Data Protection Policy
Please read this statement carefully. Our Data Protection Policy is a statement that sets out how our organisation protects your personal data. It is a set of principles, rules and guidelines that inform how we will ensure ongoing compliance with data protection laws.
1. SCOPE
Working together to handle personal data safely, respectfully and lawfully.
The Data Protection Policy (the Policy) ensures that the company "Elsuhdnet" complies with Data Protection Law, using a global set of frameworks for how it processes personal data.
2. GUIDING VALUES
In order to conduct its normal business, the company collects and uses certain types of personal information about its customers. These include current, past and prospective members, staff, representatives, suppliers, clients, customers, and others with whom it has business, or with whom it communicates.
The company considers the lawful and correct treatment of such personal information as essential to the efficient and successful conduct of its business. It also recognises that it is crucial to fostering and maintaining the confidence of its main stakeholders and the wider public in the Company and its operations.
The Company is committed to ensuring that it treats personal information lawfully and correctly, and recognises that there are safeguards to ensure this in data protection law.
3. OBJECTIVES
The Policy’s objectives are to:
- Comply with Data Protection Law, e.g. data protection impact assessments
- Meet company / Genosec "Cyber Security Firm" data protection standards, e.g. information sharing arrangements
- Protect the rights of our staff, officers, members, representatives, suppliers, clients, customers and public users, e.g. procedures to govern Individual Rights’ request handling
- Protect the company from the risks of a data protection breach and related reputational, financial and legal damage, e.g. encrypt special category personal data.
4. DEFINITIONS
“Personal Data” is all information that relates to an identifiable living person (or “Data Subject”) and that can be used to identify the person directly, or indirectly when used with other information. It includes but is not limited to:
- A person's name
- Job title
- Age
- Postal or email address
- IP address, e.g. online identifier
- Bank details
- Any other information that relates to them.
5. ROLES AND RESPONSIBILITIES
The data protection laws have clearly defined roles and responsibilities.
A “Data Controller” is an individual or organisation who:
- decides to collect or process personal data
- decides what the purpose or outcome of processing is to be
- decides what personal data should be collected
- decides which individuals to collect personal data about
- obtains a commercial gain or other benefit from the processing, except for any payment for services from another controller
- processes personal data as a result of a contract between us and the data subject
- whose data subjects are the employees
- makes decisions about the individuals concerned as part of or as a result of the processing
- exercises professional judgement in the processing of the personal data
- has a direct relationship with the data subjects
- has complete autonomy as to how the personal data is processed
- has appointed processors to process the personal data on our behalf.
“Joint Data Controllers” are two or more individuals or organisations who:
- have a common objective with others regarding the processing
- process the personal data for the same purpose as another controller
- use the same set of personal data (e.g. one database) for this processing as another controller
- design the processing with another controller
- have common information management rules with another controller.
A “Data Processor” is an individual or organisation who:
- follows instructions from someone else regarding the processing of personal data
- is given the personal data by a customer or similar third party, or told what data to collect
- does not decide whether to collect personal data from individuals
- does not decide what personal data should be collected from individuals
- does not decide the lawful basis for the use of that data
- does not decide what purpose or purposes the data will be used for
- does not decide whether to disclose the data, or to whom
- does not decide how long to retain the data
- makes some decisions on how data is processed, but implements these decisions under a contract with someone else
- is not interested in the end result of the processing.
The company is predominantly a “data controller” when processing personal data, e.g. when we procure a service from a supplier under contract and the supplier is the “data processor”. Sometimes we are a “joint data controller”, e.g. many of our clinical quality projects and reviews involve sharing the “data controller” responsibilities with our partners.
A “Data Subject” is a living individual who can be identified from the personal data or from additional information held, or obtained, by the company.
The Policy defines the Company’s data protection roles and responsibilities:
Staff must
- understand, keep up-to-date with, and comply with the Policy
- complete their mandatory Data Security Awareness training every year, and within four weeks of joining; completion of the training is monitored and reported to the Executive Director and Directors
Managers must
- apply the Policy across their team(s)
- cascade data protection awareness communications to their team(s)
- make sure their staff comply with the Policy
- make sure their staff complete the mandatory Data Security Awareness training within the given timescales
- monitor suppliers and partners' compliance with the Policy through routine procurement and contract management activities.
