The Skinners Company Data Protection Policy

Introduction

The Skinners' Company takes its responsibility towards its stakeholders' personal privacy seriously.

Stakeholders are defined as:

  • The Company membership
  • Applicants and residents of the Company's Almshouse schemes
  • Grant applicants and beneficiaries of the Company's grant making charities
  • School Governorship and links to the Company's schools
  • Current and former members of Skinners' Company staff

Loan Hall client details are handled by The Approved Catering Provider and are not shared with the Skinners' Company.

The General Data Protection Regulation (GDPR) (2018) regulates the way in which personal data relating to the aforementioned is stored and for what purpose it is kept. Data comprises identifiable information held both electronically and as hard copy.

1. Purpose

The purpose of this policy is to enable the Company to:

  • demonstrate an open and honest approach to the handling of personal data.
  • comply with the law in respect of the data it holds about individuals.
  • follow good practice.
  • protect all personal data.
  • protect the Company from the consequences of a breach of its responsibilities.

The purpose of the GDPR is to protect the rights and privacy of individuals and to ensure that data about them is not processed without their knowledge and is processed with their consent wherever possible. The previous Data Protection Act (1998) set out eight principles, which remain now that GDPR has been introduced.

These eight principles are that data must:

  1. be processed fairly and lawfully.
  2. be obtained only for specified and lawful purposes.
  3. be adequate, relevant and not excessive.
  4. be accurate and up to date.
  5. not be kept for longer than is necessary.
  6. be processed in line with individuals' rights.
  7. be securely kept.
  8. not be transferred to other countries without adequate protection.

The Company's stakeholders/data subjects have the following rights under GDPR:

  1. the right to be informed.
  2. the right of access.
  3. the right to rectification.
  4. the right to erasure.
  5. the right to restrict processing.
  6. the right to data portability.
  7. the right to object.

2. Policy

Under GDPR, personal data means 'any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'.

Personal data should only be kept where there is a legitimate interest to do so. Once obtained it should be used for a specific and lawful purpose without being processed any further. Any personal data should be limited to only that which is relevant. GDPR states that the data should be kept for no longer than is necessary for the purposes for which the personal data is processed.

The Skinners' Company will ensure that all personal data is fairly and lawfully obtained and processed and securely held, in accordance with these principles. It will:

  • comply with both the law and good practice.
  • respect individuals' rights.
  • be open and honest with individuals whose data is held.
  • provide training and support for staff who handle personal data, so that they can act confidently and consistently.

3. Key Risks

The Skinners' Company has identified the following potential key risks:

  • breach of confidentiality (information being given out inappropriately).
  • misuse of personal information.
  • individuals being insufficiently informed about the use of their data.
  • breach of security by allowing unauthorised access.
  • harm to individuals if personal data is not up to date.

4. Roles and Responsibilities

The Skinners' Company recognises its overall responsibility for ensuring that each entity complies with its legal obligations.

The Clerk/ Chief Executive Officer acts as the Data Protection Officer. The Clerk will:

  • ensure Data Protection and related policies remain under constant review.
  • ensure Data Protection training takes place for all administrative staff.
  • identify and log the personal data kept and ensure its security.
  • ensure that only data which is necessary for the Company to fulfil its role is processed.
  • keep under review the data which is processed to ensure it remains necessary.
  • undertake a Legitimate Interests Assessment and keep this under review.
  • inform stakeholders of personal data that the Company holds, the reason that the data is held, for how long the data will be held, how to make a subject access request, their right to rectification and their right to erasure.
  • deal with access requests. Requests by an individual for access to their data should be made in writing to the Clerk. Depending on the specific requirements of any request, and on resource availability, the Clerk will endeavour to meet any request within 10 working days.
  • ensure staff know how to report a data breach.
  • destroy personal data when it no longer needs to be processed.

(The Clerk's/CEO's contact details are shown under section 7: Data breach)

5. Retention

The Skinners' Company will only process information necessary to carry out its work and to provide or administer activities for Company members, Almshouses schemes, grant giving charities, School Governance and administration of staff.
Retention of data is determined by the following lead processors:

  • Director of Membership - Members' details
  • Director of the Skinners' Almshouse Charity
  • Grants Manager - Grant giving charities
  • Director of Education - School Governorship
  • Finance Director - Staff records

The Hall Director ensures the Company has the means to destroy data by shredding hard copy (aided by an off-site shredding company) and deleting electronic files as soon as they are no longer relevant. The Skinners' Company will only keep the information while an individual is a member, Almshouse resident, grant beneficiary or school governor, or as long as necessary for administration purposes up to a maximum of 2-3 years. Past employee details are kept for as long as pension liabilities exist.

