Horizon Photographic GDPR Compliance 2018
Guidance Pertaining To The Transfer Of Student Records
Student record information used to update our software will now be provided via the WeTransfer secure online platform, or alternatively by hand to one of our approved representatives.
The WeTransfer platform provides the following protections:
Files are encrypted in transit (TLS) and at rest (AES-256). Once stored, files can be accessed only via the unique links sent to the approved sender and approved recipient. Because possession of the link is what grants access, links must be treated as confidential and must not be forwarded.
The WeTransfer platform is fully compliant with EU privacy law.
Any information provided in a physical document will be transported directly to our offices by an approved, DBS-checked Horizon representative and will be destroyed in accordance with the law once the update has been completed.
All data is stored on an isolated server that is not connected to the internet, with the data encrypted at rest using 128-bit encryption.
Those with access are fully trained and hold Enhanced DBS disclosure certificates. Access is also monitored and reviewed.
GDPR Compliance and The Protection Of Children
The Information Commissioner's Office (ICO) guidance on the GDPR sets out the following specific points on the protection of children:
- Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.
- If you process children’s personal data then you should think about the need to protect them from the outset, and design your systems and processes with this in mind.
- Compliance with the data protection principles and in particular fairness should be central to all your processing of children’s personal data.
- You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.
- If you are relying on consent as your lawful basis for processing personal data when offering an online service directly to a child, only children aged 13 or over are able to provide their own consent. (This is the age proposed in the Data Protection Bill and is subject to Parliamentary approval.)
- For children under this age you need to get consent from whoever holds parental responsibility for the child - unless the online service you offer is a preventive or counselling service.
- Children merit specific protection when you use their personal data for marketing purposes or creating personality or user profiles.
- You should not usually make decisions based solely on automated processing about children if this will have a legal or similarly significant effect on them.
- You should write clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have.
- Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased.
- An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child.
Because Horizon specifically handles images and the personal data of children, we have considered, and where necessary put into action, the following measures in order to comply fully with those points:
☐ We comply with all the requirements of the GDPR, not just those specifically relating to children and included in this checklist.
☐ We design our processing with children in mind from the outset, and use a data protection by design and by default approach.
☐ We make sure that our processing is fair and complies with the data protection principles.
☐ As a matter of good practice, we use DPIAs to help us assess and mitigate the risks to children.
☐ If our processing is likely to result in a high risk to the rights and freedom of children then we always do a DPIA.
☐ As a matter of good practice, we consult with children as appropriate when designing our processing.
Bases for processing a child’s personal data
☐ When relying on consent, we make sure that the child understands what they are consenting to, and we do not exploit any imbalance in power in the relationship between us.
☐ When relying on ‘necessary for the performance of a contract’, we consider the child’s competence to understand what they are agreeing to, and to enter into a contract.
☐ When relying upon ‘legitimate interests’, we take responsibility for identifying the risks and consequences of the processing, and put age appropriate safeguards in place.
Offering an Information Society Service (ISS) directly to a child, on the basis of consent
☐ If we decide not to offer our ISS (online service) directly to children, then we mitigate the risk of them gaining access, using measures that are proportionate to the risks inherent in the processing.
☐ When offering ISS to UK children on the basis of consent, we make reasonable efforts (taking into account the available technology and the risks inherent in the processing) to ensure that anyone who provides their own consent is at least 13 years old.
☐ When targeting wider European markets we comply with the age limits applicable in each Member state.
☐ We regularly review available age verification and parental responsibility verification mechanisms to ensure we are using appropriate current technology to reduce risk in the processing of children’s personal data.
☐ We don’t seek parental consent when offering online preventive or counselling services to a child.
☐ When considering marketing to children, we take into account their reduced ability to recognise and critically assess the purposes behind the processing and the potential consequences of providing their personal data.
☐ We take into account sector specific guidance on marketing, such as that issued by the Advertising Standards Authority, to make sure that children’s personal data is not used in a way that might lead to their exploitation.
☐ We stop processing a child’s personal data for the purposes of direct marketing if they ask us to.
☐ We comply with the direct marketing requirements of the Privacy and Electronic Communications Regulations (PECR).
Solely automated decision making (including profiling)
☐ We don’t usually use children’s personal data to make solely automated decisions about them if these will have a legal, or similarly significant effect upon them.
☐ If we do use children’s personal data to make such decisions then we make sure that one of the exceptions in Article 22(2) applies and that suitable, child appropriate, measures are in place to safeguard the child’s rights, freedoms and legitimate interests.
☐ In the context of behavioural advertising, when deciding whether a solely automated decision has a similarly significant effect upon a child, we take into account: the choices and behaviours that we are seeking to influence; the way in which these might affect the child; and the child’s increased vulnerability to this form of advertising; using wider evidence on these matters to support our assessment.
☐ We stop any profiling of a child that is related to direct marketing if they ask us to.
☐ Our privacy notices are clear, and written in plain, age-appropriate language.
☐ We use child friendly ways of presenting privacy information, such as: diagrams, cartoons, graphics and videos, dashboards, layered and just-in-time notices, icons and symbols.
