GDPR Policy
Contents
INTRODUCTION
The EU General Data Protection Regulations (GDPR) came into force in the UK from 25 May 2018, superseding the 1998 Data Protection Act (DPA).
The GDPR applies to data processing carried out by organisations operating within the EU; significantly for a post-Brexit UK, it also applies to organisations outside the EU that offer goods or services to individuals in the EU. The UK Government has confirmed that the GDPR will be a legal requirement and an example of best practise within the UK, pre/post-Brexit.
GDPR SUMMARY
The basic theme and principles of the GDPR share many similarities with the DPA, setting out the main responsibilities for organisations whilst adding detail at certain points, with new accountability requirements.
The GDPR will require organisations to demonstrate how they comply with the principles – for example, by documenting the decision processes taken regarding processing activities.
Other relevant legislation and guidance referenced and to be read in conjunction with this policy, is outlined in Appendix 2.
OUR COMMITMENT
We have always honoured our clients’ right to data privacy and protection, adhering to the highest standards of information security, privacy and transparency and will continue to demonstrate our commitment by adhering to GDPR regulations, following good practice to protect individuals and the organisation.
PURPOSE OF THE POLICY
The aim of this policy is to outline how we meet our legal obligations to safeguard confidentiality and how it adheres to information security standards. Obligations within this policy are principally based on GDPR, as the key legislative and regulatory provisions governing the security of person-identifiable information.
POLICY STATEMENT
The policy applies to all person-identifiable information obtained by our companies and its employees in relation to the collection, use, retention, transfer, disclosure and destruction of any personal data where processed:
- In the context of our business activities
- For the provision of our services to individuals and/or organisations
DATA PROTECTION PRINCIPLES
In line with Article 5 of the GDPR, we have adopted the following principles to govern its collection, use, retention, transfer, disclosure and destruction of personal data:
Principle 1: | Lawfulness, Fairness & Transparency – Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals; |
Principle 2: | Purpose Limitation – Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes; |
Principle 3: | Data Minimisation – Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; |
Principle 4: | Accuracy – Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; |
Principle 5: | Storage Limitations – Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and |
Principle 6: | Integrity & Confidentiality – Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; |
Principle 7: | Accountability – we shall be responsible for, and must demonstrate compliance. This means demonstrating that the six Data Protection Principles (outlined above) are met for all personal data for which it is responsible. |
RESPONSIBILITIES
Overall Responsibilities
The company directors, collectively known as the ‘Data Controller’ have overall responsibility for ensuring that the organisation complies with its legal obligations.
Data Protection Officer
Our Data Protection Officer is Kevin Light, whose responsibilities include:
- Reviewing data protection and related policies ensuring that they are kept up to date;
- Ensuring that the appropriate practices and procedures are adopted and followed by the organisation and its employees;
- Advising the company directors and staff on data protection issues within the organisation, providing guidance where necessary;
- Working collaboratively with Organisational Development and Governance to ensure that the appropriate data protection training and support is given to all staff handling personal data, so that they can act confidently and consistently;
- Ensuring that data protection notification with the Information Commissioner’s Office (ICO) is reviewed, maintained and periodically renewed for all use of personidentifiable information;
- Ensuring compliance with individual rights, including subject access requests;
- Approving unusual or controversial disclosures of personal data;
- Acting as a central point of contact on all data protection issues within the organisation;
- Implementing an effective framework for the management of data protection;
- Overall responsibility for the confidential destruction/disposal of data.
Management Team Responsibilities
Our Office Manager, Kieran Stansbury, is directly responsible for:
- Ensuring their staff are made aware of this policy and any notices;
- Ensuring their staff are aware of their data protection responsibilities;
- Ensuring their staff receive suitable data protection training.
General Responsibilities
All staff, including temporary staff and volunteers, are subject to compliance with this policy and are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. Under GDPR individuals can be held personally liable for data protection breaches.
