Full policy, privacy statement and fair processing notice
Temple Consultants (Nottingham) Limited
Euan Temple is the data controller of the Personal Data collected
by us.
In this Privacy Policy, references to "we", "us" or "our"
mean Temple Consultants (Nottingham) Limited. References to "you" and "your"
are to users of our Website and to clients and staff.
All of these disclosures may involve the transfer of
Personal Data to countries or regions without data protection rules similar to
those in effect in your area of residence.
This website may, from time to time, contain links to other
websites which are provided for your interest and convenience. We are only
responsible for our own privacy and security practices and suggest that you
check the privacy and security policies and procedures on each website you
visit.
The law requires us to tell you about your rights in regard
to processing and control of your Personal Data. We do this now by requesting
that you read the information provided at www.knowyourprivacyrights.org.
A. APPLICATION OF OUR PRIVACY POLICY
This Privacy Policy describes how we collect, use and otherwise
handle "Personal Data" we receive from you when you use this Website and use
our services. It explains the circumstances in which we may transfer this to
others.
"Personal Data" is information about you which can be used
alone, or combined with other information, to identify you personally. Where we
refer to the fact that Personal Data Processing is necessary for the purposes
of our Legitimate Interests, we will have assessed and checked before
processing that those interests of ours are not overridden by your interests or
by your fundamental rights and freedoms and you may object at any time, see
section J below.
Our Privacy Policy must be read together with any other
legal notices or terms and conditions available on other pages of our Website.
B. HOW, WHEN AND WHY DO WE COLLECT AND USE PERSONAL DATA?
1. Legal grounds for collection of your Personal Data
We will only collect, use, retain and destroy your Personal Data
when:
• it is necessary for our Legitimate Interests, in
particular:
  • responding to your queries;
  • carrying out direct marketing;
  • providing services and/or information to you and for you;
  • transmitting Personal Information between staff for
  internal administration purposes;
  • providing technical support to you;
  • preventing and detecting fraud and other criminal offences;
  and/or
  • ensuring network and information security,
as long as, in each case, these interests are in line with
applicable law and your legal rights and freedoms;
• where you have given consent for processing your data for
one or more specific stated purposes; and/or
• where this is necessary for compliance with Legal Obligations
which apply to us; and/or
• where this is necessary for the performance of our
contract with you.
2. How we collect your Personal Data
Contact Forms - we may collect your Personal Data which
you provide when you fill in forms on our Website / in correspondence / face to
face with us. This may include, for example, your name, position, company,
contact details (such as business and personal emails, telephone number and business
/ home address), contents of your business card, and your personal
preferences, choices and requirements specific to particular requests or
services. In order to provide you with our services, we may collect Personal
Data about you from telephone conversations, emails, SMS’s, and written and
verbal communications. We may supplement the information that you provide, with
other information that we obtain from our dealings with you.
Where permissible under applicable local laws, we may
combine information that you have provided to us with other information that we
already hold, or may come to hold, about you and which we have collected for
our Legitimate Interests.
We may also require your payment details to facilitate the
collection of authorised payments, and/or process any refunds due to you,
and/or to repay any residual balances to you.
We would usually expect to keep a record of your contact
details and details of any services we provide to you.
We may also record (provided we have your prior explicit
consent) details of any disability, health needs or dietary requirements (ie
Special Categories of Personal Data) that you may have at the time of booking a
place or accepting an invitation to one of our events to enable us to ensure
your safety.
How we use your Personal Data
We may use any Personal Data that you provide to us in a
way that is adequate, relevant, and not excessive:
* where legally required or permitted for specific stated purposes
made clear at the point of collection; and/or where we otherwise have legal
bases for collection and use of your Personal Data as explained in more detail
above.
* Personal Data may also be disclosed to law enforcement,
regulatory, or other government agencies, or to other third parties, in each
case to comply with legal or regulatory obligations or requests.
* Personal Data may be used to respond to your queries,
and/or provide our services and/or information that you have requested.
