Data Protection Policy
Date: April 2018
Title: Data Protection Policy
Author: Managing Director
Approval Date: 21st May 2018
Review Date: 21st May 2018 – 2nd version
Approved By: Managing Director / Board
The company stores, processes and on occasion discloses information about employees and other Data Subjects for academic, administrative and commercial purposes. It is committed to a policy of protecting the fundamental rights and freedoms of individuals and in particular their right to privacy with respect to the processing of personal data, as set out by law. When handling such information, the company, and all staff or others who process or use any personal information will comply with the law in full at all times.
To ensure compliance the company will:
Observe the spirit and the letter of the Data Protection Act 1998 and the General Data Protection Regulation, and not seek to exploit ambiguous wordings or “grey areas” to avoid its responsibilities.
Co-operate fully with the Information Commissioner and her office.
Maintain a series of Codes of Practice outlining the meaning of the Data Protection Act 1998 and the General Data Protection Regulation and establishing procedures for processing data in day-to-day working. The Codes of Practice will provide a reference source for all staff to clarify anomalies which may arise in routine operations.
Treat all parts of the company as subject to the Act and the Regulation: no individual, section or division shall hold or process records in any manner which does not conform to the company’s Data Protection Policy and Codes of Practice.
Seek to obtain comprehensive “informed consent” from Data Subjects regarding the keeping of records, the processing of data and the disclosure of data to third parties where the company is the Data Controller; and, where the company is the Data Processor, act in full compliance with the Data Controller’s requirements and contractual instructions.
Initiate and maintain an on-going programme of staff development.
Periodically review its policies and practices to ensure continuing compliance with the Act and Regulation.
In order to minimise its liability in law the company will:
Ensure that all new data systems and new forms of processing data will be implemented in accordance with the Act and Regulation.
Regard all members of staff of the company as having an obligation to divulge the existence and contents of databases or other soft or hard copy filing systems that contain personal data, to the Managing Director or other person nominated by the Managing Director.
Implement and maintain appropriate practical and technical measures to ensure the security of all personal data.
Date: May 2018
Title: Data Subject Rights
Author: Managing Director
Approval Date: 22nd May 2018
Approved By: Managing Director / Board
The right of access
Individuals are entitled to make a subject access request for a copy of their personal data, including what data is being held, where, and for what purpose. These requests will normally be free of charge.
Organisations can refuse to respond to a request that is manifestly unfounded or excessive, or can choose to charge a reasonable administrative fee in such cases. Where large volumes of personal data are processed, the organisation may ask the individual to specify exactly what information or processing their request relates to.
Requests should be responded to within one month. This can be extended by a further two months if the request is complex or a large number of requests are received; the individual must be told of the extension, and the reasons for it, within the first month. Data can be withheld where disclosure would adversely affect the rights and freedoms of others; this can include the rights of the organisation itself, for example where disclosure would reveal trade secrets or intellectual property.
The right to be informed
The right to be informed encompasses the obligation on organisations to provide “fair processing information”, typically through a privacy notice. This should be concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child.
The right to rectification
The individual has the right to have inaccurate personal data rectified and incomplete personal data completed.
The right to erasure (“right to be forgotten”)
This is the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing and no overriding legitimate grounds to justify processing. Data will not be erased where processing is necessary: to exercise the right of freedom of expression and information; to comply with a legal obligation; for reasons of public interest; for archiving, research or statistical purposes; or to establish, exercise or defend legal claims.
The right to restrict processing
Processing may be restricted: where the accuracy of the data is contested and is being verified; where the processing is unlawful but the individual wants the data restricted rather than erased; where the organisation no longer needs the data but the individual needs it for legal claims; and where the individual has objected to processing and the organisation is considering whether its legitimate grounds override those of the individual. Restricted data may be stored but not otherwise processed without the individual’s consent.
The right to object to processing
This applies where the organisation’s processing is based on a public task or on legitimate interests. Once an objection is received, the organisation may continue processing only if it can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the individual, or if the processing is for the establishment, exercise or defence of legal claims.
The right to object to direct marketing
Individuals have an absolute right to object to the processing of their personal data for direct marketing, including any profiling related to it; once an objection is received, processing for that purpose must stop and there are no grounds on which to refuse. Where marketing is based on consent, that consent must be unambiguous and rest on a “clear affirmative action” by the consumer.
The right to withdraw consent
If processing is based on consent, the individual has the right to withdraw that consent at any time. Withdrawing consent must be as easy as giving it, and does not affect the lawfulness of processing carried out before the withdrawal.
The right to data portability
This right exists to allow individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily, in a structured, commonly used and machine-readable format, from one IT environment to another in a safe and secure way, without hindrance to usability. This right only applies to personal data which the individual has provided to the organisation, where the processing is based on consent or a contract and is carried out by automated means.
Automated decision making and profiling
Individuals have the right not to be subject to decisions based solely on automated processing which produce legal effects or similarly significantly affect them. This does not apply where the decision is necessary for a contract with the individual, authorised by law, or based on the individual’s explicit consent; in the contract and consent cases the organisation must provide suitable safeguards, including the right to obtain human intervention, to express their point of view and to contest the decision. Additional restrictions apply to automated decision making or profiling using sensitive personal data or carried out on children.
Exercising these rights
Individuals whose personal data the organisation processes may exercise these rights by emailing firstname.lastname@example.org, or by writing to: Rick Yarrow, GDPR Document Co-Ordinator, 30a Upper High Street, Thame, Oxfordshire, OX9 3EX
The right to lodge a complaint
The individual has the right to lodge a complaint with the supervisory authority, the Information Commissioner’s Office (ICO), at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.