
The Skinners Company Data Protection Policy

Introduction

The Skinners’ Company takes its responsibility towards its stakeholders’ personal privacy seriously.

Stakeholders are defined as:

  • The Company membership
  • Applicants and residents of the Company’s almshouse schemes
  • Grant applicants and beneficiaries of the Company’s grant making charities
  • School Governorship and links to the Company’s schools
  • Current and former members of Skinners’ Company staff

Loan Hall client details are handled by Skinners’ Hall’s sole caterer, Party Ingredients Limited (www.partyingredients.co.uk), and are not shared with the Skinners’ Company.

The General Data Protection Regulation (GDPR) (2018) regulates the way in which personal data relating to the aforementioned is stored and for what purpose it is kept. Data comprises information held both electronically and as hard copy.

1. Purpose

The purpose of this policy is to enable the Company to:

  • demonstrate an open and honest approach to personal data;
  • comply with the law in respect of the data it holds about individuals;
  • follow good practice;
  • protect all personal data;
  • protect the Company from the consequences of a breach of its responsibilities.

The purpose of the GDPR is to protect the rights and privacy of individuals and to ensure that data about them is not processed without their knowledge and is processed with their consent wherever possible. The previous Data Protection Act (1998) set out eight principles, which remain now that GDPR has been introduced. These are that data must:

  1. be processed fairly and lawfully;
  2. be obtained only for specified and lawful purposes;
  3. be adequate, relevant and not excessive;
  4. be accurate and up to date;
  5. not be kept for longer than is necessary;
  6. be processed in line with individuals’ rights;
  7. be securely kept;
  8. not be transferred to other countries without adequate protection.

The Company’s stakeholders/data subjects have the following rights under GDPR:

  1. the right to be informed;
  2. the right of access;
  3. the right to rectification;
  4. the right to erasure;
  5. the right to restrict processing;
  6. the right to data portability;
  7. the right to object.

2. Policy

Under GDPR, personal data means ‘any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

Personal data should only be kept where there is a legitimate interest to do so. Once obtained it should be used for a specific and lawful purpose without being processed any further. Any personal data should be limited to only that which is relevant.

GDPR states that the data should be kept for no longer than is necessary for the purposes for which the personal data is processed.

The Skinners’ Company will ensure that all personal data is fairly and lawfully obtained and processed and securely held, in accordance with these principles. It will:

  • comply with both the law and good practice;
  • respect individuals’ rights;
  • be open and honest with individuals whose data is held;
  • provide training and support for staff who handle personal data, so that they can act confidently and consistently.

3. Key Risks

The Skinners’ Company has identified the following potential key risks:

  • breach of confidentiality (information being given out inappropriately);
  • misuse of personal information;
  • individuals being insufficiently informed about the use of their data;
  • breach of security by allowing unauthorised access;
  • harm to individuals if personal data is not up to date.

4. Roles and Responsibilities

The Skinners’ Company recognises its overall responsibility for ensuring that each entity complies with its legal obligations.

The Clerk/ Chief Executive acts as the Data Protection Officer. The Clerk will:

  • ensure Data Protection and related policies remain under constant review;
  • ensure Data Protection training takes place for all administrative staff;
  • identify and log the personal data kept and ensure its security;
  • ensure that only data which is necessary for the Company to fulfil its role is processed;
  • keep under review the data which is processed to ensure it remains necessary;
  • undertake a Legitimate Interests Assessment and keep this under review;
  • inform stakeholders of personal data that the Company holds, the reason that the data is held, for how long the data will be held, how to make a subject access request, their right to rectification and their right to erasure;
  • deal with access requests. Requests by an individual for access to their data should be made in writing to the Clerk. Depending on the specific requirements of any request, and on resource availability, the Clerk will endeavour to meet any request within 10 working days.
  • ensure staff know how to report a data breach.
  • destroy personal data when it no longer needs to be processed.

The Clerk’s/CEO’s contact details are shown under section 7: Data Breach.

