PRIVACY POLICY

1.              Introduction

This policy governs the use of personal information within Rcapital Partners LLP (the company) and its associated companies[1] so that all of our staff (Personnel) will have a clear idea of the limits of use of personal information, and, if necessary, where to go for further advice.

1.1           Purpose

This policy lays down the principles for the processing of personal information, whether it relates to team members, suppliers, guests, customers or other persons.  Personal information means any information relating to a living, natural person, who can be identified either directly or indirectly.  Processing personal information includes the obtaining, handling, processing, transporting, storing, destruction and disclosure of personal information.

This policy is not designed to replace practical advice from the Data Manager.  Nor is this policy intended to provide all the answers to questions concerning the use of personal information in particular areas, such as HR, IT or marketing.

Additional guidance notes on specific issues (e.g. Subject Access Rights) are also available from the company’s intranet.

1.2           Summary

The company and its associated companies will use personal information fairly, lawfully and transparently, in a manner consistent with their valid business interests while respecting the privacy rights of the individuals concerned.

1.3           Status of this policy

This policy has been approved by the board of the company.  Personnel who process personal information on behalf of the company and/or any of its associated companies must adhere to the terms of this policy and any breach will be taken seriously and may result in formal disciplinary action.

Personnel with any questions or concerns about the interpretation or operation of this policy should raise them in the first instance with their line manager (or other relevant person), or with the Data Manager.

Any Personnel who consider this policy has not been followed should raise this matter with the Data Manager.

1.4           Further advice

Further advice may be obtained from the Data Manager at compliance@rcapital.co.uk, 0845 293 9888 or 5th Floor, 24 Old Bond Street, London W1S 4AW.

2.              Governing Principles

2.1           Principles

Personal information will be used within the company and its associated companies by the relevant Personnel according to the principles of applicable data protection legislation (the “DP Legislation”), meaning the General Data Protection Regulation (EU 2016/679) (“GDPR”), the Data Protection Act 1998 (as amended) (“DPA”), the Privacy and Electronic Communications Regulations (SI 2003/2426) (as amended) and the Data Protection (Processing of Sensitive Personal Data) Order 2000.  The principles are as follows:

1.  Lawfulness, fairness & transparency

The DP Legislation seeks to ensure that processing is carried out lawfully, fairly and transparently, without adversely affecting the freedoms, interests and rights of the individual concerned.  For personal information to be processed lawfully, at least one legal condition has to be met.  These conditions include that the individual data subject has consented to the processing, or that the processing is necessary for the performance of a contract with the individual, for compliance with a legal obligation, to protect the vital interests of the data subject, or for the legitimate interests of the company and its associated companies or of the party to whom the information is disclosed.  The legal bases are described in more detail in section 3.

DP Legislation imposes specific requirements in relation to electronic marketing (e.g. email, apps, social media and SMS), telephone marketing and the use of tracking or profile analysis technology (e.g. to deliver targeted online advertising).  It is very important that you seek advice from internal teams, including the Data Manager before undertaking such activities on behalf of the company or any of its associated companies.

2. Purpose Limitation

Personal information may only be processed for the specific purposes notified to the individual when the information was first collected, or for any other purposes specifically permitted by the DP Legislation.  This means that personal information must not be collected for one purpose and then used for another, unless that other purpose was also notified to the individual or is compatible with the original purpose.

3. Data minimisation

Only personal information that is necessary for the purposes specified should be collected. Any data which is not necessary for that purpose should not be collected in the first place.

4. Accuracy

Information which is incorrect or misleading is not accurate, and steps should therefore be taken to check the accuracy of any personal information at the point of collection and at regular intervals afterwards.  Inaccurate or out-of-date information should be corrected or securely destroyed.

5. Storage limitation

Personal information should not be kept longer than is necessary for the purpose for which it was collected.  This means that data should be destroyed or erased from our systems when it is no longer required.

6. Integrity and confidentiality

We must ensure that appropriate safeguarding measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.  Individual data subjects may apply to the courts for compensation if they have suffered damage or distress from such a loss.

From 25 May 2018, new obligations to notify regulators (and, in certain situations, affected individuals) will apply if the above-mentioned safeguarding measures fail to protect personal information.  Notification to the regulator must be made without undue delay and, where feasible, within 72 hours of the company becoming aware of a breach.  It is therefore very important that you immediately report any suspected incident to the Data Manager, even if you are not yet sure that personal information was affected.

