Wellingborough Bereavement Services Ltd
Wellingborough Bereavement Services Ltd, and Nene Valley Crematorium, recognise their responsibility to comply with the General Data Protection Regulations (GDPR) 2018 which regulate the use of personal data. This does not have to be sensitive data; it can be as little as a name and address.
General Data Protection Regulations (GDPR)
The GDPR sets out high standards for the handling of personal information and protecting individuals’ rights for privacy. It also regulates how personal information can be collected, handled and used. The GDPR applies to anyone holding personal information about people, electronically or on paper. Nene Valley Crematorium has also notified the Information Commissioner that it holds personal data about individuals.
When dealing with personal data, Nene Valley Crematorium staff and its Board of Directors must ensure that:
Data is processed fairly, lawfully and in a transparent manner
This means that personal information should only be collected from individuals if staff have been open and honest about why they want the personal information.
Data is processed for specified purposes only
This means that data is collected for specific, explicit and legitimate purposes only.
Data is relevant to what it is needed for
Data will be monitored so that too much or too little is not kept; only data that is needed should be held.
Data is accurate and kept up to date and is not kept longer than it is needed
Personal data should be accurate, if it is not it should be corrected. Data no longer needed will be shredded or securely disposed of.
Data is processed in accordance with the rights of individuals
Individuals must be informed, upon request, of all the personal information held about them.
Data is kept securely
There should be protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Why we need data, and what we use it for
Nene Valley Crematorium recognises its responsibility to be open with people when taking personal details from them. This means that staff must be honest about why they want a particular piece of personal information.
Nene Valley Crematorium may collect and hold personal information about individuals such as their names, addresses, email addresses and telephone numbers. This will be used for arranging a funeral/memorial service and in relation to memorial advice or applications, depending on what permissions you have given on paperwork submitted by you or your funeral director.
This information will be kept securely at the Nene Valley Crematorium office and is not available for public access. It will not be shared with third parties unless you have given your permission. All data stored on the Nene Valley Crematorium office computers is password protected.
Once data is not needed any more, is out of date or has served its use and falls outside the minimum retention time of the company’s document retention policy, it will be shredded or securely deleted from the computer. Further details on this are set out in our retention policy, below.
Nene Valley Crematorium is aware that people have the right to access any personal information that is held about them. Information about how Subject Access Requests (SARs) will be dealt with is set out below.
Individuals have the right to have their data rectified if it is incorrect; the right to request erasure of the data; the right to request restriction of processing of the data; and the right to object to data processing; although rules do apply to those requests.
Any breaches of data protection rules will be dealt with in accordance with the policy/procedure set out below.
When complaints are made or queries submitted Nene Valley Crematorium’s Board and its staff will ensure that they are treated confidentially unless the subject gives permission otherwise. All personal data will also remain confidential.
Personal Data Breach
This policy sets out how Nene Valley Crematorium will deal with a personal data breach, and what information requestors can expect from us.
Legal obligation and duty
Under GDPR, data controllers (the Manager of the crematorium) and data processors (all other staff) are subject to a general personal data breach notification system. GDPR makes it clear that when a security incident takes place, data processors and controllers should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it.
GDPR imposes a duty on data controllers to report personal data breaches to their supervisory authority (the Information Commissioner’s Office (ICO)). In order to fulfil these obligations staff must report all breaches to the Manager, who acts as Data Protection Officer, as soon as they are aware of the breach. The Data Protection Officer then has 72 hours, where feasible, to report the breach to ICO.
If there is likely to be a high risk of the breach adversely affecting individuals’ rights and freedoms, we will also inform those individuals without undue delay.
What is a data breach?
Whether accidental or deliberate, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, corruption, alteration, unauthorised disclosure of, or access to personal data; or where data is passed on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
Personal data breaches can include:
access by an unauthorised third party;
deliberate or accidental action (or inaction) by a controller or processor;
sending personal data to an incorrect recipient;
computing devices containing personal data being lost or stolen;
alteration of personal data without permission; and
Loss of availability of personal data.
When a breach has occurred
Staff must notify the Manager without undue delay when they become aware of it.