5. Retention

The Skinners’ Company will only process information necessary to carry out its work and to provide or administer activities for Company members, almshouses schemes, grant giving charities, School Governance and administration of staff.
Retention of data is determined by the following lead processors:

  • Director of Membership: Members’ details
  • The Charities Officer: Almshouses and grant giving charities
  • Director of Education: School Governorship
  • Finance Director: Staff records

The Hall Manager ensures the Company has the means to destroy data by shredding hard copy (aided by an off-site shredding company) and deleting electronic files as soon as they are no longer relevant. The Skinners’ Company will only keep the information while an individual is a member, almshouse resident, grant beneficiary or school governor, or as long as necessary for administration purposes up to a maximum of 2 years. Past employee details are kept for as long as pension liabilities exist.

6. Access and security

Access to data stored by the Company is restricted to those with a need to know or those data subjects who formally request access to their personal file.

The following security measures will be used to protect data:

  • All hard copies of data are protected in locked storage cabinets in locked offices with restricted access controlled by the Hall Manager.
  • All electronically stored data is held on a password protected network and on password protected mobile phones. Backups occur daily. Employees set strong passwords and change them regularly.

If a breach of data security is suspected or occurs the Clerk should be informed.

7. Data breach

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Any known breach will be reported by the Skinners’ Company to the Information Commissioner’s Office (ICO) within 72 hours of its discovery. In the event of a data breach, the Clerk must be informed and the individual whose data is involved in the breach will also be notified. The ICO can apply a fine.

If you suspect a data breach, please contact the Clerk:

by post

The Clerk-The Data Controller
The Skinners’ Company
Skinners’ Hall
8 Dowgate Hill
LONDON
EC4R 2SP

by telephone

020 7236 5629

by email:

clerk@skinners.org.uk

8. Identified use of personal information


The Company Membership

Use of members’ personal information

The personal information will only be used for the purposes outlined below.

  • Administration of membership(s)
  • Fulfilment of orders for goods and services requested
  • In-house research and statistical analysis
  • Communication about campaigns, membership, events and other activities

Processing personal data for the above purposes entails sharing your information with the Company’s trading subsidiary Pellipar Services Company Limited, employees and main contractors. Agreements exist between the Skinners’ Company and such parties that there must be no further disclosure of such personal data.

The City of London Chamberlain’s Court

Upon taking up the Freedom of the City of London via the Skinners’ Company, it is necessary for the Company to provide the City of London’s Chamberlain’s Court with the recipient’s name, address and details of their birth certificate.

This information that is required of the Chamberlain's Court will be held under the provisions of the City of London’s own policy and procedures:

A member may request access to their personal data held by the City of London by contacting:

Verifying, updating and amending your membership personal information

We aim to keep your records as up-to-date as possible. If, at any time, you want to verify, update or amend your personal data or preferences please contact us.

Please provide your full name and date of birth, to help us track your membership record.

You can contact us as follows:

by post

Director of Membership Services
The Skinners’ Company
Skinners’ Hall
8 Dowgate Hill
LONDON
EC4R 2SP

by telephone

020 7213 0551

by email:

membership@skinners.org.uk

Please allow up to 10 working days for us to amend your details.

Online

Alternatively, you can amend your contact details online at www.skinners.org.uk.

If you log in using your username and password, you can select to amend details and preferences. Then select personal details and preferences and log in to change your personal contact details. These changes are actioned within 2 working days. It is noted on your record that you chose to change these details and therefore any mistakes are not The Skinners’ Company’s responsibility.


Applicants and residents of the Company’s almshouse schemes

Use of almshouse applicant and resident personal information

Applicants applying for accommodation will disclose personal data on their application form. The revised 2018 application form will contain the following clause:

It is part of the trustees’ responsibilities to ensure that applicants for almshouses are suitably qualified under the terms of the charity’s governing document. Trustees therefore need to investigate the personal circumstances of applicants. If your application for accommodation is successful, the personal data supplied on this form and other information relating to an almshouse appointment will be held on file for the duration of your appointment as a resident and for two further years. Some details may be checked with relevant organisations, but none will be disclosed for any inappropriate purpose. You may have access to your personal information on request. If your application is unsuccessful, your application form and all other personal data supplied will be destroyed.

