Leep Utilities Privacy Notice Policy
The first principle of data protection in the GDPR states that personal information must be processed fairly and lawfully. For the processing to be fair, the Controller (the organisation in control of processing the data) must communicate certain information to the individual whose data is being collected. This applies whether the personal information was acquired directly from the individuals, or indirectly via a third party.
The GDPR also states that the information provided to people about how the organisation processes their personal data must be:
· concise, transparent, intelligible and easily accessible
· written in clear and plain language, particularly if addressed to a child
· provided free of charge
The Privacy Notice (PN) delivered to the individual is the vehicle for communication and is an important element of “fair” processing, describing who the organisation is and what is being done with the data. However, providing a PN does not by itself mean that the processing is necessarily fair. The organisation must also consider the effect of collecting, holding and processing their personal data on the individuals concerned.
Fairness must, therefore, also include:
· using information in a way that individuals would reasonably expect
· considering the impact of the processing and whether it will have any unjustified negative effects on them
The way in which the PN is delivered will depend on the way in which the data is collected, from a paper form to an email or online privacy settings.
It is the policy of Leep Utilities and its subsidiary companies (Leep) to fully comply with the GDPR, and other applicable legislation, in relation to the use of PNs to inform individuals of the use of their personal information, and of their rights.
2. Collecting Personal Data
Personal data acquired to manage the business operation can be obtained either directly from the individuals or indirectly, for example from an agency selling prospect lists or social media data. In both cases, we will deploy a PN. The organisation must be certain that all individuals have all the information and, where applicable, document its justification for not communicating a PN.
Personal data can be collected directly, for example in the following circumstances where an individual person can be identified:
· Through a telephone call, which may also be recorded and securely stored
· Via an online form
· Through a paper form
· From an email
In these cases, the PN will be provided at the point of collection.
Where personal data is not acquired directly, there are some additional circumstances whereby the PN information does not necessarily have to be provided, such as:
· If it is impossible to provide the information, or it would require disproportionate effort
· If it is covered by other applicable laws that protect the interests of the individual
· Where the data is legally confidential
Again, and as above, the justification for not deploying a PN will be documented.
Where personal information is collected from a third party, the privacy information (PN) will be delivered to the individuals:
· Within a reasonable time; maximum one month after acquiring it
· If used for communication, at the latest when the first communication takes place
· At the point where the information is disclosed to another recipient
3. The Privacy Notice
The table below summarises the information that we will provide, within the timeframes stipulated, for data collected directly and indirectly. It will be fine-tuned according to the nature of the personal data processing activities. In all cases, we will ensure that the PN:
· uses clear, straightforward language
· has a simple style and language that individuals find easy to understand, in particular vulnerable groups like children
· avoids complex terminology and legal terms
· does not assume that all citizens share the same level of understanding of the service as the business
In order to define exactly what specific information Leep needs to communicate for a specific processing purpose, we carry out a data mapping exercise. This identifies:
· what information is held that constitutes personal data
· what we do with the personal information we collect, hold and process
· what data are required to carry out these processes
· whether we are collecting the information we need
· whether we are creating data about individuals, for example by building profiles of their behaviour and habits
· whether we are transferring data to third countries and the controls we have put in place to protect this data
· whether it is likely that other things will be done with the data in future, so that we can anticipate requirements that can be built into the PN
If there is doubt, we will take an approach that gives more, rather than less, information on the PN than may appear to be required. This ensures a fair and transparent approach that maximises trust and minimises the risks associated with non-compliance.
4. Communicating the Privacy Notice
The PN will be delivered in any one of a number of ways to provide the privacy information required, depending on the way in which the data is collected. For example:
· Verbally - face to face or on the telephone (where it should also be documented)
· In writing - letters, forms, advertisements, application forms
· Electronically - text messages, emails, interactive forms on websites, mobile apps
· Through signs - for example, a public information poster relating to CCTV monitoring
We follow best practice and use the same method to deliver the PN as is used to collect the personal data. For example, when information is collected through a website form, an email link to a PN will be sent, so the two activities can be combined.
Where we are constrained by the space on our website, email or paper form, we may find it appropriate to take a multi-layered approach. In this scenario, the key privacy information is delivered in a short PN, with links to the full version. The information that appears first in a PN usually relates to the identity of the organisation, what data is being collected and for what purpose.
Leep also designs PNs in accordance with the medium used by the individual. In the case of mobile phones and tablets, the PN will still be clear and readable and fit on the screen. We will use responsive web design to help us achieve this aim by changing the information on the screen according to the device used. A layered approach, with privacy information headings that link to greater detail, will also be considered in such cases.
Where we share data with a Joint Controller, we will ensure that contractual agreements are in place to ensure that each party is aware of its obligations around delivering privacy information to the citizens whose data are shared, in accordance with GDPR.
5. Updating Privacy Notices
Leep regularly reviews its PNs to ensure that they reflect new and modified processing activities, as well as changes in legislation. PNs are updated following these reviews.
If the nature of the processing changes and this change was not included in the original PN, we will contact the individuals in question to actively seek their consent and update the PN. This applies, for example, if we have assured individuals that we will not share information with a third party but now wish to do so.
In particular, where personal data is already processed for individuals who did not receive privacy information when the data was collected, we will provide the PN retrospectively.