Data Protection Policy

Data Protection Policy

1.1  Introduction

The Data Protection Act 1998 (“Act”) regulates the processing of data relating to individuals. This includes the obtaining, holding, using or disclosing of such data and covers computerised records as well as manual filing systems and card indexes.

The Company (Smarter Travel Limited) shall hold the minimum personal data necessary to enable it to perform its functions. All such data is confidential and needs to be treated with care, to comply with the law.

We recognise that the lawful and correct treatment of personal data is very important to successful operations and to maintaining customers’ and employees’ confidence in ourselves.

Any personal data which we collect, record or use in any way whether it is held on paper, on computer or other media shall have appropriate safeguards applied to it to ensure that we comply with the Act.

Smarter Travel Ltd is registered with the Information Commissioner (Ref. ZA298556).

1.2  Summary of Principles

The Company is fully committed to adhering to the Principles of Data Protection, as set out in the Act.

In summary, the Principles state that personal data shall:

  • Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
  • Be adequate, relevant and not excessive for that purpose
  • Be accurate and kept up to date
  • Not be kept for longer than is necessary for that purpose
  • Be processed in accordance with the data subject’s rights
  • Be kept safe from unauthorised access, accidental loss or destruction
  • Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data

To comply with the law, information shall be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

1.2.1 Compliance

In terms of the Act, we are the ‘data controller’, and as such determine the purpose for which, and the manner in which, any personal data are, or are to be, processed. To assist in achieving compliance with the principles, the Company has appointed a Data Protection Officer (DPO) with specific responsibility for data protection within the company.

It is the responsibility of the DPO to:

  • Assess the understanding of the obligations of the Company under the Act
  • Identify and monitor problem areas and risks and recommend solutions
  • Promote clear and effective procedures and offer guidance to staff on Data Protection issues
  • Review business changes and determine whether registration under the Act is required

1.2.2 Data Security

All staff are responsible for ensuring that:

  • Any personal data they hold, whether in electronic or paper format, is kept securely
  • Personal information is not disclosed deliberately or accidentally either orally or in writing to any unauthorised third party

Any breach of this Data Protection Policy whether deliberate or through negligence may lead to disciplinary action being taken or even a criminal prosecution.

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data.

All company computers have a log in system and each Travel Plan Contact Database is password protected, which allow only authorised staff to access personal data. Passwords on all computers are changed frequently.  All personal and financial data is kept in a locked filing cabinet and can only be accessed by approved staff.  When staff members are using the laptop computers out of the office care should always be taken to ensure that personal data on screen is not visible to strangers.

1.2.3 Personal Data

We will not use data for a purpose other than those agreed by data subjects (residents, employees, staff and others). If the data held by us are requested by external organisations for any reason, this will only be passed if data subjects (residents, employees, staff and others) agree. Also, external organisations must state the purpose of processing, agree not to copy the data for further use and sign a disclaimer agreeing to abide by The Data Protection Act 1998 and the Smarter Travel Ltd Data Protection Policy.

The Company will monitor the data held for our purposes, ensuring we hold neither too much nor too little data in respect of the individuals about whom the data are held. If data given or obtained are excessive for such purpose, they will be immediately deleted or destroyed. The Company will always put our logo on all paperwork, stating their intentions on processing the data and state if, and to whom, we intend to give the personal data.

We discourage the retention of data for longer than it is required. All personal data will be deleted or destroyed by us after two years from receiving said data has elapsed.

All individuals that the Company hold data on have the right to:

  • Be informed upon the request of all the information held about them within 20 working days.
  • Prevent the processing of their data for the purpose of direct marketing.
  • The removal and correction of any inaccurate data about them.

Data must not be transferred to countries outside the European Economic Area without the explicit consent of the individual.  The Company takes particular care to be aware of this when obtaining survey information via the Internet, which can be accessed from anywhere in the globe. This is because transfer includes placing data on a web site that can be accessed from outside the European Economic Area.

If you ever wish to see your personal information we hold, please refer to section 1.2.5 so that arrangements can be made.