This includes near misses – a breach where no personal data is concerned.
The Data Protection Officer must notify the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware of it.
There is no need to report if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the timing obligation is not met, reasons will have to be provided to the supervisory authority (e.g. if there is a request from a law enforcement authority).
Obligation for the Manager/staff to communicate a personal data breach to data subjects.
If the data controller is yet to do so, the ICO may compel the Manager to communicate a personal data breach to affected data subjects without undue delay, unless one of these three exemptions is satisfied.*
The breach is unlikely to result in a high risk for the rights and freedoms of data subjects; or
Appropriate technical and organisational protection was in place at the time of the incident (e.g. encrypted data); or
This would trigger disproportionate efforts; if so, a public information campaign or “similar measures” should be relied on so that affected individuals can be effectively informed.
*the need to mitigate an immediate risk of damage would call for a prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify more time for communication.
Assessing the breach
When a personal data breach has occurred, the company needs to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it is likely that there will be a risk then the Manager must notify the ICO; if it is unlikely then it does not need to be reported. If the breach is not reported the reason must be justified and documented.
In assessing risk to rights and freedoms, it’s important to focus on the potential negative consequences for individuals. The GDPR explains that:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
This means that a breach can have a range of adverse effects on individuals, which includes emotional distress, and physical and/or material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. This will be assessed on a case by case basis, looking at all relevant factors.
On becoming aware of a breach, the Manager will first try to contain it, and then assess the potential adverse consequences for individuals (based on how serious or substantial these are) and how likely they are to happen.
Reporting a breach
When reporting a breach, staff must provide the below information to the Manager:
a description of the nature of the personal data breach including, where possible:
the categories and approximate number of individuals concerned;
the categories and approximate number of personal data records concerned;
where more information can be obtained;
a description of the likely consequences of the personal data breach; and
a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
If not available at the time the breach is identified, information may be provided in phases, as long as this is done without undue further delay.
The investigation should be prioritised, given adequate resources, and expedited urgently. The ICO should still be notified upon awareness of the breach and further information submitted as soon as possible. This should be accompanied by an explanation as to the delay and an indication of when further information is expected to be submitted.
The Manager, as Data Protection Officer, will:
Maintain an internal breach register regardless of whether notification is required.
Record near misses.
Advise if the affected data subjects (the individual whom the personal data relates to) need informing.
Assess whether there are any additional notification obligations under other laws for example:
Notify the ICO of any personal data breach within 24 hours under the Privacy and Electronic Communications Regulations (PECR).
If a UK trust service provider – within 24 hours under the Electronic Identification and Trust Services (eIDAS) Regulation via the eIDAS breach notification form
If an operator of essential services or a digital service provider, you will have incident-reporting obligations under the NIS Directive.
Record any reasons for not reporting a breach.
Consider whether any third parties need informing, such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals.
Investigate whether or not the breach was a result of human error or a systemic issue and assess how a recurrence can be prevented (such as better processes, further training or other corrective steps).
Ensure that lessons learned are recorded and the appropriate action is taken.
When to inform individuals of a breach:
If a breach is likely to result in a high risk to the rights and freedoms of individuals, those concerned will be informed directly without undue delay.
A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO. The severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring will need to be assessed by the manager. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. Those affected will need to be promptly informed, particularly if there is a need to mitigate an immediate risk of damage to them. This will help individuals take steps to protect themselves from the effects of a breach.
What we will tell individuals who are affected
The nature of the personal data breach will be described in clear and plain English, including the name and contact details of the Data Protection Officer.
A description of the likely consequences of the personal data breach.
A description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.
That the ICO may be notified.
Advise individuals that if they are unhappy with the action taken the company will consider it under the complaints process.
Staff must prepare a statement detailing a summary of the conversation or correspondence with the individual concerned. This must then be sent to the Manager to keep on file.
Failure to notify
Failing to notify a breach when required to do so and non-compliance can lead to an administrative fine up to €10,000,000.
Subject Access Requests
This policy sets out how Nene Valley Crematorium will deal with a subject access request and what information requesters can expect from us.
