Data Protection Policy
KCA is an ethical business which is committed to the correct handling, processing and use of any personal data which is shared with us by our customers. We recognise the highly sensitive nature of information retained about staff, carers and children in the organisations with which we work. We are committed to transparency in what personal data we collect and the purposes it is used for. This data protection policy sets out the clear principles we promise to uphold when you share data with our company.
- KCA recognises confidential information including personal data must be treated with the greatest of care and not divulged to anyone without authority to receive it
- KCA will only collect personal data necessary for the purposes of delivering services
- All electronic information held by KCA will be password/user profile protected at all times. KCA Staff and Associates ensure that third parties cannot access private information on the computer or from disks
- Written information assessed as confidential will be clearly marked as such to ensure it is only shared with the appropriate staff within KCA
- KCA does not sell or barter the personal data it holds to third parties for any commercial purposes
- Information obtained in the course of work carried out by KCA is confidential to the customer agency. However, if we feel an adult or child is at risk of significant harm, then we may need to communicate with statutory agencies outside of KCA
- KCA will take reasonable steps to delete and/or destroy personal data which is no longer required
- Anyone may access all personal data held about them by KCA on written request at any time. KCA will supply, correct, amend or delete any personal data about an individual or organisation at their request
- All breaches of information security, actual or suspected, will be reported to and investigated by the appropriate KCA personnel
Complying with the Law
KCA complies with the General Data Protection Regulations (GDPR) covering anyone processing personal data. As such we will ensure that data is:
- processed fairly, lawfully and in a transparent manner
- collected for specified, explicit and legitimate purposes and any further processing is completed for a compatible purpose
- adequate, relevant and limited to what is necessary for the intended purposes
- accurate, and where necessary, kept up to date
- kept in a form which permits identification for no longer than necessary for the intended purposes
- processed in line with the individual's rights and in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
- not transferred to people or organisations situated in countries without adequate protection and without firstly having advised the individual
The Data Protection Requirements are not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the individual. In accordance with the Data Protection Requirements, KCA will only process personal data where it is required for a lawful purpose. Lawful purposes include (amongst others): processing necessary for performing a contract with the individual, for compliance with a legal obligation, or for the legitimate interest of the business.
Except in circumstances where we are required to by law, or where we feel an adult or child is at risk of significant harm and we need to communicate with statutory agencies outside of KCA, KCA will not process or share sensitive personal data without explicit consent and agreement from the person(s) involved.
We will process all personal data in line with data subjects' rights, in particular their right to:
- confirmation as to whether or not personal data concerning the individual is being processed
- request access to any data held about them by a data controller (see also Clause 15 Subject Access Requests)
- request rectification, erasure or restriction on processing of their personal data
- lodge a complaint with a supervisory authority
- data portability
- object to processing including for direct marketing
- not be subject to automated decision making including profiling in certain circumstances
What personal data does KCA collect and why?
It is assumed that all information shared with KCA may be recorded - we will not automatically hold 'off the record' discussions unless explicitly requested. This is in order to ensure that we have appropriate records to deliver the quality of bespoke service our customers have come to expect.
There are two general categories of personal data we collect from our customers:
- the information you give us - for example contact details, survey responses, organisational or strategic background
Generally this data is either requested from our customers directly by KCA or provided in the course of us providing services. At the simplest level this allows us to deliver effective services, for example by being able to contact participants for a training session or helping us tailor a presentation to an organisation's needs. We will only seek the basic information we need to deliver services. It should be noted though, that KCA staff are expected to record all contact with customers (such as written e-mails or verbal phone conversations) in our database to ensure we have a clear background to improve our service to customers.
Information provided for feedback such as through surveys may be used by KCA or the relevant customer agency for evaluation purposes. In most circumstances data will be anonymised and collated to avoid identification of specific individuals. In any circumstance where this is unavoidably not the case, KCA will make seek clear explicit consent to use or share any such data.
All information shared will be treated as confidential to the customer agency until we are told otherwise. Information will be held within our secure KCA Connected database and is accessible only via password/user profile protected means.
Where KCA collects personal data directly from an individual we will endeavour to minimise its use as much as possible. We will not disclose personal data to any third parties.
We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
If you do not wish your personal data to be recorded or held by KCA you may withdraw your consent at any time by contacting us (see Our Pledge below).
information automatically generated - for example personal data collected by our systems, such as the KCA Training website
When you access KCA via the internet certain data will be collected, such as your IP address or your internet browser type and settings. This may be through visiting our website, or for many of our customers by accessing the online services supplied through our KCA Connected platform. Occasionally KCA will use this data for the purposes of making its systems more efficient. Data used in this way will be anonymised and collated so that individuals are not identified.
Our pledge to transparency
KCA wishes to make sure that our customers are in control of the personal data held on our systems about them. If you would like to make a request for any personal data KCA holds on you or from your organisation then please contact us at firstname.lastname@example.org . We will endeavour to respond to requests as quickly as possible and in any instance within one month.
We take personal data security seriously - the KCA Board will investigate all allegations of personal data misuse immediately. If you suspect KCA of a breach of data security please contact the organisation immediately at email@example.com or by calling 01453 488400.
KCA reserve the right to change this policy at any time. Where appropriate, we will notify changes by mail or email.