Like most websites, our site uses cookies. By using the site, you are agreeing to our use of cookies.
The Co-operative Food
The Co-operative Travel
The Co-operative Childcare
The Co-operative Funeralcare
The Co-operative Flexible Benefits
Co-op Pharmacy
Co-op Energy
Post Office
The Phone Coop

Data Protection

Find out more about Data Protection and what it means for you...


Data Protection

In May 2018, new EU data protection legislation was introduced for all member states (the General Data Protection Regulation, or GDPR). The Data Protection Act 2018 (DPA) sets out the framework for data protection law in the UK. The DPA updates and replaces the former Data Protection Act 1998 and it sits alongside the GDPR, tailoring how the GDPR applies in the UK. Data protection legislation regulates the processing of people’s personal data, which means the way personal data is collected, used, shared, stored and disposed of by public and private organisations. 

There isn’t a business group within the Society that doesn’t process people’s personal data, with different purposes and in different measure, so we are all accountable for looking after this data.

Over the years, the Society has processed an incrementally larger amount of personal data, either for members, customers, colleagues, contractors and agency workers, third party business partners etc.   We also use electronic communication channels a lot more, such as emails and social media, potentially exposing people’s personal data to increased risks – so we have to make sure we safeguard adequately the personal data our customers, members and colleagues have entrusted to us.

The Information Commissioner's Office (ICO) is the supervisory authority for data protection in the UK.  They are tasked with protecting people’s individual rights over their personal data, and making sure organisations comply with the law.  Failure to comply could lead to serious consequences for the Society – financially, commercially and reputationally – decreased sales, increased complaints, loss of customers confidence and negative press.

For serious breaches, the ICO can impose fines of up to 4% of an organisation global turnover – that’s approximately £60 million for the Society!


What is personal data?

Simply put, anything that identifies a living person – name, surname, postal and email addresses, telephone number, financial information (bank account details, credit and debit card numbers etc.) payroll number, DOB, NI number… but also health and medical information, physical appearance and pictures, religious and political beliefs, or sexual orientation.

Of course, data protection law is not just about other people’s personal data!

The Society also holds information about you, as a colleague, and it must protect and be respectful of it.   The Society’s Privacy Notice for Colleagues, Workers and Contractors explains how this is done.


Our Policies, Procedures and Guidance

As any other organisation that processes people’s personal data, the Society has a number of obligations to comply with. It is therefore essential that colleagues are familiar, and comply with, all the relevant policies the Society has put in place to ensure compliance with the law. The Society has also created some useful guidance documents to aid colleagues if they’re unsure what to do in certain situations, click on the links below to find out more...



CCTV Policy and Guidance to Managers

Short Guide for Colleagues

CCTV Privacy Notice

Colleague Guidance – Dealing with Data Breaches

Use of Access to CCTV Recordings – Policy

Data Breaches – Are you Ready

Clean Desk Policy

DBS Checks – quick guidance for colleagues

Data Protection Policy

Due Diligence Questionnaire for data processors

Data Retention & Disposal Policy

Do I need to carry out a DPIA

Information Security Policy

WFH 10 tips on GDPR


Data Protection Do’s and Don’ts


Colleagues Guidance – Individual Rights requests


Informing the Public

One of the obligations the Society has under the law is to inform people about the way their personal data is processed, how to access it, and how to exercise their individual rights over it.  We do this in our Privacy Policy, which is publicly accessible on our website:

We also tell people how their online behaviour may be tracked, and how their personal data may be processed when they use our website, or access our social media pages on Facebook, Twitter etc.  We do this in our Cookie Policy, which is also publicly accessible on our website:


What rights do people have over their personal data?

Most rights people have over their personal data already existed before the GDPR and the DPA came into effect but weren’t very well known.  The GDPR makes those rights clearer and wider, and also adds some new ones, such as the right to be forgotten, the right to restrict processing of personal data, and the right to data portability.

Colleagues should familiarise themselves with the Society's Colleague Guidance – Individual Rights requests, to ensure they understand these rights and know what to do when they receive an individual rights request from a customer, a member or a colleague. 

The most frequent request we receive relates to people wanting to access the personal data we hold about them, and often they want copies of it. This is called a Subject Access Request and, as for any other type of request regarding personal data, the Society has an obligation to complete it within 30 days, and our response must be compliant with the requirements under the law.  This means we must be proactive, timely and accurate in our responses.

If you receive any of these requests, make sure you follow the process explained in the Colleague Guidance above.


What to do when things go wrong

The law says we have an obligation, as an organisation, to protect people’s personal data from “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage”.

What does that mean? Well, it means that, should any of the above happen, it would be a personal data breach.

Every time we process people’s personal data, which for many of us is every day, we must be thoughtful of who we share it with, how we store it, how we use and it and how we dispose of it when we no longer need it.  We must treat other people’s personal data with the same care we would use for our own, and this applies to all of us, regardless of seniority, job title or business location. So, remember…

Think - Respect - Protect

But sometimes things can go wrong so when they do, we need to act quickly.

If you think you, or a colleague, may have caused a data breach, or you have spotted something which doesn’t look right, you should make sure you act quickly, following the process outlined in the Colleague Guidance – Dealing with data breaches.


Need more help?

If you have any questions about our policies, or a general query about data protection, or perhaps you have read a Colleague Guidance and you still aren’t sure about what to do, you should seek additional information from your Data Protection Champions (DPCs). There are two DPCs in each business group, to find your DPC and get in touch please click here.

Alternatively, you can also contact the Society's Data Protection Officer (DPO) directly, either by email or post: data-protection@midcounties.coopSecretariat Group, Co-operative House, Warwick Technology Park, Warwick, CV34 6DA.