The definition of a Subject Access Request
The Data Protection Act 1998 (DPA) gives individuals the right to be told what personal data an organisation is processing about them and, unless an exemption applies, to receive a copy of that information. This right is governed by S7 of the DPA and known as a Subject Access Request (SAR).
A requester can do this by making a data subject access request.
Information that a requester is entitled to in relation to themselves
Whether any personal data is being processed by the company;
A description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
A copy of the personal data, unless an exemption applies; and
Details of the source of the data (where this is available).
An individual can also request information about the reasoning behind any automated decisions taken about him or her, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret).
Subject access provides a right for the requester to see their own personal data, rather than a right to see copies of documents that contain their personal data.
How a SAR should be made
A SAR does not need to be made in a particular format; however it must be in writing. This includes emails and faxes. If someone (i.e. the requester) makes a SAR by telephone or in person, we will ask that it be put in writing.
The request can be very broad, such as requesting a copy of all the information we hold about them, or it can be very precise, such as requesting a copy of the letter we wrote about or to them on a particular date.
A SAR can be received by any member of staff but should then be forwarded to the Manager to ensure that it is processed promptly and in accordance with policy and statute.
Requests made on behalf of others
The company is required to be satisfied that any third party making a subject access request is entitled to act on behalf of an individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
The company is also required to be satisfied that the individual fully understands what information would be disclosed to a third party who has made a SAR on their behalf. We may send the response directly to the individual rather than to the third party. The individual may then choose to share the information with the third party after having had a chance to review it.
Confirming the requester’s identity
To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, the company needs to be satisfied that we know the identity of the requester. We are entitled to request that enough information be provided in order for us to make a clear judgement that the person making the request is the individual to whom the personal data relates (or a person/third party authorised to make a SAR on their behalf).
Clarifying the request
Before responding to a SAR, we may ask the requester for further reasonable information that we would need in order to find the personal data covered by the request. We need not comply with the SAR until we have received this additional information.
It is not standard procedure to search CCTV records as part of a SAR unless specifically requested. We would therefore ask that, with reference to information held on CCTV, requesters provide a timescale and/or dates in order to find the footage.
Requests involving other people’s information
The Data Protection Act 1998 (DPA) says we do not have to comply with a SAR if to do so would mean disclosing information about another individual who can be identified from that information, except where:
The other individual has consented to the disclosure; or
It is reasonable in all the circumstances to comply with the request without that individual’s consent.
We will decide whether it is appropriate on a case-by-case basis. This decision will involve balancing the data subject’s right of access against the other individual’s rights in respect of their own personal data.
If third party consent cannot be obtained and we are not satisfied that it would be reasonable in all the circumstances to disclose the third-party information, the information will be withheld. Depending on the circumstances, it may be possible to provide some information, having edited or ‘redacted’ it to remove information that would identify the third-party individual.
Under the General Data Protection Regulation (GDPR) you can make a subject access request at no cost.
The time limit for responding
In most cases we must respond to a SAR promptly and within 40 calendar days of receiving the written request. Please note that the 40 calendar days will exclude any days which are used to verify the requester’s identity or clarify the request.
Exemptions for not releasing the information
Where an exemption applies to a particular request as follows, the company may refuse to provide all or some of the information requested, depending on the circumstances, and will explain this in the reply.
Confidential references – Reference that we give for the purpose of education, training, employment or the provision of a service by the individual.
Publicly available information – This exemption only applies to the information that the organisation is required to publish. If an enactment requires the information to be publicly available any personal information included is exempt from the right of subject access.
Crime and taxation – personal data processed for the prevention and detection of crime, to capture or to enable the prosecution of offenders, and the assessment or collection of tax or duty is exempt.
Management information – personal data processed for management forecasting or management planning is exempt to the extent that complying with a SAR would be likely to prejudice the business or other activity of the organisation.
Negotiations with the requester – personal data that consists of a record of intentions in negotiations with an individual is exempt if it would be likely to prejudice the negotiations.
Regulatory activity – This is only available to those organisations which hold a regulatory function if the request concerns personal data processed for the core regulatory activities. The application is only to the extent that the disclosure would be likely to prejudice the proper discharge of those functions.
