Data Protection Policy

Introduction – The Policy

This document, Data Protection Policy sets out our rules and guidelines relating to holding, processing and dealing with information, materials and data about our clients and is designed to bring together the rights and obligations as set out in the General Data Protection Act Regulations 2018 and current "best practice" based on the guidance and other publications of the Information Commissioner.
CHICS is registered with the Information Commissioners Office Register of Data Controllers – Registration number Z6806750

CHICS is not an active processor of data. Rather we hold occasional copies of client data at their behest, as an aid to training/IT support. In general this will hold names, addresses, contacts, and detail on rent and property maintenance. Some systems may hold further information on basic family circumstance or medical history.
Occasionally we will make structural modifications to this copy and return.
As such we never have call to pass information over to a third party.

On sending us data it is our presumption that our Clients have permission from their Clients to do so.
Security is enhanced in that data is accessible only if running a CHICS system. CHICS X data is further safeguarded as it is held in a proprietary format, and very difficult to re-assemble meaningfully.

The purpose of the policy is to ensure the security of information held.

General Data Protection Regulations 2018

General Data Protection Regulations replaces the Data Protection Act 1998 and regulates when and how an individual's ‘personal data’ may be obtained, held, used, disclosed and generally processed.  It applies to computerised processing of personal data, and also certain paper‑based data files and records.
Under the Act, living individuals who are the subject of personal data have certain rights in relation to their data, which will govern what Chics is allowed to do with their personal data. 

8 Data Protection Principles

The data must be:

  1. Fairly and lawfully processed.

CHICS data will only be sent to us with the knowledge or consent of our Client.
Will be processed within the strict terms of the law, including but not limited to, the regulations and in line with any current guidance and other publications of the Information Commissioner where possible.

  1. Processed for limited purposes.

All data shall be relevant for the purposes for which it is to be used.
We will not sell, distribute or lease our Clients data to third parties unless we have our Clients permission or are required by law to do so.
The principal purposes for holding data held include but are not limited to:

      1. Assisting with support issues
      2. Tailored enhancements to the Clients software package
      3. Training of staff
      4. Providing information regarding our Company and its products

In all those cases cited in above, the relevant information will only be disclosed following a request from the Client.

  1. Adequate, relevant and not excessive.

CHICS holds information on its past, present and potential future Clients. CHICS collects and maintains such data in order to meet its legitimate interests as a service provider, to comply with statutory requirements or to fulfil individual contracts with its Clients.

  1. Accurate and up to date.

As a small company it is likely that any changes required to information held will be notified and dealt with as soon as they arise.

  1. Not kept for longer than necessary.

Data files provided to us by our Clients, for support purposes, will be destroyed when the Client requests we do so, when the Client is no longer supported by us or after a period of 12 months of non-use.
Details that we hold about our clients will be destroyed after 10 years of non-support.

  1. Processed in line with individual data subject rights

All Clients have the right to know whether or not any personal data relating to them is being processed and to receive information relating to the description of the personal data, the purposes for which their data is or is to be processed, from whom it is received, to whom it is disclosed. All Clients have the right to receive a copy of such personal data and have the right to correct any errors which exist on record about them. When further data is requested from them, they may know if replies to the questions are obligatory or voluntary and the possible consequences of failure to reply.
You may request details of personal information which we hold about you under the General Data Protection Regulation. If you would like a copy of the information held on you please write to CHICS, 14 Windsor Mead, Sidford, Sidmouth, Devon EX10 9SJ.

  1. Secure

CHICS may place all or part of its files onto a secure computer network and with restricted access to data. When implemented access to individual data will only be granted for specific and legitimate purposes:
Any paper files will be kept in a secure location and locked away when necessary.
Chics reserves the right to 'back up' data files and hold secure multiple copies of personal data in order to protect its interests in the event of data loss.

  1. Not transferred to other countries without adequate protection.

Transfer of data outside of the UK will only take place in conjunction with the Client concerned who will assist in determining the level of protection required in the transfer of such data.

Internal Procedures

Staff will be responsible for adhering to these policies, in particular for protection on their own computers / devices.

Breaches of our Data Protection policy will be regarded as misconduct and could lead to disciplinary proceedings.


Controlling your personal information

You may choose to restrict the collection or use of your personal information in the following ways:
if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at mark@chics.co.uk

In the case of a dispute concerning any specific application of this Procedure, the matter should be brought to the attention of the Managing Director.

GDPR 2018. Review date May 2019