6. Access and security

Access to data stored by the Company is restricted to those with a need to know or those data subjects who formally request access to their personal file.

The following security measures will be used to protect data:

  • All hard copies of data are protected in locked storage cabinets in locked offices with restricted access controlled by the Hall Director.
  • All electronically stored data is held on a password protected network and on password protected mobile phones. Backups occur daily. Employees set strong passwords and change them regularly.

If a breach of data security is suspected or occurs the Clerk should be informed.

7. Data breach

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Any known breach will be reported by the Skinners' Company to the Information Commissioner's Office (ICO) within 72 hours of its discovery. In the event of a data breach, the Clerk must be informed and the individual(s) whose data is involved in the breach will also be notified. The ICO can apply a fine.

If you suspect a data breach, please contact the Clerk:

by email:

clerk@skinners.org.uk

by telephone

020 7236 5629

by post

The Clerk - The Data Controller
The Skinners' Company
Skinners' Hall
8 Dowgate Hill
LONDON
EC4R 2SP

 

8. Identified use of personal information


The Company Membership

Use of members' personal information

The personal information will only be used for the purposes outlined below.

  • Administration of membership(s)
  • Fulfilment of orders for goods and services requested
  • In-house research and statistical analysis
  • Communication about campaigns, membership, events and other activities

Processing personal data for the above purposes entails sharing your information with the Company's trading subsidiary Pellipar Services Company Limited, employees and main contractors. Agreements exist between the Skinners' Company and such parties that seek to ensure there must be no further disclosure of such personal data.

Members of the Court and Livery: Pocket book diary.

It is customary for members of the Court and Livery to have their names and home addresses published in the Company diary.

The diary is posted to members of the Company, including those members who reside overseas.

Members may opt out of this practice by contacting the Clerk - clerk@skinners.org.uk

The City of London Chamberlain's Court

It is necessary, upon taking up Freedom of the City of London via the Skinners' Company, for the Company to provide the City of London's Chamberlain's Court with the recipient's name, address and their long format birth certificate, which may also contain identifiable parental information. This information is stored in the Common Hall Register.

The City of London state:

In order to meet our obligations in relation to the register of electors for Common Hall each year, we will share your personal data (name, address, title and livery membership) with the Town Clerk & Chief Executive of the City of London Corporation for electoral purposes pursuant to the City of London Ballot Act 1887.  A separate privacy notice setting out how your personal data will be processed by the City of London Corporation is available via: https://www.cityoflondon.gov.uk/footer/privacy-notice 

If you have any concerns or questions about how The City of London look after your personal information, please contact the City of London's Data Protection Officer via e-mail: Information.Officer@cityoflondon.gov.uk

Verifying, updating and amending your Skinners' Company Membership Profile

Your Membership Profile contains:

  • Your contact details 
  • the details of your submitted CV

You can edit and update your details in real time.

Access your Membership Profile at any time via the Members Area of the Skinners' Company website: www.skinners.org.uk

Then click onto the Edit My Profile button.  

If you experience any difficulties logging in to the Members Area of the website or updating your profile please contact the membership team.

By e-mail: membership@skinners.org.uk

By telephone: 0207 2130551

Please note that the Skinners' Company will not be responsible for any errors you might make. 


Applicants and residents of the Skinners' Company's Almshouse Schemes.

Prescribed use of almshouse applicant and resident personal information

Applicants applying for accommodation will disclose personal data on their application form. The revised 2018 application form will contain the following clause:

It is part of the trustees' responsibilities to ensure that applicants for almshouses are suitably qualified under the terms of the charity's governing document. Trustees therefore need to investigate the personal circumstances of applicants. If your application for accommodation is successful, the personal data supplied on this form and other information relating to an almshouse appointment will be held on file for the duration of your appointment as a resident and for up to three further years. Some details may be checked with relevant organisations, but none will be disclosed for any inappropriate purpose. You may have access to your personal information on request. If your application is unsuccessful, your application form and all other personal data supplied will be destroyed.

