Data & Privacy Policy
PRIVACY POLICY
We take your privacy very seriously and we ask that you read this privacy policy carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and how to contact us and supervisory authorities in the event you have a complaint.
Who we are
Beach Lawn House Ltd is the operator of the website www.beachlawnhouse.com. We collect, use and are responsible for certain information about you. When we do so, we are regulated under the General Data Protection Regulation which applies across the European Union (including the United Kingdom) and we are responsible as ‘controller’ of that personal information for the purposes of those laws. The person responsible for how we handle personal information is Tracey Robinson, our director.
THE PERSONAL INFORMATION WE COLLECT AND USE
Personal information provided by you
In the course of operating our serviced apartment business, we collect personal information when you provide it to us, such as your name, postal address, email address, phone numbers, date of birth and payment details.
We also collect personal information from you if you apply for a job with us or work for us for any period of time.
In this context, personal information we gather may include: contact details, financial and payment details, details of education, qualifications and skills, marital status, nationality, NI number, job title, and CV.
Personal information provided by third parties
Occasionally we may receive information about you from other sources (such as credit reference agencies), which we will add to the information we already hold about you in order to help us provide services to you and to improve and personalise our service to you. If you apply for a job with us, we may receive information from the people who provide references.
Personal information about other individuals
If you give us information on behalf of someone else as an alternate contact, referee or next of kin, you confirm that the other person has agreed that you can:
- give consent on his/her behalf to the processing of his/her personal data;
- receive on his/her behalf any data protection notices; and
- if relevant, give consent to the transfer of his/her personal data abroad.
Sensitive personal information
We will not usually ask you to provide sensitive personal information. We will only ask you to provide sensitive personal information if we need to for a specific reason, for example, if we believe you are having difficulty dealing with your employment or your stay due to illness. If we request such information, we will explain why we are requesting it and how we intend to use it.
Sensitive personal information includes information relating to your ethnic origin, political opinions, religious beliefs, whether you belong to a trade union, your physical or mental health or condition, sexual life, and whether you have committed a criminal offence. We will only collect your sensitive personal information with your explicit consent.
Children
We do not knowingly collect personal data relating to children under the age of 16. If you are a parent or guardian of a child under the age of 16 and think that we may have information relating to that child, please contact us. We will ask you to prove your relationship to the child but if you do so you may (subject to applicable law) request access to and deletion of that child’s personal data.
HOW AND WHEN DO WE COLLECT INFORMATION FROM YOU?
We gather information directly from you face to face if you come to our hotel or over the telephone if you ring us to make an enquiry. We collect personal information via our website and mobile applications or ‘Apps’ and other technical systems. We collect this when you use our website or Apps to sign up to. Our website also uses cookies (see “Use of cookies” section below) and collects IP addresses (which means a number that can uniquely identify a specific computer or other device on the internet). We also collect personal information when you contact us or send us feedback.
We may monitor and record communications with you (such as telephone conversations and emails). We may do this for a number of reasons, such as to check the quality of our customer service, for training purposes, to prevent fraud or to make sure we are complying with legal requirements.
If you visit our hotel, some personal data may be collected from monitoring devices and systems such as closed circuit TV (CCTV) and door entry systems at the site.
Use of cookies
A cookie is a small text file which is placed onto your computer (or other electronic device such as a mobile telephone or tablet) when you use our website. We use cookies and other similar tracking technologies such as action tags and pixel tracking on our website. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify you individually. We use analysis software to look at IP addresses and cookies to improve your experience as a user of our website. We do not use this information to develop a personal profile of you. If we do collect personally identifiable information, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
You can set your browser not to accept cookies and the websites below tell you how to remove cookies from your browser. However, some of our website features may not function as a result.
For further information on our use of cookies, please see our Website cookie policy.
For further information on cookies generally visit www.aboutcookies.org or www.allaboutcookies.org.
