Data Protection Policy
1. Purpose and Scope
This Data Protection Policy sets out how Code Inclusive collects, processes, stores, and protects personal data in accordance with applicable data protection legislation in the United Kingdom, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy applies to:
All employees, contractors, and associates of Code Inclusive.
All personal data processed by Code Inclusive in the course of providing IT services across the Yorkshire region.
The only external personal data handled by Code Inclusive relates to clients and individuals making enquiries about services.
2. Data Controller and Data Protection Officer
Code Inclusive acts as a Data Controller in relation to personal data it collects and processes for its own business purposes, and as a Data Processor where it processes personal data on behalf of clients.
The appointed Data Protection Officer (DPO) is:
Name: Peter Arkwright
Role: Data Protection Officer
Responsibility: Oversight of data protection compliance, advice on obligations, and acting as the point of contact for data subjects and the Information Commissioner’s Office (ICO).
3. Definitions
Personal Data: Any information relating to an identified or identifiable natural person.
Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person’s sex life or sexual orientation.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Data Subject: The individual to whom the personal data relates.
4. Lawful Basis for Processing
Code Inclusive processes personal data only where there is a lawful basis under Article 6 of the UK GDPR. The primary lawful bases relied upon are:
Contractual necessity: To enter into or perform a contract with a client.
Legitimate interests: For business administration, service improvement, and responding to enquiries, where such interests are not overridden by the rights of data subjects.
Legal obligation: Where processing is required to comply with UK law.
Special category data is not routinely processed. Where it is exceptionally required, an additional lawful condition under Article 9 UK GDPR will be identified and documented.
5. Data Minimisation and Purpose Limitation
Code Inclusive:
Collects only personal data that is adequate, relevant, and limited to what is necessary for specified purposes.
Uses personal data solely for explicit and legitimate purposes related to service delivery, client management, and enquiry handling.
Does not process personal data in a manner incompatible with those purposes.
6. Accuracy of Data
Reasonable steps are taken to ensure that personal data is accurate and, where necessary, kept up to date. Inaccurate or incomplete data will be rectified or erased without undue delay when identified.
7. Data Retention
Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements. Retention periods are documented internally and reviewed periodically. Data that is no longer required is securely deleted or anonymised.
8. Data Security
Code Inclusive implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:
Access controls based on role and business need.
Secure authentication mechanisms.
Encryption of data where appropriate.
Regular security updates and patch management.
Staff training on data protection and information security.
9. Data Subject Rights
Code Inclusive recognises and facilitates the rights of data subjects under the UK GDPR, including:
The right of access.
The right to rectification.
The right to erasure.
The right to restrict processing.
The right to data portability (where applicable).
The right to object to processing.
Requests to exercise these rights must be submitted in writing and will be handled within statutory timeframes.
10. Data Sharing and Third Parties
Personal data is not shared with third parties unless:
It is necessary for the provision of services.
There is a contractual requirement with appropriate data protection clauses in place.
Disclosure is required by law.
Where Code Inclusive engages sub-processors, it ensures that they provide sufficient guarantees of compliance with UK GDPR requirements.
11. International Transfers
Code Inclusive does not routinely transfer personal data outside the United Kingdom. Where an international transfer is required, appropriate safeguards will be implemented in accordance with UK GDPR, such as adequacy regulations or standard contractual clauses.
12. Data Breaches
All personal data breaches must be reported immediately to the DPO. Code Inclusive maintains procedures to:
Assess the risk to data subjects.
Notify the ICO within 72 hours where required.
Notify affected data subjects where there is a high risk to their rights and freedoms.
All breaches are documented, regardless of whether notification is required.
13. Training and Awareness
All staff with access to personal data receive appropriate data protection training. Training is refreshed periodically and updated to reflect changes in law or business practices.
14. Policy Review and Compliance
This policy is reviewed at least annually, or sooner if required due to legal, regulatory, or operational changes. Non-compliance with this policy may result in disciplinary action.
15. Contact
Questions or concerns regarding this policy or data protection practices should be directed to the Data Protection Officer.