Privacy Policy

1. Introduction

Six Heritage Limited (SH) are required to collect and use specific forms of information on SH staff, as well as individuals and companies who engage with SH to undertake our work. Sensitive data must always be collected and stored in an appropriate manner, whether this be written onto paper documents, digitally stored on an electrical device (computer, tablet, phone etc.) or recorded on other unspecified materials. Safeguards to ensure the correct handling and storing of data have been put into place, such as GDPR (General Data Protection Act), as well as other legislation and codes of conduct surrounding UK data protection, which are herein collectively referred to as “the data protection laws”.

SH have developed company control measures, procedures and policies to guarantee ongoing compliance with all relevant data protection laws, regulations, principles and codes of conduct. This is enabled via thorough staff training, audit assessments and measures and procedure documents. Through this, SH ensure and maintain the confidentiality and security of all personal and/or sensitive data as a top priority. As a company, SH engage with data protection laws by operating a ‘Privacy by Design’ approach, where we endeavour to assess any changes and the impact these may have from the start, which therefore allows us to design specific processes and methods to protect any and all personal information within our care.

2. Data Controller

SH is the Data Controller under the Act, meaning it determines the purposes for which any personal information that is held will be used. Additionally, this role denotes that SH is also responsible for notifying the Information Commissioner of the data that is held or likely to be held by SH, and the general purposes that this data will be used for.

3. Disclosure

The day-to-day operations of SH and the services it provides may require SH to share data with other (third) parties. In such cases, the individual will in most circumstances be made aware of what data has been shared, how and with whom. Certain circumstances may present themselves in which the law allows SH to disclose certain data (including sensitive data) without the express consent of the subject. These would include:

  • Carrying out a legal duty or as authorised by the Secretary of State
  • Protecting vital interests of an Individual or other person
  • The Individual has already made the information public
  • Conducting any legal proceedings, obtaining legal advice or defending any legal rights
  • Monitoring for equal opportunities purposes – i.e. race, disability or religion
  • Providing a confidential service where the individual’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill Individuals to provide consent signatures.

SH regards the lawful and correct procedures surrounding the treatment and care of personal information as highly important to successful and ethical working practice, as well as to maintaining the professional confidence of the public and professionals with whom SH interact. SH will make every assurance to abide by the Principles of Data Protection, which are detailed throughout the following document and based upon six principles of privacy, which are as follows:

1. Lawfulness, fairness and transparency

  • Transparency: ensure the subject has been fully informed about what data will be processed and how this will be done.
  • Fair: ensure that what data has been processed aligns with what has been described.
  • Lawful: All data processing meets the tests described in GDPR.

2. Purpose limitations

Personal data is only to be obtained and held for “specified, explicit and legitimate purposes”. Data is only to be used for a specific purpose that the subject is aware of and in agreement with and no other, unless additional consent has been given by the subject.

3. Data minimisation

All data that is collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. I.e. no more than what is required should be kept for specific processing.

4. Accuracy

All data that is stored must be “accurate and where necessary kept up to date”. Baselining ensures good protection against identity theft. Data holders should develop rectification processes into data management/archiving activities for subject data.

5. Storage limitations

It is expected (by the regulator) that all stored personal data is “kept in a form which permits identification of data subjects for no longer than necessary”. I.e. regular data reviews should take place and any data that is no longer required should be removed.

6. Integrity and confidentiality

All data will be handled by the processors “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage”. Through the strict application of criteria and controls and appropriate management, SH will:

  • Adhere to every condition regarding the fair collection and use of data
  • Meet all legal obligations regarding the purposes for which data is used
  • Collect and process only relevant data to the extent that it is required to fulfil its operational needs or to comply with legal requirements
  • Ensure that the information used is of the highest possible quality
  • Ensure that the individual whose information has been gathered is fully aware and capable of exercising their rights under the Act. These include:
  • The right to access one’s personal information
  • The right to edit incorrect information, which would include blocking, erasing or rectifying information
  • The right to access their own personal information
  • The right to inhibit processing in certain circumstances

4. Data Collection

Informed consent is when:

  • An individual fully comprehends why their information is required, who will be able to access their information and who it may be shared with, as well as any possible consequences that may arise from them agreeing or refusing the proposal to use their data
  • After fully comprehending the above, they continue to give their consent

SH will endeavour to ensure that all data is collected within the parameters defined in this policy. This applies to all data gathering methods. When collecting data, SH will ensure that the individual:

  • Fully comprehends why their information is required
  • Comprehends how it will be used and the consequences should consent not be given by the individual
  • Grants explicit consent in either a written or verbal format, for the data to be processed
  • Has given consent, as far as reasonably practicable, whilst fully competent to do so and not under the influence of any form of intoxicant and without duress
  • Has received sufficient information on why their information is needed and how it will be used

5. Data Storage

All information pertaining to individuals will be stored in an appropriately secure manner that is only accessible to staff authorised to do so.

