Sears Group Trust Data Protection Policy – October 2018
Introduction
This Policy sets out the obligations of Sears Group Trust (the “Trust”), a Charity registered under number 1022586, whose registered address is 6 Trull Farm Buildings, Trull, Gloucestershire, GL8 8SQ, regarding data protection and the rights of its staff and other individuals in relation to their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”), effective from 25 May 2018 in the UK.
The Trust takes its responsibilities to look after your data very seriously and will always process data fairly and in accordance with the purpose for which it was obtained and maintained. Please read the following carefully to understand the Trust’s practices in this area.
Processing personal data
The Trust will ensure all personal data is processed lawfully, fairly and transparently, without adversely affecting an individual’s rights. In May 2018, all individuals were issued with the Trust’s Privacy Notice.
Data Controllers, Data Processors and sub-processors
The Directors of the Trust are a Data Controller for the purposes of data protection/GDPR legislation and they decide the purpose for and how an individual’s personal data is processed. The Trust’s third parties are identified as Data Processors, with whom individuals’ personal data is shared for the Trust’s administrative and operational purposes. These third parties are identified below: -
Third Party |
Function |
The Trust Partnership |
Trust Administrator |
Dunkley's |
Trust Auditor |
Premier Pensions |
Sears Retail Pension Scheme Administrator |
Goodman Jones |
Payroll Provider for the Trust’s employees |
The following third parties associated with the Trust are not considered to be Data Processors or Data Controllers, since no personal data is shared with them (other than data about individual Trustee Directors for the purposes of Anti-Money Laundering and Know Your Client checks): -
Third Party |
Function |
BlackRock |
Investment manager |
Lloyds |
Trust bankers |
Some Data Processors use sub-processors to carry out certain tasks on their behalf for instance archiving, printing or tracing member addresses. The sub-processors that are appointed by the Trust’s Administrator will only be used as permitted and with the express consent of the Trust.
Binding contracts with the Data Processors have been put in place by the Trust.
Your personal data
The Trust is responsible for compliance with its obligations as a Data Controller under data protection legislation; it must keep records of personal data held and processing activity and ensure personal data is processed in accordance with the data protection principles set out in legislation as well as taking steps to demonstrate the Trust’s accountability.
Personal Data held by the Trust includes: -
Data held in relation to those who currently receive Grants or financial assistance from the Trust
· Name, address, telephone number, email and national insurance number – so that the Trust can identify them;
· Date of birth, marital/partnership and family arrangements – so that the Trust can inform individuals of other benefits or support they may be entitled to;
· Which Sears company the individual/their relative worked and for how long – so that the Trust knows the individual qualifies for support from the Trust;
· Details on income and expenses – so that the Trust can determine how much any regular Grant payments should be and any other support the Trust can provide;
· Bank/building society account details – so that the Trust can make payments safely and efficiently; and
· Details of past and future planned visits with the individual: sometimes the data will include sensitive personal data that has been passed on to us in confidence and this will be kept extra safe and secure.
Data held for individuals who are eligible for visits by the Trust’s Welfare Visitors and who may or may not receive Grants/financial assistance from the Trust in the future.
· Name, address, telephone number, email and national insurance number – so that the Trust can identify them;
· Date of birth, marital/partnership and family arrangements – so that the Trust can inform individuals of other benefits or support they may be entitled to;
· Which Sears company the individual/their relative worked and for how long – so that the Trust knows the individual qualifies for visits and, potentially, further support from the Trust; and
· Details of past and future planned visits with the individual; this data could include sensitive personal data and, if so, this will be kept extra safe and secure.
Individual consents
All individuals supported by the Trust have been issued with a Privacy Notice; this will be continually revised over time to keep it up-to-date. Individuals’ consents to hold their data and a copy of the Privacy Notice was exchanged with those receiving Grants, support or financial assistance from the Trust in May 2018.
All those becoming eligible for support from the Trust in future will be given a copy of the then current Privacy Notice and their consent will be sought to hold their personal data at the appropriate time.
If you want a copy of the Privacy Notice, please email the Trust at admin@searsgrouptrust.co.uk or write to the Trust at the registered address. It is also available on the Trust’s website http://www.searsgrouptrust.org.uk
Accuracy of data and keeping data up-to-date
The Trust ensures that all personal data collected, processed and held by it is kept accurate and up-to-date. The accuracy of personal data will be checked at the point of collection and at regular intervals thereafter. If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
If your personal data changes, please notify the Trust; see the Section headed “Contact Us”.
