Nightingale Tutors Ltd.

Data Protection & Personal Data Policy

Updated in accordance with GDPR 2021

Introduction

This Policy covers refers to both General Data Security and Personal Data Security and usage and is designed to reflect our commitment to uphold both the Data Protection Act 1998 and General Data Protection Regulations (GDPR) 2018.

Nightingale Tutors needs to gather and use certain information about individuals.

These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This Policy describes how this Personal Data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.

This document further outlines our understanding of our obligations under General Data Protection Regulation (GDPR) and provides detail as to how we fulfil these requirements.

This Data Protection Policy ensures that Nightingale Tutors

• Complies with Data Protection Law and follow Good Practice
• Protects the rights of staff, customers and partners
• Is open about how it stores and processes individuals’ data
• Protects itself from the risks of a data breach

Responsibilities

Everyone who works for or with Nightingale Tutors has some responsibility for ensuring data is collected, stored and handled appropriately.

Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:

The Managing Director [Sarah Douglas], is responsible for:

• Ensuring that Nightingale Tutors meets its legal obligations.
• Reviewing all data protection procedures and related policies, in line with an agreed schedule.
• Arranging data protection training and advice for the people covered by this policy.
• Handling data protection questions from staff and anyone else covered by this policy.
• Dealing with requests from individuals to see the data Nightingale Tutors holds about them (also called ‘subject access requests’).
• Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
• Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
• Performing regular checks and scans to ensure security hardware and software is functioning properly.
• Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.

Staff Guidelines

• The only people able to access data covered by this policy should be those who need it for their work.
• Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
• Nightingale Tutors will provide training to all employees to help them understand their responsibilities when handling data.
• Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
• In particular, strong passwords must be used and they should never be shared.
• Personal data should not be disclosed to unauthorised people, either within the company or externally.
• Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
• Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.

Policy Scope 

This Policy applies to:

• All staff of Nightingale Tutors
• All contractors, suppliers and other people working on behalf of Nightingale Tutors

It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998.

This can include:

• Names of individuals
• Postal addresses
• Email addresses
• Telephone numbers
• …plus any other information relating to individuals

Personal Data Definition under GDPR

Personal Data:  “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”;

Data Protection Law

The Data Protection Act 1998 describes how organisations — including Nightingale Tutors — must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act is underpinned by eight important principles.

These say that Personal Data must:

• Be processed fairly and lawfully
• Be obtained only for specific, lawful purposes
• Be adequate, relevant and not excessive
• Not be held for any longer than necessary
• Processed in accordance with the rights of data subjects
• Be protected in appropriate ways
• Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection

Personal Data held by Nightingale Tutors

Nightingale Tutors holds the following categories of Personal Data:

• Employee, Client, Contractor and Supplier contact and payment details.
• Artwork and source materials for personalised projects (eg business cards, participants lists and invitations)
• Project based administration such as Estimates, Invoices, Status Sheets, Job Lists.

We hold and process this data on the lawful basis that it is necessary for us to comply with our contract obligations, and that it is in our legitimate interest to do so.

All data is stored securely and is processed for the purpose it was collected only.

Data Use 

Personal data is of no value to Nightingale Tutors unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

• When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
• Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
• Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorised external contacts.
• Personal data should never be transferred outside of the European Economic Area.
• Employees should not save copies of personal data to their own computers.
• Always access and update the central copy of any data.

Data Storage 

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or data controller.

When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.

These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

• When not required, the paper or files should be kept in a locked drawer or filing cabinet.
• Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
• Data printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

• Data should be protected by strong passwords that are changed regularly and never shared between employees.
• If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
• Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing services.
• Servers containing personal data should be sited in a secure location, away from general office space.
• Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
• Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
• All servers and computers containing data should be protected by approved security software and a firewall.

Data Accuracy 

The law requires Nightingale Tutors g to take reasonable steps to ensure data is kept accurate and up to date.

The more important it is that the personal data is accurate, the greater the effort Nightingale Tutors should put into ensuring its accuracy.

It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

• Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
• Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
• Nightingale Tutors will make it easy for data subjects to update the information Nightingale Tutors holds about them. For instance, via the company website.
• Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
• It is the marketing manager’s responsibility to ensure marketing databases are checked against industry suppression files every six months.

Data Protection Risks 

This policy helps to protect Nightingale Tutors from some very real data security risks, including:

• Breaches of confidentiality. For instance, information being given out inappropriately.
• Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
• Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

Individuals’ Rights under GDPR

In addition to specifying the criteria under which we can hold your Personal Data, GDPR provides rights for the individual in relation to the use of this Personal Data.

Nightingale Tutors understands these rights, and we ensure that the following are upheld.

To be informed

You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights.

We fulfil this right by giving you this notice.

Access to your Personal Data 

You can request access to a copy of your Personal Data which we process as a Data Controller, together with details of why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making.