Information will only be stored for as long as it is required by statute; after this time period has lapsed, the information will be disposed of in an appropriate manner.

It is the responsibility of SH to ensure that all sensitive information has been permanently deleted from all devices (desktops, laptops, tablets, phones) prior to being passed on to third parties.

6. Data Protection Officer (DPO)

Certain requirements, obligations and responsibilities are placed on SH in accordance with Articles 37-39, and recital 97 of the GDPR. These relate to the appointment of a Data Protection Officer (DPO), the duties of which are set out in the articles and recital of the regulation. A Data Protection Officer (DPO) must be appointed by a company where the:

  • information processing is undertaken by a public authority or body (with the exception of courts acting in their judicial capacity)
  • core activities of the controller/processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
  • core activities of the controller/processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

In accordance with GDPR requirements, SH have appointed a Designated Protection Officer (DPO). The assigned person has an adequate level of knowledge surrounding data protection law for the required tasks of the role. They have been assessed as suitably capable of assisting SH in monitoring compliance with GDPR and providing assistance and support to employees and third parties with regard to the laws and requirements of GDPR.

7. Data Access and Accuracy

It is the right of the individual that they can access all information about them that is held by SH. SH will take steps that are reasonably practicable to ensure that information is kept up to date by asking subjects if there have been any changes. Additionally, SH will ensure that:

  • It has a designated Data Protection Officer who holds the responsibility of compliance with GDPR
  • All staff members involved in the processing of information understand that they are contractually responsible for following data protection practices
  • All staff members involved in the processing of information are suitably trained to do so
  • All staff members involved in the processing of information are appropriately supervised
  • Anyone wanting to make enquiries about handling personal information knows what to do and what steps to follow
  • All enquiries regarding the handling of personal information are handled in a timely fashion
  • The description of how personal information is handled is clear and succinct
  • The ways in which personal information is held, audited and used will undergo regular reviews
  • Methods and performance relating to the handling of personal information will undergo regular assessments and evaluations
  • All members of staff are made aware of the consequences and potential disciplinary measures that may occur should there be any breaches of the rules and policies identified in this policy

This policy will undergo regular review and amendments, as necessary, to reflect best practice and the evolving nature of data management, security and control to ensure any changes or amendments are compliant with the Data Protection Act 1998.

Any queries or questions in relation to this policy should be directed to the Data Protection Officer: Patrick Hughes –

Glossary of Terms

Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data.

Binding Corporate Rule means personal data protection policies which are adhered to by the Company for transfers of personal data to a controller or processor in one or more third countries or to an international organisation.

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Cross Border Processing means processing of personal data which:

  • takes place in more than one Member State; or
  • which substantially affects or is likely to affect data subjects in more than one Member State

Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data protection laws means, for the purposes of this document, the collective description of the GDPR, Data Protection Bill and any other relevant data protection laws that the Company complies with.

Data Subject means an individual who is the subject of personal data.

Explicit consent is a freely given, specific and informed agreement by an Individual to the processing of personal information about her/him. Explicit consent is needed for processing sensitive data.

GDPR means the General Data Protection Regulation (EU) (2016/679).

Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Individual is the person whose personal information is being held or processed by the Company, for example: a client, an employee, or supporter.

Notification – Notifying the Information Commissioner about the data processing activities of the Company, as certain activities may be exempt from notification.

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Supervisory Authority means an independent public authority which is established by a Member State.

Sensitive data – refers to data about:

  • Racial or ethnic origin
  • Political affiliations
  • Religion or similar beliefs
  • Trade union membership
  • Physical or mental health
  • Sexuality
  • Criminal record or proceedings

Third Party means a natural or legal person, public authority, agency or body other than the data subject, under our direct authority.
