Introduction

At Bennett Potatoes, we collect and process information about individuals (i.e. ‘personal data’) for business purposes, including employment and HR administration, provision of our services, marketing, and business administration. This includes personal data relating to our staff, customers, suppliers and other third parties.

Compliance with data protection law is essential to ensure that personal data remains safe, our business operations are secure and the rights of individuals are respected. Bennett Potatoes is a controller under data protection law, meaning it decides how and why it uses personal data. This Policy explains our procedures for complying with data protection law in relation to personal data. It also sets out your obligations whenever you are processing any personal data in the course of your employment.

If you routinely handle individuals’ personal data, you will be given specific instructions regarding data protection procedures in relation to your particular role / department. These instructions will supplement your obligations as set out in this Policy.

There will also be other policies which will impact on how you deal with personal data and data protection. The main ones are our Electronic Information and Communications Systems Policy, and we expect you to comply with these where relevant.

This Policy does not give contractual rights to any Employees. It may be updated at any time.

Who does this Policy apply to?

This Policy applies to all Bennett Potatoes employees, workers, [contractors, agency workers, consultants, and directors], (together referred to as ‘Employees’ or ‘you’).

Who is responsible for data protection at Bennett Potatoes?

The Directors are ultimately responsible for Bennett Potatoes compliance with applicable data protection law. Bennett Potatoes has appointed a Data Protection Lead who is responsible for overseeing and advising Bennett Potatoes on and administering compliance with this Policy and data protection law.

All Employees at Bennett Potatoes have some responsibility for ensuring that personal data is kept secure and processed in a lawful manner although certain Employees will have particular responsibilities, of which they will be aware and in respect of which they may receive specific instructions.

If you are in any doubt about how you should handle personal data, or if you have any concerns or questions in relation to the operation (or suspected breaches) of this Policy, you should seek advice from the Data Protection Lead.

Why is data protection compliance important?

Data protection law in the UK is regulated and enforced by the Information Commissioner’s Office (ICO). Failure to comply with data protection law may expose Bennett Potatoes and, in some cases, individual Employees to serious legal liabilities. These can include criminal offences and fines of up to EUR20 million (approximately £18 million) or 4% of total worldwide annual turnover, whichever is higher. In addition, an individual may seek damages from us in the courts if we breach their rights under data protection law. Breaches of data protection law can also lead to serious damage to our brand and reputation.

In addition to the legal liabilities, failure to comply with your obligations under this Policy could lead to disciplinary action and, in serious cases, it could result in the termination of your employment.

What is personal data?

Personal data means any information relating to any living individual (also known as a ‘data subject’) who can be identified (directly or indirectly) in particular by reference to an identifier (e.g. name, NI number, employee number, email address, physical features). Relevant individuals can include your colleagues, consumers, members of the public, business contacts, etc. Personal data can be factual (e.g. contact details or date of birth), an opinion about a person’s actions or behaviour, or information that may otherwise impact on that individual. It can be personal or business related.

Personal data may be automated (e.g. electronic records such as computer files or in emails) or in manual records which are part of a filing system or are intended to form part of a filing system (e.g. structured paper files and archives).

What does ‘processing’ personal data mean?

‘Processing’ personal data means any activity that involves the use of personal data (e.g. obtaining, recording or holding the data, amending, retrieving, using, disclosing, sharing, erasing or destroying). It also includes sending or transferring personal data to third parties.

Data Protection Obligations

Bennett Potatoes is responsible for and must be able to demonstrate compliance with data protection law. To ensure that Bennett Potatoes meets its responsibilities, it is essential that its Employees comply with data protection law and any other Bennett Potatoes policies, guidelines or instructions relating to personal data when processing personal data in the course of their employment.

We have set out below the key obligations under data protection law and details of how Bennett Potatoes expects Employees to comply with these requirements.

1. Process personal data in a fair, lawful and transparent manner

Legal grounds for processing

Data protection law allows us to process personal data only where there are fair and legal grounds which justify using the information.

Examples of legal grounds for processing personal data include the following (at least one of these must be satisfied for each processing activity):

• complying with a legal obligation (e.g. health and safety or tax laws);
• entering into or performing a contract with the individual (e.g. an Employee’s terms and conditions of employment, or a contract for services with an individual customer);
• acting in Bennett Potatoes’ or a third party’s legitimate interests (e.g. maintaining records of business activities, monitoring business productivity); and
• obtaining the consent of the individual (e.g. for sending direct marketing communications).

Where consent is relied upon, it must be freely given, specific, informed and unambiguous, and Bennett Potatoes must effectively demonstrate that consent has been given.