If you choose not to provide Personal Data requested by us,
we may not be able to provide you with the information and/or services you have
requested or otherwise fulfil the purpose(s) for which we have asked for the
Personal Data. Aside from this, your access to our services will remain
unaffected.
• Events - if you register for one of our events, we
will share your name, professional title and your business’s name with other
people that are attending the same event, if you have signed a consent form to
that effect.
• Marketing Opt-In – where you have provided us with
your contact details, and have opted in to receive marketing or professional information
from us, we may contact you by telephone, by email, by SMS, or by post, for any
of these purposes relating to our services, our Website, proposed or actual legal
or business developments and/or to research opinions on any of these where
legally permitted to do so. We will only contact you for these purposes where
you have opted in to this. Your agreement to the use of your Personal Data for
these purposes is optional and if you fail to provide your consent, your visit
to and use of our services will not be affected.
Opt-in must cover both your particular organisation and the
type of communication you want us to use (eg call, automated call, fax, email,
text).
Opt-in must involve some form of positive action – for
example, ticking a box, clicking an icon, sending an email, or subscribing to a
service – and you should fully understand that you are giving us consent.
Marketing Opt-Out – if you have opted in, you are
entitled to opt-out from receipt of marketing communication at any time and
free of charge by using the contact details provided in this Privacy Policy or
by using the "unsubscribe" option included in any marketing e-mail or other
marketing material received from us.
Children's privacy protection
We understand the importance of protecting children's
privacy in the interactive online world. It is not our policy to collect or
maintain intentionally any information (including photographs) about anyone
under the age of 16 without the express specific consent of the parent or
guardian.
C. HOW LONG DO WE RETAIN PERSONAL DATA? WHEN IS IT
DELETED?
It is our policy to retain your Personal Data for no longer
than absolutely necessary and only for the length of time required for the
specific purpose or purposes for which it was collected after which it will be
deleted. However, on occasion we may be obliged to store some data for a longer
time, for example, where a longer time period is required by applicable laws.
In this case, we will ensure that your Personal Data will continue to be
treated in accordance with this Privacy Policy.
After finishing your case, we will store files and any
other papers about it for whatever time period we consider reasonable in the
circumstances; or as we have to do by law or any regulatory authority;
whichever is longest.
This destruction policy does not apply to any papers that
you ask us to hold or return to you (as long as you have paid all charges and
expenses due to us). We will not destroy title deeds, tax records, wills and
probates, original trademarks, registered designs or Companies House
certificates or similar items or documents if you ask us to keep them in safe
custody.
D. HOW AND WHEN DO WE SHARE PERSONAL DATA WITH THIRD
PARTIES?
1. Some services that we provide require the involvement of
third parties. We have carefully selected these third parties and taken steps
to ensure that your Personal Data is adequately protected.
2. Sharing within our organisation
Where you ask or indicate that we should do so (e.g. in an
online form) or where we are otherwise legally permitted to do so in accordance
with this Privacy Policy, we may share the information with such of our staff
and affiliates as need to see it. We may use the information you provide to us
in relation to your matters and for our administration.
When we intend to use your Personal Data for a new purpose,
we will let you know about this.
3. Sharing with Service Providers
a) Unless otherwise provided in our Privacy Policy or our
Terms of Use, we will not sell, rent or trade or make your Personal Data
commercially available to third parties without your express written consent.
We will only pass your Personal Data to other third parties in accordance with
* this Privacy Policy,
* our Terms of Use Policy,
* any other terms and conditions of supply (ie, our letter of
engagement and terms of business),
* third party service providers,
* our own professional advisers who are bound by
confidentiality codes, and
* when we are legally obliged by law or by any appropriate
regulatory authority to disclose your Personal Data including, where necessary,
for the purposes of preventing and detecting fraud, other criminal offences and/or
to ensure network and information security.
b) We will not normally share your Personal Data with any
other organisation, however, some of your chosen services and events may be
provided by or held at premises of third parties and we may need to provide
limited information to them to enable you to take part.
c) We will keep all information about you, your business and
affairs confidential at all times unless you tell us to release information, or
we have to release information by law or any regulatory authority or we must
release information because of the nature of the work that we are carrying out
for you.
d) Personal Data may also be disclosed to other third
parties in order to respond to your requests or inquiries, as part of a
corporate transaction such as a sale, divestiture, reorganization, merger or
acquisition, or where those parties handle information on our behalf.
e) In order to carry out work for you, we may need to
collect information about you to pass to third parties (e.g. to HMRC, Companies
House, Banks, the Land Registry, payroll providers, the Court Service, other
service providers) for the purposes of supplying services to you. This may
involve the transfer of information outside the European Economic Area ("EEA").
