Our GDPR Compliance Statement

Introduction

The EU General Data Protection Regulation (“GDPR”) comes into force across the European Union on 25th May 2018 and brings with it the most significant changes to data protection law in two decades.

The new Regulation aims to standardise data protection laws and processing across the EU, affording individuals stronger, more consistent rights to access and control their personal information.

Personal Data is at the heart of GDPR. Personal Data means any information that is clearly about a particular person and could lead to their identification.

Our Commitment

SimpleNeeds is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. However, we recognise our obligations in updating and expanding this program to meet the demands of the GDPR and the UK’s Data Protection Bill.

SimpleNeeds is dedicated to safeguarding the personal information under our remit and to developing a data protection regime that is effective, fit for purpose, and demonstrates an understanding of, and appreciation for, the new Regulation.

SimpleNeeds already has a consistent level of data protection and security across our organisation; however, it is our aim to be fully compliant with the GDPR by 25th May 2018.

Our approach to preparing this Compliance Statement

SimpleNeeds is a small website, with low income, and therefore limited resources available to deal with GDPR. We cannot afford lawyers and an off-the-shelf Statement seems inappropriate.

The Information Commissioner's Office (ICO) has produced a series of publications as guidance to compliance with GDPR, one of which is the Controllers Checklist. We have decided to use this as the basis for our Compliance Statement, by providing a response to each and every item in the checklist. This ensures all points are covered and you, the reader, know what question we are answering.

The ICO's Controllers checklist consists of 4 steps, and each is listed below with our responses.

The ICO's Controllers checklist: Designed to help you, as a controller, assess your high level compliance with data protection legislation. Includes the rights of individuals, handling requests for personal data, consent, data breaches, and data protection impact assessments under the General Data Protection Regulations.

Step 1 of 4: Lawfulness, fairness and transparency

1.1 Information you hold, what personal data you hold, where it came from, who you share it with and what you do with it.

When you place an Advert on SimpleNeeds we ask for your email address, name, and postcode, and then details of the care setting.

Your email address is never shown to anyone.

Your name is shown only in email enquiries and replies, to help distinguish you from others. Client Adverts display only the first part of the postcode and the village/district/town, without road name. Carer Adverts display the whole postcode and associated partial address, which includes road name. Your data is held in a secure professional data centre.

We collect information relating to your visits, for example searches conducted, adverts looked at, and enquiries made.

We collect information relating to your computer at the time of your visit, for example browser type and version.

Our Cookie policy is that we use cookies only to recognise a repeat visit and welcome an individual by name.

We use Google Analytics for performance analysis of SimpleNeeds, and Google AdSense to show Google Ads on SimpleNeeds.

We do not share any of your personal data with any 3rd party.

We share Testimonial comments with Facebook and Google. Testimonial comments are not deemed to be personal data.

1.2 Lawful basis for processing personal data. Your business has identified your lawful bases for processing and documented them.

We are opting for the 'legitimate interests’ basis.

ICO offers this advice: Legitimate interests is most likely to be an appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact.

There is a three-part test that ICO recommend:

Purpose test: are you pursuing a legitimate interest? Yes, SimpleNeeds offers a legitimate and socially useful introductory service.

Necessity test: is the processing necessary for that purpose? Yes, without processing there would be no service.

Balancing test: do the individual’s interests override the legitimate interest? No, the individual is informed of all uses of their data, and there should be no surprises.

1.3 Consent. Your business has reviewed how you ask for and record consent. Your business has systems to record and manage ongoing consent.

SimpleNeeds offers a simple service connecting Carers and Clients with data exchange limited to postcode and name. Individuals registering for and using the service are deemed to provide consent.

1.4 Consent to process children’s personal data for online services. If your business relies on consent to offer online services directly to children, you have systems in place to manage it.

Not applicable

1.5 Vital interests. If you may be required to process data to protect the vital interests of an individual, your business has clearly documented the circumstances where it will be relevant. Your business documents your justification for relying on this basis and informs individuals where necessary.

In the very rare event that Officials from Social Services or Police request information, then subject to appropriate identification of the Official, and subject to Legal advice, information may be provided.