DATA PROCESSING
Data Protection
We will adopt the necessary physical, technical and organisational measures to ensure the security of Personal Data. This includes the prevention of loss or damage, unauthorised alteration, access or Processing and
Details of Personal Data Processed
Personal data within the respective legislative and regulatory provisions covers ‘any data that can be used to identify a living individual either directly or indirectly’.
We will process Personal Data in accordance with all applicable laws and applicable contractual obligations.
We process personal information that:
- Enables us to contact and stay in touch with existing clients;
- Enables us to promote our services to new/existing clients;
- Ensures we can maintain our own accounts, records and relationships with suppliers and service providers;
- Enables us to support and manage employees;
- Enables us to respond to inbound enquiries.
Special Categories of Data
In any situation where Special Categories of Data are to be processed, either the Data Subject must expressly consent to such processing, or prior approval must be obtained from the Data Protection Officer. The basis for processing this information must be clearly recorded with the Personal Data in question.
Where Special Categories of Data are being processed, additional protection measures will be adopted.
SECURITY
Minimum Security Measures
As a minimum, we will employ the following technical and organisational security measures:
- The prevention of unauthorised access to data processing systems in which Personal Data is Processed;
- Preventing persons entitled to use data processing systems from accessing Personal Data beyond their needs and authorisations;
- Ensure that Personal Data is protected against unintentional destruction or loss;
- Ensure that Personal Data collected for different purposes can and is Processed separately;
- Ensure that Personal Data is kept no longer than necessary;
- Employ properly configured Firewalls using up to date software;
- Perform regular software updates;
- Utilise real-time protection anti-virus, anti-malware and anti-spyware software;
- Ensure physical security on premises, including securing documents in secure cabinets overnight;
- Ensuring a clear desk and screen policy whenever work stations are left unattended.
DATA RETENTION & STORAGE
To ensure fair Processing, Personal Data will not be retained for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further Processed, and other risks to which it may be exposed by virtue of human action or the physical and/or natural environment.
In the event, for any category of documents not specifically defined elsewhere in this Policy and unless otherwise mandated differently by applicable law, the required retention period for such a document will be deemed to be three years from the date of creation.
Safeguarding of Data During the Retention Period
Appropriate controls are in place to prevent the permanent loss of essential company information as a result of malicious or unintentional destruction of information. These controls are described in our IT Security Policy.
Destruction of Data
Overall responsibility for the destruction of data falls to the Data Protection Officer. Once the decision is made to dispose of data this information will be deleted, shredded or otherwise destroyed to its level of confidentiality.
The method of disposal varies and is dependent upon the nature of the document. Specifically, any documents or files that contain sensitive or confidential information and sensitive Personal Data must be disposed of as confidential waste and will be subject to secure electronic deletion.
Category 1 Data / Documents | Category 1 documents contain information that is of the highest security and confidentiality and includes Personal Data. Disposal – This information will be disposed of as confidential waste (cross-cut shredded and incinerated) and shall be subject to secure electronic deletion. Disposal of the documents should include proof of destruction. |
Category 2 Data / Documents | Category 2 documents contain confidential information such as names, signatures and addresses, or information that can be used by third parties to commit fraud, but which does not contain any Personal Data. Disposal – This information will be cross-cut shredded and placed into locked rubbish bins for collection. Electronic documents will be subject to secure electronic deletion. |
Category 3 Data / Documents | Category 3 are those that do not contain any confidential information or personal data. Disposal – This information will be strip-shredded or disposed of through local recycling schemes. |
BREACH REPORTING
Any individual who suspects that a personal data breach has occurred due to the theft or exposure of personal data must immediately notify the Data Controller and shall at least:
- Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- Communicate the name and contact details of the Data Protection Officer where more information can be obtained;
- Describe the likely consequences of the personal data breach;
- Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The Data Controller and Data Protection Officer will investigate all reported incidences to confirm whether or not a personal data breach has occurred. If a personal data breach is confirmed the Data Controller and Data Protection Officer will notify the supervisory authority competent in accordance with Article 55 of GDPR, no later than 72 hours after having been made aware.