Nightingale Tutors recognise that EU citizens have the right access the Personal Data we hold on them.

We understand that we must make it possible to honour these requests (read ‘demands’) within one month.

Right to withdraw consent

If you have given us your consent, you can withdraw that consent at any time.   Please contact us if you want to do so.

If you withdraw your consent, we may not be able to provide certain products or services to you. If this is the case, we will tell you.

Right to object

You may object to our processing of your Personal Data by us, where this processing is based on our legitimate interests or in the public interest.

We will assess whether our interest in continuing to process your Personal Data overrides your rights and freedoms. If not, we will stop processing your Personal Data.

Either way, we will inform you of the outcome.

You have the right to object to direct marketing (including marketing-related profiling) and if you do so, we must stop these types of activities.

Nightingale Tutors only processes your Personal Data for the fulfilment of our contract to you, and for our legitimate interest. We do not at this time perform direct marketing.

Rectification

You can ask us to change or complete any inaccurate or incomplete personal data held about you.

Nightingale Tutors recognise that EU citizens have the right to request that we amend their Personal Data.

We understand that we must make it possible to honour these requests (read ‘demands’) within one month.

Erasure

This is also known as “the right to be forgotten” and this means that you can ask us to delete your Personal Data where it is no longer necessary for us to use it, you have withdrawn consent (where applicable), or where we have no lawful basis for keeping it or otherwise using it.

There are limited exceptions, for example where we need to use the information to bring or defend a legal claim.

Nightingale Tutors recognise that EU citizens have the right to request that we delete their Personal Data.

We understand that we must make it possible to honour these requests (read ‘demands’) within one month.

Portability

You can ask us to provide you or a Third Party with some of the Personal Data that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred.

This is limited to Personal Data you have provided with your consent or in relation to the products you have with us, and which we process by automated means, such as your account transaction data.

Nightingale Tutors recognise that EU citizens have the right to request that their Personal Data is able to be supplied in an easily transferable format.

We understand that we must make it possible to honour these requests (read ‘demands’) within one month.

Restriction

You can ask us to restrict the Personal Data we use about you when:

• it is inaccurate;
• you have asked for it to be erased;
• you have objected to our use of it; or
• where you need this for the bringing or defending of legal claims.

When you have asked us to restrict the use of your Personal Data we may still store your information but will not use it further without your consent, unless we need to process it:

• to bring or defend legal claims;
• to protect the rights and freedoms of other individuals; or
• for other important public interest reasons.

Nightingale Tutors recognise that EU citizens have the right to request that the use of their Personal Data is restricted.

We understand that we must make it possible to honour these requests (read ‘demands’) within one month.

Personal Data and Third-Parties

We do not share Personal Data with Third-Parties for any reason other than fulfilling our contractual, legal and business obligations (eg. our bank, accountants, and insurers).

The Third-Parties with whom we share our information understand their obligations and your rights according to GDPR.

Nightingale Tutors does not engage in the following:

• We do not use ‘cookies’, or collect Personal or Device Data from visitors to our website
• We do not share your Personal Data for promotional or advertising purposes.
• We do not sell your Personal Data for promotional or advertising purposes.

Personal Data Process Record Keeping

According to Article 30, companies with fewer than 250 employees, who only process EU residents occasionally, are not required to hold internal records of processing activities unless the processing of data could risk an individual’s rights or freedoms, or if it pertains to criminal activity.

As Nightingale Tutors and our activities meet these criteria we do not currently hold Records of this kind.

Data Protection Officer

As a small business we do not have a requirement for a formal Data Protection Officer.

This is on the basis that we not engage in “regular and systematic monitoring of data subjects on a large scale”, and do not collect information relating to any of the following:

• criminal convictions
• ethnicity
• religious or philosophical beliefs
• political opinions
• trade union membership details
• health
• sex life, or sexual orientation

We understand that the role of Data Protection Officer is to “inform and advise” on data collection practices and monitor compliance, as well as acting as the point of contact with the data protection authority, which in the UK is the Information Commissioner’s Office.

Senior employees are aware of our obligations under GDPR, and work in collaboration with the Managing Director to ensure that we are compliant at all times.

Data Breach Policy

Any breach of Data Security should be reported to the Managing Director immediately upon discovery.

Serious breaches (that is, any breach which has an impact on the rights of data subjects) must be reported immediately to the regulator (in the UK this is the Information Commissioner’s Office (ICO)). This should be within 24 hours where possible, but at least within 72 hours.

EU Citizens GDPR Data Requests

Nightingale Tutors recognise that EU citizens have the right to request that we delete, amend, or move their data to a different organisation.

We understand that we must make it possible to honour these requests (read ‘demands’) within one month.

Such requests should be made in writing to:

Sarah Douglas

Managing Director, Nightingale Tutors Ltd.