In line with ICO guidance regarding the Employer/Employee relationship, Bennett Potatoes does not use consent as a legal ground for processing Employee data unless the data processing activities concerned are genuinely optional.

In most cases, consent is also not required for other standard business activities involving use of customer or supplier data, but it may be needed for activities which are not required to manage the main business relationship, such as direct marketing activities.

Transparency

Data protection law also requires us to process personal data in a transparent manner by providing individuals with appropriate, clear and concise information about how we process their personal data.

We usually provide individuals with basic information about how we use their data on forms which collect data (such as application forms or website forms), and in longer privacy notices setting out details including: the types of personal data that we hold about them, how we use it, our legal grounds for processing the information, who we might share it with and how long we keep it for. For example, we provide information about our processing of Employees’ personal data in the Bennett Potatoes Employee Privacy Notice.

We supplement these notices, where appropriate, with reminders or additional information at the time particular processing activities take place or become relevant for an individual (for example when they sign up for a new service or event).

What you need to do:

By processing personal data only in accordance with your lawful job duties and Bennett Potatoes instructions, ordinarily, you will be processing personal data fairly and lawfully.

The standard privacy notices and statements that we issue, for example, to Employees, customers and the public, should normally be sufficient to ensure that individuals have appropriate information about how you are handling their personal data in the course of your employment. However, you should consider whether reminders or additional information may be appropriate at the time particular processing activities take place. This is particularly important if you think that individuals may need further assistance to understand clearly how their data will be used as part of such activities.

Any new forms which collect personal data and any proposed consent wording must be approved in advance by the Data Protection Lead.

If you have any concerns about the legal grounds for processing personal data or if you are unsure whether individuals have been provided with appropriate information (in particular in relation to any new processing activities), please check with the Data Protection Lead.

2. Take extra care when handling sensitive or special categories of personal data

Some categories of personal data are ‘special’ because they are particularly sensitive. These include information that reveals details of an individual’s:

• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union membership;
• physical or mental health;
• sexual life or sexual orientation;
• biometric or genetic data (if used to identify that individual); and
• criminal offences or convictions.

Where special category personal data is concerned, data protection law requires us to have (as well as one of the legal grounds described in section 1), an additional legal ground to justify using this sensitive information. The appropriate legal ground will depend on the circumstances.

Additional legal grounds for processing special category data include the following. Those marked with an asterisk (*) would be particularly relevant to processing Employees’ special category personal data:

• complying with a legal obligation/exercising a legal right in the field of employment*;
• assessing working capacity (based on expert medical opinion, and subject to obligations of confidentiality)*;
• carrying out equalities monitoring in relation to racial or ethnic origin, religious beliefs, health or sexual orientation*;
• exercising, establishing or defending legal claims*;
• preventing or detecting unlawful acts; or
• explicit consent of the individual. (As well as the requirements for consent outlined in section 1 above, this requires an express statement from the individual that their special category of data may be used for the intended purposes.)

What you need to do:

If you are handling special category personal data in the course of your employment, you need to take extra care regarding compliance with data protection law. In particular, try to ensure that:

• any processing activities are strictly in accordance with your lawful job duties and Bennett Potatoes instructions;
• there are appropriate legal grounds for processing the data (both basic grounds under section 1 and additional grounds under this section) which have been assessed for your specific activities;
• individuals have received adequate information regarding how their data is being handled. In some cases, an existing privacy notice may need to be supplemented with more specific information regarding special category data (e.g. when Bennett Potatoes is managing sickness absence and/or making adjustments to job duties for Employees with disabilities or serious illness, we may provide additional ad hoc privacy notices to supplement the Employee Privacy Notice);
• you apply additional security and confidentiality measures, taking into account that the impact on individuals of loss or misuse of their special category data may be greater than with other types of data. See also section 7 below; and
• if you are relying on consent as a legal ground for processing, you obtain advance approval of any consent wording from the Data Protection Lead.

If you are routinely handling special category data as part of the requirements of your role and job duties, Bennett Potatoes will ordinarily have put in place procedures which ensure that your processing activities satisfy the requirements above.

However, if alternative circumstances apply (e.g. you are involved in a new project or updating an existing system which involves new types of processing of special category data), please contact the Data Protection Lead to ensure that the correct compliance procedures are followed.

Similarly, if you have any concerns over the legal grounds that apply when you are processing special category data or the appropriate information to be provided to individuals, please get in touch with the Data Protection Lead.

3. Only process personal data for specified, explicit and legitimate purposes

Bennett Potatoes will only process personal data in accordance with our legitimate purposes to carry out our business operations and to administer employment and other business relationships.

