1.1 As part of the function of this Website eShop, the IKC is required to receive and process relevant Personal Data for customers that is related to the ordering and shipping of merchandise.
1.2 This policy sets out the IKC’s commitment to protecting the Personal Data of its clients, and particularly, how it ensures that IKC staff understand how to handle data they have access to, as part of their work when managing orders.
1.3 There are no customer accounts on this IKC eShop. Personal Data must be entered for each order, which helps to promote Data Protection.
1.4 This policy applies to anyone who has access to Personal Data that is controlled or processed by or on behalf of the IKC. This includes, but is not limited to, IKC employees and IKC members.
1.5 This policy applies regardless of where the Personal Data is held or whether it is held manually or electronically.
1.6 “APA” means Privacy Act, 1988 (Aust).
1.7 “DPA” means Data Protection Act, 1998 (UK).
1.8 “Data Sharing Agreement” means an agreement that sets out the framework for the sharing of Personal Data.
1.9 “GDPR” means General Data Protection Regulation, 2016 (EU).
1.10 “Information Governance Team” means persons designated by the IKC to oversee data protection compliance.
1.11 “Personal Data” means any data or information, in paper or digital format, relating to a living individual. It includes, but is not limited to, names, contact details, financial details, as well as Sensitive Personal Data. It does not include information that is already in the public domain.
1.12 “Personnel” means IKC employees, IKC members or anyone else who obtains Personal Data that is controlled or processed by or on the behalf of the IKC.
1.13 “Privacy Impact Statement” means an analysis of the likely impacts of a project upon the privacy rights of individuals.
1.14 “Sensitive Personal Data” is defined in the DPA and includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership as well as criminal records and proceedings.
1.15 “Subject Access Request” means a request by an individual for access to Personal Data.
1.16 “Processing” or “processed” in relation to information or data, means obtaining, recording or holding the information or data or carrying out an operation or set of operations on the information or data, including:
1.16.1 Organisation, adaptation or alteration of the information or data;
1.16.2 Retrieval, consultation or use of the information or data;
1.16.3 Disclosure of the information or data by transmission, dissemination or otherwise making it available; or
1.16.4 Alignment, combination, blocking, erasure or destruction of the information or data.
Data Protection Principles
1.17 The IKC will comply with the DPA and GDPR principles as well as the Information Privacy Principles of the APA.
1.18 Any Personal Data received by this IKC Website will be used solely for the Website’s internal database, and other lawful purposes.
1.19 The IKC will not disclose, sell or share any Personal Data with any third party or external agency on any occasion without the express consent of the individual to whom the Personal Data relates.
1.20 For the purposes of GDPR, the IKC will ensure that Personal Data is:
1.20.1 Processed fairly and lawfully and in a transparent manner;
1.20.2 Obtained for one or more specified, explicit and lawful purposes;
1.20.3 Adequate, relevant and only limited to what is required;
1.20.4 Accurate and where necessary, kept up to date;
1.20.5 Not kept in a form which permits identification of data subjects for longer than is necessary;
1.20.6 Processed in accordance with the rights of data subjects;
1.20.7 Processed in a manner that ensures appropriate security of the Personal Data; and
1.20.8 Not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of Personal Data.
1.21 The IKC will comply with general requirements under the DPA and GDPR, including that:
1.21.1 Personal Data should only be accessed by those who need to, for work or legitimate business purposes;
1.21.2 Personal Data should not be divulged or discussed except when performing normal work duties or providing normal professional service;
1.21.3 Personal Data must be kept safe and secure at all times, including at the office, public areas, home or in transit;
1.21.4 Personal Data should be regularly reviewed and updated; and
1.21.5 Queries about data protection, internal and external, to the IKC must be dealt with effectively and promptly.
1.22 The IKC will take appropriate technical and organizational steps to ensure the security of Personal Data.
1.23 All Personnel (who are known to the IKC) will be made aware of this policy and their duties under the DPA.
1.24 The IKC and all Personnel are required to respect the Personal Data and privacy of others. They must ensure that appropriate protection and security measures are taken against unlawful or unauthorized processing of Personal Data, and against the accidental loss of, or damage to Personal Data.
1.25 An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, Personal Data must be stored in appropriate systems.
1.26 Personal Data may need to be shared with other organisations in order to deliver services or perform our duties. This can only be done where we have permission or there is a legal obligation for us to share.
1.27 Personal Data can be shared within the IKC or with other third parties and the sharing can be:
1.27.1 “Systematic” or routine information sharing where there is an established purpose; or
1.27.2 “Exceptional” or one-off decisions, for example in conditions of real urgency.
1.28 Data Sharing Agreements should be completed when setting up ‘on-going’ or ‘routine’ information sharing arrangements with third parties. They are not needed when information is shared in one-off circumstances but a record of the decision and the reasons for sharing information should be kept.
1.29 All Data Sharing Agreements must be signed off by a member of the Information Governance Team. The IKC will keep a register of all Data Sharing Agreements.
2 Privacy Impact Assessments
2.1 Privacy Impact Statements will be completed in the following situations that involve Personal Data:
2.1.1 At the beginning of a new business project or when implementing a new system that may affect the processing of Personal Data;
2.1.2 Before entering into a Data Sharing Agreement; and
2.1.3 When major changes are introduced into a privacy system or process.
3 Subject Access Requests
3.1 The IKC recognizes that access to Personal Data held about an individual is a fundamental right provided in the DPA.
3.2 The IKC will ensure that all requests from individuals to access their Personal Data are dealt with as quickly as possible and within the timescales allowed in relevant legislation.
3.3 Individuals must submit Subject Access Requests in writing (including by electronic methods) and provide any necessary proof of identification and required fee as part of the request.
4.1 Anyone who feels that the IKC has broken data protection law in any way can file a complaint. Examples of this are when they believe their information has not been obtained fairly, it has not been handled securely or they have asked for a copy of their information and they are not happy with the IKC’s response.
4.2 The IKC will endeavour to ensure that all Personal Data held in relation to an individual is accurate. Individuals who consider that data is inaccurate or out of date may also request, in writing, that the information be corrected or erased. They will receive a written response indicating whether or not the IKC agrees and if so, the action to be taken. The IKC will rely on individuals to provide accurate and complete Personal Data when completing any forms on this Website or otherwise providing information to IKC or Personnel.
4.3 Individuals can also ask the IKC to stop handling their Personal Data if they believe this will cause them harm or distress. The IKC will act reasonably in relation to such requests.
4.4 Data Protection training is important so that all Personnel understand their responsibilities.
4.5 All IKC employees (including temporary employees) will receive mandatory internal training annually.
4.6 Other Personnel are encouraged to attend online training.
4.7 Serious breaches of this policy caused by deliberate, negligent or reckless behaviour could result in disciplinary action and may even lead to criminal prosecution.
4.8 Where those breaching this policy are not employees, this may be regarded as a serious breach of contractual obligations.
4.9 The IKC has established an Information Governance Team.
4.10 Information Governance Team comprises the IKC President, IKC Registrar and any officer or member of IKC to whom data protection functions are delegated from time to time.
4.11 Information Governance Team has direct responsibility for coordinating the maintenance and review of this policy annually.
4.12 Reviews will take into account changes in legislation, best practice, lessons learnt and may be in consultation with any relevant IT service providers or industry professionals.
Further Information and Guidance
4.13 Enquiries regarding this policy should be directed to the Information Governance Team by using any of the contact details of the IKC set out in its websites.