Legal advice and proceedings – personal data is exempt from the right of subject access if it consists of information which is encompassed by legal professional privilege. This consists of both legal advice and litigation privilege. Confidential communications between a client, professional legal adviser or third party is exempt where litigation is contemplated or in progress.
Freedom of information requests (FOIA) for the requester’s personal data
If it is clear that the requester is merely asking for their own personal data, but they have cited FOIA or the Environmental Information Regulations 2004 (EIR), the company will deal with the request as a SAR in the normal way. The requester does not need to make a new request. The company may need to request payment of any necessary fee or require the individual to verify their identity.
Supplying the requester with their information
Along with the requested information we will:
Tell the applicant whether any personal data is being processed, or if we do not hold the information we will let them know;
Give a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people; and
Give details of the source of the data (if known);
Advise of the retention period for keeping the data;
Advise of the right to request rectification, erasure or restriction, or to object to such processing;
Advise of the right to lodge a complaint with the ICO.
Form in which the information must be supplied
Once we have located and retrieved the personal data that is relevant to the request, we will communicate it to the requester in intelligible form. We will check their preference.
Information will be supplied in permanent form. However, there are two situations in which the obligation to supply the requester with a copy of the relevant information ‘in permanent form’ does not apply. The first is where the requester agrees to another arrangement, and the second is where the supply of such a copy is impossible or would involve disproportionate effort. Mitigating factors will include considering whether supplying a copy of the requested information in permanent form would result in so much work or expense as to outweigh the requester’s right of access to their personal data.
The company will make reasonable adjustments for disabled people
The company will endeavour to respond in a particular format that is accessible, such as large print or email, if requested to do so.
Dealing with repeated or unreasonable requests
The DPA does not limit the number of SARs an individual can make. However, it does allow some discretion when dealing with requests that are made at unreasonable intervals. We are not obliged to comply with an identical or similar request to one we have already dealt with, unless a reasonable interval has elapsed between the first request and any subsequent ones. If we refuse a request we will inform the applicant of our reasons.
If the requester is unhappy with the handling of their SAR they can notify the Information Commissioner who has enforcement powers. The Information Commissioner can be contacted at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Tel: 0303 123 1113 or at www.ico.org.uk.
Retention of data
This policy sets out the duties of Nene Valley Crematorium staff in dealing with the retention of personal data.
What does GDPR and the Data Protection Act 1988 (DPA) say about keeping personal data?
Neither GDPR nor the fifth data protection principle of the DPA set out any specific minimum or maximum periods for retaining personal data. Instead, it says that: “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”
If there is a good reason for processing personal data discarding it unnecessarily may be disadvantageous and inconvenient to the people the information refers. Similarly personal data held for longer than necessary will, by definition, be excessive, inefficient and irrelevant. The company aims to ensure that the balance is right to avoid the following problems that may occur where data is held for longer than necessary:
An increased risk that the information will go out of date
Outdated information will be used in error (to the detriment of all concerned)
Over time it becomes difficult to ensure information is accurate.
How to make decisions about retaining personal data?
It is good practice to regularly review the personal data held, and delete anything no longer needed. Information that does not need to be accessed regularly, but which still needs to be retained, will be safely archived or taken offline. Archived or offline data will be supplied if a subject access request is submitted.
What determines the length of a retention period?
How long personal data is kept depends on the purpose for which it was obtained and its nature.
Legal or regulatory requirements – For an application for cremation, we keep your personal information (name, address and contact details) for 15 years, and regarding memorial applications for the term of the lease from the receipt date of an application, after which time it will be securely destroyed.
Agreed industry practices – Any other personal data held will be in compliance with industry practice..
Where there is no legal requirement – In the absence of any legal requirements, personal data will only be retained as long as necessary for the purpose of processing. Data will be deleted when:
the data subject has withdrawn consent to processing;
a contract has been performed or cannot be performed anymore; or
the data is no longer up to date.
When deleting information the below will be taken into consideration:
has the data subject requested the erasure of data or the restriction of processing?
is the retention still necessary for the original purpose of processing?
