1. POLICY STATEMENT
1.1 Connect are committed to compliance with all relevant EU and UK laws in respect of personal data, and the protection of the rights and freedoms of individuals whose information we collect and process in accordance with the General Data Protection Regulation (GDPR).
1.2 Everyone has rights regarding the ways in which their personal data in handled. The importance of keeping clients’ affairs confidential, protecting personal and sensitive personal data and keeping information secure is fundamental. This policy is designed to cover all these areas so that all employees are clear about their obligations and how to protect data/ensure confidential information is kept confidential.
1.3 This policy applies to all employees (permanent and temporary), agency, and contract staff. Any breach of the GDPR may be dealt with under our disciplinary policy and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
1.4 Third parties working with us, or for us, which have or may have access to personal data will be expected to adhere to all obligations imposed by data protection legislation. No third party may access personal data held by us without having first entered into a Data Sharing Agreement which imposes on the third party obligations no less onerous than those to which we are committed, and which gives us the right to audit their compliance with the Data Sharing Agreement.
1.5 Matthew Brown is the Data Protection Officer (DPO) and is responsible for all data protection matters.
2. ABOUT THIS POLICY
2.1 The types of personal data that Connect may be required to handle include information about current, past and prospective clients, suppliers, third parties and others that we communicate with. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the GDPR.
2.2 This policy and any other documents referred to in it sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
2.3 We reserve the right to change this policy at any time.
3. DEFINITION OF DATA PROTECTION TERMS
Child – the GDPR defines a child as anyone under the age of 16 years. The processing of personal data of a child is only lawful if parental or custodian consent has been obtained. The data controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.
Consent – means any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.
Data breach – a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The data controller is required to report data breaches to the Information Commissioner’s Office (ICO), particularly breaches likely to adversely affect the personal data or privacy of the Data Subject.
Data Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the Data Controller or the specific criteria for its nomination may be provided for by EU or Member State law.
Data Processor – in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Data Subject – any living individual who is the subject of personal data held by an organisation.
Data users are those of our employees whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
Personal data – any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Sensitive personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a living person, data concerning health or data concerning a living person’s sex life or sexual orientation.
Third party – a natural or legal person, public authority, agency or body other than the Data Subject, data controller, data processor and persons who, under the direct authority of the data controller or data processor, are authorised to process personal data.
4. DATA PROTECTION PRINCIPLES
All processing of personal data must be conducted in accordance with the Data Protection Principles as set out in the GDPR and outlined below. Our policies and procedures are designed to ensure compliance with these Principles.
Personal data must be processed lawfully, fairly, and transparently
Lawfully– we need to identify a lawful basis before we can process personal data e.g. consent.
Fairly – in order for processing to be fair, we have to make certain information available to Data Subjects. This applies whether the personal data was obtained directly from Data Subjects or from other sources.
Transparently – the GDPR includes rules on giving privacy information to Data Subjects. These are detailed and specific, placing an emphasis on making privacy notices understandable and accessible. Information must be communicated to the Data Subject in an intelligible form using clear and plain language.
Personal data can only be collected for specific, explicit, and legitimate purposes
The data we obtain for specified purposes must not be used for a purpose that is incompatible with those purposes.
Personal data must be adequate, relevant, and limited to what is necessary for processing
We cannot collect information that is not strictly necessary for the purpose for which it is obtained.
Personal data must be accurate and, where necessary, kept up to date.
Every reasonable step must be taken to ensure that personal data we hold is accurate and up to date. Data that is stored by us must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that it is accurate. Reasonable steps must be taken to destroy or amend inaccurate or out-of-date data.
Personal data must be kept in a form such that the Data Subject can be identified only as long as is necessary for processing.
We should only keep personal data for as long as we need it. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.
Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.
5. DEMONSTRATING ACCOUNTABILITY
The GDPR includes provisions that promote Accountability and Governance. These complement the GDPR’s transparency requirements. Accountability requires us to demonstrate that we comply with the GDPR Principles.
We will demonstrate compliance with the GDPR Principles by implementing and adhering to data protection policies, implementing technical and organisational measures, as well as adopting techniques such as Data Protection by Design, Data Protection Impact Assessments, breach notification procedures and incident response plans.
6. DATA SUBJECTS’ RIGHTS
The GDPR provides the following rights for individuals in relation to their personal data:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.
Data Subjects may make Subject Access Requests relating to their personal data. Our Subject Access Request Policy describes how we will ensure that our response to the request complies with the requirements of the GDPR.
Our DPO is responsible for responding to requests for information from Data Subjects within one calendar month in accordance with our Subject Access Request Policy. This can be extended to two months for complex requests in certain circumstances. If we decide not to comply with the request, the DPO must respond to the Data Subject to explain our reasoning and inform them of their right to complain to the ICO and seek judicial remedy.
Data Subjects have the right to complain to us about the processing of their personal data, the handling of a Subject Access Request and to appeal against how their complaints have been handled.