What you need to do:

You must only use the personal data that you process in the course of your duties for Bennett Potatoes legitimate and authorised purposes. You must not process personal data for any purposes which are unrelated to your job duties.

Processing personal data for any incompatible or unauthorised purposes could result in a breach of data protection law (e.g. using the company contacts database to find out a colleague’s home address for private, non-work related purposes). This may have potentially damaging consequences for all parties concerned, including disciplinary action.

If you find that you need to process personal data for a different purpose from that for which it was originally collected, you must check whether the individuals have been informed and, if not, consider whether the additional purpose is legitimate (in the context of Bennett Potatoes’ business activities) and compatible with the original purpose.

If you are unsure about whether the purposes for processing are legitimate, you should contact the Data Protection Lead before going ahead with processing the data for the additional purpose.

4. Make sure that personal data is adequate, relevant and limited to what is necessary for your legitimate purposes

Data protection law requires us to ensure that, when we process personal data, it is adequate, relevant to our purposes and limited to what is necessary for those purposes.  We will ask for the information we need for our legitimate business purposes, but we won’t ask for more information than we need in order to carry out our business operations.

What you need to do:

You should try to ensure that you only acquire and process the personal data that you actually need for Bennett Potatoes’ legitimate and authorised purposes within the scope of your role.

You must ensure that you have sufficient personal data needed to be able to use it fairly and to take into account all relevant details.

If you are creating forms that collect personal data, you should be able to justify why each specific category of data is being requested.

You must also comply with Bennett Potatoes’ instructions about data retention and storage, ensuring that personal data is only kept for as long as it is needed for any intended purpose.

5. Keep personal data accurate and (where necessary) up-to-date

Bennett Potatoes must take steps to ensure that personal data is accurate and (where necessary) kept up-to-date.

What you need to do:

When you process individuals’ personal data in the course of your employment, you must make reasonable efforts to be accurate and, where necessary, keep the relevant information updated.

When collecting any personal data, try to confirm its accuracy at the outset. If you subsequently discover any inaccuracies in the personal data that you are handling, these need to be corrected or deleted without delay.

Personal data should be held in as few places as possible to avoid the risk that duplicate copies are not updated and become out of sync. You should not create additional copies of personal data, but should work from and update a single central copy where possible.

6. Keep personal data for no longer than is necessary for the identified purposes

Records containing personal data should only be kept for as long as they are needed for the identified purposes. Bennett Potatoes has in place data retention, storage and deletion policies and internal processes/guidelines regarding various types of company records and information that contain personal data.

We take appropriate steps to retain personal data only for so long as is necessary, taking into account the following criteria:

• the amount, nature, and sensitivity of the personal data;
• the risk of harm from unauthorised use or disclosure;
• the purposes for which we process the personal data and how long we need the particular data to achieve these purposes;
• how long the personal data is likely to remain accurate and up-to-date;
• for how long the personal data might be relevant to possible future legal claims; and
• any applicable legal, accounting, reporting or regulatory requirements that specify how long certain records must be kept.

What you need to do:

Please familiarise yourself with our retention policies, processes, guidelines and instructions that are relevant to your job. Ensure that, where it falls within your responsibility, you destroy or erase all information that you no longer require in accordance with these.

If you are not sure what retention guidelines/instructions apply to you in your role, or you are unsure of how to apply them to a particular type or item of personal data, please contact the Data Protection Lead.

7. Take appropriate steps to keep personal data secure

Keeping personal data safe and complying with Bennett Potatoes’ security procedures to protect the confidentiality, integrity, availability and resilience of personal data is a key responsibility for Bennett Potatoes and its workforce.

Bennett Potatoes has an Information Security Measures Policy, which includes physical security measures, access controls and technological and organisational measures

What you need to do:

To assist Bennett Potatoes in maintaining data security and protecting the confidentiality and integrity of the personal data you handle in course of your employment, we require you to comply with this Policy, our Electronic Information and Communications System Policy and any Bennett Potatoes instructions regarding the processing and security of personal data

Physical Security Measures

• Locked offices where current & live data is held
• Limited restricted access to buildings via keycode locks
• Collation of like subject material in one location, filed in locked cabinets
• Archiving of old records into a locked restricted access area
• Destruction of old archive records after 6 years with proof of destruction certificates
• On site perimeter electronic security system and CCTV in operation
• Shredding of unnecessary and duplicated confidential information

Access Controls

• IT system access by password and access limited to area of job relevance only
• Old IT system records archived to a restricted access area and deleted after 6 years

Technological & Organisational Measures

• Regular check and confirmation of accuracy of personal information held on employees
• Confidentiality agreement within employee contacts
• Antivirus, firewall and ransomware software running on the IT system with constant updates implemented
• Encrypted backups both local and offsite on NAS system
• Restricted access to websites via UTM system
• Asset register of all IT equipment & users associated.
• Password protected portable devices etc laptops, tablets and iphones
• CCTV – rolling record of images stored in locked cabinet, accessed by password with limited access to restricted users

8. Take extra care when sharing or disclosing personal data

The sharing or disclosure of personal data is a type of processing, and therefore all the principles described in this Policy need to be applied.

