1       PURPOSE

At Keysoe International Limited and Keysoe Cuddle Therapy Ponies CIC (collectively referred to as Keysoe International Ltd.), we are committed to compliance with the requirements of the Data Protection Act 2018, the UK GDPR and all other data protection legislation currently in force.

This policy is designed to ensure that Keysoe processes personal data responsibly and in compliance with these laws, demonstrates accountability, establishes data security standards, and builds trust with those whose data they process.

If you have any questions or comments about the content of this policy or if you need further information, you should contact our Data Protection Officer (who has overall responsibility for data protection), Jan Mirecki, Head of IT, at jmirecki@fullsupportgroup.com or Head of IT, Keysoe International, Church Rd, Keysoe, MK44 2JP.

2       REFERENCE DOCUMENTS

KIP-0023              Data Breach Policy

KIP-0025              Data Subject Request Policy and Procedure

KIP-0026              Privacy Notice for Employees and Contractors

3       ICO REGISTRATION

Keysoe International Limited                       Registration Reference: ZB057924

Keysoe Cuddle Therapy Ponies CIC           Registration Reference: ZB572803

4       WHO AND WHAT THIS POLICY APPLIES TO

This policy applies to all team members (including employees, agency staff, self-employed colleagues, student learners, etc.) and to any personal (or sensitive personal) information and criminal records information processed by Keysoe.

5       DEFINITIONS

Controller
A controller is a natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Subject
Means the individual to whom the personal information relates.

Participant

Those who engage with Keysoe services are referred to as participants.

Personal Information
Sometimes known as personal data means information relating to an individual who can be identified (directly or indirectly) from that information.

Processing Information
Means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it.

Processor
The UK GDPR defines a processor as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Pseudonymised
This is the process by which personal information (or sensitive personal information) is processed in such a way that it cannot be used to identify an individual without the use of additional information, which is kept separately and subject to technical and organisational measures to ensure that the personal information cannot be attributed to an identifiable individual.

Sensitive Personal Information
Sometimes known as ‘special categories of personal data’ or ‘sensitive personal data’, means personal information about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetics information, biometric information (where used to identify an individual) and information concerning an individual’s health, sex life or sexual orientation.

6       POLICY

6.1      Data Protection Principles

Keysoe endorses fully and adheres to the Data Protection Principles listed below. When processing data, we will ensure that it is:

• processed lawfully, fairly and in a transparent way
• processed no further than the legitimate purposes for which that data was collected
• limited to what is necessary in relation to the purpose
• accurate and kept up-to-date
• kept in a form which permits identification of the data subject for no longer than is necessary
• processed in a manner that ensures the security of that personal data and protects against unauthorised or unlawful processing and accidental loss, destruction, or damage
• processed by a controller who can demonstrate compliance with the principles

These principles must be observed at all times when processing or using personal information.

6.2      The Basis for Processing Personal Information

Concerning any processing activity, we will, before the processing starts for the first time, and then regularly while it continues:

• Review the purposes of the processing activity and select the most appropriate lawful basis (or bases) for that processing, for example:
  • That the data subject has consented to the processing;
  • That the processing is necessary for the performance of a contract to which the data subject is a party;
  • To take steps at the request of the data subject before entering into a contract;
  • That the processing is necessary for compliance with a legal obligation to which Keysoe is subject;
  • That the processing is necessary for the protection of the vital interests of the data subject or another natural person;
  • That the processing is necessary for the performance of a task carried out in the public interest or exercise of official authority; or
  • That the processing is necessary for the legitimate interests of Keysoe or a third party, except where those interests are overridden by the interests of fundamental rights and freedoms of the Data Subject
• Document our decision as to which lawful basis applies to help demonstrate our compliance with the data protection principles
• Include information about both the purposes of the processing and the lawful basis for it in our relevant privacy notice(s)
• If processing is based on legitimate interests, determine whether Keysoe’s legitimate interests are the most appropriate basis for lawful processing, and:
  • Conduct a Legitimate Interest Assessment (LIA) and keep a record of it to ensure that we can justify our decision;
  • If the LIA identifies a significant privacy impact, consider whether we also need to conduct a data protection impact assessment (DPIA);
  • Keep the LIA under review and repeat it if circumstances change; and
  • Include information about our legitimate interests in our relevant privacy notice(s)

6.3      Sensitive Personal Information

Keysoe may need to process sensitive personal information. We will only process sensitive personal information if:

• We have a lawful basis for doing so set out above; and
• One of the special conditions for processing sensitive personal information applies, for example:
  • The data subject has given explicit consent so that Keysoe can provide its services
  • The processing is necessary for exercising the employment law rights or obligations of Keysoe or the data subject
  • The processing is necessary to protect the data subject’s vital interests, and the data subject is physically incapable of giving consent
  • The processing relates to personal data, which are manifestly made public by the data subject
  • The processing is necessary for the establishment, exercise, or defence of legal claims; or
  • The processing is necessary for reasons of substantial public interest
• The individual has been properly informed of the nature of the processing, the purposes for which it is being carried out, and the legal basis for it

6.4      Criminal Records Information – Team Members

Criminal records information will be processed lawfully and following Keysoe’s requirements for DBS (Disclosure and Barring Service) checks as per the DBS checks: guidance for employers.