Exceptions may apply to the processing for historical, statistical or scientific purposes.
Legitimate Interests – If personal data has been recorded because of a relationship between the company and the individual, we will consider whether we need to keep the information once the relationship ends. It may not be possible to delete all personal data when the relationship ends. Some may be needed to confirm that the relationship existed – and that it has ended – as well as some of its details. The company may also may need to keep some personal data about the customer to deal with any complaints they might make about the services provided. This would not need to be kept indefinitely, so a retention period will still be established.
Some personal data may need to be kept to defend possible future legal claims. Unless there is another reason for keeping it, personal data will be deleted when a claim could no longer arise.
Actions at the end of the retention period
At the end of the retention period, or the life of a particular record/data, it will be reviewed and deleted, unless there is a legitimate reason for keeping it.
Automated systems can flag records for review, or delete information after a pre-determined period. This is particularly useful where many records of the same type are held.
In terms of deletion, personal data may not necessarily have to be completely erased. This option will be used if appropriate. This may be achieved by means of:
erasure of the unique identifiers which allow the allocation of a data set to a unique person;
erasure of single pieces of information that identify the data subject (whether alone or in combination with other pieces of information);
separation of personal data from non-identifying information (e.g. an order number from the customer’s name and address); or
aggregation of personal data in a way that no allocation to any individual is possible.
In some cases, no action will be required if data cannot be allocated to an identifiable person at the end of the retention period. This will be the case where:
the pool of data has grown so much that personal identification is not possible based on the information retained; or
the identifying data has already been deleted.
There is a significant difference between permanently deleting and archiving data. If a record is archived or stored offline, this should reduce its availability and the risk of misuse or mistake. However, records will only be archived (rather than deleted) if the company still needs to hold it. The Data Protection Officer will still give the data subject access to it, and to comply with the data protection principles. If it is appropriate to delete a record from a live system, it will also be deleted from any back-up of the information on that system.
Where personal data is shared between the company and any other organisation, the company will agree with the other organisation what to do once sharing is no longer needed. In some cases the shared information will be returned, without keeping a copy. In other cases, it will be deleted.
Both organisations will need to set their own retention periods, because one may have good reason to retain personal data for longer than the other. If shared information needs to be deleted this will be done by the organisations with copies of the data.
Data subjects will be informed:
of the retention period;
if no fixed retention period can be provided – the criteria used to determine that period; and
the new retention period if the purpose of processing has changed after personal data has been obtained.
Personal data will be held and kept for:
funeral applications and related documents: 15 years;
memorial applications, leases and related documents: three months after the term of the lease;
all other personal details received in correspondence: two years
Personal data will be held for the purposes outlined above and will be used only for those purposes. Only anonymised data will be used for management information purposes.
Retained data will be reviewed in line with the retention periods above.
Data will be destroyed unless there is a reason not to (e.g. legal requirement or legitimate interests). Paper documents will be labelled, and electronic files will be tagged with destruction dates
The company is required to respond to requests for information in compliance with the following legislation:
General Data Protection Regulation
Freedom of Information Act 2000
Environmental Information Regulations 2004
To fulfil this duty it is essential that both electronic, paper and email records are readily accessible (although this does not mean that records should be retained indefinitely).
Written procedures will be maintained setting out storage arrangements for paper and electronic data, including physical or digital location, security and disposal.
Procedures will be reviewed annually or in line with legislative changes
Business continuity plans will include a provision for loss of or inaccessibility to both electronic and paper records.
Means any information relating to an identified or identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Special Category Data
racial or ethnic origin;
religious or philosophical beliefs;
trade union membership;
physical or mental health or condition;
sex life or sexual orientation.
Data Controller Nene Valley Crematorium which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Subject: Means an individual who is the subject of personal data.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Processor Nene Valley Crematorium (and its staff), or another agency or body to which the personal data are disclosed, whether a third party or not.
Supervisory authority: The governing body – Information Commissioner’s Office (ICO).
Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Individual concerned: The person the information relates to also known as the data subject and natural person.
Exemption: An exception to the rule.