Legitimate business interests
Our priority is to make sure we give a high quality and secure service to customers and to follow up effectively on enquiries even though we accept that not all enquiries will lead to a business relationship or contract. We collect personal information to:
- follow up on enquiries in accordance with industry guidelines and provide quotes for v;
- conduct research and analyse website visitor behaviour patterns;
- customise our website and its content to your particular preferences;
- improve our services;
- detect and prevent fraud;
- prevent offensive, inappropriate or objectionable content being sent to or posted on our websites or to stop any other form of disruptive behaviour.
We collect and process CCTV images
- to monitor our internal public areas and car parks
- to establish whether you are doing something that breaches your contract with us; and
- to assist in the establishment or defence of any crime or other investigation.
We will also communicate with you information about other services we can offer you and update you about our activities and promotions which may be of interest to you. If you would like to stop receiving these email newsletters, you can also click on the “unsubscribe” button at the bottom of the email newsletter. It may take a few days for this to take place. See ‘What rights do you have?’ below for further information. If you ask us to stop contacting you in this way, you can also ask us to start again at any time.
If we propose to use your information for any other uses we will ensure that we notify you first. If we need your consent to use your information for these other purposes, we will give you the opportunity to opt in or to refuse. If you opt in, you will be able to opt out at any time.
When will we contact any other person about you?
If you provide us with details of any other person we can contact to verify your employment or to act as your next of kin, we may contact that person and discuss and share the details of what position you are applying for or we may particularly want to do this if we are unable to get in touch with you for any reason.
If you change your mind, you can email or write to us and have this person taken off your file as an alternate contact person (see ‘How can you contact us?’ below).
If you provide us the details of a person who we can contact for a job reference, we may contact that person in connection with your job application.
Who your information might be shared with?
We may disclose your personal data to:
- service providers under contract with us to support our business operations, such as fraud prevention, debt collection, payroll, technology services;
- law enforcement or government agencies in connection with any investigation to help prevent or detect unlawful activity;
- any person or agency if we need to share that information to comply with the law or to enforce any agreement we may have with you or to protect the health and safety of any person;
- any person who you have named as a person we can contact as your next of kin;
- any person who is your agent or representative, such as the holder of a power of attorney, a legal guardian or person administering a will;
- any person who we are negotiating with as a potential buyer of our business or property or if we are proposing to merge our business with another business;
- credit card associations if specifically required.
If we pass data on to insurers, they may enter your data onto a register of claims which is shared with other insurers to prevent fraudulent claims. If we use an outside party to process your information, we will require them to comply with our instructions in connection with the services they provide for us and not for their own business purposes.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those people processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We will use technical measures to safeguard your personal data, for example:
- we store your personal data on secure servers; and
- payment details are encrypted on the secure server.
We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable supervisory body of a suspected data breach where we are legally required to do so.
While we will use all reasonable efforts to keep your personal data safe, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data that is transferred from you or to you via the internet. If you have any particular concerns about your information, please contact us (see ‘How to contact us’ below).
Our website contains links to websites and applications owned and operated by other people and businesses. These third party sites have their own privacy policies and use their own cookies and we recommend that you review them before you provide them with personal information. They will tell you how your personal information is collected and used whilst you are visiting these other websites. We do not accept any responsibility or liability for the content of these sites or the use of your information collected by any of these other sites and you use these other sites at your own risk.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
Transfers of your personal information out of the EEA
We will not transfer your personal data outside of the European Economic Area.
How long do we keep your personal information?
We will usually hold your personal information as a customer or employee on our system for the period we are required to retain this information by applicable UK law, currently 6 years from the end of our contract or 6 months after any unsuccessful job application, unless you have told us you want us to delete the information earlier (see section “What rights do you have” below).
What rights do you have?