We will let you know if we need to transfer your Personal Data to any third
party service providers located outside the EEA.
f) We may share your Personal Data with our third party
service providers based in the European Economic Area ("EEA") who we engage to
process the information that we collect from you, and/or to host and maintain
our Website, content or services, on our behalf and in accordance with this
Privacy Policy, including (but not limited to) payroll and call-answering
services.
g) Where we employ third party companies or individuals to
process Personal Data provided by us (and not collected by them), they only use
this Personal Data on our behalf and in line with our express written instructions
and this Privacy Policy. Occasionally, we may need to appoint other
organisations to carry out some activities on our behalf. These will include,
for example, courier services. In these circumstances, we will ensure that your
Personal Data is properly protected and that it is only used in accordance with
this Privacy Policy.
h) To provide a high-quality service to you, we do our best
to meet quality standards set by other organisations. So that we can make sure
that we keep to these quality standards, we use an external "auditor" to
occasionally assess our performance. When these audits take place, we need to
allow the external "auditor" to choose randomly a sample of files to audit. If
the external "auditor" chooses a file relating to your case, we will protect
your confidentiality.
4. Derogations
Despite paragraph 3(c),
i) we may make our file about your case available to an
external "auditor" subject to the following conditions.
* The external "auditor" has agreed in writing to keep the contents of your
case confidential.
* The external "auditor" has agreed in writing to use your file only to assess
our performance against quality standards.
* We will not allow the external "auditor" to take your case file off our
premises or to take any copies of documents.
ii) we may make documents and correspondence from your case
available to the court or other authority as appropriate, or someone it has
appointed, for it to assess a file.
iii) we may ask an external typing company to type up
letters and documents on your case.
iv) we may make your file about your case available to any
current or any future 'professional indemnity' insurers.
5. Anti-Money laundering regulations
The Anti-Money Laundering Regulations 2007 say we must, in
most cases, gather evidence of the identity of our clients.
As a result, we will or may do an independent computer
identity check on you with another service provider and we may ask you to show
us some form of personal or business documents (as required by the Regulations),
including photo ID, to check your identity.
The service provider who carries out the check will record
the fact that we have carried out a search and may also use the details from
our search in the future to help other companies confirm people's identities.
The service provider may also reveal your information to a
Credit Reference Agency to confirm your identity. That Agency may keep a record
of the search, but they will not carry out a credit check and your credit rating
will not be affected.
We use these third party search agencies to obtain
information about you for these purposes only.
E. DIRECT MARKETING
Changes in the law during the course of a matter
We may notify you of relevant changes in the law in the
course of a current matter as part of our contract with you. We do not regard
this as direct marketing but updating.
Matter reminders
We may send out reminders to you to send in information to
us to enable us to complete documentation for you in good time, e.g. a
Companies House return. The responsibility for filing your returns is yours,
but we assist with reminders as part of our contract with you. We do not regard
this as direct marketing but updating.
Direct marketing
If we are asking people to consent to receive direct
marketing for our products or services, then, in addition to the GDPR
requirements, specific rules apply to this under the Privacy and Electronic
Communications Regulations (PECR). We will have a separate unticked opt-in box
for this, prominently displayed as below.
Consent may not be needed under PECR to undertake direct
marketing by post mail but we consider gaining your Consent to do this is good
practice, treating post mail marketing in the same way as e-mail marketing.
