We recognise the need for legal compliance and accountability and endorse the importance of the integrity, availability and confidentiality of personal data and of the security arrangements that safeguard it. We also recognise that there are times when personal data is shared with, and/or received from, other organisations and that this needs to be in accordance with the law. This policy sets out the key data protection obligations and accountability to which we are fully committed.
In order to fulfil statutory and operational obligations we have to collect, use, receive and share personal, special personal and crime personal data about living people, e.g.:
- members of the public (adults and children)
- current, past, prospective employees
- clients and customers
- contractors and suppliers
- elected members
This policy covers all aspects of handling personal data, regardless of its age or format, across all systems and processes purchased, developed and managed by or on behalf of us, and applies to any person employed directly or otherwise by us.
This policy reflects our commitment to data protection compliance with both UK and EU legislation, in particular the Data Protection Act 2018, the EU General Data Protection Regulation 2016 (GDPR) and the EU Law Enforcement Directive 2016 (LED).
Data Protection Officer (DPO): We will appoint a data protection officer who will be the key contact for the provision of independent advice on all data protection matters. The DPO will be responsible for ensuring that we are appropriately registered with the Information Commissioner’s Office (ICO) and for facilitating the mandatory Record of Processing Activity (ROPA), which is to be made available to the ICO upon demand.
Definitions of personal data:
Personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In summary, anything and everything that can relate to a living person.
Special Personal Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
In summary, these are the data categories that are subject to additional controls in order to prevent unauthorised collection, use, access etc.
Crime data means criminal offence data, e.g. the alleged commission of offences or proceedings for an offence (actual or alleged), including sentencing, other than where it is used for law enforcement purposes (LED) by competent authorities within the scope of part of the Data Protection Act 2018, i.e. for the purposes of the prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties, including safeguarding against and the prevention of threats to public security.
In summary, this type of personal data is subject to specific conditions and controls.
Personal data for LED purposes means the handling of personal data by us for the purposes of the prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties, including safeguarding against and the prevention of threats to public security.
In summary, personal data used for these purposes is subject to specific data protection conditions and controls.
Data Protection Principles: There are 6 principles which provide the framework for personal data handling, and we are accountable for compliance with them.
Personal data shall be:
- processed lawfully, fairly and in a transparent manner.
To be lawful, an appropriate condition of processing needs to be identified. To be fair and transparent, a privacy notice needs to be provided or made available to the data subject whose personal data is being handled, and the law specifies what information must be communicated.
- processed for an explicit and specific purpose and not processed for other incompatible purposes. Scientific/historical/statistical research is not incompatible and nor is archiving in the public interest.
Personal data should only be used for the stated lawful purpose, except where the law permits.
- adequate, relevant and limited to what is necessary for the purpose.
Ensure that the personal data is specific to the stated lawful purpose and is not excessive or unnecessary.
- accurate and, where necessary, kept up to date, ensuring that personal data that are inaccurate are erased or rectified without delay.
Ensure that personal data is correct and that any errors are rectified and where appropriate notified to recipients of the personal data.
- kept no longer than necessary for the purpose, but may be kept for longer where this is solely for scientific/historical/statistical research or archiving in the public interest purposes and the data is kept securely.
Personal data should not be kept longer than necessary taking into account legal and operational requirements.
- protected using appropriate technical or organisational measures.
These measures should be selected on the basis of identified threats and risks to personal data and the potential impact on the data subjects, on us and on any third parties who are sources, recipients or processors of the personal data.
Data Privacy Impact Assessments (DPIAs): These are an important vehicle for ensuring that we integrate data protection by design and default into our technical systems and day-to-day business operations, by embedding privacy risk considerations into new or changing systems and business processes. These privacy risk assessments must take place where there is a high risk to the privacy rights and freedoms of a data subject. Examples where they are likely to be required include, but are not limited to, new systems and processes and new or different uses of personal data. Where a high risk is identified, the DPO must be consulted before any new or changed processing is introduced, to ensure adequate risk mitigation measures are implemented. Where risks are high and not adequately mitigated, a referral to the ICO must be made.
Data Collection, Use and Disclosure: We handle personal data that has been collected from the data subject and/or from other parties, e.g. other people, public sector and regulatory organisations, private and voluntary sector organisations etc.