Please Note: the guidance from ICO on when breaches should be reported as this is one of the main changes from the superseded Data Protection Act:
Please also note the information on individuals’ rights which is another key change:
POLICY REVIEW
This policy will be reviewed annually as a minimum and will be performed by the nominated Data Protection Officer. Associated data protection standards will be subject to an ongoing development and review programme.
APPENDIX 1 – DEFINITIONS
Data Controller | A Data Controller is a natural, legal person, organisation, authority, agency or other body that determines the purpose and methods for processing personal data. |
Data Processer | A natural or legal person, public authority, agency or other body that processes personal data on behalf of the Data Controller. |
Data Protection | The process of safeguarding personal data / person-identifiable information from unauthorised or unlawful disclosure, access, alteration, processing, transfer or destruction. |
Data Protection Officer | Nominated individual responsible for overseeing the organisation’s data protection strategy and implementation to ensure compliance with GDPR requirements. |
Data Subject | The identified or identifiable natural person to which the data refers. |
Employee | An individual who works part-time or full-time for ROBERTS AND DENNYS (LONDON) LTD under a contract of employment, whether oral or written, express or implied, and has recognised rights and duties. Includes temporary employees and independent contractors. |
Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data / person-identifiable information transmitted, stored or otherwise processed. |
Personal Data / Person-Identifiable Information | GDPR broadly defines personal data /
person-identifiable information as any
information related to a person that can be
used to directly or indirectly identify the
person. Such data can include, but is not
limited to:
|
Process, Processed, Processing |
Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means. Operations performed may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Special Categories of Data | Personal data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. |
APPENDIX 2 – SUMMARY OF RELEVANT LEGISLATION & GUIDANCE
General Data Protection Regulations (GDPR)
A legal basis must be identified and documented before personal data can be processed. Data Controllers and Data Processors will be required to document decisions and maintain records of processing activities.
Please Note: the guidance from ICO on when breaches should be reported as this is one of the main changes from the superseded Data Protection Act:
Please also note the information on individuals’ rights which is another key change:
Human Rights Act 1998
This Act binds public authorities (including Health Authorities, Trusts and Primary Care Groups) to respect and protect an individual’s human rights. This will include an individual’s right to privacy (under Article 8) and a service user’s right to expect confidentiality of their information at all times.
Article 8 of the Act provides that “everyone has the right to respect for his private and family life, his home and his correspondence”. However, this article also states “there shall be no interference by a public authority with the exercise of this right except as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety, or the economic well-being of the country, for the prevention or disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.
Freedom of Information Act 2000
This Act gives individuals rights of access to information held by public authorities.
Regulation of Investigatory Powers Act 2000
This Act combines rules relating to access to protected electronic information as well as revising the “Interception of Communications Act 1985”. The aim of the Act was to modernise the legal regulation of interception of communications, in the light of the Human Rights laws and rapidly changing technology.
Crime and Disorder Act 1998
This Act introduces measures to reduce crime and disorder, including the introduction of local crime partnerships around local authority boundaries to formulate and implement strategies for reducing crime and disorder in that local area.
The Act allows disclosure of person-identifiable information to the Police, Local Authorities, Probation Service or the Health Service but only if the purposes are defined within the Crime and Disorder Act. The Act does not impose a legal requirement to disclose person-identifiable information and responsibility for disclosure rests with the organisation holding the information.
The Computer Misuse Act 1990
This Act makes it a criminal offence to access any part of a computer system, programs and/or data that a user is not entitled to access.
ROBERTS AND DENNYS (LONDON) LTD will adhere to the requirements of the Computer Misuse Act 1990, by ensuring that its staff are aware of their responsibilities regarding the misuse of computers for fraudulent activities or other personal gain. Any member of staff found to have contravened this Act will be considered to have committed a disciplinary offence and be dealt with accordingly.