The DP Legislation requires us to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction, be it paper-based or in electronic format.

Personal data may only be transferred to a third-party data processor (such as a supplier or service provider to the company, any associated companies or a group company) if they agree to comply with those procedures and policies, or if they put in place adequate measures.

DP Legislation also requires the company and its associated companies to have a written contract in place with all suppliers or service providers who will process their personal information.

It is therefore important that procurement is involved in all such arrangements, that the correct procurement templates are used and/or that internal legal teams are consulted prior to the engagement of suppliers and partners who will either process personal information per our instructions or jointly process personal data.

7. Accountability

We must ensure that we are able to evidence that we comply with DP Legislation.

For example, that all the above principles have been applied, documentation is up to date, training on data protection and privacy has been completed, and security measures are complied with.

Before personal information is passed to third parties, including law enforcement agencies, government bodies, investigators or anyone else, it is important that full consideration is made of the possible data protection implications of doing so.  Again, please contact the Data Manager if you have any questions or are in any doubt regarding a particular request.

2.2           Compliance with the principles

In order to meet the requirements of the principles the company and its associated companies must:

  • observe the conditions regarding the fair, lawful and transparent collection and processing of personal information;
  • meet their obligations to specify the purposes for which personal information is used;
  • collect and process personal information only to the extent it is required for the company and its associated companies’ valid business interests and where there is a legal basis for doing so;
  • ensure the quality of the personal information used;
  • adopt a data retention and disposal policy that includes the length of time personal information is held;
  • ensure that the rights of individuals about whom personal information is held can be fully exercised under the relevant DP Legislation;
  • take appropriate technical and organisational safeguarding measures (which include strict Personnel access controls) to protect personal information, including following the policy guidelines set out in the company’s IT security policy and the acceptable use policy; and
  • ensure that any contractor, agent or other third party who processes personal information on the company and/or any associated company’s behalf does so under a written contract which requires that third party to:
    • only process the personal information in accordance with the company’s instructions;
    • take appropriate technical and organisational security measures to safeguard personal information;
    • ensure that personal information is not transferred outside the European Economic Area without suitable safeguards; and
    • where appropriate, confirm destruction of all personal information at the end of the engagement (this should cover paper and electronic copies, and consideration should be given to backup media);
    and which contains the additional data processing clauses specified in the DP Legislation (Article 28 GDPR).

2.3           Responsibility for compliance

The company is a data controller (and, in certain circumstances, also a processor and joint controller) responsible for complying with the DP Legislation as are its associated companies.  It is the responsibility of each member of Personnel to comply with this policy when using personal information relating to team members, customers or others.

The Data Manager has responsibility for this policy and its review.

3.              LEGAL BASIS

All processing must be lawful, which means that there must be one of the following legal grounds established before processing can take place:

3.1           Consent

When using consent as the legal basis, the company and its associated companies must be able to demonstrate that consent has been unequivocally given, not just implied.

Consent cannot be relied on for online services offered to children under 13 unless the holders of parental responsibility have provided it.  Nor can consent be coerced, for example by making it a condition of a contract where it is not necessary for that contract.  Processing of special categories of personal information requires explicit consent (or another condition specifically permitted by the DP Legislation).

Any request for consent must be prominent in the privacy statement, and the consent itself must be:

  • freely given, specific, informed and unambiguous; and
  • given by a clear affirmative action signifying agreement to the processing of the individual’s personal information (pre-ticked boxes and silence do not count).

When consent is given in the context of a statement which also concerns other matters, the request for consent needs to be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

When consent is provided, the individual must be able to withdraw it at any time as easily as it was originally given.  If consent is withdrawn, processing based on that consent must stop, and the information must be erased unless another legal basis or a retention obligation applies (seek advice from the Data Manager).

When carrying out any direct marketing using personal information the company and its associated company must:

  • only market to those individuals under the correct legal basis, such as consent, and for the specific purposes notified to the guest or customer when the personal information was collected;
  • use safeguarding measures such as the Telephone Preference Service, Mailing Preference Service and other third-party suppression lists where appropriate;
  • use standard Rcapital consent wording; and
  • require our third-party partners to use an approach compatible with this document when capturing consents on our behalf.

Any use of personal information for direct marketing purposes which is not in accordance with the requirements set out above must be approved in advance by the Data Manager.

3.2           Legitimate Interests

It is always important to demonstrate the necessity for the company and its associated companies to process personal information for its legitimate interests if relying on this legal basis.

