Fir Tree Fishery CIC Data Protection Policy
The EU General Data Protection Regulation (GDPR) is effective from 25th May 2018. GDPR signals the single biggest change in data protection in decades in that it replaces the Data Protection Act (DPA) 1998.
The main GDPR Principles
The data protection principles, as set out in the DPA, remain but they have been condensed into six as opposed to eight principles. Article 5 of the GDPR states that personal data must be:
- Processed fairly, lawfully and in a transparent manner in relation to the data subject.
- Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form that permits identification of data subjects (usually members of the public) for no longer than is necessary for the purposes for which the personal data is processed.
- Processed in a way that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The principles are flexible and do not prevent effective working. Personal data can be obtained, used, shared and kept to provide services and to look after our clients’ interests.
This policy sets out how GDPR and other data protection legislation applies to Fir Tree Fishery CIC and sets out some specific measures to assist compliance.
Summary of Specific Measures
- We have a nominated accountable person for managing information risk and for controlling the use, protection, sharing and timely disposal of personal information. Our SIRO (Senior Information Risk Officer) is Ms. Shirley Parkinson.
- We will ensure that all our staff attend training on data protection.
- All staff will report all losses, suspected losses, thefts or breaches of security involving personal data to the SIRO as quickly as possible.
- We will undertake a Data Protection Impact Assessment (DPIA) on existing and new projects and processes which involve the use of personal data, or on significant changes to existing ones. In certain cases it may be necessary to undertake a DPIA for ‘high risk’ data processing.
- We will take steps (where practical) to anonymise personal data to mitigate the impact of data security breaches.
- We will undertake data protection audits and keep an information asset register. This will help us to apply the Data Protection Principles and maintain compliance in our everyday practice.
Responsibility & Professional Conduct
Fir Tree Fishery CIC holds information about our employees and service users. We are required to protect the personal data that we use, and make everyone aware of their legal obligations. The use of personal data must be fair, legal and proportionate. Staff cannot use personal data obtained at work for their own purposes. It is a criminal offence to knowingly or recklessly disclose personal data and information without explicit and purposeful permission. Anyone who uses, discusses or discloses personal data held by Fir Tree Fishery CIC without lawful authority may be committing an offence.
Staff who knowingly disclose or misuse data for their own purposes, or who knowingly ignore the requirements of this policy may face disciplinary action, regardless of any possible criminal sanction. This could lead to dismissal in some cases.
Under GDPR, fines can be issued where an organisation cannot demonstrate compliance with any of the principles. Fines could be up to €20 million.
Our named SIRO is the officer responsible for data protection compliance and the primary point of contact for all data protection issues. The SIRO has the responsibility to ensure that all required information, copyright information and school licences concerned with data protection are up to date.
The SIRO will ensure that staff understand and comply with this policy and raise their awareness of good practice in relation to data protection. All staff are reminded of their duty on the first INSET day of each new academic year. Setting the expectation of putting policy into practice also forms part of the induction programme for new members of staff.
Managers are responsible for regularly reviewing data protection procedures and guidelines within their immediate team.
The following expectations apply to all staff:
- To refer to and use this policy to assist with identifying how data subjects’ rights can be appropriately exercised.
- Always to process the personal information of any individual in accordance with the six principles of the Act.
- To keep personal data securely for appropriate retention periods.
- To implement the following security measures to protect personal data:
- ‘Logging off’ from a computer if it is left unattended.
- Not sharing passwords with other members of staff, friends or family if they can then access the personal information of others.
- Changing passwords at least once every half term.
- Putting an encryption password on confidential files sent by email as an added security measure.
- Ensuring that confidential records are locked away securely.
- Ensuring that personal data is never stored on mobile devices.
- Not leaving pupil/personal information in sight of others.
- Not using ‘copy & paste’ approaches when developing reports or documents that contain sensitive information.
- Ensuring key pad doors are always shut to prevent access to data by prohibited parties.
- Making clear on email and letter correspondence whether or not the information is confidential to named parties only.
- Storing sensitive data in secure cabinets, which are locked when unattended.
- Ensuring that any internal / external investigations that are deemed confidential are not discussed with others outside of the formal meeting.
- Ensuring that all data, physical or electronic, is disposed of securely.
Fir Tree Fishery CIC Website
The Fir Tree Fishery CIC website shows a range of work, is a source of information and helps us to develop links with the wider community. Safety issues associated with the website have been considered and put into practice.
- Care has been taken to protect the identity of pupils: where a child’s image appears, the name should not, and vice versa.
- Permission is obtained before using images on the website. Consent will be gained from the young person (13yrs plus) and the parent / carer.
- Members of staff have the option of having their photograph included.
Fir Tree Fishery CIC will inform our employees and clients when we record information about them, unless there is a specific legal reason for not doing so. Any process involving the collection and use of personal data must conform to the GDPR principles. Staff must ensure that the use of personal data meets these conditions.
