The Co-operative Food
The Co-operative Travel
The Co-operative Childcare
The Co-operative Funeralcare
The Co-operative Flexible Benefits
Co-op Pharmacy
Co-op Energy
Post Office
The Phone Coop

Data Protection

Find out more about the Data Protection and what it means for you. 

Some information on this page is private. Sign in to view the contents which are only accessible to colleagues:

- Contact details for the Society's Data Protection Officer (DPO) and Data Protection Champions

- Policies and guidance material 

Sign in  


Data Protection

In May 2018, new EU data protection legislation was introduced for all member states (the General Data Protection Regulation, or GDPR), which became law in the UK as the Data Protection Act 2018 (formerly known as the DPA 1998). Data protection legislation regulates the processing of people’s personal data, which means the way organisations collect, use, share, store and dispose of personal data.

There isn’t a business group within the Society that doesn’t process people’s personal data, with different purposes and in different measure, so we are all accountable for looking after this data.

Over the years, the Society has processed an incrementally larger amount of personal data, either for members, customers, colleagues, contractors and agency workers, third party business partners etc.   We also use electronic communication channels a lot more, such as emails and social media, potentially exposing people’s personal data to increased risks – so we have to make sure we safeguard adequately the personal data our customers, members and colleagues have entrusted to us.

The Information Commissioner's Office (ICO) is the supervisory authority for data protection in the UK.  They are tasked with protecting people’s individual rights over their personal data, and making sure organisations comply with the law.  Failure to comply could lead to serious consequences for the Society – financially, commercially and reputationally – decreased sales, increased complaints, loss of customers confidence and negative press.

For serious breaches, the ICO can impose fines of up to 4% of an organisation global turnover – that’s approximately £60 million for the Society!


What is personal data?

Simply put, anything that identifies a living person – name, surname, postal and email addresses, telephone number, financial information (bank account details, credit and debit card numbers etc.) payroll number, DOB, NI number… but also health and medical information, physical appearance and pictures, religious and political beliefs, or sexual orientation.

Of course, data protection law is not just about other people’s personal data!

The Society also holds information about you, as a colleague, and it must protect and be respectful of it.   The Society’s Privacy Notice for Colleagues, Workers and Contractors explains how this is done.


Our Policies and Procedures

As any other organisation that processes people’s personal data, the Society has a number of obligations to comply with.  It is therefore essential that colleagues are familiar, and comply with, all the relevant policies and procedures the Society has put in place to ensure compliance with the law.

Here are the key policies you should know about: 


One of the obligations the Society has under the law is to inform people about the way their personal data is processed, how to access it, and how to exercise their individual rights over it.  We do this in our Privacy Policy, which is accessible to the public on our website:

We also tell people how their online behaviour may be tracked, and how their personal data may be processed when they use our website, or access our social media pages on Facebook, Twitter etc.  We do this in our Cookie Policy, which is also accessible to the public on our website:


What rights do people have over their personal data?

Most rights people have over their personal data already existed before the new legislation came into effect but weren’t very well known.  The GDPR makes those rights clearer and wider, and also adds some new ones, such as the right to be forgotten, the right to restrict processing of personal data, and the right to data portability.

The Society has put in place the Colleague Guidance – Individual Rights requests, which colleagues should read and familiarise themselves with, to ensure they understand these rights and know what to do when they receive an individual rights request from a customer, a member or a colleague. 

The most frequent request we receive relates to people wanting to access the personal data we hold about them, and often they want copies of it. This is called a Subject Access Request and, as for any other type of request regarding personal data, the Society has an obligation to complete it within 30 days, and our response must be compliant with the requirements under the law.  This means we must be proactive, timely and accurate in our responses.

If you receive any of these requests, make sure you follow the process explained in the Colleague Guidance - Individual Rights requests. 


What to do when things go wrong

The law says we have an obligation, as an organisation, to protect people’s personal data from “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage”.

What does that mean? Well, it means that, should any of the above happen, it would be a personal data breach.

Every time we process people’s personal data, which for many of us is every day, we must be thoughtful of who we share it with, how we store it, how we use and it and how we dispose of it when we no longer need it.  We must treat other people’s personal data with the same care we would use for our own, and this applies to all of us, regardless of seniority, job title or business location. So, remember…

Think - Respect - Protect

But sometimes things can go wrong so when they do, we need to act quickly.

If you think you, or a colleague, may have caused a data breach, or you have spotted something which doesn’t look right, you should make sure you act quickly, following the process outlined in the Colleague Guidance – how and when to report data breaches


Need more help?

If you have any questions about our policies, or data protection in general, or perhaps you have read a Colleague Guidance and you still aren’t sure about what to do, you should contact your Data Protection Champions (DPCs) without delay. There are two DPCs in each business group; if you don't already know who the DPCs are in your business area, please contact for the contact details.

The Society's Data Protection Officer (DPO) can be contacted by email, post or telephone: data-protection@midcounties.coopSecretariat Group, Co-operative House, Warwick Technology Park, Warwick, CV34 6DA; tel: 01926 516 007.