Coote O’Grady is committed to protecting the rights and freedoms of individuals in accordance with the provisions of the Data Protection Act 2018. This Policy sets out the obligations of Coote O’Grady with regard to data protection and the rights of the data subject (e.g. clients, business contacts, website users) in respect of their personal data under the Data Protection Act 2018.
This Policy relates to the Data Protection Act 2018 and sets out Coote O’Grady’s internal procedures for processing personal data. This Policy must therefore be adhered to by the Company, its employees, contractors, or other parties employed by the Company. This Policy applies to data held either manually or within electronic systems that are employed for the processing of personal and sensitive personal data.
THE DATA PROTECTION PRINCIPLES
The Policy aims to ensure compliance with the Data Protection Act 2018, which requires that organisations (data controllers) process personal data in accordance with the eight Data Protection Principles.
All Coote O’Grady employees who process personal data must comply with them. Personal data shall:
1. be processed fairly and lawfully.
2. be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. be accurate and, where necessary, kept up to date.
5. not be kept for longer than is necessary for that purpose or those purposes.
6. be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The Act defines personal data as “data which relates to a living individual” who can be identified:
a. from those data, or
b. from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
The Act also defines sensitive personal data, which relates to personal data relating to the racial or ethnic origin of the data subject, their sexuality, beliefs, trade union membership and other protected characteristics. Coote O’Grady only collects information that is relevant to its dealings with a given data subject. The data is collected in accordance with the data protection principles mentioned above.
PROCESSING OF PERSONAL DATA
Any and all personal data collected is collected in order to ensure the best possible service for our clients, and so we can effectively and efficiently manage our employees and contractors. Coote O’Grady may also use personal data in meeting certain objectives. We will only collect and process personal and sensitive data that has been obtained fairly and lawfully and for a specific set of purposes or where we have a legitimate purpose(s) under the law to do so. Data will be adequate and relevant and only used for the purposes collected. It will be maintained, kept accurate with the help of the individual and not retained for any longer than is necessary. Data collected by the Company gathered by Cookies and other forms of encryption will be processed to the same standard. We will ensure personal or sensitive personal data is processed in line with the law, kept both secure and confidential at all times and ensure all individuals governed by this policy will:
• Only access and process data that they are authorised to on behalf of Coote O’Grady
• Adhere to all Information Security frameworks and Data Protection procedures supporting this policy
• Only share information with third parties where it is fair and legal to do so and in accordance with published fair processing notices
• Apply the ICO good practice codes in Subject Access Request, Data Sharing, Privacy Impact Assessments and Employment Practice Code.
We will ensure that all individuals about whom we collect and process personal information are made aware, via privacy statements/notices etc., of the identity of the data controller and data processor, the reasons why personal and sensitive personal data are required to be processed by the respective parties, how their information will be processed, securely stored and disposed of, and when we need their consent to collect and to share this information. Coote O’Grady will not share or sell your data to other third-party organisations for the purposes of marketing or promotion of goods and services. However, Coote O’Grady may contact you with information about other services which are relevant, similar or complement existing services which you already receive.
DATA PROTECTION PROCEDURES
Coote O’Grady will ensure that its employees, contractors or other parties working on behalf of the company will undertake data protection and Information Security training. As part of this they will be accountable to embed and promote good information handling and security, and apply the eight data protection principles. All new starters of the Company will undertake training within three months of starting and as and when the law requires. We are committed to ensuring that all appropriate technical and organisational measures are taken to protect the confidentiality, security and integrity of the personal data we hold.
Coote O’Grady will take all reasonable measures and actions to meet its obligations under the Act as data controllers. It will ensure correct data processing requirements are in place to protect individuals’ personal data where it is shared with third parties (data processors) who are acting under our instruction to process individuals’ personal data on our behalf. We will ensure that all personal or sensitive personal data is only shared when legally required except as required by law. We will ensure that all individuals about whom we collect and process personal information are made aware, via privacy statements/notices etc., of the identity of the data controller and data processor, the reasons why personal and sensitive personal data are required to be processed by the respective parties, how their information will be processed, securely stored and disposed of, and when we need their consent to collect and to share this information.
RIGHTS OF DATA SUBJECTS
Coote O’Grady recognises that data subjects (including employees) have a number of rights under the Data Protection Act 1998, including:
• The right to access personal data (subject access requests): Individuals can make a request in writing and be provided with a copy of their personal data that they are entitled to under the Act. Coote O’Grady will charge a £10 administration fee per subject access request and will respond within 40 calendar days as defined in the Act.
• To request that personal data is not processed for one or more purposes by a data controller.
• To request that their personal data is deleted or corrected if they believe the information is excessive or out of date. We will abide by the applicable requirements of the Act and respond within 21 calendar days of receiving the request.
• To opt out of processing for direct marketing purposes
• Disclosure of personal data shall be assessed in line with the exemptions of disclosure as defined in the Act. Third party data will be deemed confidential and will only be disclosed or shared with the consent of the individual or where we are legally obliged to under the Law.
PRIVACY NOTICES AND CONSENT
Coote O’Grady recognises that data subjects (including employees) have the right to be provided with information about how and why we process your personal data. Where you have the choice to determine how your personal data will be used, we will ask you for consent. Where you do not have a choice (for example, where we have a legal obligation to process the personal data), we will provide you with a privacy notice. A privacy notice is a verbal or written statement that explains how we use personal data. Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at any time.
RIGHT TO RESTRICTION OF PROCESSING
You can ask us to restrict the processing of your personal data in the following circumstances:
• You believe that the data is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurate
• The processing is unlawful and you want us to restrict processing rather than erase it
• We no longer need the data for the purpose we originally collected it but you need it in order to establish, exercise or defend a legal claim and
• You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.
Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.
NOTIFICATION TO THE INFORMATION COMMISSIONER
Under the Data Protection Act 1998 Coote O’Grady is required to notify the Information Commissioner of the purposes for which it processes personal data. This notification is renewed annually and recorded in the Data Protection Public Register. Coote O’Grady’s registration number is A8257515. The Partners of Coote O’Grady are responsible for reviewing the annual notification and ensuring they report changes or new forms of processing to the designated Data Controller, who will make the necessary arrangements to notify the Information Commissioner’s Office (ICO) on behalf of the company. Any changes should be notified within 28 days of them taking place. The Data Controller or each company should periodically check their registration to ensure it continues to meet all their data processing activities.
MAKING A COMPLAINT
If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right immediately. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office (ICO). The ICO can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Copyright © 2020 Coote O'Grady - All Rights Reserved.
Coote O’Grady is a limited company registered in England and Wales.
Registered number: 10169973. Registered office: 14 Station Road, East Boldon, NE36 0LD