The Telephone Preference Service (TPS) is a free service available
to you run by the Direct Marketing Association (DMA). It stops your telephone
number being available to organisations, including charity and voluntary
organisations, who may telephone you with sales or marketing calls.
It is our policy to send out a notice to contacts in the
following form, or in substantially the following form, when seeking your
consent for direct marketing.
Here at Temple Consultants (Nottingham) Limited we take
your privacy seriously and will only use your personal information to
administer your account and to provide the products and services you have
requested from us.
However, from time to time we would like to contact you
with details of other [specify products]/ [offers]/[services]/[competitions] we
provide. If you consent to us contacting you for this purpose please tick to
say how you would like us to contact you:
Post ☐
Email ☐
Telephone ☐
Text message ☐
Automated call ☐
I agree ☐
We would also like to pass your details on to other [name
of company/companies to which we will pass information]/[well-defined category
of companies], so that they can contact you by post with details of [specify
products]/ [offers]/[services]/[competitions] that they provide. If you consent
to us passing on your details for that purpose please tick to confirm:
I agree ☐
Dated………………….
F. PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS (PECR)
PECR cover several areas:
• Marketing by electronic means,
including phone, texts, emails and faxes or any other type of electronic
communication. PECR does not apply to postal mail marketing, but we apply
similar procedures.
• The use of cookies or similar technologies that track
information about people accessing a website or other electronic service.
It is our policy to comply with the PECR, which run
alongside the GDPR.
Obtaining consent for direct marketing by post
or electronic communication
* We use opt-in boxes, not pre-ticked
* We ask for your consent to pass details to third parties
for marketing and name those third parties
* We record when and how we got your consent, and exactly
what it covers
G. INTERNATIONAL TRANSFERS
The transfer of your Personal Data may involve your Personal
Data being sent outside the EEA, to locations that may not provide the same
level of protection as those where you first provided the information eg if
your Personal Data is held on "the cloud".
However, we will only transfer your Personal Information
outside the EEA:
• where the transfer is to a place that is regarded by the
European Commission, or appropriate supervisory data protection authority, as
providing adequate protection for your Personal Data; or
• where we have put in place appropriate safeguards, for
example by using a contract for the transfer which contains specific data
protection provisions that have been adopted by the European Commission or a
relevant supervisory data protection authority, or
• where you have consented to this, or
• there is another legal basis on which we are
entitled to make the transfer.
H. SECURITY
Our Website is hosted on servers in the EEA. We take the
security of your Personal Data seriously. We have strict procedures and
security features in place to ensure that our paper and computer systems and
databases are protected against unauthorised use, loss and damage and guarded
against access by unauthorised persons. Information storage is on secure
computers in a locked and certified information centre and Personal Data is
encrypted wherever possible.
We undergo periodic reviews of our security policies and
procedures to ensure that our systems are secure and protected. However, as the
transmission of information via the Internet is not completely secure we cannot
guarantee the security of your information transmitted to or from us.
I. Photographs of individuals
Staff
It is our policy not to ask for consent from our staff to be
the subject of photographs, but state that no photograph will be taken other
than for our Legitimate Interests insofar as these are not over-ridden by
fundamental rights and freedoms of staff. Staff may object at any time if that
is their wish.
Informal Photographs ("snaps") of an office summer outing
event (or an inter-office sports match) put on by the firm, showing staff
enjoying themselves are part of our Legitimate Interests, as are photos of a
member of staff for putting on our office website under ‘About the Team’.
Private photos by staff, only of each other and not
including clients, for exclusively private use, are not subject to this privacy
notice.
Clients and professional / business contacts ("contacts").
The key point is that all consent must be opt-in consent –
there is no such thing as ‘opt-out consent’. Clear affirmative action of
consent means the contacts must take deliberate action to opt in. There will be
separate tick boxes (not pre-ticked). It is our policy to give separate
"granular" options to consent separately to separate purposes, unless this
would be unduly disruptive or confusing. People may wish to consent to their
information being used for one purpose but not another.
Posed photographs with contacts eg in front of their
office after a great success, for a press release.