Almshouse Residents

The Skinners' Company Almshouse trustees have carried out a Legitimate Interests Assessment which shows that we feel that it is in the interests of both residents and the charity to hold the following data about residents, and if the charity did not hold this data, it would not be able to fulfil its function with regard to support of residents:

  1. Full name and address, phone numbers and email address
  2. Date of birth
  3. Gender
  4. Marital status
  5. NI number
  6. Name and address of GP
  7. Name, address and contact details of 1st next of kin and 2nd next of kin
  8. Name and address of location where their Will is kept (if the resident has one)
  9. Details of their funeral planning arrangements and pre-paid plan (if the resident has one)
  10. Details of bank account (for processing direct debits for WMC collection)
  11. Details of income and savings at the time of application for accommodation
  12. Details of current medical conditions and past operations / hospital admissions / previous conditions
  13. Details of current medication including dosage amount
  14. Details of allergies to medicine, e.g. antibiotics

Subject access request

Residents have the right to make a Subject Access Request direct to the Skinners' Almshouse Charity Director, to ask to view the personal data which we hold. Residents have the right to rectification, i.e. to have incorrect information amended.

Every 3 months when Scheme Managers review the information on your Resident Record Sheet with you, you are asked to amend any data and to sign to say that the data is accurate.

Right to erasure of personal data

Residents also have the right to erasure, i.e. the right to be 'forgotten', if you object to the processing of personal data for legitimate interests. However, you need to be aware that if you exercised the right to erasure, the charity would not be able to fulfil its role in supporting you and ensuring you receive the care you need, for example liaising with your family/friends/next of kin, liaising with your GP/consultants/social services/carers about your health and well-being and enabling the charity's staff to signpost residents to appropriate external care. If a resident requested that their personal data was erased, the charity would make a compelling case for why it needs to process that data.

Retention of Personal information

Residents' personal data is held for a maximum of 2 years after a resident dies or leaves their Almshouse. This is so that the charity can liaise where necessary with a resident's next of kin and/or with a nursing home or care home. All personal data is then destroyed.

Verifying, updating and amending your Almshouse Charity personal information.

In addition to the aforementioned procedures if, at any time, you want to verify, update or amend your personal data or preferences please contact us.

Please provide your full name and date of birth, to help us track your application/resident record. You can contact us as follows:

by email: caroline.hamilton@skinners.org.uk

by telephone: 020 7213 0576

by post:

Director of the Skinners' Almshouse Charity
The Skinners' Company
Skinners' Hall
8 Dowgate Hill
LONDON
EC4R 2SP

Please allow up to 10 working days for us to amend your details.


Grant applicants and beneficiaries of the Company's grant making charities

  • The Lawrence Atwell Charity
  • The Lady Neville Charity
  • The Skinners Benevolent Trust
  • The Thomas Smythe Charity
  • The Skinners' Malmesbury Foundation
  • The Sir Andrew Judd Foundation 
  • The administration of The Thomas Wall Trust.

Applicants applying for grants are required to disclose personal data on their application form. The application forms contain the following clause:

It is the trustees' responsibility to ensure that applicants for grants are eligible according to the (named) charity's funding criteria. Trustees therefore need to understand the personal circumstances of applicants. If your application for a grant is successful, the personal data supplied on this form and other information relating to a grant will be kept for two further years. Some details may be checked with relevant organisations, but none will be shared for any purpose not linked to grant assessment or administration. You may have access to your personal information on request. If your application is unsuccessful, your application form and all other personal data supplied will be anonymised or destroyed.

Verifying, updating and amending your grant application personal information.

In addition, if, at any time, you want to verify, update or amend your personal data or preferences please contact us.

Please provide your full name and date of birth, to help us track your application record. You can contact us as follows:

By email: charities@skinners.org.uk

By telephone: 020 7213 0561

By post:

The Grants Manager

The Skinners' Company
Skinners' Hall
8 Dowgate Hill
LONDON
EC4R 2SP

Please allow up to 10 working days for us to amend your details.


School and Academy Governors, and links to the company's schools and academies

  • Tonbridge School
  • The Judd School
  • The Skinners' School
  • Skinners' Academy
  • The Skinners' Kent Academy and Skinners' Kent Primary School
  • The Marsh Academy

Use of non-member school governors' personal information

Personal information will be used for the purposes outlined below.

  • Administration of nominated School/academy related business
  • Recording of training taken/required
  • In-house research and statistical analysis

Processing personal data for the above purposes entails sharing personal information with fellow governors, the governed school, Companies House, the Charities Commission and related local authorities.

Information is held for the duration of the governor's term of office and for four years or beyond in case Ofsted or Companies House required evidence.

