Call us on: 01377 270607
JSR Farms Limited, JSR Genetics Limited, JSR Partnership
Data Retention Policy 24th May 2018 |
This Policy sets out the obligations of JSR Farms Limited (including Highfield Farm and Yorkshire Wolds Cookery School), JSR Genetics Limited, JSR Partnership, companies registered in the United Kingdom under numbers (for limited companies) 01221759 and 03902341, whose registered offices are all at Southburn, Driffield, East Yorkshire, YO25 9ED (“the Companies”) regarding retention of personal data collected, held, and processed by the Companies in accordance with EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
The GDPR also addresses “special category” personal data (also known as “sensitive” personal data). Such data includes, but is not necessarily limited to, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation.
Under the GDPR, personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. In certain cases, personal data may be stored for longer periods where that data is to be processed for archiving purposes that are in the public interest, for scientific or historical research, or for statistical purposes (subject to the implementation of the appropriate technical and organisational measures required by the GDPR to protect that data).
In addition, the GDPR includes the right to erasure or “the right to be forgotten”. Data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) in the following circumstances:
This Policy sets out the type(s) of personal data held by the Companies for employment, customer relationship and allied industry networking purposes and the period(s) for which that personal data is to be retained, the criteria for establishing and reviewing such period(s), and when and how it is to be deleted or otherwise disposed of.
For further information on other aspects of data protection and compliance with the GDPR, please refer to the Companies’ Data Protection Policy.
All personal data held by the Companies is held in accordance with the requirements of the GDPR and data subjects’ rights thereunder, as set out in the Companies’ Data Protection Policy.
Upon the expiry of the data retention periods set out below in Part 7 of this Policy, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as follows:
Type of Data | Purpose of Data | Review Period | Retention Period or Criteria | Comments |
Customer Personal Details | Name and Title to address customers held so the business can determine a recent repeat customer | 2 years | 2 years | |
Customer Contact Details | Postal address, Billing Address, Email Address and phone numbers held to prevent information being repeatedly requested for repeat purchases | 2 years | 2 years | |
CCTV Images | Collected for security and health and safety purposes | 1 year | 35 days | System automatically overwrites older days which cannot then be recovered |
Customer Photographs | Used for facebook posts and advertisement of Highfield Farm and Yorkshire Wolds Cookery School | 2 years | Kept whilst photos are relevant and up to date for the business | Customers must agree in advance of a cookery course or booking for their photograph to be used in such manner |
Biographical Data from applications and CVs | Used in the assessment of suitability of employment and maintaining records of qualifications and experience | 2 years | Unless express permission is given for such information to remain “on file” kept for as long as individual employed or if unsuccessful until the post applied for is filled. | If an employee leaves the business in some circumstances it may be necessary to keep information if required to demonstrate the individual was properly accredited and competent to fulfil a task |
Payment Card Details | Method of obtaining payment from a guest that has not settled the full account following a stay at Highfield Farm | Monthly | Until financial month end following their stay or settlement of their account whichever is the later of the two. | Only taken from B&B guests at Highfield farm who pay a single nights deposit in advance and are due to stay for a longer period of time requiring payment at the end of the stay. |
Transaction Data | Details of payments to and from data subjects and details of products and services data subjects have purchased from us to fulfil accounting requirements | 2 years | As long as is required by current account practice norms or to fulfil HMRC requirements if relevant | |
Marketing Data | Preferences of individual customers about whether they wish to receive marketing communications | 2 years | Kept unless the customer “opts out” of receiving such information | Only used with Highfield Farm and Yorkshire Wolds cookery school. |
Staff contact details and dates of birth | To allow the business to contact staff and fulfil requirements as an employer | 2 years | As long as the individual is employed by the business | In certain circumstances it may be necessary to keep information for a longer period until all issues with the member of staff are resolved post employment |
Staff Emergency Contact Details | To provide the business with a contact should something happen to that individual during their employment | 2 years | As long as an individual is employed by the business | |
Staff Gender | Required by the business in order to comply with our employer responsibilities | 2 years | As long as an individual is employed by the business | |
Staff Marital Data and family information | Needed so the business can supply information to others as part of your employment e.g. pension provider | 2 years | As long as an individual is employed by the business | Where legal or employment contractual obligations exceed the period of employment the data may be held for longer |
Staff information about their contract of employment | Required so the business can ensure it is meeting the contractual agreement of the data subjects employment e.g. holiday entitlement | 2 years | As long as an individual is employed by the business | Where legal or employment contractual obligations e.g. pension contributions, exceed the period of employment the data may be held for longer |
Staff bank details and national insurance number | Required so staff can be paid their salaries | 2 years | As long as an individual is employed by the business | Would only be held longer if information was required for legal obligations |
Staff identification documents e.g. driving license, passport, immigration status e.t.c. | Held to demonstrate the business and it’s employees are working legally | 2 years | As long as an individual is employed by the business | Would only be held longer if information was required for legal obligations |
Staff disciplinary or grievance information | Required to provide a record of action taken against staff | 2 years | Held for as long as the issue remains “on file” | See employment handbook for retention periods |
Staff performance and behaviour at work | Data is collected to inform the business to help decisions and discussion at e.g. appraisals | 2 years | As long as an individual is employed by the business | |
Staff Training Records | Required to demonstrate the suitability of a data subject to perform a task | 2 years | As long as an individual is employed by the business | Would be held longer if for example a HSE investigation was ongoing and training records were needed as evidence |
Electronic information of staff use of IT and telephone systems | Information is often needed to determined data use and access | 1 years | Typically not held longer than 1 year however service providers e.g. phone networks may have the ability to go back further | |
Photographs and digital images of staff | Photographs taken in and around the business may occasionally include staff members | 2 years | Images are kept for as long as they are considered to be relevant and worthwhile to the business | An individual member of staff that specifically does not want to be included on a picture is welcome to step aside whilst the photo is taken. This will have no bearing on their employment status. |
Special Data: Staff Ethnic Origin | Collected by the business to allow us to submit summary data on the ethnic diversity of the business | 2 years | As long as an individual is employed by the business | |
Special Data: Staff Health | Needed so the business can make appropriate allowances to an individual’s role based on their physical and mental health | 2 years | As long as an individual is employed by the business | |
Special Data: Criminal Convictions and offences of staff | Specific convictions e.g. driving ban, could mean that specific tasks cannot be performed by an individual | 2 years | As long as an individual is employed by the business |
This Policy shall be deemed effective as of 25th May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
This Policy has been approved and authorised by:
Name: | Grant Walling |
Position: | Director of Science & Technology |
Date: | 11th May 2018 |
Due for Review by: | 25th November 2018 |
Signature: |