Almshouse Residents

The Skinners’ Company Almshouse trustees and its management Company Hanover Housing have carried out a Legitimate Interests Assessment which shows that we feel that it is in the interests of both residents and the charity to hold the following data about residents, and if the charity did not hold this data, it would not be able to fulfil its function with regard to support of residents:

  1. Full name and address, phone numbers and email address
  2. Date of birth
  3. Gender
  4. Marital status
  5. NI number
  6. Name and address of GP
  7. Name, address and contact details of 1st next of kin and 2nd next of kin
  8. Name and address of location where their Will is kept (if the resident has one)
  9. Details of their funeral planning arrangements and pre-paid plan (if the resident has one)
  10. Details of bank account (for processing direct debits for WMC collection)
  11. Details of income and savings at the time of application for accommodation
  12. Details of current medical conditions and past operations / hospital admissions / previous conditions
  13. Details of current medication including dosage amount
  14. Details of allergies to medicine, e.g. antibiotics

Residents have the right to make a Subject Access Request direct to the Charities Officer, to ask to view the personal data which we hold. Residents have the right to rectification, i.e. to have incorrect information amended. Every 3 months when Scheme Managers review the information on your Resident Record Sheet with you, you are asked to amend any data and to sign to say that the data is accurate. Residents also have the right to erasure, i.e. the right to be ‘forgotten’, if you object to the processing of personal data for legitimate interests. However, you need to be aware that if you exercised the right to erasure, the charity would not be able to fulfil its role in supporting you and ensuring you received the care you need, for example liaising with your family/friends/next of kin, liaising with your GP/consultants/social services/carers about your health and well-being and enabling the charity’s staff to signpost residents to appropriate external care. If a resident requested that their personal data was erased, the charity would make a compelling case for why it needs to process that data.

Residents’ personal data is held for a maximum of 2 years after a resident dies or leaves their almshouse. This is so that the charity can liaise where necessary with a resident’s next of kin and/or with a nursing home or care home. All personal data is then destroyed.

Verifying, updating and amending your personal information

In addition to the aforementioned procedures if, at any time, you want to verify, update or amend your personal data or preferences please contact us.

Please provide your full name and date of birth, to help us track your application/resident record. You can contact us as follows:

by post

Charities Officer
The Skinners’ Company
Skinners’ Hall
8 Dowgate Hill
LONDON
EC4R 2SP

by telephone

020 7236 5629

by email:

carmel.miedziolka@skinners.org.uk

Please allow up to 10 working days for us to amend your details.


Grant applicants and beneficiaries of the Company’s grant making charities

The Lawrence Atwell Charity-The Lady Neville Charity-The Skinners Benevolent Trust-The Thomas Smythe Charity-and the administration of The Thomas Wall Trust

Applicants applying for grants will disclose personal data on their application form. The revised 2018 application forms will contain the following clause:

It is the trustees’ responsibility to ensure that applicants for grants are eligible according to the (named) charity’s funding criteria. Trustees therefore need to understand the personal circumstances of applicants. If your application for a grant is successful, the personal data supplied on this form and other information relating to a grant will be kept for two further years. Some details may be checked with relevant organisations, but none will be shared for any purpose not linked to grant assessment or administration. You may have access to your personal information on request. If your application is unsuccessful, your application form and all other personal data supplied will be anonymised or destroyed.

Verifying, updating and amending your personal information

In addition, if, at any time, you want to verify, update or amend your personal data or preferences please contact us.

Please provide your full name and date of birth, to help us track your application record. You can contact us as follows:

by post

Charities Officer
The Skinners’ Company
Skinners’ Hall
8 Dowgate Hill
LONDON
EC4R 2SP

by telephone

020 7236 5629

by email:

carmel.miedziolka@skinners.org.uk

Please allow up to 10 working days for us to amend your details.


School Governors and links to the Company’s schools

Tonbridge School-Judd School-Skinners’ School-The Skinners’ Academy-The Skinners Kent Academy-The Marsh Academy and Skinners Kent Primary School

Use of non-member school governors’ personal information

Personal information will be used for the purposes outlined below.

  • Administration of nominated School related business
  • Recording of training taken/required
  • In-house research and statistical analysis

Processing personal data for the above purposes entails sharing personal information with fellow governors, the governed school, Companies House and the local authority.