We commit to:
- only handle personal data where there is a legal basis to do so;
- not unnecessarily rely on consent where an alternative legal basis is available for processing personal data. However, where consent or explicit consent is the lawful basis, we acknowledge that for consent to be valid it must be freely given and capable of being withdrawn. Where a particular individual is unable, due to age, capacity or other reasons, to give consent directly, consent will be sought from an appropriate person, e.g. a parent, guardian or legal representative;
- only send promotional or marketing material with consent or where there is an existing business relationship;
- provide data subjects with privacy notices that explain why the personal data is required and how to exercise their personal data rights;
- in the event of a personal data security breach, resulting in a high risk to the data subject(s), to notify the data subjects and/or the ICO as appropriate;
- where a data subject exercises their personal data rights, assess the request, respond within the statutory timeline and provide a complaints process;
- ensure personal data is subject to appropriate retention and security controls, taking into account the nature of the data and the information risks. Personal data may be stored for longer periods where it is held for archiving in the public interest, historical or scientific research purposes, or as required by legislation or regulatory activity;
- when sharing and disclosing personal data, undertake this within the parameters of the law to prevent unauthorised access to personal data. A record will be kept and, where appropriate, information sharing agreements (ISAs) in line with the ICO data sharing code of practice will be adopted. Where the sharing involves a joint controller relationship, the ISA will identify the lead controller responsible for specified processing activities and for managing individual rights. Where appropriate, DPIAs will be undertaken in advance of the sharing/disclosure;
- when handling health and social care personal data, the Caldicott Principles and National Data Guardian Standard will be applied;
- when handling special category data, crime conviction and offence data, and data falling under the LED, ensure compliance with the additional policy requirements necessary to support these particular processing activities, in order to demonstrate compliance with the data protection principles and retention policies and to ensure their inclusion in the ROPA;
- ensure that processing of personal data within our supply chain includes the contractual clauses required by law and that processing is only undertaken in accordance with our instructions as data controller;
- not transfer personal data outside of the European Economic Area (EEA), i.e. to countries with lower data protection standards, unless appropriate safeguards and controls are in place, i.e. a decision by the EU that the country has ‘adequate’ data protection legislation, a company in the US being a signatory to the EU/US Privacy Shield, binding corporate rules or model contract clauses being in place, or the law prescribing this in defined circumstances;
- co-operate and provide information to the ICO and other regulatory bodies in pursuance of any investigation or enforcement action.
Offences: The data protection legislation contains specific offences:
- It is an offence for a person knowingly or recklessly, without the consent of the data controller, to:
- obtain or disclose personal data;
- procure the disclosure of personal data to another person;
- retain it without the consent of the original data controller;
- offer to sell, sell or buy the personal data obtained.
- It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller, or to knowingly or recklessly handle such data.
- It is an offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the data subject making a request for access or portability would have been entitled to receive.
- It is an offence to require a data subject to provide, or give access to, information obtained via a data subject access request in relation to health or conviction/caution records for the purposes of recruitment, continued employment, or in connection with the provision of goods and services to the public. In summary, a data subject should not be obliged to make a data subject access request for this type of information as a condition, or implied condition, of employment or contract.
- It is an offence to intentionally obstruct, or to give false information to, the ICO in the exercise of its powers under information notices and/or warrants.
Assessment and monitoring
An assessment of compliance with requirements will be undertaken in order to provide:
- gap analysis of policy and practice;
- examples of best practice;
- improvement and training plans.
Reports will be submitted to the senior management team.
Responsibilities and approvals
The Managing Director is responsible for the approval of this policy and for ensuring that the necessary support and resources are available for its effective implementation.
The Data Protection Officer is responsible for the review of this policy.
The senior management team, as Senior Information Risk Owners (SIROs), have overall ownership of the Information Risk Policy. The SIROs are to act as champions for information risk to senior management and leadership boards and are responsible for providing written advice to the Accounting Officer on the content of our Statement of Internal Control in regard to information risk. The SIROs are responsible for decisions in relation to any information issues or incidents.
The Information Manager and the Information Management Team are responsible for specialist advice and support on all aspects of information and records management and governance.
Employees, whether permanent, temporary or contracted, including students, contractors and volunteers, are responsible for ensuring they are aware of the data protection legislation requirements and for ensuring they comply with these on a day-to-day basis. Where necessary, advice, assistance and training should be sought. Any breach of this policy could result in disciplinary action or could constitute a criminal offence.
Authority for this policy
This policy is owned by the senior management team on behalf of the Senior Information Risk Owners (SIROs).
This delegation is to establish and approve internal policies dealing with all aspects of the management of our information security, records and information governance.
The Managing Director is ultimately accountable for this policy and the Senior Information Risk Owners are responsible for implementing it.