. The Director has overall responsibility for data protection within Sprint Renewables Limited but each individual processing data is acting on the director's behalf and therefore has a legal obligation to adhere to the Regulations.

Definitions

Processing of information
How information is held and managed.
Information Commissioner
Formerly known as the Data Protection Commissioner.
Notification
Formerly known as Registration.
Data Subject
Used to denote an individual about whom data is held.
Data Controller
Used to denote the entity with overall responsibility for data collection and management. Sprint Renewables Limited is the Data Controller for the purposes of the Act.
Data Processor
An individual handling or processing data.
Personal data
Any information which enables a person to be identified.
Special categories of personal data
Information under the Regulations which requires the individual's explicit consent for it to be held.

Data Protection Principles

As data controller, Sprint Renewables Limited is required to comply with the principles of good information handling. These principles require the Data Controller to:

  1. Process personal data fairly, lawfully and in a transparent manner.
  2. Obtain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner that is incompatible with the purpose or purposes for which it was obtained.
  3. Ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.
  4. Ensure that personal data is accurate and, where necessary, kept up-to-date.
  5. Ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
  6. Ensure that personal data is kept secure.
  7. Ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which it is sent ensures an adequate level of protection for the rights of the individuals to whom the personal data relates.

Consent

Sprint Renewables Limited must record service users' explicit consent to storing certain information (known as 'personal data' or 'special categories of personal data') on file.

For the purposes of the Regulations, personal and special categories of personal data covers information relating to:

  1. The racial or ethnic origin of the Data Subject.
  2. His/her political opinions.
  3. His/her religious beliefs or other beliefs of a similar nature.
  4. Whether he/she is a member of a trade union.
  5. His/her physical or mental health or condition.
  6. His/her sexual life.
  7. The commission or alleged commission by him/her of any offence.
  8. Online identifiers such as an IP address.
  9. Name and contact details.
  10. Genetic and/or biometric data which can be used to identify an individual.

Consent is not required to store information that is not classed as special category of personal data as long as only accurate data that is necessary for a service to be provided is recorded. As a general rule Sprint Renewables Limited will always seek consent where personal or special categories of personal information is to be held.

Where it is not reasonable to obtain consent at the time data is first recorded and the case remains open, retrospective consent should be sought at the earliest appropriate opportunity.

Obtaining Consent

Consent may be obtained in a number of ways depending on the nature of the interview, and consent must be recorded on or maintained with the case records: face-to-face, written, telephone, or email.

Consent obtained for one purpose cannot automatically be applied to all uses. For example, where consent has been obtained from a service user in relation to information needed for the provision of that service, separate consent would be required if direct marketing were to be undertaken.

Specific consent for use of any photographs and/or videos taken should be obtained in writing. If the subject is less than 18 years of age then parental/guardian consent should be sought.

Individuals have a right to withdraw consent at any time.

Ensuring the Security of Personal Information

It is an offence to disclose personal information 'knowingly and recklessly' to third parties. A client's individual consent to share information should always be checked before disclosing personal information to another agency. Where such consent does not exist, information may only be disclosed if it is in connection with criminal proceedings or in order to prevent substantial risk to the individual concerned, and in either case permission of the Director should first be sought.

Personal information should only be communicated within Sprint Renewables Limited's staff and volunteer team on a strict need to know basis.

Paper records should be kept in locked cabinets/drawers overnight. Documents should only be stored on the server or cloud-based systems and not on individual computers. Where computers or other mobile devices are taken for use off the premises the device must be password protected.

Direct Marketing

Sprint Renewables Limited will not undertake direct telephone marketing activities under any circumstances. Specific consent to contact will be sought from our staff, clients and other supporters, including which formats they prefer, before making any communications.

We promise never to share or sell your information to other organisations or businesses. You can opt out of our communications at any time by telephoning 01226 337654, writing to Sprint Renewables Ltd, Unit 9C Mapplewell Business Park, Mapplewell, Barnsley, S75 6BP, or by emailing info@sprintrenewables.co.uk.

Privacy Statements

Any documentation which gathers personal and/or special categories of personal data will include the following information: who we are, what we will do with your data, who we will share it with, consent for marketing, how long we will keep it, that your data will be treated securely, how to opt out, and where to find a copy of the full notice.

Retention of Records

Paper records should be retained for the following periods, at the end of which they should be shredded:

  • Client records — 6 years after ceasing to be a client.
  • Staff records — 6 years after ceasing to be a member of staff.
  • Unsuccessful staff application forms — 6 months after vacancy closing date.
  • Volunteer records — 6 years after ceasing to be a volunteer.
  • Timesheets and other financial documents — 7 years.
  • Employer's liability insurance — 40 years.

What to Do If There Is a Breach

If you discover, or suspect, a data protection breach you should report this to your line manager who will review our systems, in conjunction with the Compliance Manager, to prevent a reoccurrence. The Compliance Manager should be informed of the breach, action taken and outcomes to determine whether it needs to be reported to the Information Commissioner.

Any deliberate or reckless breach of this Data Protection Policy by an employee or volunteer may result in disciplinary action which may result in dismissal.

The Rights of an Individual

Under the Regulations an individual has the following rights with regard to those who are processing his/her data:

  • Personal and special categories of personal data cannot be held without the individual's consent.
  • Data cannot be used for the purposes of direct marketing of any goods or services if the Data Subject has declined their consent.
  • Individuals have a right to have their data erased and to prevent processing where: data is no longer necessary; an individual withdraws consent; an individual objects to the processing; or personal data was unlawfully processed.
  • An individual has a right to restrict processing.
  • An individual has a 'right to be forgotten'.

Data Subjects can ask, in writing, to see all personal data held on them, including emails and computer or paper files. Sprint Renewables Limited must comply with such requests within 30 days of receipt of the written request.

Further Information

Further information is available at www.ico.org.uk.

The Information Commissioner's Office:
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Switchboard: 01625 545 700
Data Protection Help Line: 01625 545 745