Where criminal offence information is processed, Keysoe will also identify a lawful condition for processing that information and document it.

6.5      Data Protection Impact Assessments (DPIAs)

Before any new form of technology is introduced and where data processing is likely to result in a high risk to an individual’s data protection rights, we will, before commencing the processing, carry out a DPIA to assess:

• Whether the processing is necessary and proportionate concerning its purpose
• The risks to individuals
• What measures can be put in place to address those risks and protect personal information

During any DPIA, the Data Protection Officer will seek appropriate advice from data protection experts and/or the relevant governing bodies/authorities (for example, the ICO).

6.6      Documentation and Records

We will keep records of processing activities, including:

• A description of the categories of individuals and categories of personal data;
• Categories of recipients of personal data;
• The purposes of the processing;
• Where relevant, details of transfers to third countries, including documentation of the transfer mechanism safeguards in place;
• Where possible, retention schedules; and
• Where possible, a description of technical and organisational security measures

As part of our record of processing activities, we document, or link to documentation, on:

• Records of consent
• Controller-processor contracts
• The location of personal information
• DPIAs; and
• Records of data breaches

If we process sensitive personal information or criminal records information, we will keep written records of:

• The relevant purpose(s) for which the processing takes place, including (where required) why it is necessary for that purpose;
• The lawful basis for our processing; and
• Whether we retain and erase the personal information following our policy document and, if not, the reasons for not following our policy

We will regularly review the personal information we process and update our documentation accordingly. This may include:

• Carrying out information audits to find out what personal information Keysoe holds and how we process it
• Reviewing our policies, procedures, contracts, and agreements to address areas such as retention, security, and data sharing

6.7      Privacy Notices

Keysoe will issue privacy notices from time to time, informing individuals about the personal information that we collect and hold relating to them, how they can expect their personal information to be used and for what purposes.

We will take appropriate measures to provide information in privacy notices in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.

6.8      Individual Rights

Individuals have the following rights concerning their personal information:

• The right to access personal data held about them (the right of subject access);
• The right to be informed about how and why their data is used – and you must give them privacy information;
• The rights to have their data rectified, erased or restricted;
• The right to object;
• The right to portability of their data; and
• The right not to be subject to a decision based solely on automated processing

Note: Some exemptions and restrictions can, in some circumstances, be legitimately applied to exempt or qualify the right of individuals to exercise their rights.

For example:

• If fulfilling the request would undermine the prevention, investigation, detection, or prosecution of criminal offences
• If the processing of personal data is necessary for the establishment, exercise, or defence of legal claims
• If fulfilling them would infringe upon the rights and freedoms of others, including trade secrets or intellectual property

 

6.9      Team Member Training

All Keysoe team members with access to personal or sensitive data will be required to complete our data protection training module on iHasco. Updates will also be provided during team meetings.

6.10    Individual Team Member Obligations

6.10.1   Updating Personal Information

Team members are responsible for helping Keysoe keep their personal information up to date and must let us know if the information they have provided to us changes, for example, if they move to a new house or change their bank account.

6.10.2   Accessing Other’s Data

You may have access to the personal information during your employment or engagement.

If you have access to personal information, you must:

• Only access the personal information that you have authority to access, and only for authorised purposes
• Only allow other team members to access personal information if they have appropriate authorisation
• Only allow individuals who are not Keysoe team members to access personal information if you have specific authority from the Data Protection Officer to do so
• Keep personal information secure, for example, by complying with rules on computer access, password protection, secure file storage and destruction, etc
• Not store personal information on personal devices

You should contact the Data Protection Officer if you are concerned or suspect that one of the following has taken place (or is taking place or is likely to take place):

• Processing of personal data without a lawful basis for its processing or, in the case of sensitive personal information, without one of the conditions being met;
• Any data breach as set out below;
• Access to personal information without the proper authorisation;
• Personal information not kept or destroyed securely;
• Removal of personal information, or devices containing personal information (or which can be used to access it), from Keysoe’s premises without appropriate security measures being in place;
• Any other breach of this policy or any of the data protection principles set out above

 

 

6.11    Information Security

Keysoe will use appropriate technical and organisational measures to keep personal information secure and to protect against unauthorised or unlawful processing and accidental loss, destruction, or damage. These may include:

• Ensuring that team members are aware of their responsibilities in relation to data security;
• Ensuring that, where possible, personal information is pseudonymised or encrypted;
• Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