Information is held for the duration of the governors’ term of office and for four years or beyond in case Ofsted or Companies House required evidence.

Sharing of school pupil/ guardian information

Under normal circumstances schools do not share the personal data of their pupil or staff populations.

However, individuals’ data may be required by the Skinners’ Company to work in support of exclusions, complaints and appeals processes.

A Data Sharing Agreement exists between each of our schools and the Company in order to regulate this flow of personal data and this forms part of the Privacy Agreement between the schools and the parents.

In these cases, the Skinners Company will obtain permission via the School to access specific information.

No personal data is withheld beyond the scope of any inquiry/ process.

Verifying, updating and amending your personal information

In addition to the aforementioned procedures if, at any time, you want to verify, update or amend your personal data or preferences please contact us.

Please provide your full name and date of birth, to help us track your record. You can contact us as follows:

by post

Director of Education
The Skinners’ Company
Skinners’ Hall
8 Dowgate Hill
LONDON
EC4R 2SP

by telephone

020 7236 5629

by email:

education@skinners.org.uk

Please allow up to 10 working days for us to amend your details.


Skinners’ Company staff – including staff GDPR working practices

The Skinners’ Company holds the following personal data on staff:

  1. Full name and address, phone numbers and email address
  2. Date of birth
  3. Gender
  4. NI number
  5. Name, address and contact details of next of kin
  6. Details of their bank account (for processing payment)

The Clerk/ Chief Executive has carried out a Legitimate Interests Assessment which shows that the Skinners’ Company believes it has a legitimate interest to hold the above personal data for staff and that we would not be able to perform our job in supporting staff without this information.

The Skinners Company must ensure that it only holds data for staff that is absolutely necessary; the Company must not hold inaccurate data, nor hold data for longer than is necessary; the Company must have a procedure for destroying data and must ensure that staff data (both hard copy and electronic) is protected.

Past employee details are kept for as long as pension liabilities exist.

Staff GDPR working practices

All computers and laptops must always be password protected. The passwords must be STRONG (comprising letters - some uppercase some lowercase, numbers and ideally other characters as well). All staff must change their computer or laptop sign on password on receipt of this protocol and change it regularly.

  1. Laptops and computers must be either switched off or logged off when not in use.
  2. Staff must ensure that, when their computer goes into ‘sleep’ mode, the password has to be re-entered to wake the computer up again.
  3. Block send e-mails: e-mail addresses should be entered into the Bcc address box to ensure e-mail addresses are not shared. Alternatively, block send e-mails can be posted via the database to ensure e-mail addresses are not shared.
  4. Staff must ensure that no unauthorised persons have sight of personal data displayed on screens.
  5. Mobile phones onto which personal data is downloaded must be password protected and passwords must be STRONG.
  6. Staff must ensure that paper files which contain personal data are kept in a locked filing cabinet.
  7. Old diaries should be kept in a locked cabinet or shredded.
  8. Staff must ensure that no hard copies of personal data are left out on desks overnight.
  9. No personal data must be put on noticeboards in the offices.
  10. All staff must go through their computer files by May 25th, 2018 and delete all documents with personal data which are no longer needed or out of date.

Other important things to note in relation to the new GDPR policy:

  1. All data subjects have the right to erasure, i.e. the right to ‘be forgotten’ and legally the Skinners’ Company has to make them aware of this. Documentation should make it clear to all data subjects that if they were to exercise this right, the Company would not be able to do their job properly.
  2. All company related data subjects have the right to make a Subject Access Request – i.e. to ask to see all their personal data/correspondence with them or about them that the Company holds and to have copies of everything. If a Data Subject asked for this, the Company would be legally obliged to show them everything. Therefore, it is vital that staff have nothing written down that staff would not wish the data subject to read.
  3. When disposing of hard copies of personal data, it must be shredded.
  4. Staff need to be vigilant about possible data breaches which could occur through hacking/phishing. If in doubt about the source of an email or whether it is genuine, please do not open it and check with the Hall Manager or Virtual IT support first. If staff suspect a data breach (e.g. that personal data has got into the public domain), please report it asap to the Clerk, who will report it to the Information Commissioner’s Office within 72 hours. Staff must ensure that they always complete Windows updates when prompted.