Internal data sharing

Bennett Potatoes ensures that personal data is only shared internally on a ‘need to know’ basis.

External data sharing

We will only share personal data with other third parties where we have a legitimate purpose, and an appropriate legal ground under data protection law which permits us to do so. Commonly, this could include situations where we are legally obliged to provide the information (e.g. to HMRC for tax purposes) or where necessary to perform our contractual duties to individuals (e.g. provision of information to our occupational pension providers).

9. Report any data protection breaches without delay

Bennett Potatoes takes any data protection breaches very seriously. These can include lost or mislaid equipment or data, use of inaccurate or excessive data, failure to address an individual’s rights, accidental sending of data to the wrong person, unauthorised access to, use of or disclosure of data, deliberate attacks on Bennett Potatoes’ systems or theft of records, and any equivalent breaches by Bennett Potatoes’ service providers.

Where there has been a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to individuals’ personal data, Bennett Potatoes will take immediate steps to identify, assess and address it, including containing the risks, remedying the breach, and notifying appropriate parties (see below).

If Bennett Potatoes discovers that there has been a personal data security breach that poses a risk to the rights and freedoms of individuals, we will report it to the ICO within 72 hours of discovery.

We also keep an internal record of all personal data breaches regardless of their effect and whether or not we report them to the ICO.

If a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, we will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures we have taken.

What you need to do:

If you become aware of any breach (or suspected breach) of this Policy (including, in particular any security breach), you must report it to the Data Protection Lead immediately to ensure that the breach is effectively assessed and addressed, and that we comply with Bennett Potatoes data breach reporting obligations.

10. Integrate data protection into operations

Data protection law requires Bennett Potatoes to build data protection considerations and security measures into all of our operations that involve the processing of personal data, particularly at the start of a new project or activity which may impact on the privacy of individuals. This involves taking into account various factors including:

• the risks (and their likelihood and severity) posed by the processing for the rights and freedoms of individuals;
• technological capabilities;
• the cost of implementation; and
• the nature, scope, context and purposes of the processing of personal data.

We also seek to assess data protection risks regularly throughout the lifecycle of any project or activity which involves the use of personal data.

What you need to do:

If you are involved in the design or implementation of a new project or activity that involves processing personal data, you must give due consideration to all the principles of data protection set out in this policy.

You should assist the Data Protection Lead with regular reviews of projects or activities to ensure data protection risks continue to be addressed.

A useful tool for assessing data protection and privacy considerations is a Data Protection Impact Assessment or ‘DPIA’. A DPIA will consider the necessity and proportionality of a processing operation, and assess the risks to individuals and the measures that can be put in place to mitigate those risks. A DPIA must be carried out if a data processing operation is likely to give rise to a high risk to individual rights and freedoms.

If you are involved in the design or implementation of a new project that involves processing personal data, you must check whether it is necessary to conduct a DPIA or similar risk or compliance assessment by contacting the Data Protection Lead. They will also be able to advise you on how we expect you to conduct, or otherwise contribute to, a DPIA or similar risk assessment.

Individual Rights and Requests

Under data protection law, individuals have certain rights when it comes to how we handle their personal data. For example, an individual has the following rights:

• The right to make a ‘subject access request’. This entitles an individual to receive a copy of the personal data we hold about them, together with information about how and why we process it and other rights which they have (as outlined below). This enables them, for example, to check we are lawfully processing their data and to correct any inaccuracies.
• The right to request that we correct incomplete or inaccurate personal data that we hold about them.
• The right to withdraw any consent which they have given.
• The right to request that we delete or remove personal data that we hold about them where there is no good reason for us continuing to process it. Individuals also have the right to ask us to delete or remove their personal data where they have exercised their right to object to processing (see below).
• The right to object to our processing of their personal data for direct marketing purposes, or where we are relying on our legitimate interest (or those of a third party), where we cannot show a compelling reason to continue the processing.
• The right to request that we restrict our processing of their personal data. This enables individuals to ask us to suspend the processing of personal data about them, for example if they want us to establish its accuracy or the reason for processing it.
• The right to request that we transfer to them or another party, in a structured format, their personal data which they have provided to us (also known as the right to ‘data portability’). The applicability of this right depends on the legal grounds on which we process it.
• The right to challenge a decision based solely on profiling/automated processing, to obtain human intervention, and to express their point of view.

