All Nisa Retail LTD (“Nisa”) employees, temporary staff, consultants, contractors and third parties have a duty to protect Nisa’s data that they create, store, process or transfer.
The Data Protection Act 1998 (which is designed to protect personal data stored on computers or in an organised paper filing system) will be superseded by the EU General Data Protection Regulation (“GDPR”) on 25th May 2018. At a minimum, Nisa must ensure data protection standards to meet these regulations. The lawful and proper treatment of personal and special category information by Nisa is extremely important to the success of our business in order to maintain the confidence of our members, employees, third party stakeholders and suppliers. This policy document sets out the requirements for Nisa employees, temporary staff, consultants, contractors and third parties (where applicable) to fulfil these regulatory obligations.
2 Policy Statement
Everyone has rights with regard to the way in which their personal data is processed. During the course of Nisa’s activities, Nisa will collect, store and process personal data about its customers, suppliers and other third parties. Nisa recognises that the correct and lawful treatment of data will maintain confidence in the organisation and provide for successful business operations. It is the policy of Nisa to ensure that all data shall be protected in proportion to the nature and sensitivity of the data, and in line with all legal and regulatory requirements.
All data users are required to comply with this policy when processing personal data on Nisa’s behalf. Any breach of this policy may result in disciplinary action.
The types of personal data that Nisa may be required to process include information about current, past and prospective employees, consultants, contractors, suppliers, third parties and any others that Nisa communicates with. The personal data which may be held on paper or on computer or other media is subject to certain legal safeguards specified in the Act which will be superseded by the GDPR in May 2018.
This policy sets out the basis on which Nisa will process any personal data (supported by the noted related documents) it collects from data subjects, or that is provided to Nisa by data subjects or other sources and in particular:
- To ensure data protection good practice across all business functions in the business.
- To ensure compliance with GDPR and other applicable legislation and regulation related to the processing of personal and special category data.
This policy does not form part of any employee’s contract of employment and may be amended at any time. This document outlines internal policy in respect of data handling and has been approved by the Information Governance Group, but is subject to all the laws, rules and regulations by which Nisa is governed, specifically in relation to how personal data is obtained, handled, processed, transferred and stored. In the event this policy allows employees, temporary staff, consultants, contractors and third parties to exercise discretion, such discretion must be exercised within the confines of Nisa’s statutory obligations and must not contravene any of its legal, accounting or other regulatory requirements.
4 Data Protection Principles
It is the policy of Nisa to ensure that all data shall be protected in proportion to the nature and sensitivity of the data, and in line with all legal and regulatory requirements.
Nisa fully supports and complies with the six principles of the GDPR which are summarised below:
a) Personal data shall be processed fairly, lawfully and in a transparent manner;
b) Personal data shall be obtained/processed for specific lawful purposes;
c) Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed;
d) Personal data must be accurate and kept up to date;
e) Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
f) Personal data shall be processed in a secure manner.
An overriding principle that Nisa is required to adhere to is Accountability. Nisa demonstrates compliance with the six principles by having processes in place to clearly document and justify the approach and processes in place for each of these principles.
5.1.1 Personal data is noted as being ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. This means data is considered personal when the individual can be uniquely identified from one or more items (for example a name in addition to a date of birth, or a name in addition to an address).
5.1.2 Special category personal data is defined as personal data consisting of information relating to the data subject with regard to racial or ethnic origin; political opinions; religious beliefs or other beliefs of a similar nature; trade union membership; physical or mental health or condition; sexual life; the commission or alleged commission by the data subject of any offence; or any proceedings for any offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings. Special category personal data can only be processed under strict conditions including conditions requiring the express permission of the person concerned.
5.1.3 Processing means any activity which involves the use of data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction (being the marking of stored personal data with the aim of limiting its future processing), erasure or destruction.
5.1.4 Controller means the legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. They are responsible for establishing practices and policies in line with the Act and subsequently GDPR. Nisa Retail is the controller for all personal data used in its business for its own commercial purposes.
5.1.5 Processor means a person, public authority, agency or other body that is not a data user which processes personal data on behalf of the controller, i.e. Nisa.
5.1.6 Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
6 Roles and Responsibilities
6.1 The Executive Management Committee
6.1.1 The Executive Management Committee have delegated the responsibility for all matters relating to data protection to the Information Governance Group.
6.2 Information Governance Group
6.2.1 The Information Governance Group (IGG) will take overall responsibility and ownership for the development of data protection and information governance and will support the identification of additional and suitable controls when deemed applicable.
6.2.2 The IGG is responsible for assisting the Data Protection Lead in his/her role to coordinate and to provide oversight for all work on matters relating to data protection and information governance at Nisa.
6.2.3 The IGG shall delegate responsibilities to appropriate group members to carry out data protection and information governance related tasks with its authority.
6.2.4 The IGG shall ensure suitable awareness exists throughout the business around the Data Protection Policy and all other data protection related policies, standards, guidelines and procedures.