In rare cases where Keysoe uses external organisations to process personal information on its behalf, additional security arrangements need to be implemented in contracts with those organisations to safeguard the security of personal information. In particular, contracts with external organisations must provide that:

• The organisation may act only on the written instructions of Keysoe;
• Those processing the data are subject to a duty of confidence;
• Appropriate measures are taken to ensure the security of processing;
• Sub-contractors are only engaged with the prior consent of Keysoe and under a written contract;
• The organisation will assist Keysoe in providing subject access and allowing individuals to exercise their rights under the GDPR;
• The organisation will assist Keysoe in meeting its GDPR obligations concerning the security of processing, the notification of data breaches and data protection impact assessments;
• The organisation will delete or return all personal information to Keysoe as requested at the end of the contract; and
• The organisation will submit to audits and inspections and provide Keysoe with whatever information it needs to ensure that they are both meeting their data protection obligations.

6.12    Storage and Retention of Personal Information

Personal information (and sensitive personal information) will be kept securely following Keysoe’s principles below:

• Personal information (and sensitive personal information) should not be retained any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal information was obtained.
• Personal information (and sensitive personal information) that is no longer required will be deleted permanently from our information systems, and any hard copies will be destroyed securely.

 

 

6.13    Data Breaches

A data breach may take many different forms, for example:

• Loss or theft of data or equipment on which personal information is stored;
• Loss of data resulting from an equipment or systems failure;
• Human error, such as accidental deletion or alteration of data;
• Unforeseen circumstances, such as a fire or flood;
• Deliberate attacks on IT systems; and
• ‘Blagging’ offences, where information is obtained by deceiving the organisation which holds it.

In the event of a Data Breach, Keysoe will:

• Immediately take such steps as are necessary to minimise the risk to team members, participants, and the organisation
• Risk assesses the situation and determine what steps need to be taken
• Make the required report of a data breach to the Information Commissioner’s Office without undue delay and, where possible, within 72 hours of becoming aware of it if it is likely to result in a risk to the rights and freedoms of individuals;
• Notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms, and notification is required by law
• Take steps as necessary to ensure that similar breaches cannot happen again

6.14    International Transfer of Data

Keysoe does not intend to transfer personal information outside the UK or European Economic Area (EEA). However, some of the software we may use to store personal data (email, HR Software) may be hosted in either the EEA or the USA.

We have determined that this data is secure on the basis that that country, territory and/or organisation is designated as having an adequate level of protection and has provided adequate safeguards by way of acceptable data protection clauses.

6.15    Selling Data

At Keysoe, we are committed to upholding the highest standards of data protection and privacy and want to assure all individuals that we will never sell or trade personal data to any third parties.

The personal information of our team members and participants is treated with the utmost respect and confidentiality and is used solely for the purposes described below.

 

 

6.16    Children’s Data Protection

At Keysoe, we are committed to ensuring that children’s personal data is processed legally and in compliance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

We will implement robust procedures to safeguard the collection, storage, and use of children’s personal data, ensuring that it is only processed for legitimate purposes.

If we are relying upon parental consent (usually where a child is under 16 years of age or is not Gillick competent), we will provide the parent or guardian with clear privacy information on how their child’s data will be processed. However, we will ensure that children do not lose their rights as data subjects to transparency just because consent has been given by a holder of parental responsibility.

Therefore, where a child or young person has the capacity to understand, we will inform them about how their personal data will be processed, the purposes of that processing, and their rights under data protection law. This includes the right to access their data, request corrections, and withdraw consent where applicable.

6.17    Non-Compliance

Keysoe takes compliance with this policy very seriously. Failure to comply with the policy:

• Puts data subjects at risk
• Carries the risk of significant civil and criminal sanctions for the individual and Keysoe
• May, in some circumstances, amount to a criminal offence by the individual

Because of the importance of this policy, a team member’s failure to comply will usually be treated as gross misconduct and will result in their working or volunteering agreement or contract being terminated without notice.

If you have any questions or concerns about this policy, do not hesitate to contact the Data Protection Officer.

7       MONITORING AND REVIEWING

Keysoe International Ltd. is committed to ensuring our policies and procedures are effective and up-to-date. To do this, we have a process for regularly monitoring and reviewing them.

The Senior Management team are responsible for this process and will review the policies at least once a year or more frequently if needed due to changes in laws or our practices.

8       DATA PROCESSING INFORMATION

8.1      Internal Systems Used and Data Stored

The following core systems are used to store day-to-day operational information. Access is only provisioned to individuals with a legitimate need to know, and software access controls are managed internally under guidance from the Senior Management Team.

The systems typically used are:

• Microsoft (Word, Excel, Outlook, etc.)
• Bamboo HR (Team Member data)
• Sage Banking/Accountancy Software
• The Keysoe website (WordPress)
• The Keysoe on-site server

8.2      Physical Data Storage

At present, all participant data is stored in hard copy format and stored in locked filing cabinets in secure (locked) offices on the Keysoe site.