Under the General Data Protection Regulation, you have a number of important rights. These include the following rights:
- request a copy of your information which we hold (subject access request);
- require us to correct any mistakes in your information which we hold;
- require the erasure of personal information concerning you in certain situations;
- require us to stop contacting you for direct marketing purposes;
- object in certain other situations to our continued processing of your personal information;
- restrict our processing of your personal information in certain circumstances;
- object to decisions being taken by automated means which produce legal effects concerning you or which affect you significantly; and
- receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations.
Further information on each of these rights is available from the Information Commissioner’s Office.
If you would like to exercise any of these rights, please:
- email, call or write to us (see ‘How to contact us’ below)
- let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
- let us know the information to which your request relates, including any account or reference numbers, if you have them
We will not charge any fee for any of these services in most cases.
How to contact us
We hope that we can resolve any query or concern you raise about the way we use your personal information. Please contact us if you have any questions about this privacy policy or the information we hold about you.
If you wish to contact us, please send an email to stay@beachlawnhouse.com or write to us at Beach Lawn House, 13 Beach Lawn, Waterloo, Liverpool L22 8QA or call us on 0151 2946279.
The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner, who may be contacted at https://ico.org.uk/concerns/ or telephone 0303 123 1113.
Changes to the privacy policy
We may change this Privacy Notice from time to time. You should check this policy occasionally to ensure you are aware of the most recent version.
INFORMATION SECURITY SCHEDULE
Introduction
We are committed to the highest standards of document and information management and security and treat confidentiality and data security extremely seriously. All management of our IT systems is done by a third-party company called Sensible IT (see details below).
Mike Wright
Operations Director
Phone: 01524 238622
Unit 1 Lansil Way, Lansil Industrial Estate, Lancaster, Lancashire, LA1 3QY
One of the purposes of this policy is to:
- protect against potential breaches of confidentiality and failures of integrity or availability of information
- ensure our information assets and IT facilities are protected against damage, loss or misuse
- ensure all staff are aware of and comply with UK law and our own procedures applying to the processing of data
- increase awareness and understanding in the business of the requirements for information security and the responsibility of staff to protect information they handle
Sensible IT will review security event logs and error logs on a monthly basis and are responsible for downloading and installing any necessary software, security patches or system updates.
Our procedures
Information management
- Records and information are owned by the business and not by any individual or team.
- Keeping accurate and up-to-date records is an integral part of all business activities.
- Complete and accurate records must be securely stored in the appropriate locations and be easily identifiable and accessible to those who need to see them. This means:
- files must be kept in accordance with our normal file management protocols and must be kept organised and up-to-date
- substantive matter related emails and notes of telephone or other conversations must be placed on file and must not be stored solely in personal mailboxes
- files must not be removed from the office except as permitted under this policy
- Information includes information stored anywhere on our IT system, as well as paper records and CCTV images.
- Information will be held only as long as is required and disposed of in accordance with our Information retention and destruction policy.
- All staff must ensure that any information and data gathered is accurate and, where appropriate, kept up-to-date.
Human resources information
- Given the internal confidentiality and sensitivity of personnel files, access to such information is limited to Tracey Robinson, the director of the business, along with the company accountants, Fosters Ltd, and the third-party payroll company used to process all wage slips, Cumbria Payroll Services Ltd (copies of their DPP policies are attached to the back of this document). Except as provided in individual roles, no other staff are authorised to access that information.
- Any staff member in a management or supervisory role must keep personnel information confidential.
- Subject to the provisions of the GDPR and associated codes of conduct, staff may ask to see their personnel files at any time by request to the DCM.
Access to offices and files
- At the end of each day, or when desks are unoccupied, all files, backup systems and devices containing confidential information must be securely locked away or access disabled in case of temporary absence.
- All office access doors are kept secure at all times and customers or external visitors do not have access to our back-office storage system or our filing cabinets.
- All Staff information is held off site at the private office of the DCM.
- Customers and visitors will never be left alone in areas where they could have access to confidential information.
Computers and IT
- All computers are password protected and those passwords are set up and changed in accordance with requirements issued by the DCM from time to time. Passwords will never be written down or given to others.
