Policies

Privacy Policy

At Gort Scott your privacy is important to us. We are fully committed to compliance with the requirements of the Data Protection Act 2018 and all other data protection legislation currently in force. The Regulation applies to anyone processing personal data and sets out principles which should be followed and gives rights to those whose data is being processed.

What is personal data
Personal data, or personal information, is information about an individual from which that individual can be identified (for example name, email address, contact details and website statistics; it also includes opinions about that individual). It does not include data where the identity has been removed (anonymous data). Individuals are sometimes referred to as data subjects.

Responsibilities
Gort Scott is the controller of the personal data we collect (referred to as ‘we’, ‘us’ or ‘our’ in this policy). We are responsible for ensuring our systems, processes, suppliers and people comply with data protection laws in relation to the information we handle.

All employees must follow this policy when handling personal data and must take part in data protection training we provide. Any breach will be taken seriously and may result in disciplinary action.

The Practice Manager at Gort Scott has been appointed to oversee compliance with data protection laws and our policy, and to respond to any questions in relation to this policy or requests to exercise your legal rights.

Gemma Jachnik
Practice Manager
[email protected]
55 Leroy Street, London SE1 4SN
+44 (020) 7254 6294

What type of data do we collect
Gort Scott fully endorses and adheres to the Data Protection Principles listed below. When processing data we will ensure that it is:

  • processed lawfully, fairly and in a transparent way (‘lawfulness, fairness and transparency’);

  • processed no further than the legitimate purposes for which that data was collected (‘purpose limitation’);

  • limited to what is necessary in relation to the purpose (‘data minimisation’);

  • accurate and kept up to date (‘accuracy’);

  • kept in a form which permits identification of the data subject for no longer than is necessary (‘storage limitation’);

  • processed in a manner that ensures security of that personal data (‘integrity and confidentiality’);

  • processed by a controller who can demonstrate compliance with the principles (‘accountability’).

We may also collect Aggregate Data which is statistical or demographic data for any purpose. This type of data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. Should this data be combined with your personal data it can directly or indirectly identify you and will be used in accordance with this privacy policy.

We may on occasion collect Special Categories of Personal Data (race, ethnicity, religious or philosophical belief, sex life, sexual orientation). Any such data will only be used as Aggregate Data. For example, this could be information about health, racial or ethnic origin, criminal convictions, trade union membership, or religious beliefs. This information may be processed not only to meet Gort Scott’s legal responsibilities but also, for example, for purposes of personnel management and administration, suitability for employment, and to comply with equal opportunity legislation. Since this information is considered sensitive and its processing may cause concern or distress, you will be asked to give express consent for this information to be processed, unless Gort Scott has a specific legal requirement to process such data.

How do we collect personal data

We recognise the importance of personal data and the concerns individuals have with regard to it. In line with data protection regulations, we collect data via the following methods:

  • Direct interaction where you have given clear consent that we may process your personal data for a specific purpose. For example, filling in a form, corresponding by post, email, phone or social media platforms, or entering into a contractual or legal obligation:

    • Relating to clients and other contacts
    • Relating to providing our services
    • Relating to applying for a job or work placement
    • Relating to registering for marketing material or attending an event
    • Relating to entering a competition, promotion or survey
    • Relating to providing feedback

  • Automated technologies and interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies.

  • We use cookies to support essential functionality and gather some insight into how our website is used. These cookies are not used to transport personal data to third parties. Vimeo cookies are set on pages with a Vimeo video embed, and Vimeo embeds include the DNT (“do not track”) parameter.

  • Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources as set out below:

    • Google Analytics collects and assesses Aggregated Data such as statistical or demographic data for marketing purposes: to recognise and count the number of visitors, and to monitor website navigation. This helps us to optimise website performance and provide an efficient way for users and search engines to find our content.

    • Financial and Transaction Data from banks based inside or outside the EU.

    • Identity and Contact Data from publicly available sources such as Companies House based inside the EU and/or public websites which display information about you, such as LinkedIn.


How we use personal data

Please feel confident that we will only use personal data when the law allows us to:

  • Where you have given clear consent for personal data to be processed for a specific purpose.
  • Where we need to comply with contractual, legal and regulatory obligations.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where it is necessary to protect an individual’s vital interests.