When using legitimate interests, the company and its associated companies must be able to demonstrate that there are no over-riding risks to the individuals’ interests, rights or freedoms.

Therefore, the company and its associated companies’ legitimate interests, weighed against the risks to individuals, must always be taken into account when conducting a data protection impact assessment (required for any new system or process, or a significant change to one).  Similarly, the mitigating measures that are applied need to be documented.

3.3           Contract

When using contract as the legal basis, the company and its associated companies must be able to demonstrate that the processing is necessary for the performance of a contract (or for taking steps to enter into a contract) with the individual, for example an employee, supplier or customer / guest.

3.4        Legal Obligation

When relying on a statutory obligation, the company and its associated companies must be able to identify, for the specific purposes of the processing, what that legal obligation is, which third parties receive the personal information pursuant to it, and any retention period it requires.

3.5          Vital Interests

When using vital interests as the legal basis, the company and its associated companies must be able to demonstrate that the processing is necessary to protect the life or physical safety of the individual concerned, for example capturing allergy information when taking a table booking.  This basis is narrow and should only be relied on where the processing cannot reasonably be based on another legal basis.

3.6           Public Interest

When using public interest as the legal basis, the company and its associated companies must be able to demonstrate that the processing is necessary for a task carried out in the public interest, for example retaining staff information for public safety and security purposes so that it can be passed to the emergency services in the event of an incident.

4.              REQUIREMENTS

4.1           Notices

Individuals have the right to be informed regarding the specific purposes that their personal information is being processed before processing takes place, for how long the information will be stored and processed, who it is being shared with (including internationally), and if there is automated decision-making, including profiling.

An example of how an individual could be notified of the above is set out below:

Rcapital standard wording (based on the above)

< . . . illustrative purposes only . . . >

Rcapital Partners LLP is the controller.  Our contact details are:

Rcapital Partners LLP
5th Floor,
24 Old Bond Street,
London
W1S 4AW

For queries related to this notice please contact: compliance@rcapital.co.uk

Your dietary information will not be kept longer than is necessary for the purpose for which it was collected.

If you consent to this use of your data we will retain a record of your consent.

DECLARATION OF CONSENT

I agree to my data being processed as described above.  Please tick

Signature . . . . . . . . . . . . . . . . . . . . . . .

Date . . . . . . . . . . . . . .

You have the right to withdraw consent at any time by contacting us or our Data Manager at the email address above.

You have the right (subject to certain conditions and exemptions) to request access to your data, to have it ported to another controller, to have it rectified or erased, to restrict its processing and to object to its processing.

You also have a right to lodge a complaint with a Supervisory Authority, for example the Information Commissioner’s Office; a list of EU supervisory authorities is available at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080

 

4.2           Transfers

The DP Legislation prohibits us from transferring personal information to countries outside the European Economic Area (EEA) unless we first put in place additional safeguards.

For example, before transferring personal information, we may need to enter into contracts with recipients in non-EEA countries which incorporate standard contractual clauses approved by the EU Commission that deal with the transfer of personal information to recipients in non-EEA countries.

Before making any such transfer, the Data Manager should be notified and informed of who the data is being shared with, in which country, under which safeguard, and whether it will be subject to any automated decision-making, including profiling.

4.3          Data Protection by Design / Data Protection by Default – Approach

We must ensure that our policies and processes reflect a culture of respecting privacy.  This means that each of us is accountable for adhering to the security and other safeguarding measures, and for collecting, processing and storing only the personal information that is required, only for as long as it is required, and sharing it only with those who are authorised and need to use it.

4.4           Data Protection Impact Assessment (DPIA)

A DPIA is a risk-based assessment of the impact of a proposed processing activity on the individuals concerned, carried out before the processing starts.

A DPIA must be undertaken in respect of any new process or system (or significant change to one) that is likely to result in a high risk to the rights and freedoms of individuals, for example where it uses innovative technologies, processes special categories of personal information, or monitors individuals on a large scale.  The DPIA should record the risks identified and the mitigating measures applied.

5.              DATA SUBJECT RIGHTS

5.1           Summary of Rights

The subjects of personal information held by, or on behalf of, the company (Data Subjects) have a wide range of rights granted to them under the DP Legislation. Whilst we can make use of personal information for specific purposes and where we can lawfully justify such use, an individual can still exercise significant control over what we do with his/her personal information.  We need to operate our business and process personal information in a way which facilitates the rights of individuals to exercise this control.