☐ We explain to children why we require the personal data we have asked for, and what we will do with it, in a way which they can understand.
☐ As a matter of good practice, we explain the risks inherent in the processing, and how we intend to safeguard against them, in a child friendly way, so that children (and their parents) understand the implications of sharing their personal data.
☐ We tell children what rights they have over their personal data in language they can understand.
☐ As a matter of good practice, if we are relying upon parental consent then we offer two different versions of our privacy notices; one aimed at the holder of parental responsibility and one aimed at the child.
The child’s data protection rights
☐ We design the processes by which a child can exercise their data protection rights with the child in mind, and make them easy for children to access and understand.
☐ We allow competent children to exercise their own data protection rights.
☐ If our original processing was based on consent provided when the individual was a child, then we comply with requests for erasure whenever we can.
☐ We design our processes so that, as far as possible, it is as easy for a child to get their personal data erased as it was for them to provide it in the first place.
GDPR rights for clients of Horizon Photographic, commencing May 2018:
1. Horizon will continue to document what personal data we hold, where it came from and who we share it with. Our systems already address these points under current DPA legislation.
2. From May 2018 Horizon will fully recognise and provide for the following individual rights:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
Under current DPA legislation our processing addresses the points above in the following ways:
1. All client data is stored on an isolated server that is not connected to the internet, with the data encrypted at rest using 128-bit encryption. Those with access are fully trained and hold Enhanced DBS disclosure certificates. Access is also monitored and reviewed.
2. Our online proofing service uses 128-bit encryption end to end. Student images are proofed using an individual passcode issued only to the student/family concerned. Information is never shared with any third party without the full prior consent of both the school and the individual concerned.
3. Client personal data is not stored for longer than six months and is never used for broad marketing purposes outside the provided terms. Horizon will never share client personal data with any third party without full prior consent.
4. Horizon Photographic is a fully PCI DSS compliant company and adheres to the rules that apply in that context. We therefore do not store client financial details, and we safely dispose of any physical documents containing financial or personal information in accordance with the law.
5. All Horizon Photographic clients are fully informed of the student photographic process via our proofing service, which complies with current DPA legislation. Details of our processing, including how we store client personal and financial details, are available on request. Specifically, we will confirm to clients that their data is being processed and provide access to their personal data and other supplementary information.
6. All Horizon Photographic clients will be made fully aware of their right to access information on request and without limitation, in accordance with the law.
7. All Horizon Photographic clients already have the right to rectification under our existing policy. Our company ethos is to ensure the satisfaction of all clients without limitation or cost, and any rectification required will be acted upon and updated immediately in accordance with GDPR rules.
8. Any client request for erasure of personal and/or financial information held will be acted upon and updated immediately in accordance with GDPR rules. The right to erasure applies in the following circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
9. Horizon will restrict the processing of personal data in the following circumstances:
- Where an individual contests the accuracy of the personal data, Horizon will restrict the processing until we have verified the accuracy of the personal data.
- Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our organisation’s legitimate grounds override those of the individual.
- When processing is unlawful and the individual opposes erasure and requests restriction instead.
- If Horizon no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.
10. Horizon will provide full data portability wherever the right applies (personal data processed by automated means on the basis of consent or contract), in full accordance with the GDPR rules.
11. Under the GDPR, an individual may object to processing on "grounds relating to his or her particular situation".
Horizon will stop processing client personal data when requested unless:
- We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- the processing is for the establishment, exercise or defence of legal claims.
We will furthermore inform individuals of their right to object “at the point of first communication” and in our privacy notice.
12. In accordance with Article 22 of the GDPR Horizon will comply fully with additional rules to protect individuals if we are carrying out solely automated decision-making that has legal or similarly significant effects on them.
Horizon will only carry out this type of decision-making where the decision is:
- necessary for the entry into or performance of a contract; or
- authorised by Union or Member state law applicable to the controller; or
- based on the individual’s explicit consent.
Horizon will identify whether any of our processing falls under Article 22 and, if so, make sure that we:
- give individuals information about the processing;
- introduce simple ways for them to request human intervention or challenge a decision; and
- carry out regular checks to make sure that our systems are working as intended.
Although many of the GDPR provisions set out above are not relevant to the processes employed by Horizon Photographic, our core data controller and data processing staff have been fully trained to understand all components of the General Data Protection Regulation in accordance with the law.
The full guidance issued by the Information Commissioner's Office has been provided and explained to all staff employed by Horizon Photographic who have access to any client and/or child personal data in any form, however delivered.
This document has been created to address the information most relevant to our ongoing business relationships with our clients and to the law. Whilst we have considered and adhered to all components of the GDPR rules, we have taken the time to highlight the specific elements that apply to our actual business operations. Should the way we operate change at any point, we will fully update our policy and supply a new copy of the specifics to our clients accordingly.
Our processes have been amended where necessary and will be independently monitored and assessed in future to ensure continued compliance. All other requirements of the GDPR are already met under our current DPA compliance where that existing legislation falls within the remit of the GDPR, and no alterations to current policy are required for the purposes of full compliance.