Using your personal data
The Trust will only process your personal data for the purposes of meeting the Trust’s objectives and we do so provided that our interests do not override any of your own interests, rights and freedoms which require the protection of personal data. You have the right to request the deletion of your personal data at any time and the Trust will comply straightaway.
Sharing your data
We will only share your personal data with other third-party providers where this is necessary to administer the Trust and such third-parties are identified above in the section headed “Data Controllers, Data Processors and sub-processors”. All the Trust’s third-party providers are required to take appropriate security measures to protect your personal data. The Trust only permits our third-party providers to process your personal data for specified purposes and in accordance with our instructions.
We do not store, share or transfer any personal data we collect about you outside the EEA.
Data retention
We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is was originally collected, held and processed. The Directors have agreed a data retention policy with the Trust’s Administrators such that data will be stored for the term of appointment and seven years thereafter, or as required by applicable law and then the data will be destroyed. Bank details held for making Grant payments will be stored only so long as payment are made, after which time it will be destroyed. When personal data is no longer required, all reasonable steps will be taken to erase or otherwise safely dispose of it without delay.
Data security
Protecting your data is an ongoing priority for the Trust and effective protections will continue to be made to prevent your personal data from being accidentally lost, corrupted or accessed in an unauthorised way.
As well as focussing on the existence of appropriate measures and the controls of third-parties, the Trust’s Directors have also considered their own business protocols when receiving/sending personal data and these incorporate always sending data via a secure data-sharing platform and/or are password protected.
The Trust has implemented procedures to deal with any suspected data security breaches and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. Our Personal Data Breach Policy is available from the Secretary
Your rights
The law provides you with rights in relation to the personal data which we hold and process; these rights are: -
· to be informed about the personal data being processed;
· to be given access to your personal data;
· to object to the processing of your personal data;
· to restrict the processing of your personal data;
· to rectify errors in your personal data;
· to erasure of your personal data (See section below); and
· to receive an electronic copy of your personal data.
If you wish to exercise any of the above rights, email the Trust at admin@searsgrouptrust.co.uk or write to the Trust’s registered address and we will forward further information; we may need to confirm your own identify.
There is no fee to access your personal data or to exercise any of your other rights. If your request for access is clearly repetitive, unfounded or excessive, we are entitled to charge a reasonable administration fee.
Erasure of personal data
You have the right to request that the Trust erases the data it holds about you in the following circumstances: -
· It is no longer necessary for the Trust to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;
· You wish to withdraw your consent to the Trust holding and processing your personal data;
· You object to the Trust holding and processing your personal data and there is no interest to allow the Trust to continue doing so;
· The personal data has been processed unlawfully; and
· The personal data needs to be erased for the Trust to comply with a legal obligation.
Unless the Trust has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with and the individual informed of the erasure within one month of receipt of the request. The period can be extended by up to two months in the case of complex requests and, if such additional time is required, the individual will be informed. If any personal data being erased in response to an individual's request has been disclosed to third-parties, those hird-parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
If you wish to exercise this right, please email the Trust at admin@searsgrouptrust.co.uk or write to the Trust at the registered address and we will forward further information we may require to confirm your identify.
Website and cookies
We do not use cookies (small text files) on our website. Our website also contains links to other external websites. If you click any such links, you will be taken to websites controlled by other parties and will be subject to their own privacy and data policies.
Contact us
The Trust regularly reviews its Privacy Policy to ensure it is up-to-date with changing legislation and its own working practices as well as the working practices of its third-parties.
If you have any questions regarding this Policy or about how we process your personal data, email admin@searsgrouptrust.co.uk or write to the Trust’s administrators at 6 Trull Farm Buildings, Trull, Gloucestershire, GL8 8SQ.
You also have the right to refer any complaints to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues, at any time. The ICO’s contact details are as follows:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow
CHESHIRE SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Fax: 01625 524 510 Website - https://ico.org.uk/concerns
Our Privacy Policy will be kept under regular review; this version was created in October 2018 and was reviewed in January 2019.