Yeomans Press Limited (The Company) includes all trading names associated with it such as Yeomans Mailing.
The Company is committed to protecting the rights and privacy of individuals in accordance with the Data Protection Act 1998 (‘the Act’).
The Company’s business requires that it process certain information about individuals, both in using its own data sets and those of its clients and other third parties.
To comply with the Act itself, the Company has to be open about how personal information is used and must follow the eight data protection principles of good information handling. This is a requirement in law and applies to all personal data for which the Company is the data controller or processor.
Personal data about individuals must be collected and used fairly, stored securely and not unlawfully disclosed; the data protection principles are summarised below.
The principles state that personal data shall:
All staff, or any other person appointed by the Company to process personal data on its behalf, must ensure that they observe the data protection principles at all times.
Data that relates to a living individual who can be identified from that information or from that data and other information in possession of the data controller or processor. For example name, address, telephone number. Personal data includes any expression of opinion about the individual and any indication of the intentions of the data controller or processor in respect of that individual.
Sensitive Personal Data:
This is distinct from non-sensitive personal data and is specifically listed in the Act. It entails race or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions. To legitimise the processing of sensitive personal data the Act demands a stricter conditional requirement.
Any person (an individual or legal person) who either alone or in common with other persons determines the purposes for which and the manner in which any personal data are to be processed. Most clients providing data for use by the Company are Data Controllers.
In relation to personal data, means any person who processes the data on behalf of the data controller. The Company acts as Data Processor for all of its clients.
A living individual who is the subject of personal data.
In relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data.
In relation to personal data, means any person other than a) the data subject b) the data controller or c) the data processor or other person authorised to process data on behalf of the data controller.
Relevant Filing System
Any paper filing system or other manual filing system which is structured in such a way that information about an individual is readily accessible.
This document was adopted as a policy on Monday 2nd February 2009 and is effective as of that date.
The policy will be subject to review at not less than two-yearly intervals.
A breach in the Company’s Data Protection policy can result in disciplinary action.
Data Protection Officer:
The Company’s Data Protection Officer is responsible for drawing up guidance for best practice and for promoting policy compliance.
Senior Managers & Directors:
Senior Managers and Directors have a responsibility to ensure that data protection issues within their areas are managed in a way that meets the provisions of the Company’s data protection policy.
Compliance with the provisions of the Act is the responsibility of all members of the Company’s staff or employ who process personal information.
6. Confidentiality, Storage & Data Security:
The confidentiality of all personal information, either as Data Controller or Data Processor, is a matter that the Company takes very seriously. The Company will ensure all reasonable steps are taken to comply with the principles of the Data Protection Act 1998.
Personal data referring to staff will be kept securely and access will only be permitted by authorised personnel.
Third party data upon which the Company is acting as Data Processor will be kept suitably safe so as to comply with the principles of the Data Protection Act 1998.
All staff are responsible for ensuring that any personal data they hold or have been charged with responsibility for (in the role of data processor) is always maintained securely and not disclosed to any unauthorised third party.
All data storage systems will be at least password protected. Rights of access will only be granted to those persons with a legitimate need to process the data.
Any manual storage systems will not be left where they can be accessed by unauthorised personnel.
All staff should take the greatest care to ensure that personal data is not disclosed either orally or in writing to any unauthorised third party.
Staff should note that unauthorised or unlawful processing of personal data is a disciplinary matter, and in some cases may be considered as gross misconduct.
Data should not be kept for longer than is necessary for the purpose for which it was collected. Where the Company is acting as Data Processor, the data will be stored for a maximum of six months. This period is determined as the time in which clients can make a query in regard to the use of the data, and the Company shall retain the data for checking purposes. Following six calendar months, the data and all associated articles will be removed from all data storage systems.
Any Data Controller can request in writing that their data be kept for longer than the period as set out in section 6.9. This application should be made to the Data Protection Officer and should in all cases be reviewed on an annual basis.
Where the Data Controller is renting the data to a third party or client of the Company, and the Company is entrusted with the data for a specific purpose or purposes, extra care will be taken to ensure that the third party or client cannot obtain access to the data without the Data Controller’s express permission.
The Company shall recommend, where appropriate, the cleansing of databases obtained by Data Controllers to ensure that data subjects are protected from misuse of the data. In particular, this covers the screening of data against the relevant Preference Service (MPS, FPS, TPS) and the removal of individuals classed as “goneaway” and those persons notified as deceased.
An individual or organisation may contact the Company to ask for corrections to their information or removal from databases. This request should be acted upon within 60 days of receipt of the request.
In the instance of point 7.2, where the Company is acting as Data Processor, the Data Controller will be notified in writing not less than 45 days from receipt of the request.
8. Data Collection
Where the Company is acting as data collector, or has been asked to retrieve or collate data from a data collection source, the Company shall make all reasonable efforts to ensure that the data has been collected lawfully.
Any physical form on which data has been collected should bear a clear and prominent data protection statement explaining the purpose for which the collected data will be used and to whom the data may be disclosed.
Where collected data is to be used by third parties the Company shall advise the collector on best practice. Best practice advises that individuals shall be required to opt-in to allow data sharing.
9. The Right to Access Personal Data:
The Data Protection Act 1998 gives individuals who are the subject of personal data (known in the Act as ‘data subjects’) a general right of access to personal data that relates directly to them. Consequently, under the provisions of the Act, a data subject can ask the Company to provide him/her with any information that relates directly to them as an individual.
The Company will charge a £10.00 administration fee for servicing a data subject access request, and needs to be in receipt of the written request, proof of identity and the administration fee before any such information will be released. The maximum 40-day time limit for servicing a request (prescribed in the Act) will be calculated from the day on which the Company receives the written request.
All data subject access requests must be in writing.
All requests should be addressed to:
The Data Protection Officer
Yeomans Press Ltd
12 Branbridges Industrial Estate
10.1 The Data Protection Act 1998 requires the Company to notify the Information Commissioner of the personal data it is processing and the purposes for which it is being processed – this exercise takes place in February of each year when the Company reviews its notification.
10.2 The Notification exercise is the responsibility of the Company’s Data Protection Officer.
10.3 Details of the Company’s notification are published on the Information Commissioner’s website.