We have outlined below all the ways in which we may use your personal data. Please note that we may use data for more than one lawful purpose where we reasonably consider that we need to, and it is compatible with the original purpose. We may also process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

  • To register you as a new client, supplier, job applicant, employee or work placement.
  • To process payments and deliver/receive services to/from you.
  • To enable us to meet our contractual and legal obligations.
  • To send relevant communications.
  • To enable you to take part in a survey.
  • To administer and protect our business and our website.
  • To deliver relevant website content, including news articles, and measure or understand the effectiveness of the content we serve you.
  • To use data analytics to improve our website, products/services, marketing, customer relationships and experiences.
  • To make suggestions and recommendations to you about services, events and publications that may be of interest to you.
  • Throughout employment with Gort Scott and for as long as necessary after the termination of employment, in relation to:

    • Any references obtained during recruitment
    • Details of terms of employment
    • Payroll details
    • Tax and national insurance information
    • Details of job duties
    • Details of health and sickness absence records
    • Details of holiday records
    • Information about performance
    • Details of any disciplinary and grievance investigation and proceedings
    • Training records
    • Contact names and addresses
    • Correspondence with Gort Scott and other information that you have given us

We may use your personal data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide what products, services and offers may be relevant for you. You will only receive such marketing communication from us if you have requested it from us or purchased services from us and, in each case, you have not opted out of receiving such material. We will obtain your express consent before we share your data with any third party for marketing purposes.

We will ensure that personal information is not transferred outside the EU to other countries or international organisations without an adequate level of protection.

Storing and protecting personal data
We have put in place appropriate measures to secure personal data and protect it from being accidentally lost, used or accessed in an unauthorised way, disclosed or altered. In addition, in recognition that data security is a key element of data protection, we hold Cyber Security Essentials Certification. It is a requirement that all our people comply with this policy and our IT and Communications Policy, and that all third parties only process personal data on our instructions and are subject to a duty of confidentiality.

We use appropriate technological measures to transmit large or sensitive documents or data to clients and other third parties. However, we cannot be held responsible for the security of correspondence sent by email, post or courier.

We only retain personal data for as long as is necessary to fulfil the purpose that we collect it for and in line with UK Records Management and Retention and Disposal Policy.

All employees must ensure that personal information is not disclosed orally, in writing, via web pages, or by any other means, accidentally or otherwise, to any unauthorised third party.

All employees should note that unauthorised disclosure may result in action under the Disciplinary Procedure, which may include dismissal for gross misconduct. Personal information should be kept in a locked filing cabinet, drawer, or safe. Electronic data should be coded, encrypted, or password protected both on a local hard drive and on a network drive that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.

When travelling with a device containing personal data, you must ensure that both the device and the data are password protected. The device should be kept secure and, where possible, locked away out of sight, for example in the boot of a car. You should avoid travelling with hard copies of personal data where secure electronic storage is available. When it is essential to travel with hard copies of personal data, they should be kept securely in a bag and, where possible, locked away out of sight, for example in the boot of a car.


Sharing personal data

For the purposes set out above describing how we use personal data, we may share data with certain third parties, and they may have access to personal data we possess. These third parties comprise:

  • Service providers acting as processors based in the UK and inside and outside the EU who provide IT and system administrative services.
  • Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in the UK and who provide consultancy, banking, legal, insurance and accounting services.
  • HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers in the UK who require reporting of professional activities in certain circumstances.
  • Market researchers in the UK.

We will not give personal data to third parties for any other reason without your permission.

Your data protection rights
We process personal data in line with your rights as an individual. These rights include the right to:

  • Request a copy of your personal data.
  • Request that any inaccuracies in your personal data are corrected.
  • Request that your personal data is deleted and destroyed when causing damage or distress.
  • Request to restrict or object to the processing of your personal data in certain circumstances.
  • Request to transfer your personal data to another organisation, or to you, in certain circumstances.

You can ask us or third parties to stop sending you marketing messages any time by following the opt-out links on any marketing message sent to you or by contacting us at any time. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of the service.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly.

Should you wish to make a request in line with your rights as an individual, please forward the request in writing or by email to the Practice Manager.

All our people are aware that they must notify the Practice Manager immediately if they receive a request from a third party in relation to personal data which the practice processes.

Notifying breaches
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed.

The following are examples of data breaches:

  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a data controller or data processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission;
  • loss of availability of personal data.


How to make a complaint
We hope that you have no reason to make a complaint about how we gather, store, use and transfer your personal data, but should you wish to do so please contact the Practice Manager, acting on behalf of Gort Scott (the Data Controller).

All Directors and people at Gort Scott must also inform the Practice Manager, acting on behalf of Gort Scott (the Data Controller), immediately if they receive a complaint relating to how the practice has processed personal data of a third party, so that the practice’s complaints procedure may be followed.

On notification of a breach, the Practice Manager will carry out an investigation.

We will undertake to notify the Information Commissioner of a breach which is likely to pose a risk to people’s rights and freedoms without undue delay and at the latest within 72 hours of discovery. If we are unable to report in full within this timescale, we will make an initial report to the Information Commissioner, and then provide a full report in more than one instalment if so required.

We will undertake to notify the individual whose data is the subject of a breach, without undue delay, if there is a high risk to people’s rights and freedoms. Depending on the circumstances, this notification may be made before the supervisory authority is notified.

Record of breaches
Gort Scott records all personal data breaches regardless of whether they are notifiable or not as part of its general accountability requirement under the Data Protection Act 2018. It records the facts relating to the breach, its effects and the remedial action taken.