The parties in the photo must have provided clearly implied
consent to the processing for this stated purpose only. Not for our ongoing PR
unless that purpose is stated. It is our policy to keep consents under review
and refresh them if our purposes or activities evolve beyond what we originally
specified.
Posed photographs with contacts eg in front of their
office after a great success, for putting on our website.
The parties in the photo must have provided clearly implied
consent to the processing for this stated purpose only. Not for our ongoing PR
unless that purpose is stated. It is our policy to keep consents under review
and refresh them if our purposes or activities evolve beyond what we originally
specified.
Photographs of a hospitality event put on by the firm,
showing contacts and staff enjoying themselves.
a) "Taking" the photos
On arrival at the event, guests will call at the reception
desk for a name badge and should be asked to sign a sheet containing their
consents to having the photographs taken for the stated purpose.
b) "Using" the photos for press releases and/or the
website and/or storing them …the stated purpose(s).
On arrival at the event, guests will call at the reception
desk for a name badge and should be asked to sign a sheet containing their
consents to the use of the photographs ….for the stated purpose(s).
J. CONFIDENTIALITY
We acknowledge that the information you provide may be
confidential. We will maintain the confidentiality of and protect your
information in accordance with our Privacy Policy and all applicable laws.
K. YOUR RIGHTS
If you wish to:
• access, confirm, correct, rectify, update, supplement,
anonymise, block, restrict or delete your Personal Data;
• object to our use of your Personal Data;
• if you have any questions about our processing of your
Personal Data; or
• if you would like to transfer your Personal Data from us
to another person or business,
please contact us.
We will provide you with all rights in relation to your
Personal Data to which you are entitled under applicable law. If you are
unhappy with the way that we have handled your Personal Data, you can make a
complaint to the Information Commissioner’s Office responsible for data
protection in the UK. Contact details are typically available online, or
alternatively you may ask us for assistance.
L. CHANGES TO THIS PRIVACY POLICY
We may change our Privacy Policy from time to time. When we
change our Privacy Policy, we will publish the updated policy on our Website.
Please check this Privacy Policy regularly.
Subject to applicable law, all changes will take effect as
soon as we publish the updated Privacy Policy, but where we have already
collected information about you and/or where legally required to do so, we may
take additional steps to inform you of any material changes to our Privacy
Policy and we may request that you agree to these changes.
M. HOW TO CONTACT US
If you have any questions in relation to this Privacy
Policy, or if you would like to contact us to exercise your rights as stated in
this Privacy Policy, you may contact us at Temple Consultants (Nottingham)
Limited, 8 Main Road, Radcliffe on Trent, Nottingham NG12 2FH tel 08452 41 40
45 email eft@templesconsult.com
O. Subject Access Request (S.A.R.) Procedure
We are aware that people have the right to access any
Personal Data that is held about them. Subject Access Requests (SARs) must be
submitted in writing (this can be done in hard copy, email or social media).
If a person requests the above contact point to disclose any Personal Data
that is being held about them, our SAR response will detail:
• How and to what purpose Personal Data is
processed
• The period we tend to process it for
• Anyone who has access to the personal data
If a SAR includes personal data of other individuals, we
must not disclose the personal data of the other individual. That individual’s
personal data may either be redacted, or the individual may be contacted to
give permission for their information to be shared with the data subject.
This procedure is to be followed when an individual contacts
us to request access to their personal information held by the Council.
Requests must be completed within 30 days, so it should be actioned as soon as
it is received. SARs should be provided free of charge, however, we can
charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive,
particularly if it is repetitive.
It is our policy that the steps below should be followed to
action the request:
1. Is it a valid subject access request?
a) The request must be in writing (letter, email,
social media or fax).
b) Has the person requesting the information
provided us with sufficient information to allow us to search for the
information? (We are allowed to request more information from the person
if the request is too broad.)
2. Verify the identity of the requestor.
a) We must be confident that the person
requesting the information is indeed the person the information relates to. We
should ask for the person to attend the office with their passport/photo
driving licence and confirmation of their address (utility bill/bank
statement).