We understand ‘consent’ to mean that it has been explicitly and freely given, and it is a specific, informed and unambiguous indication of the Data Subject’s wish that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The Data Subject can withdraw his/her consent at any time.
We also understand ‘consent’ to mean that the Data Subject has been fully informed of the intended processing and has signified their agreement while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing.
Consent cannot be inferred from non-response to a communication. As Data Controller, we must be able to demonstrate that consent, where necessary, was obtained for the processing operation.
For Sensitive Personal Data, explicit written consent of Data Subjects must be obtained unless an alternative legitimate basis for processing exists.
Where we provide services to children under the age of 16, parental or custodial authorisation must be obtained.
8. COLLECTION OF DATA
All data collection forms (electronic and paper-based), including data collection requirements in new information systems, must include a fair processing statement or a link to our Privacy Notice and be approved by the DPO.
If we collect personal data directly from data subjects, we will inform them about:
(a) The purpose or purposes for which we intend to process that personal data.
(b) The types of third parties, if any, with which we will share or to which we will disclose that personal data.
(c) The means, if any, with which data subjects can limit our use and disclosure of their personal data
If we receive personal data about a data subject from other sources, we will provide the data subject with this information as soon as possible thereafter.
We will also inform data subjects whose personal data we process that we are the data controller with regard to that data.
9. ACCURACY OF DATA
Our DPO is responsible for ensuring that all employees are trained in the importance of collecting accurate data and maintaining it.
Employees are required to notify the Human Resources Manager of any changes in their personal circumstance’s which may require personal records be updated accordingly.
Our DPO is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.
Our DPO is responsible for making appropriate arrangements where third-party organisations may have been passed inaccurate or out-of-date personal data to inform them that the information is inaccurate and/or out of date and is not to be used to inform decisions about the individuals concerned; and for passing any correction to the personal data to the third party where this is required.
10. SECURITY OF DATA
All personal data should be accessible only to those who need to use it. All personal data should be treated with the highest security as set out in our Data Security Policy.
All requests to provide personal data must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the Data Protection Officer.
We must ensure that personal data is not disclosed to unauthorised third parties, which includes family members, friends, government bodies, and, in certain circumstances, the Police. All employees should exercise caution when asked to disclose personal data held on another individual to a third party.
No less than annually our DPO will carry out a risk assessment taking into account all the circumstances of our data controlling and processing operations.
In determining appropriateness of all technical and organisational security measures, the DPO will consider the extent of possible damage or loss that might be caused to individuals (e.g. staff or clients) if a security breach occurs, the effect of any security breach on our organisation itself, and any likely reputational damage, including the possible loss of client trust.
It is strictly prohibited to remove personal data from our premises for any reason other than carrying out legitimate processing activities.
Processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft, or damage to personal data and the precautions that must be taken are set out in our Data Security Policy.
All employees are responsible for ensuring that any personal data that we hold and for which they are responsible is kept securely and is not, under any condition, disclosed to any third party unless that third party has been specifically authorised by us to receive that information and has entered into a Data Sharing Agreement.
11. RETENTION AND DISPOSAL OF DATA
We shall not keep personal data in a form that permits identification of Data Subjects for a longer period than is necessary in relation to the purpose(s) for which the data was originally collected.
The retention period for each category of personal data is set out in our Retention and Disposal Policy.
Personal data will be retained in line with our Retention and Disposal Policy and, once its retention date is passed, it must be securely destroyed as set out in this policy.
On at least an annual basis, our DPO will review the retention dates of all the personal data processed by our organisation and will identify any data that is no longer required. This data will be securely archived, deleted or destroyed in line with our Retention and Disposal Policy.
Where personal data is archived it will be minimised in order to protect the identity of the Data Subject in the event of a data breach.
Our DPO must specifically approve any data retention that exceeds the retention periods defined in our Retention and Disposal Policy, and must ensure that the justification is clearly identified and recorded.
We may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the Data Subject. Any such retention must be approved in advance by the DPO.
12. INTERNATIONAL DATA TRANSFERS
Under GDPR transfers of personal data outside of the European Economic Area can only be made if specific safeguards exist.
No employee is authorised to transfer personal data internationally until the DPO has confirmed in writing that we have appropriate safeguards in place.
13. DATA PROCESSED REGISTER
We have established a Data Processed Register that records:
• each type of personal data;
• why the data it is collected;
• the lawful grounds for processing;
• where the data it is held;
• the Responsible Person for the data;
• its Review Date; and
• how it is kept accurate.
14. DATA PROTECTION IMPACT ASSESSMENTS (DPIA)
Where a type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of living peoples, we shall, prior to the processing, carry out a Data Protection Impact Assessment of the envisaged processing operations. All DPIAs should be lead by or overseen by the DPO.
Where, as a result of a DPIA it is clear that we are about to commence processing of personal data that could cause damage and/or distress to the Data Subjects, the decision as to whether or not we may proceed must be referred to senior management for approval to proceed.
Our DPO shall, if there are significant concerns, either as to the potential damage or distress, or the quantity of data concerned, refer to the ICO for guidance and advice.