- Computers and other devices will be locked when not in use to minimise the risk of accidental data loss or disclosure.
- The use of memory sticks and other removable media is prohibited. No confidential information is to be copied onto floppy disk, removable hard drive, CD or DVD or memory stick/thumb drive without the express permission of the DCM and even then, it must be encrypted.
- Data copied to any of these devices must not be uploaded to our IT system until the device has been checked and cleared by our IT manager. Once this has happened, relevant data should be stored on our computer network in order for it to be backed up and the data on the removable device should be deleted.
Backup of data
- All electronic data will be securely backed up at the end of each working day.
- Backups are encrypted if leaving site and the onsite cabinet must be locked at all times.
- Backup media that is retained on site prior to being sent for storage at a remote location is stored securely in a locked safe and at a sufficient distance away from the original data to ensure both the original and backup copies are not compromised.
- A recording mechanism is in place and maintained by our IT manager to record all backup information including any failures or other issues.
Communication and transfer
- Confidential information will not be removed from our offices without permission from the DCM.
- Postal, fax and email addresses and numbers should be checked and verified before information is sent to them. Particular care is taken with email addresses where auto-complete features may have inserted incorrect addresses.
- All sensitive or particularly confidential information is encrypted before being sent by email, or is sent by recorded delivery.
Personal email and cloud storage accounts
- Personal email accounts, such as Yahoo, Google or Hotmail, and cloud storage services, such as Dropbox, iCloud and OneDrive, are vulnerable to hacking. They do not provide the same level of security as the services provided by our own IT systems.
- Staff will not use a personal email account or cloud storage account for work purposes.
Home working
- No confidential or other information will be taken to any home office without the permission of the DCM and only then if you are accessing the company's data using company-provided laptops.
- No confidential information is to be stored on your home computer (PC, laptop or tablet).
- Files and confidential information must be kept in a secure and locked environment where they cannot be accessed by family members or visitors.
- For more guidance, consult the DCM for details of our remote working and removable media policy.
Cybercrime prevention and management
- All staff are required to be aware of and comply with our Cybercrime prevention strategy and incident management plan, which incorporates our Password policy [and criteria for remote working].
IT system management and development
Our IT systems are managed by suitably trained staff who are responsible for overseeing day-to-day operation and to ensure continued security and integrity.
Sensible Choice IT is responsible for ensuring we have procedures for the secure configuration of network devices.
These will vary from time to time but are likely to include:
- ensuring all network devices have up-to-date firewalls
- encryption of hard drives
- ensuring all devices are password protected[/alarmed]
Sensible Choice IT is responsible for the management of user accounts and will implement procedures to ensure:
- appropriate permissions are set for different types of user accounts, eg administration, standard or guest
- all members of staff have the correct type of user account
- users run with a minimal set of permissions whenever possible
- user accounts are suspended or deleted promptly where required, eg if a member of staff leaves the firm
Access controls will be maintained at appropriate levels for all systems by ongoing and proactive management.
Any changes to permissions must be approved by Sensible Choice IT.
New IT systems, or upgrades to existing systems, must be authorised by [Sensible Choice IT and the DCM] and the authorisation process must take account of security requirements. The information assets associated with any proposed new or updated systems must be identified and a risk assessment undertaken.
Any new equipment must have appropriate levels of resilience and fault tolerance and must be correctly maintained.
Software and applications must be managed to ensure their smooth day-to-day running and to preserve data security and integrity. The purchase or installation of new or upgraded software must be planned and managed and any information security risks must be mitigated. Specifications for new software or upgrades of existing software must specify the required information security controls.
Business continuity
The business has in place a Business continuity plan. That plan has been designed to ensure continued data security and to maintain confidentiality. Staff will be trained on what to do if this plan needs to be put into place.
Reporting breaches
If you suspect or become aware of any data security breach or that we have failed to do something which may be a breach of our data compliance obligations, you should report these facts or your suspicions immediately to the DCM.