Data Privacy Policy
Purpose
CJP is committed to using Personal Data responsibly and to ensuring that all staff understand and comply with their responsibilities under this Data Protection Policy (“Policy”) and the law. CJP recognises that the correct and lawful treatment of Personal Data is a critical responsibility. This policy has been developed to align with the General Data Protection Regulation (GDPR) to ensure European standards. Failure to adequately protect Personal Data could result in harm to others, reputational damage, loss of income, or fines.
This Policy sets out the principles CJP applies in handling and safeguarding Personal Data entrusted to CJP and sets out the obligations of Staff in relation to Personal Data or Processes. Staff members each have a responsibility in securing and protecting the Personal Data in CJP’s care.
This Policy is mandatory for all Staff, and all Staff must read and comply with this Policy and any related procedures and guidance.
Personal Data Protection Principles
CJP must be able to demonstrate compliance with the data protection principles, which are:
- Lawfulness, Fairness and Transparency: Personal Data must be Processed lawfully, fairly and in a transparent manner.
- Limitation: Personal Data must only be collected for specified, explicit, and legitimate purposes.
- Minimal Processing: Personal Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are Processed. Where possible, CJP must apply anonymisation to Personal Data to reduce the risks to the Data Subjects concerned.
- Accuracy: Personal Data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are Processed, are erased or rectified in a timely manner.
- Storage Period Limitation: Personal Data must be kept for no longer than is necessary for the purposes for which the Personal Data are Processed.
- Integrity and Confidentiality: Appropriate technical or organisational measures must be adopted to ensure security of Personal Data, including protection against accidental or unlawful destruction, loss, alteration, unauthorised access, or disclosure.
- Accountability: Data Controllers must be responsible for and be able to demonstrate compliance with the principles outlined above.
All Staff shall adhere to these principles when Processing Personal Data.
Lawfulness and Fairness of Processing
Whenever Personal Data is Processed there must be one of the following legal bases present:
- the Data Subject has given his or her Consent;
- the Processing is necessary for the performance of a contract with the Data Subject;
- to meet legal compliance obligations;
- to protect the Data Subject’s vital interests; or
- to pursue CJP’s legitimate interests.
CJP must identify and document the legal basis being relied on for each Processing activity.
Consent
Where Consent is relied upon, CJP must ensure the following:
- Consent must be clearly indicated by a statement or positive action.
- Consent requires affirmative action, so a pre-ticked box would not meet this requirement.
- The Data Subject has the right to withdraw Consent at any time and CJP must be able to honor this promptly.
- Whenever Personal Data Processing is based on the Data Subject's Consent, CJP shall retain a record of such Consent.
- Where collection of Personal Data relates to a child under the age of 18, and CJP is relying on Consent to Process that Personal Data, CJP must ensure that parent or legal guardian consent is given prior to the collection of Personal Data.
- Unless another legal basis of Processing is being relied upon, where Sensitive Personal Data (also known as Special Category Data) is being collected, Explicit Consent of the Data Subject will be required to Process this data.
Children
CJP recognises that children need particular protection when CJP is collecting and Processing their Personal Data. CJP shall ensure that the principle of fairness is central to all Processing of children’s Personal Data. Consent is one possible legal basis for Processing children’s Personal Data, but CJP recognises that sometimes using an alternative basis is more appropriate and provides better protection for the child.
Transparent Processing
Privacy Notices
Either before or at the time of collection of any Personal Data, CJP is required to inform Data Subjects about:
- what kind of Personal Data CJP collects;
- the reason for collecting the Personal Data;
- the purposes of the Processing;
- the legal basis which is being relied upon;
- the Data Subjects’ rights in relation to the Personal Data;
- security measures taken in relation to the Personal Data;
- whether CJP transfers Personal Data to third parties; and
- the retention period and any potential transfers of Personal Data.
Children
If Personal Data is collected from children, clear privacy notices must be specifically tailored for children, so that they are able to understand what will happen to their Personal Data, and what rights they have.
Data Retention
For any category of Personal Data not specifically defined in this or any other CJP Policy and unless otherwise specified by applicable law, the required retention period for any Personal Data record will be deemed to be seven years from the date of creation of the record.
Data Subject Rights
Data Subjects (including children) have the following rights:
- Right to be informed: Data Subjects have a right to know about CJP’s Personal Data protection and data Processing activities, details of which will be contained in CJP’s privacy notices.
- Right of access: Data Subjects can make what is known as a Subject Access Request (“SAR”) to request information about the Personal Data CJP holds about the Data Subject.
- Right to correction: Data Subjects have a right to require that any incomplete or inaccurate information is corrected.
- Right to erasure (the ‘right to be forgotten’): Data Subjects have a right to require that CJP removes data held about them, unless CJP has reasonable grounds to refuse the erasure.
- Right to restrict Processing: Data Subjects can request that CJP no longer Process their Personal Data in certain ways.
- Right to data portability: Data Subjects can ask CJP to provide copies of Personal Data held about them in a commonly used and easily storable format.
- Right to object: Unless CJP has overriding compelling legitimate grounds for such Processing, Data Subjects may object to CJP using their Personal Data for direct marketing purposes (including profiling) or for research or statistical purposes and may also object if CJP is Processing their data on the grounds of pursuit of CJP’s legitimate interests.
- Right to withdraw Consent: If CJP is relying on Consent as the basis on which CJP is Processing a Data Subject’s Personal Data, the Data Subject can withdraw their Consent at any time.
Transfer of Data to Third Parties
If CJP is using any third-party supplier or business partner (Supplier) to Process Personal Data on CJP’s behalf, the Relevant Manager is responsible for ensuring compliance.
If CJP is Processing Personal Data jointly with an independent third party, CJP must explicitly agree in the contract with that third party each party’s respective responsibilities regarding Personal Data.
Data Security
It is important that CJP Staff keep all Personal Data safe and secure, whether held physically or electronically, and not disclose or allow access to unauthorised persons.
Data Breaches and Notification
A Data Breach includes but is not limited to the following:
- unauthorised disclosure of Personal Data;
- loss or theft of confidential or sensitive data;
- loss or theft of equipment on which Personal Data is stored (e.g. loss of laptop, USB stick, iPad/tablet device, or paper record);
- unauthorised use of, access to or modification of IT, data or information systems (e.g. via a hacking attack); and
- attempts (failed or successful) to gain unauthorised access to IT, data or information systems.
If any member of Staff or other person learns of a suspected or actual Personal Data Breach, it must be reported immediately. The report should include as many details of the incident as possible, including date and time of the breach (if known), the nature of the information concerned, and how many individuals are involved.
Please contact CJP if you have further questions.
