Data protection policy

Introduction

The EU General Data Protection Regulation has been incorporated in UK legislation by the Withdrawal Act as the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018 and 1998.

Scope

The UK GDPR applies to ‘data controllers’: any person who processes personal data, including third party companies acting on behalf of Words of Wonder Ltd. It also applies to ‘data subjects’: the individuals to whom the data relates. As a company, we are responsible for meeting the UK GDPR obligations and have committed to adopt the best practices of the UK GDPR.

Words of Wonder Ltd is registered with the Information Controller’s Office (ICO), with Data Protection Act Register number CSN8608780.

While responsibility for ensuring confidentiality and protection of data held by Words of Wonder Ltd lies with all staff, the Director of Words of Wisdom Ltd has overall responsibility for implementing measures to ensure compliance with the UK GDPR. This includes carrying out Data Protection Impact Assessments, and assigning and overseeing the execution of all tasks and responsibilities derived therefrom.

Personal data

Personal data consists of information which relates to an individual who can be identified from that information.

As part of its work, it is essential that certain personal information is available to Words of Wonder Ltd. The company therefore captures and processes personal data, in accordance with UK GDPR regulations. Words of Words Ltd is transparent about how, why and when that data is collected, processed and transferred, as required by this legislation (and its ethical foundation in terms of the right to privacy). We only request, store and share personal data where there is a relevant legal basis and operational requirement. 

We seek consent in respect of all personal data held, stored or shared by the company about any person (employee or engaged personnel; partner, client or their affiliates; fan, follower or other persons or entity interested in our work). Where a data controller wishes to process existing data for a new purpose, that person or entity (‘data subject’) is notified and further approval sought.

The company, and others acting on its behalf, will collect, retain and process information about employees and other personnel. The type of information which we may obtain and store about employees and other personnel includes (but is not limited to) name, dates of birth, gender, next of kin, home and email address and other contact information. In the case of other data subjects (e.g. fans, supporters, or others who take an interest in our work), we only collect names and email addresses.

The types of information we obtain and store, and who has access to this information, are documented in the Data Register. This information will be used for payroll and personnel management purposes in connection with each individual’s engagement with the company. An expanded data set (to include information as to disability status, religious or ethnic affiliation) may be obtained and used to monitor compliance with equal opportunities and non-discrimination legislation. Personnel data held may be validated and updated from time to time, to ensure accuracy. Employees who become aware of a material change to this data, such as maiden names, home address, next of kin or any contact phone numbers, should notify the Data Controller (or their delegate) as soon as practicable.

Data subjects have the right to exclude themselves from a decision-making process by ‘automated processing’ where the decision significantly affects them (recruitment, triggers for sickness/absence, attendance bonuses, shift rostering, employee monitoring). Where exceptions are made, additional safeguarding such as the right to human intervention applies.

Data may be sourced from social media sites in respect of employees or third parties only where there is a legitimate and lawful reason for so doing.  We may also collect and store data on any other persons associated with carrying out our business, including recruitment and/or training programmes. Any information stored will be verified as correct and will be regularly audited for accuracy by the Data Controller.  

These same principles of legitimacy, proportionality and legality of data sourcing, and of validation for accuracy (including through regular auditing), apply to cross border third party service providers as appropriate under EU GDPR and the UK GDPR regulations.

Data security

A data breach is a breach of security leading to destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. It may include a breach of data protection principles, conditions for consent, the rights of data subjects, and international data transfers. All breaches identified must be documented and reported immediately, and not later than 72 hours after becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals. Significant fines can be applied if this is not done, therefore any data breach must be reported to the Data Controller as soon as possible.

To limit the likelihood of data breaches, Words of Wonder Ltd utilises best practice security measures within its technical and IT policies. The company’s Technical Programme Manager maintains these measures and supports all staff and engaged personnel in using them.

Confidentiality

All data or information stored or processed on our systems, or transmitted within or from the company (e.g. e-mail, voice-mail), is considered company property, to the extent that it may be accessed, read or monitored as part of business operations. It must, however, remain within the company, as a confidential resource. This means that anyone with access to our IT resources must act to ensure the confidentiality and appropriate use of any accessible data. This includes being aware of the security requirements of equipment where such information may be held or displayed, and protecting any access rights (such as passwords).

Privacy

All staff and engaged personnel have ethical and legal responsibilities to respect the right to privacy. This means that no person engaged with Words of Wonder Ltd may disclose personal information that is not their own. Disclosure of confidential information to unauthorised persons or entities, or the use of such information for self-interest or advantage, is strictly prohibited, as is access to non-public areas of any network drive without the consent and knowledge of the Data Controller. Breaches will be treated severely under the company’s disciplinary rules.

All users of our IT resources are advised to consider the open nature of information disseminated electronically, and should not assume any degree of privacy or restricted access to such information. We strive to provide the highest degree of security when transferring data, but cannot be held responsible if these measures are circumvented and information is intercepted, copied, read, forged, destroyed or misused by others.

Though it is not our intention to monitor Internet and e-mail communications, or access data files held by an employee or engaged personnel, the company reserves the right to do so at any time, including, where necessary, without first requesting permission. This right is reserved because it may be a necessary measure to ensure business continuity in the case of the illness or departure of personnel; to enable investigations pursuant to disciplinary action; or on the request of a Government Agency, as a result of litigation against an individual or the company. For the same reason, the company also reserves the right to read and/or delete any data stored on company owned or leased equipment. Staff and engaged personnel should therefore be aware that they have no right of privacy in respect to Internet and e-mail communications, or data stored on company owned or leased equipment.

It should be noted that any such access to data or communication would be exceptional, based on force majeure to ensure business continuity, legal or ethical compliance. Normally, no such monitoring or access would occur, and permission to do so would be sought.

 

 

Annex: Privacy Notice

What information we collect, use, and why: We collect and use personal information limited to names and (email) contact details for the purpose of sharing information updates, or marketing purposes. 

Lawful bases and data protection rights: Under UK data protection law, we must have a ‘lawful basis’ for collecting and using your personal information. Possible lawful bases are provided in the UK GDPR (General Data Protection Regulation). You can find out more about these lawful bases from the Information Commissioner’s Office (ICO), here. You can also find out more about your data protection rights and the exemptions which may apply, from the ICO. Here is a summary of your data protection rights, as they relate to Words of Wonder Limited:

  • Your right of access: You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which mean you may not receive all the information you ask for. You can read more about this right here.
  • Your right to withdraw consent: When we use consent as our lawful basis you have the right to withdraw your consent at any time. You can read more about this right here. If you make a request, we must respond to you without undue delay and in any event within one month. To make a data protection rights request, please contact us at: valentina@lucyturner.org

We have permission to collect and use your data on the basis of consent: you gave us the data. All of your data protection rights apply, except the right to object. You have the right to withdraw your consent at any time.

We retain your data for a period of three years, except if you ask us to delete it.

If you have any concerns about our use of your personal data, you can make a complaint to us by contacting valentina@lucyturner.org. If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

 

  

Updated: January 2025

Date of next review: January 2027