6.3 The Data Protection Lead
6.3.1 The Data Protection Lead in partnership with the IGG will ensure that this Data Protection Policy is pertinent, fit for purpose and reviewed at timely intervals or when significant changes occur to Nisa information processing activities.
6.3.2 The Data Protection Lead will be responsible for coordinating and reporting on data protection related matters to the IGG.
6.3.3 The Data Protection Lead in partnership with the IGG will ensure that all employees, temporary staff, consultants, contractors and third parties (where applicable) are informed and have awareness of this Data Protection Policy and its importance to the business.
6.3.4 The Data Protection Lead is responsible for ensuring the IGG are aware of newly identified data protection related risks that have the potential to harm the business.
6.3.5 The Data Protection Lead will ensure that a suitable training and awareness programme is maintained and audited at Nisa. This programme will incorporate visibility and awareness of this and all other data protection related policies.
6.4 IT Security Manager
6.4.1 The IT Security Manager in partnership with the Data Protection Lead and the IGG is responsible for all information security matters at Nisa.
6.5 The Head(s) of IT - (Operations and Business Systems)
6.5.1 The Head(s) of IT will ensure all teams across the IT Department (and other areas where applicable) acknowledge and comply with this Data Protection Policy.
6.5.2 The Head(s) of IT will support, across all Nisa information systems, the adoption of all policies, standards and guidelines accepted by the IGG for matters relating to data protection and information processing governance.
6.6 Line Manager and Human Resources
6.6.1 Local management, in partnership with Human Resources (and the IGG) will ensure that all employees, temporary staff, consultants, contractors and third parties (where applicable) understand their responsibilities and are suitable for roles for which they are considered.
6.6.2 Local management, in partnership with the IGG and Human Resources will ensure that all employees, temporary staff, consultants, contractors and third parties (where applicable) are aware of and fulfil their data protection related responsibilities.
6.6.3 Line managers, with the support of Human Resources will ensure data protection is considered as part of recruitment, changes in role or termination of employment at Nisa.
6.7 Physical Security Management
6.7.1 Physical Security Management (in partnership with the Data Protection Lead and the IT Security Manager) will prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities across all Nisa sites.
6.7.2 Local Physical Security Management with responsibility for corporate or public spaces at any Nisa location will be involved as necessary/required.
6.8 All Staff
6.8.1 All employees, temporary staff, consultants and contractors are responsible for the records they create, use, transfer and store.
6.8.2 All employees, temporary staff, consultants and contractors shall be aware of their responsibilities in relation to this policy and ensure that all access and usage of Nisa information systems respects the values and controls promoted within this and other end user policies.
6.9 Third Party Providers
6.9.1 All Third Party cloud or hosting providers that are responsible for hosting and processing Nisa owned information assets on their facilities shall be monitored by Nisa for compliance against this policy.
6.9.2 All Third Party cloud and hosting providers shall allow the Nisa Data Protection and IT Security functions to audit against this and other applicable policies and contract agreements.
7.1.1 Nisa shall have a designated Data Protection Lead (DPL) at all times.
7.1.2 All personnel shall support the DPL in performing his/her tasks; these tasks shall be carried out without influence on or consequence to the DPL and without any conflict of interest.
7.1.3 The DPL shall be designated on the basis of (amongst other capabilities) professional qualities and expert knowledge of data protection law and practices.
7.1.4 Nisa shall advise all staff of the DPL including contact details.
7.1.5 The DPL shall have at least the following tasks:
- Inform and advise Nisa and its employees, temporary staff, consultants, contractors and third parties (where applicable) who carry out processing of their obligations pursuant to GDPR and other data protection provisions.
- To monitor compliance with GDPR, other data protection provisions and Nisa policies in relation to the protection of personal data.
- To provide advice where requested as regards the data protection impact assessment and monitor its performance.
- To cooperate with the supervisory authorities.
- To act as the contact point for the supervisory authorities on issues relating to personal data processing.
7.1.6 All data created, stored, processed and transferred by employees, temporary staff, consultants, contractors and third parties (where applicable) shall have a classification in accordance with the Nisa Retail Information Classification and Handling Policy.
7.1.7 Personal and special category data shall be protected by the implementation of appropriate technical and organisational measures (the Nisa Retail Information Classification and Handling policy defines the level of appropriate technical and organisational measures and integration of necessary safeguards), taking into account:
- The control / technology in question.
- The cost of implementation.
- The nature, scope, context and purposes of processing the data.
- The risks to rights and freedoms of persons posed by the processing.
7.1.8 Appropriate technical and organisational measures shall be implemented to ensure that, by default:
- Personal and special category data collection is limited to that which is necessary for each specific purpose of the processing.
- Personal and special category data processing is limited to that which is necessary for each specific purpose of the processing.
- Personal and special category data access is limited to that which is necessary for each specific purpose of the processing.
- The storage period of all personal and special category data is limited to that which is necessary for each specific purpose of the processing.
7.1.9 All employees, temporary staff, consultants, contractors and third parties (where applicable) shall ensure that the Data Protection Lead is involved, and advice sought where deemed necessary/needed, in all issues which relate to the protection of personal and special category data.