1.6 Legitimate interests. If you are relying on legitimate interests as the lawful basis for processing, your business has applied the three part test and can demonstrate you have fully considered and protected individual’s rights and interests.

There is a three-part test that ICO recommend:

Purpose test: are you pursuing a legitimate interest? Yes, SimpleNeeds offers a legitimate and socially useful introductory service.

Necessity test: is the processing necessary for that purpose? Yes, without processing there would be no service.

Balancing test: do the individual’s interests override the legitimate interest? No, the individual is informed of all uses of their data, and there should be no surprises.

1.7 Data Protection Fee. Your business is currently registered with the Information Commissioner's Office.

We are registered under the Data Protection Act 1998, Registration Number: Z229825X

Step 2 of 4: Individuals' rights

2.1 Right to be informed including privacy information. Your business has provided privacy information to individuals.

Our Privacy Statement is published on this website.

2.2 Communicate the processing of children’s personal data. If your business offers online services directly to children, you communicate privacy information in a way that a child will understand.

Not applicable

2.3 Right of access. Your business has a process to recognise and respond to individuals' requests to access their personal data.

All Personal Data is accessible to individuals to change as required.

2.4 Right to rectification and data quality. Your business has processes to ensure that the personal data you hold remains accurate and up to date.

All Personal Data is accessible to individuals to change as required.

2.5 Right to erasure including retention and disposal. Your business has a process to securely dispose of personal data that is no longer required or where an individual has asked you to erase it.

When an Individual requests cancellation or removal, our policy is to cease all processing and remove the data from public view, but to retain the data for a period of 1 year, then securely archive the data indefinitely.

2.6 Right to restrict processing. Your business has procedures to respond to an individual’s request to restrict the processing of their personal data.

When an Individual requests restriction, our policy is to cease all processing, and remove the data from public view, but to retain the data for a period of 1 year.

2.7 Right to data portability. Your business has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.

We make no provision for individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability. In the event of such a request we would offer the data securely offline.

2.8 Right to object. Your business has procedures to handle an individual’s objection to the processing of their personal data.

When an Individual objects to the processing of their personal data, our policy is to cease all processing, and remove the data from public view, but to retain the data for a period of 1 year.

2.9 Rights related to automated decision making including profiling. Your business has identified whether any of your processing operations constitute automated decision making and have procedures in place to deal with the requirements.

The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their: performance at work; economic situation; health; personal preferences; reliability; behaviour; location; movements.

We do not engage in automated decision making or profiling, as defined by GDPR.

Step 3 of 4: Accountability and governance

3.1 Accountability. Your business has an appropriate data protection policy. Your business monitors your own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls. Your business provides data protection awareness training for all staff.

Data is held in a secure and robust Hosting environment, operated by one of the UK's leading providers. Web traffic between the website and individuals uses encrypted https protocols. We regularly review our procedures.

3.2 Processor contracts. Your business has a written contract with any processors you use.

We have a contract with our Processor Hosting provider.

3.3 Information risks. Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

We operate in the Social Care space, where users are particularly vulnerable: Carers as lone workers, and Clients as isolated and elderly people. We are continually mindful of the information risks that prevail.

3.4 Data Protection by Design. Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.

To the extent that this is possible we are compliant in this regard.

3.5 Data Protection Impact Assessments (DPIA). Your business understands when you must conduct a DPIA and has processes in place to action this.

Adequate DPIA processes are in place.

3.6 Data Protection Officers (DPO). Your business has nominated a data protection lead or Data Protection Officer (DPO).

We have nominated a data protection lead.

3.7 Management Responsibility. Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.

Management is fully supportive.

Step 4 of 4: Data security, international transfers and breaches

4.1 Security policy. Your business has an information security policy supported by appropriate security measures.

Data is held in a secure and robust Hosting environment, operated by one of the UK's leading providers. Web traffic between the website and individuals uses encrypted https protocols. We regularly review our procedures.

4.2 Breach notification. Your business has effective processes to identify, report, manage and resolve any personal data breaches.

In the event of a data breach, we rely on notification by our Hosting Provider. Once notified, appropriate steps would be taken.

4.3 International transfers. Your business ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area.

We have no circumstances under which this could occur.

End of Our GDPR Compliance Statement