Why it matters

Data protection law (UK GDPR & DPA 2018) requires us to keep people’s information accurate, secure, and used only for valid purposes. Breaches can lead to fines (up to 4% of turnover), claims, and reputational damage.

What counts as personal data?

Anything that can identify someone directly or indirectly (customers, colleagues, suppliers): names, emails, phone numbers, payment details, employee records, photos/CCTV/bodycam footage, ID documents, IP/location data.

Golden rules (remember: Collect · Store · Use · Destroy · Access)

• Collect only what’s necessary for the task.
• Store securely; limit access to need-to-know.
• Use data only for the original purpose and in line with our Privacy Policy.
• Destroy using shredders/confidential waste—never general bins.
• Access only when authorised; never share logins or store data on personal devices.

Do / Don’t (quick checks)

• Do verify identity before changing or sharing booking details.
• Do write facts in notes (avoid opinions).
• Don’t email customer lists or purchase third-party data.
• Don’t send marketing from site accounts—Digital Marketing team does this centrally.
• Don’t share CCTV/bodycam images on WhatsApp or social media.

Subject Access Requests (SAR)

If anyone asks for their data (verbally, in writing, or via social media): forward immediately—response must be within 1 month.

• Customers/public: c.datarequest@stonegategroup.co.uk
• Former Operators: s.datarequest@stonegategroup.co.uk
• Current Operators: s.datarequest@stonegategroup.co.uk

Do not compile or hand over data yourself—route to the addresses above.

Incidents & data breaches

1. Tell your Area/Regional Manager immediately and follow the Data Breach Process.
2. Email the form to dataprotection@stonegategroup.co.uk (initial response within 12 hours).
3. Examples: wrong recipients visible in email (no BCC), lost device with personal data, phishing account access, copying CCTV to a phone.

CCTV, ID Scan & Bodycams (essentials)

• CCTV: retain min. 31 days; share with Police only via the CCTV log process; never share with public or on social.
• ID Scan: retain 31 days (longer only if barred); display the ID Scan notice and obtain consent.
• Bodycams: record only during incidents; footage retained ~31 days; treat as CCTV.

Minimum retention (keep, then securely destroy)

Shredding: Use a shredder for small volumes; for bulk, arrange confidential collection via Restore Data Shred and retain the certificate of destruction.

Marketing, images & social

• Promotional emails are sent centrally; do not send from site accounts.
• Images of customers: get consent; avoid identifiable bystanders; remove images if consent is withdrawn.
• Children’s data: avoid collecting personal identifiers; confirm 18+ where required.
• No business-card bowls or third-party purchased lists.

FAQ (fast answers)