Sharing of school pupil/ guardian information

Under normal circumstances, schools and academies do not share the personal data of their pupil or staff populations.

However, individuals' data may be required by the Skinners' Company to work in support of exclusions, complaints and appeals processes.

A Data Sharing Agreement

A Data Sharing Agreement exists between each of our schools/ academies and the Company in order to regulate this flow of personal data and this forms part of the Privacy Agreement between the schools and the parents.

In these cases, the Skinners' Company will obtain permission via the School to access specific information.

No personal data is held by the Skinners' Company beyond the scope of any inquiry/ process. (This may mean once an inquiry is finished or beyond for required legitimate- legal purposes).

Verifying, updating and amending your personal information

In addition to the aforementioned procedures if, at any time, you want to verify, update or amend your personal data or preferences please contact us.

Please provide your full name and date of birth to help us track your record. You can contact us as follows:

By email: education@skinners.org.uk

By telephone: 020 7213 0556

By post:

Director of Education
The Skinners' Company
Skinners' Hall
8 Dowgate Hill
LONDON
EC4R 2SP

Please allow up to 10 working days for us to amend your details.


Skinners' Company staff - Including staff GDPR working practices

The Skinners' Company holds the following personal data on staff:

  1. Full name and address, phone numbers and email address
  2. Date of birth
  3. Gender
  4. NI number
  5. Name, address and contact details of next of kin
  6. Details of bank accounts (for processing payment)

The Clerk/ Chief Executive has carried out a Legitimate Interests Assessment which shows that the Skinners' Company believes it has a legitimate interest to hold the above personal data for staff and that we would not be able to perform our job in supporting staff without this information.

The Skinners' Company must ensure that it only holds data for staff that is absolutely necessary; the Company must not hold inaccurate data, nor hold data for longer than is necessary; the Company must have a procedure for destroying data and must ensure that staff data (both hard copy and electronic) is protected.

Past employee details are kept for as long as pension liabilities exist.

Staff GDPR working practices

All computers and laptops must be password protected. The passwords must be STRONG (comprising letters - some uppercase some lowercase, numbers and ideally other characters as well). All staff must change their computer or laptop sign on password on receipt of this protocol and change it regularly.

  1. Laptops and computers must be either switched off or logged off when not in use.
  2. Staff must ensure that, when their computer goes into 'sleep' mode, the password has to be re-entered to wake the computer up again.
  3. Block send e-mails: e-mail addresses should be entered into the Bcc address box to ensure e-mail addresses are not shared. Alternatively, block send e-mails can be posted via the CRM system to ensure e-mail addresses are not shared.
  4. Staff must ensure that no unauthorised persons have sight of personal data displayed on screens.
  5. Mobile phones onto which personal data is downloaded must be password protected and passwords must be STRONG.
  6. Staff must ensure that paper files which contain personal data are kept in a locked filing cabinet.
  7. Old diaries should be kept in a locked cabinet or shredded.
  8. Staff must ensure that no hard copies of personal data are left out on desks overnight.
  9. No personal data must be put on noticeboards in the offices.
  10. All staff must regularly go through their computer files and delete all documents with personal data which are no longer needed or out of date.

Other important things for Company staff (data processors) to note in relation to the Skinners' Company's GDPR policy:

1. The Right to Erasure

All data subjects have the right to erasure, i.e. the right to 'be forgotten' and legally the Skinners' Company has to make them aware of this. Documentation should make it clear to all data subjects that if they were to exercise this right, the Company would not be able to do their job properly.

2. Subject Access Requests

All Company related data subjects have the right to make a Subject Access Request - i.e. to ask to see all their personal data/correspondence with them or about them that the Company holds and to have copies of everything. If a Data Subject asked for this, the Company would be legally obliged to show them everything. Therefore, it is vital that staff have nothing written down that staff would not wish the data subject to read.

3. Data disposal

When disposing of hard copies of personal data, it must be shredded.

4. Data breach

Staff are required to be vigilant about possible data breaches which could occur through hacking/phishing. If in doubt about the source of an email or whether it is genuine, please do not open it and check with the Hall Director or IT support first.

If staff suspect a data breach (e.g. that personal data has got into the public domain), please report it to the Clerk asap, who will report it to the Information Commissioner's Office within 72 hours. Staff must ensure that they always complete Windows updates when prompted.

 

The Skinners' Company GDPR Policy - Revised November 2020