
Cosy Toes Kennels GDPR Internal Security Privacy Policy

Under the Animal Welfare Act, Cosy Toes is required to hold certain personal data on our customers in order to care for their pets and liaise with their vet and local authority inspectors. Under the GDPR we are required to take care of such data to keep it safe.

Data sources: emails, record cards, online bank activity, website, phone, post.

  1.         Email details: we will keep good, up-to-date antivirus protection, using multiple layers and providers, to ensure customers' emails are not hacked or otherwise maliciously affected, and we will check that the recipient address is correct before sending an email.

  2.         Computer systems: these are protected by use of a computer with inbuilt security software. Software is updated regularly. Unused software is removed rather than updated.

  3.         Our system will be accessed by the partners only. Passwords will be strong and changed regularly, and will not be written down and stored in easily accessed places.

  4.         Information files: we will retain the minimum necessary customer and staff details on record cards and files in the Office, or on computer in encrypted files, in a securely locked room; the laptop is kept in the safe when not in supervised use. Only trained, authorised staff will have access to these. We don’t have a database with personal information, but if and when we do it will be stored on an external drive in a locked store. Backup devices which are regularly used (maximum fortnightly backups) will be stored separately and securely. Files will not be stored in cloud storage unless the provider’s security has been checked to be adequately secure for this purpose and 2 layer security is enabled. Archived data will be stored separately in a locked drawer.

  5.         Staff will be trained to respect and care for customer data according to GDPR. Training covers recognition of threats from phishing emails, social media leaks and mis-posting, as well as updates and securing machine safety. Reading FSB business updates will facilitate awareness of scams in vogue. Our acceptable-use policy is that we only use customer information as required for the job in hand of pet care, and we check that outgoing communications are correctly addressed.

  6.         We hold no old data on machines but if and when we do it will be securely wiped before disposal.

  7.         Security software messages must be checked on a regular basis, plus control logs and other reporting systems that we have in place. We must also act on any alerts that are issued by these monitoring services.

  8.         We check what software or services are running on our network and make sure we can identify if there is something there which should not be.

  9.         We run regular vulnerability scans and penetration tests to scan our systems for known vulnerabilities – and make sure we address any vulnerabilities identified.

  10.          We don’t use social media, but if and when we do, we will post personal information only by private messaging and give due forethought to customer security and privacy in social media posts. We will post images of pets only when they have returned home and with owners’ permission. The same applies to website posting.

  11.          Data use: we ask permission to hold customers’ data, giving Lawful Need as the primary requirement, with Contract as the secondary need, and Consent needed for continuing to capture data more than 2 years after the boarding period is over. Erasure happens by incineration/deletion 6 years after the last date of boarding. Annual record reviews are made to ensure only necessary records are retained.

  12.          We inform customers and staff of GDPR requirements separately from our terms and conditions and contract.

  13.          We specify why we need the data and what we will do with it

  14.          We use clear language to explain why we need personal data

  15.          We tell individuals they can withdraw their consent after the legal storage period is over (currently 2 years)

  16.          We make it possible for individuals to access their data and rectify errors or omissions

  17.          We make it possible for people to have records removed on request, with no fuss or penalty, once the legal period is over

  18.          We will check any request for customer information is legitimate and respond within 1 calendar month

  19.          We keep records of what those customers were told at that time in a file kept in the correspondence folder

  20.          We regularly review the GDPR process and basis for retaining personal data along with updating security features

  21.           If any 3rd party controllers will use this data, the customers must be informed of this.

  22.           We specify the periods for which data is stored (minimum 2 years post date of stay, maximum 6 years from last stay)

  23.           We specify which governing body deals with complaints as being www.ico.org.uk

  24.           Information on restricting data can be found at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/

  25.           If data is breached: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/ Report to the ICO within 72 hours, and to the persons affected if the breach is likely to affect their rights and freedoms. Details of any data breaches are to be stored with this document in the correspondence folder.

  26.           The consequence of withholding data from us is that we are not able to board your pet.

  27.           Data protection information is provided at the time that personal data is provided: orally if a phone booking is made, and otherwise as a form.

The data controller is: Diana Newman, Cosy Toes Boarding Kennels. Allensmore. Hereford. HR2 9AJ