1.2.4 Purpose of Data

Your privacy is of the utmost importance to us. Because we gather certain types of information about residents / staff associated with Travel Plans, we feel you should understand fully the terms and conditions surrounding the capture and use of that information. This Policy discloses what information and/or data we gather, how we use it, and how to correct or change it. This includes information supplied to us by you through a third-party service, such as Facebook or Liftshare. If you have any questions in relation to our Policy please contact the DPO on [email protected]

We gather two types of information about data subjects: data that subjects provide through optional, voluntary data gathered through information derived mainly by postal / online survey questionnaires and journey plan posts throughout the Liftshare Network.

Occasionally, we conduct surveys to understand better the travel needs of our audience in order to analyse current travel habits to and from regular destinations as well as to improve our features. We sometimes share the aggregated demographic information in these surveys with our clients or partners. We never share any information about a specific data subject gathered in a survey with any third party without that Member’s express consent.  We do not, however, control the practices of our partners. If you have questions about how our partners uses information about you please contact them directly (we will divulge information only as necessary to comply with English law).

We use your data to create aggregate reports and carry out analysis on demographics and traffic patterns for our Clients and carefully selected third party partners in order compare travel data and to improve our Services.

The personal type of data subjects that may be held by us would include:

  • your address;
  • your name;
  • your email address;
  • your work / education place or postcode;
  • number of independents; and
  • whether a disability affects choice of travel habits.

The personal data held by us will only be used for the following purposes:

  • Contacting purposes where the individual has won a prize.
  • Issuing of Travel Plan related incentives.
  • Personalised Travel Planning.
  • Research of travel habits and barriers to change.
  • Identify demographics of groups to tailor incentives and promotions.
  • Limited information on individual names will only be used when promoting winners of prize draws.
  • Responding to any queries raised by data subjects via letter, email, phone, website or social media channels.
  • Sharing of information to carefully selected third parties as to provide free incentive i.e. bike register kits.

Personnel Data of staff and clients associated with Smarter Travel Ltd will be subject to the Data Protection Policy of Richard Jackson Limited.

1.2.5   Viewing your personnel record

One of the rules under Data Protection gives you the right to see certain information held about you.

Personal data is confidential and access is restricted.  Under Section 7 of the Data Protection Act, 1998 (DPA) an individual has the right to request copies of all their personal data known as a subject access request (SAR).

In order to get a copy of their personal data, an individual has to make a request in writing, provide sufficient information to identify themselves and the information they are seeking and the necessary fee (the Act allows a Data Controller to charge up to £10 for a request).

SAR forms should be completed by the individual and returned to the Data Protection Administrator at Smarter Travel Ltd, 847 The Crescent, Colchester, Essex, CO4 9YQ

The Company will acknowledge all SARs within 5 working days and will respond to a SAR within 15 working days of the required documents and fee being submitted.

All SARs will be treated in the strictest confidence and will only be processed by authorised Smarter Travel Ltd staff in order to locate the information and process the SAR.  Only information which is considered to be personal data will be released under a SAR. The anonymity of other individuals or other information which is not considered to be personal data may be protected, as appropriate, by redaction or omission in accordance with the DPA.

In order to request information on behalf of another individual Smarter Travel Ltd requires proof that you are acting with the authorisation of that individual. Therefore, some additional information is required.

If you are acting on behalf of another individual a written request must be submitted along with the statutory £10 fee, signed authorisation confirming the data subject’s consent to the agent acting on individual’s behalf, and evidence of the identity of the data subject.

1.2.6   Website Data

The Website tracks visitor traffic patterns throughout its network. This information may be used to help personalize the Website or target advertising. We also break down overall usage statistics according to a Member’s domain name, browser type, and MIME type by reading this information from the browser string (information contained in every Visitor’s browser). We also use third party providers including Google Analytics to help us improve our Services.

A cookie is a small data file that certain websites write to your hard drive when you visit them. Typically, a cookie file can contain information such as a user ID and your browser type, which the Website uses to track the pages you’ve visited. The only personal information a cookie can contain is information you supply yourself. A cookie cannot read data off your hard disk or read cookie files created by other sites. The Website uses cookies to track user traffic patterns (as described above). Cookies are also used to analyse website traffic and anonymous demographic profiling so that we may improve our services. If you do not wish to receive cookies, visitors can easily adjust their settings to reflect this. Click here for more information about the cookies used by this site.

You can refuse cookies by turning them off in your browser. However, by turning off cookies you may limit the functionality and Services available offered through this Website.

We create SmarterTravel for...