DP Legislation significantly enhances the rights available to individuals.  A summary of each of the rights is set out below.

It is important that requests from individuals wishing to exercise any of the rights below are quickly identified and sent to the appropriate person for preparing a response.

Personnel should not respond to such requests without first discussing the matter with their line manager or such other relevant person, who may refer the matter to the Data Manager.

5.2           Right to be informed

Individuals have the right to be informed of how their personal information is being processed.  This right to be informed must be satisfied in the form of a privacy notice that is provided to the individuals.

The privacy notice may be in the form of:

  • a privacy statement or privacy policy, separate to a cookie policy (which is also required);
  • an email signature, other correspondence, or information board in a public area;
  • a privacy clause in an employee handbook; or
  • a clause within the terms and conditions of a contract.

In general, individuals must be informed about:

  • the purpose for processing their personal information,
  • what information is processed, and
  • for how long.

The notice should also include the contact details of the company and the Data Manager.

Within the privacy notice, individuals also have the right to be informed whether any third parties are to be recipients of their personal information.

In addition, within the privacy notice, individuals have the right to be informed whether their personal information will be transferred to third countries (i.e. when personal information moves from an EEA country to a country or territory outside the EEA, the latter being a third country) or to international organisations.  This is important because most countries outside the EEA are not covered by an ‘adequacy’ decision, so a transfer to them requires other safeguards, such as binding corporate rules or the standard contractual clauses adopted by the European Commission, which must be complied with by the data controller before personal data is transferred.

5.3           Right of access (‘Subject Access Requests’)

Individuals have the right to request that we:

(i)    confirm, amongst other things, whether we are holding their personal information;

(ii)   provide them with a copy of that information, and

(iii)  provide them with supporting (and detailed) explanatory materials.

We must comply with Subject Access Requests without undue delay and at the latest within one month of the request (although this can be extended in limited circumstances), and we cannot charge individuals for making a request (except in specific situations).

Particular care should be taken if a request from one individual would result in personal information of another individual being disclosed.  Seek advice from the Data Manager about whether such information should be redacted, or its disclosure justified.

Please contact the Data Manager if you receive a request for the release of personal information.

5.4           Right to rectification

Individuals have the right to require us to rectify inaccuracies in personal data held about them.  In some circumstances, if personal information records are incomplete or inconsistent, individuals have the right to require us to complete the data, make it consistent, or to record a supplementary statement correcting it.

Advice should be sought from the Data Manager if uncertain.

5.5           Right to erase (‘the right to be forgotten’)

Individuals have the right to have their personal information erased in certain specified situations – in essence where the continued processing of it does not comply with DP Legislation.

Where an individual makes an erasure request, we must respond without undue delay and in any event within one month (although this can be extended in limited circumstances).

There are a number of exemptions which apply to such requests, and you should not assume that you should delete personal information simply because you have received a request of this nature.

Such a request should be referred to the Data Manager as soon as it is received.

5.6           Right to restriction

This right allows individuals, in certain situations, to restrict our use of their personal information.  This might result in our use of it being limited to storage only and could mean we have to move personal information to separate IT systems, or temporarily block access to it.

This issue could arise in a situation where an individual is disputing the accuracy of information we hold, or where they are objecting to our right to continue to use their information and we need to take some time to establish whether we have a right to continue to do so.

Such a request should be referred to the Data Manager as soon as it is received.

Advice should be sought from the Data Manager if uncertain.

5.7          Right to data portability

Data portability goes beyond rights of access and requires us to provide, on request, information to individuals in a structured, commonly used and machine-readable format. We could also be asked by an individual to transmit personal information directly to another data controller in the same format.

This right only applies to electronic records which have been provided to us by the individual themselves or generated from their activity or are our observations of their activity (but not subsequent analysis of such activity), and only where we hold the personal information because we have the individual’s consent or because we are fulfilling a contract with them.

Such a request should be referred to the Data Manager as soon as it is received.

5.8          Right to object

Individuals have an absolute right to object to their personal information being processed for the purpose of direct marketing. If we receive any such objection we must immediately cease such marketing activities in respect of that individual.

Individuals have a wider right to object to processing we undertake which is justified on the basis that it is in our legitimate interests (rather than because we have their consent).  If we receive an objection of this nature we must assess the objection and carefully consider if we can demonstrate compelling legal grounds to continue to process the personal information.

Such a request should be referred to the Data Manager as soon as it is received.