We are required to comply with these rights without undue delay and, in respect of certain rights, within a one month timeframe.

Individuals also have rights to complain to the ICO about, and to take action in court to enforce their rights and seek compensation for damage suffered from, any breaches.

What you need to do:

If you receive a request from an individual seeking to exercise a right in relation to their personal data, or making an enquiry or complaint about our use of their personal data, you must forward the request, enquiry or complaint to the Data Protection Lead immediately so that it can be dealt with appropriately and within the applicable time limit as outlined in the Bennett Potatoes’ Employee Handbook. Your assistance may be needed to address and respond to the request, enquiry or complaint.

Record Keeping

In order to comply, and demonstrate our compliance, with data protection law, Bennett Potatoes keeps various records of our data processing activities. These include a Record of Processing which must contain, as a minimum: the purposes of processing; categories of data subjects and personal data; categories of recipients of disclosures of data; information about international data transfers; envisaged retention periods; general descriptions of security measures applied; and certain additional details for special category data.

What you need to do:

You must also comply with our applicable processes/guidelines and any specific instructions you are given concerning the keeping of records about our processing of personal data.

If you are processing individuals’ personal data in the course of your employment and you collect any new types of personal data or undertake any new types of processing activities, either through the introduction of new systems or technology or by amending existing ones, please inform the [Data Protection Lead/Data Protection Officer/Data Protection Team] so that we are able to keep our records up-to-date.

Instruction / Training

We require Employees to undergo some basic instruction to enable them to comply with data protection law and this policy. Additional instruction / training may be required for specific roles and activities involving the use of personal data.

To this end, we provide instructions as part of our induction process for new joiners to Bennett Potatoes and operate an ongoing instruction programme to make sure that Employees’ knowledge and understanding of what is necessary for compliance in the context of their role is up-to-date.

Departures from this Policy

There are some very limited exemptions from data protection law, which may permit departure from aspects of this Policy in certain circumstances.

You will be given specific instructions if any exemptions are relevant to your role.

If you think you should be able to depart from this Policy in any circumstances, you must contact the Data Protection Lead before taking any action.

The use of cookies and beacons

We use cookies and web beacons (‘Website Navigational Information’) to collect information as you navigate the company’s websites. Website Navigational Information includes standard information from your web browser, such as browser type and browser language; your Internet Protocol (“IP”) address; and the actions you take on the company’s websites, such as the web pages viewed and the links clicked.

This information is used to make websites work more efficiently, as well as to provide business and marketing information to the owners of the site, and to gather such personal data as browser type and operating system, referring page, path through site, domain of ISP, etc. for the purposes of understanding how visitors use a website. Cookies and similar technologies help us tailor our website to your personal needs, as well as to detect and prevent security threats and abuse. If used alone, cookies and web beacons do not personally identify you.

Use of Cookies

What is a Cookie?

A cookie is a small amount of data, which often includes a unique identifier that is sent to your computer or mobile phone (referred to here as a “device”) browser from a website’s computer and is stored on your device’s hard drive. Each website can send its own cookie to your browser if your browser’s preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other websites. Many websites do this whenever a user visits their website in order to track online traffic flows.

How do we use Cookies?

Information supplied by cookies can help us to analyse the profile of our visitors and help us to provide you with a better user experience. For example, if on a previous visit you went to our blog pages, we might find this out from your cookie and highlight similar stories on your second and subsequent visits.

Third Party Cookies

Please note that during your visits to our website you may notice some cookies that are not related to directly to us. When you visit a page with content embedded from YouTube, or one which has a “Share” button, you may be presented with cookies from these websites. We have no control of these cookies and you should check the third party websites for more information about these.

Don’t want us to use cookies?

We will not use cookies to collect personally identifiable information about you. However, if you wish to restrict or block the cookies which are set by this site, or indeed any other website, you can do this through your browser settings. The Help function within your browser should tell you how.

Alternatively, you may wish to visit www.aboutcookies.org which contains comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your computer as well as more general information about cookies. For information on how to do this on the browser of your mobile phone you will need to refer to your handset manual.

Cookies used by https://www.bennettpotatoes.co.uk

_utma, _utmb, _utmc, _utmz We use Google Analytics to monitor traffic levels, search queries and visits to this website. Google Analytics stores IP address anonymously on its servers in the US, and neither Bennett Potatoes or Google associate your IP address with any personally identifiable information. These cookies enable Google to determine whether you are a return visitor to the site, and to track the pages that you visit during your session.