If third parties provide personal data to us, our staff should inform the person concerned unless there is a valid legal or safety reason not to do so.
Consent (of our employees and clients) is fundamental to compliance with GDPR and staff should ensure that consent is “Opt-in” with an option for consent to be withdrawn at any time. One caveat to this however is that where data processing is for a statutory purpose, consent will not be required.
The Data Protection Act 2018 lowers the age at which a child can provide consent (to data processing) from 16 to 13 years. It is essential that staff ensure that any necessary parental consent is obtained where appropriate.
Informed consent for data collection means that a client clearly understands why their information is needed, who it will be shared with and the possible consequences of agreeing to or refusing the proposed use of the data, and then gives their consent.
Fir Tree Fishery CIC will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person or by completing a form.
When collecting data, FTF will ensure that the client:
- Clearly understands why the information is needed
- Understands what it will be used for and what the consequences are should the client decide not to give consent to processing
- As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed
- Is, as far as reasonably practicable, competent enough to give consent and has given it freely without any duress
- Has received sufficient information on why their data is needed and how it will be used
Fir Tree Fishery CIC may share data with other agencies such as the local authority, funding bodies and other voluntary agencies. Clients will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows us to disclose data without the data subject’s consent, for example: carrying out a legal duty, protecting the vital interests of a client or other person, or monitoring for equal opportunities purposes (i.e. race, disability or religion).
Fir Tree Fishery CIC intends to ensure that personal information is treated lawfully and correctly.
Fir Tree Fishery CIC will, through appropriate management and strict application of criteria and controls:
- Observe fully conditions regarding the fair collection and use of information
- Meet its legal obligations to specify the purposes for which information is used
- Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements
- Ensure the quality of information used
- Ensure that the rights of people about whom information is held can be fully exercised under the Act. These include:
  - The right to be informed that processing is being undertaken
  - The right of access to one’s personal information
  - The right to prevent processing in certain circumstances and the right to correct, rectify, block or erase information which is regarded as wrong
- Take appropriate technical and organisational security measures to safeguard personal information
- Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information
- Set out clear procedures for responding to requests for information
Client forms and the way we gather information
Fir Tree Fishery CIC will ensure that any form or process we use to gather information will include a simple explanation about why that personal data is needed, and what we will do with it. Our Privacy Notice explains where data will be shared and the purpose for this.
Record Keeping & Storage
Fir Tree Fishery CIC will ensure that it has adequate records management procedures, including measures to ensure that records about our employees and clients are fair, accurate, up-to-date and not excessive. These must be secure, traceable and accounted for at all times. We will maintain and operate a retention and disposal schedule as part of our Records Management. Our records will be disposed of securely in accordance with the disposal schedule. Records management applies equally to paper and electronic records including emails.
It is the responsibility of Fir Tree Fishery CIC to ensure that all personal and company data is non-recoverable from any computer system previously used within the organisation that has been passed on or sold to a third party.
Data Access and Accuracy
All clients, young people and employees have the right to access information that FTF holds about them. The right of access, commonly referred to as a subject access request (SAR), gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why we are using their data, and to check that we are doing it lawfully. Our privacy notice provides details of why we are using their data, who we share it with and the legal conditions for doing so.
If a client, young person or employee wants to access their information they can contact our SIRO to undertake this request. We will do this within 28 days and it will normally be free of charge. If, however, the request is deemed to be excessive, or multiple copies of information are asked for, we will apply a modest charge to cover the administrative costs.
Fir Tree Fishery CIC will also take reasonable steps to ensure that personal information is kept up to date by asking data subjects whether there have been any changes.
Need to Know
Fir Tree Fishery CIC will ensure that access to personal data is only available to those who need it. If access to data is needed only some of the time, it should only be available some of the time. Data should be used when necessary, and not purely because it is convenient to do so. This applies to all of our staff.
Complaints about Personal Data
If any employee, client or young person identifies errors or inaccuracies in the data we hold about them, or points out unfair uses of their data these will be rectified immediately. We will immediately implement recommendations or instructions received as a result of an assessment or decision made by the Information Commissioner unless the SIRO believes the assessment to be incorrect.
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Legislation.
In case of any queries or questions in relation to this policy please contact our SIRO:
Enforcement of GDPR & the Data Protection Act
If an individual believes they have been the victim of a breach of the Data Protection Act they can complain to the ICO. The ICO will make a judgement as to whether it is ‘likely’ or ‘unlikely’ that the Data Protection Act has been breached. They can be contacted by the following means:
Tel: 0303 123 1113
Fax: 01625 524510
By Post: Head office
Information Commissioner’s Office
Cheshire SK9 5AF
Breach of the Data Protection Policy
Breach of this policy will result in disciplinary action for misconduct or gross misconduct, due to the importance of the Data Protection Act.
This policy will be reviewed in March 2019.