Data Protection Policy

Last Updated: January 2024

Policy Statement

John Hunt Photography Limited is committed to protecting the privacy and security of all personal data we process. This Data Protection Policy sets out how we comply with data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Scope

This policy applies to all personal data processed by John Hunt Photography Limited in connection with our school photography services, including data relating to:

• Students
• Parents and guardians
• School staff and contacts
• Suppliers and business contacts

Data Protection Principles

We process all personal data in accordance with the following principles:

• Lawfulness, Fairness, and Transparency: We process data lawfully, fairly, and in a transparent manner
• Purpose Limitation: We collect data for specified, explicit, and legitimate purposes
• Data Minimization: We only collect data that is adequate, relevant, and necessary
• Accuracy: We keep data accurate and up to date
• Storage Limitation: We retain data only as long as necessary
• Integrity and Confidentiality: We process data securely with appropriate technical and organizational measures
• Accountability: We demonstrate compliance with data protection principles

Roles and Responsibilities

Data Controller: John Hunt Photography Limited is the data controller responsible for ensuring compliance with data protection legislation.

Data Protection Contact: Kerry Hunt is responsible for overseeing data protection compliance and responding to data subject requests.

Lawful Bases for Processing

We process personal data under the following lawful bases:

• Consent: For photographing children and processing photographs
• Contract: For fulfilling contracts with schools and parents
• Legitimate Interests: For business operations and service improvement
• Legal Obligation: For compliance with legal and regulatory requirements

Special Category Data

Photographs of children are considered special category data. We process such data only with explicit consent from parents/guardians and implement additional safeguards including:

• Secure encrypted storage
• Password-protected access
• Limited retention periods
• Staff training on handling sensitive data

Data Subject Rights

We respect and facilitate the exercise of data subject rights, including:

• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Rights related to automated decision-making

Data Security

We implement appropriate technical and organizational security measures, including:

• Encryption of data at rest and in transit
• Secure password policies
• Access controls and authentication
• Regular security updates and patches
• Secure backup procedures
• Staff training on data security
• Incident response procedures

Data Breach Procedures

In the event of a data breach, we will:

• Assess the breach and take immediate containment action
• Notify the Information Commissioner's Office within 72 hours if required
• Notify affected individuals without undue delay if high risk to their rights and freedoms
• Document the breach and our response
• Review and improve security measures

Data Sharing and Transfers

We only share personal data with third parties when necessary for service delivery, including:

• Print suppliers for order fulfillment
• Payment processors for secure transactions
• Delivery services for home delivery
• Schools for coordination and commission payment

All third parties are required to maintain appropriate data protection standards through written agreements.

Retention and Disposal

We retain personal data only as long as necessary for the purposes for which it was collected:

• Photographs: One academic year
• Order records: 7 years (accounting requirements)
• Marketing consent: Until withdrawn
• CCTV footage: 30 days

Data is securely disposed of when no longer needed through secure deletion or physical destruction.

Training and Awareness

All staff receive training on data protection principles and their responsibilities, including:

• GDPR fundamentals
• Handling personal data securely
• Recognizing and reporting data breaches
• Responding to data subject requests

Policy Review

This policy is reviewed annually and updated as necessary to reflect changes in legislation, technology, and business practices.

Contact Information

For questions about this policy or to exercise your data protection rights, contact:

Data Protection Contact: Kerry Hunt
Email: kerry@jhpschools.com
Phone: 0161 723 5170
Address: John Hunt Photography Limited, 55 Stand Lane, Radcliffe, Manchester M26 1LQ

Supervisory Authority

Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113