- understand what information assets their team(s) process(es)
- understand its value to the company and the related approach, appetite and capacity for risks and opportunities in conjunction with the company's risk management standards
- make sure the information is managed according to the Policy.
- This includes making decisions about how information is processed e.g. what’s collected, how it’s used, who it’s shared with, when it’s deleted, and whether information risks are mitigated further or accepted by us.
- facilitate an annual assessment across their departments for the Data Security and Protection Toolkit.
Officers and Committee Members must comply with the Policy when handling personal data on behalf of the company.
6. POLICY STATEMENT
The company commits to processing all personal data in compliance with the data protection principles (unless a data protection law exemption applies).
Personal data must:
(a) Be processed lawfully, fairly and in a transparent manner (Lawful, fair and transparent)
(b) Be obtained only for specific, lawful purposes (Purpose limitation)
(c) Be adequate, relevant and limited to what is necessary (Data minimisation)
(d) Be accurate and, where necessary, kept up to date (Accuracy)
(e) Not be held for any longer than necessary (Storage limitation)
(f) Be protected in appropriate ways (Integrity and confidentiality/Security)
The Company must demonstrate how we comply with the above principles (a) to (f) (Accountability); the Policy therefore governs, or is integral to, the following policies, procedures and ways of working:
- Privacy Notice
- Data Protection Impact Assessment and Guidance
- Guidance Notes on Handling Personal Data
- Records Management Policy and procedures, e.g. Retention Schedule
- IT Security Policy
All personal data processing must have a lawful basis for processing from the following:
- the Data Subject consents to the processing of their personal data
- the processing is necessary:
- to enter into or carry out a contract with the Data Subject
- to comply with our (or another Controller’s) legal obligations
- to protect the vital interests of the Data Subject
- to exercise our (or another Controller’s) official authority or perform a public interest task
- to meet the legitimate interests of a Controller or another third party.
Of these lawful bases, the company most frequently uses the following three which then determine which of the company’s procedures and ways of working must be adopted:
Contract – where this applies, the contracts must:
- be written
- include, or be based on, the company’s mandatory data protection clauses and schedules, whether we are the Client or the Contractor
- be monitored for compliance
- be up-to-date.
The Company commits to the processing of all personal data in compliance with the Data Subjects’ Individual Rights (unless a data protection law exemption applies).
Data Subjects have:
- the right to be informed - e.g. Fair processing/privacy notices
- the right of access - e.g. subject access requests (SARs)
- the right to rectification - e.g. have their data corrected
- the right to erasure – e.g. have their data deleted/removed
- the right to restrict processing – e.g. stop their data being used
- the right to data portability – e.g. transfer their data easily
- the right to object – e.g. challenge what we’re doing with their data
As part of these rights, Data Subjects can:
- make a verbal request against any of the rights listed above
- complain to the ICO about data protection breaches and can bring court proceedings for compensation where a data protection breach has caused them damage.
7. IMPLEMENTATION
In summary:
- All staff must receive training, appropriate to their role, to help them understand how to process personal data in line with the Policy - e.g. complete the annual, mandatory data security awareness training and other training as and when required, such as Privacy and Consent (includes marketing consent), Data Protection Impact Assessments and Information Sharing. Please see the current Learning and Development Programme for details of scheduled sessions
- All staff processing special category personal data or with a dedicated IG role must attend the Advanced Data Protection training course and follow their departmental Special Category Personal Data Handling policy
- All staff must assess and manage the risks around how they process personal data to make sure it’s classified and handled appropriately using the appropriate Company tool
- All staff, members, company representatives and suppliers must follow all the data protection requirements in their respective role descriptions, contracts, terms and conditions and/or Code of Conduct
- All staff, officers, members and company representatives must inform the ICO Officer of any Individual Rights Request received relating to the Company
- All staff, officers, members and Company representatives must promptly report potential or actual breaches of the Policy or data protection law to the ICO Officer, in line with the Security Incident and Reporting Policy
- All staff, officers, members, company representatives and suppliers must fully co-operate with any investigation, audit or enforcement activity.
The Company, or our suppliers, may log staff, officer, member or company representative activity to:
- monitor compliance with our policies to provide assurance on adherence to the Policy
- respond to incidents
- prevent, detect, or investigate crime.
We will take appropriate action against staff, officers, members, company representatives or suppliers found breaching the Policy, as appropriate to them. Such action may include, but is not limited to, disciplinary investigations, dismissal, or criminal proceedings and fines.