8.3      Data Sharing

Team member and participant data is only shared when required with the following individuals and organisations:

• HMRC and other Government Departments (e.g., to verify right to work, claim statutory benefits, etc.)
• Disclosure and Barring Service (team members only)
• Pension Providers (team members only)
• Other employers (where a reference for a team member is requested)
• Referring organisations (e.g., a school, college, Social Workers, etc., who refer participants to us)
• British Horse Society & Haddon Training (to track participant learning)
• Local Authority departments such as Safeguarding Teams and Social Services

8.4      Team Member Data Stored

This table details the specific data types that may be collected, the reason the data is processed, the legal/legitimate reason, and the expected retention period.

Information Type

Team Member Data

Data Stored

o        Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses o        Emergency Contact Details o        Date of Birth o        Gender o        Marital Status o        Evidence of right to work in the UK/immigration status (as required), which may include a Passport or other Identity Documents o        National Insurance Number o        Bank account details o        Work history o        Formal qualifications o        Professional registration o        Criminal Records Certificate (via the as required) o        Health data (e.g., allergies, disabilities, sickness records, etc., as required) o        Salary o        Pension information o        Benefits information o        Driving Licence o        Images and Video Surveillance (Please refer to our CCTV and Photographic and Marketing policies for further details)

Processing Reason

o        To manage employment, including recruitment, onboarding, training, and performance evaluations o        To process payments for salary/expenses, manage deductions, and administer benefits such as pensions o        To fulfil legal or sector requirements, e.g., completing criminal records checks, identity checks, right-to-work checks, driving and vehicle checks, etc., and reporting incidents to authorities o        To ensure compliance with health and safety regulations, including managing occupational risk assessments and monitoring workplace safety

Legal Interest/Legitimate Reason

o        Consent o        Contract o        Legal Obligation o        Public Task o        Legitimate Interests

Retention Policy

At least 5 years after the end of employment or working agreement, with the exception of DBS certificates, which will be securely destroyed within 6 months

8.5      Participant Data Stored

This table details the specific data types that may be collected, the reason the data is processed, the legal/legitimate reason, and the expected retention period.

Information Type

Participant Data

Data Stored

o        Personal contact details such as name, title, home addresses, telephone numbers, and personal email addresses o        Emergency Contact/Next of Kin/Parent/Guardian Details such as name, title, home addresses, telephone numbers, and personal email addresses o        Date of Birth o        Gender o        Religion o        Vulnerable groups o        Health data (e.g., allergies, disabilities, medication required and related medical condition, etc., as required) o        School/College o        Social Worker or other Professional Involvement o        Images and Video Surveillance (Please refer to our CCTV and Photographic and Marketing policies for further details)

Processing Reason

o        To deliver tailored alternative education provision based on individual needs o        To comply with health and safety regulations, ensuring the safety and well-being of our participants and team members o        To meet legal requirements, such as record-keeping for regulatory purposes or reporting incidents to authorities o        To ensure that appropriate action can be taken in emergencies, such as contacting medical professionals or emergency contacts o        To provide requested information to British Horse Society & Haddon Training (to track participant learning)

Legal Interest/Legitimate Reason

o        Consent o        Contract o        Legal Obligation o        Legitimate Interests

Retention Policy

At least 5 years following the end of service provision

 

9       SUBJECT ACCESS REQUESTS AND DATA RIGHTS

Data subjects have the right to access any personal data that is being kept about them by Keysoe. To do this, the data subject must make a ‘subject access request’.

To make a subject access request, the data subject should contact the Bata Protection Officer (their contact details can be found in the Purpose section of this policy).

Keysoe aims to deal with the subject access request as quickly as possible, and all requests will be completed within 30 days unless defined as complex. If the time exceeds 30 days, the requestor will be notified in writing.

Subject Access Requests coming directly from the data subject will be free. However, Keysoe can charge a fee if requests become unfounded or excessive.

Alternatively, we can refuse to comply with the request, for example, if the request is manifestly unfounded or manifestly excessive.

Please Note: We sometimes need to request specific information from a requestor to help us confirm their identity and ensure their right to access the information (or to exercise any of their other rights). This is an appropriate security measure to ensure that personal information is not disclosed to anyone with no right to receive it.

10     DATA PROTECTION EXPLAINED RESOURCES

NHS: How we use your information: easy read

The Information Commissioner’s Office: Data protection explained in three minutes

BBC: General Data Protection Regulation (GDPR)

BBC: The law and ethics, Data Protection Act.

BBC: What are my rights?

The Wall Street Journal: GDPR: What Is It and How Might It Affect You?

 

KIP-0024 Revision 2
Last updated November 2024