5.9           Rights in relation to automated decision-making, including profiling

Individuals have rights which apply if we take decisions about them which are based solely on automated processing (i.e. without meaningful human involvement) and which produce legal or similarly significant effects on them.  An example of this would be the use of an algorithm to analyse customer data and decide which groups of people receive preferential promotional offers.

We may use such automated decision-making where it is necessary in order to enter into or perform a contract with the individual, or where we have their explicit consent[2].  However, we need to be transparent with individuals about what decisions are taken in this way, and we may need to put in place additional protective measures for the individuals concerned, such as the right to obtain human intervention and to contest the decision.

Any request or objection relating to automated decision-making should be referred to the Data Manager as soon as it is received.

5.10         Right to complain

Individuals have the right to bring a complaint to the Information Commissioner, or other supervisory authority.

5.11          Right to bring legal proceedings

Individuals have the right to seek judicial remedy through the courts.

5.12           Requests

Team members, customers and other subjects of personal information held by, or on behalf of the company and/or any of its associated companies may exercise any of the rights specified above.  These rights are subject to certain exemptions which are set out in the DP Legislation.

Any team member, customer or other subject of personal information wishing to exercise any of these rights should make the request in writing to the Data Manager.

The company aims to comply with any requests in relation to personal information as quickly as possible and in any event within the time specified by the DP Legislation.

5.13           Personnel responsibilities

All Personnel are responsible for:

  • checking any personal information which they provide to the company is accurate and up to date;
  • informing the company of any changes to personal information which they have provided, for example change of address; and
  • checking any information that the company may send out from time to time, for example giving details of personal information that is held by the company.

If, as part of their responsibilities, Personnel have access to or use personal information about other people as part of their employment duties (for example, customer or guest personal information) they must comply with this policy and in the company’s other policies and procedures for processing personal information.

All Personnel are responsible for ensuring that any personal information which they hold or process is kept secure and is not disclosed, orally, in writing or otherwise, to any unauthorised third party, or transferred internationally, without first checking that the right safeguards are in place.

Only those Personnel who strictly require access to personal information for their role should have such access, and all Personnel must make sure that personal information is not shared with Personnel who do not need to see it.

Personal information about any member of Personnel and others may include special categories of personal information or other information that needs to be treated sensitively.  This is personal information relating to an individual’s:

  • racial or ethnic origin;
  • political opinions;
  • religious beliefs or other beliefs of a similar nature;
  • membership of a trade union;
  • physical or mental health or condition;
  • sex life or sexual orientation;
  • biometric or genetic data (e.g. facial or iris imaging, or biological sample information);
  • commission or alleged commission of an offence; or
  • any proceedings for any offence or alleged offence, the disposal of such proceedings or any sentence imposed by a court.

Particular care must be taken when dealing with any personal information falling under one or more of these headings.  If in doubt, take advice from the Data Manager.  In general, such personal information must be kept very secure and must only be seen by a restricted number of people who need to know it.  The Data Manager will act as an intermediary between the company and its associated companies, employees, suppliers, customers, partners and others.

5.14          Email

Due to the ease with which large quantities of personal data can be accidentally or inappropriately exposed when using email, Personnel should be particularly careful to use email in a considered manner.  In particular:

  • email to addresses outside the “@rcapital.co.uk” domain should not include personal data beyond simple contact information (name, email, telephone, address, job title and place of work).  If more extensive data needs to be provided, an encrypted attachment can be used (MS Office encryption is adequate for low risk data) or a specialised secure transfer option may be used in high risk cases;
  • if using an encrypted email attachment to send personal data, do not include the password in the same email and preferably use a different communication method to send the password (e.g. SMS);
  • emails sent from “@rcapital.co.uk” addresses to “@rcapital.co.uk” addresses remain within the company’s secure environment and may include personal data;
  • do not include any personal information in the “Subject” field of an email regardless of the recipient, in particular do not include individuals’ names or other potential identifiers;
  • Personnel should make it a habit to preferentially use “Bcc” rather than “Cc”. “Cc” should only be used where it is necessary for all recipients to see replies;
  • when using Distribution Lists to send emails to those outside the company, ensure that email addresses are not shared. Use the “Bcc” facility so that email addresses are not displayed.

[1] For further details on Rcapital Partners LLP’s associated companies please contact the Data Manager

[2] The right to not being subject to automated decision-making, including profiling, does not apply where there is a necessity for the purposes and legal basis of a contract (or entering into a contract).