3. Determine where the personal information
will be found
a) Consider the type of information requested and
use the data processing map to determine where the records are stored.
(Personal Data is data which relates to a living individual who can be
identified from the data (name, address, email address, database information)
and can include expressions of opinion about the individual.)
b) If we do not hold any personal data, we will
inform the requestor. If we do hold personal data, we will continue to the next
step.
4. Screen the information
a) Some of the information we have retrieved may
not be disclosable due to exemptions, however as a policy, legal advice will
usually be sought by us before applying exemptions.
Examples of exemptions are:
• References given to us
• Publicly available information
• Crime and taxation
• Management information (restructuring/redundancies)
• Negotiations by us with the requestor
• Regulatory activities (planning enforcement,
noise nuisance)
• Legal advice and proceedings
• Personal data of third parties
5. Are we able to disclose all the
information?
a) In some cases, emails and documents may
contain the personal information of other individuals who have not given their
consent to share their personal information with others. If this is the case,
the other individual’s personal data will be redacted before the SAR is sent
out.
6. We will prepare the SAR response (using
the template letters at the end of this document) and will make sure to
include as a minimum the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to
whom personal data has been or will be disclosed, in particular in third
countries or international organisations, including any appropriate safeguards
for transfer of data;
d) where possible, the envisaged period for which
personal data will be stored, or, if not possible, the criteria used to
determine that period;
e) the existence of the right to request
rectification or erasure of personal data or restriction of processing of
personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with the
Information Commissioner’s Office ("ICO");
g) if the data has not been collected from the
data subject: the source of such data;
h) the existence of any automated
decision-making, including profiling and any meaningful information about the
logic involved, as well as the significance and the envisaged consequences of
such processing for the data subject.
We will be careful also to provide a copy of the personal data
undergoing processing.
All SARs will be logged to include the date of receipt,
identity of the data subject, summary of the request, indication of whether we
can comply, and the date information is sent to the data subject.
Sample letters:
Replying to a Subject Access Request providing the
requested personal data
"[Name] [Address]
[Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject
access request for [subject]. We are pleased to enclose the personal data you
requested.
Include the information in 6(a) to (h) above.
Copyright in the personal data you have been given belongs
to the East Bridgford Parish Council or to another party. Copyright material
must not be copied, distributed, modified, reproduced, transmitted, published
or otherwise made available in whole or in part without the prior written
consent of the copyright holder.
Yours sincerely"
Release of part of the personal data, when the remainder
is covered by an exemption
"[Name] [Address]
[Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject
access request for [subject]. To answer your request we asked the following
areas to search their records for personal data relating to you:
• [List the areas]
I am pleased to enclose [some/most] of the personal data you
requested. [If any personal data has been removed] We have removed any
obvious duplicate personal data that we noticed as we processed your request,
as well as any personal data that is not about you. You will notice that [if
there are gaps in the document] parts of the document(s) have been blacked out.
[OR if there are fewer documents enclose] I have not enclosed all of the
personal data you requested. This is because [explain why it is exempt].
Include the information in 6(a) to (h) above.
Copyright in the personal data you have been given belongs
to East Bridgford Parish Council or to another party. Copyright material must
not be copied, distributed, modified, reproduced, transmitted, published, or
otherwise made available in whole or in part without the prior written consent
of the copyright holder.
Yours sincerely"
Replying to a subject access request explaining why we
cannot provide any of the requested personal data
"[Name] [Address]
[Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject
access request for [subject].
I regret that we cannot provide the personal data you
requested. This is because [explanation where appropriate].
[Examples include where one of the exemptions under the
data protection legislation applies. For example the personal data might
include personal data that is ‘legally privileged’ because it is contained within
legal advice provided to the Council or relevant to on-going or preparation for
litigation. Other exemptions include where the personal data identifies
another living individual or relates to negotiations with the data subject.
Advice will be taken whether a relevant exemption applies and if we are going
to rely on the exemption to withhold or redact the data disclosed to the
individual, then in this section of the letter we will set out the reason why
some of the data has been excluded.]
Yours sincerely"