006 - Data Protection Policy GDPR

POLICIES & PROCEDURES

Data Protection Policy (GDPR)

1. Introduction

This policy applies to the processing of personal data in manual and electronic records kept by the Company. It also covers the Company's response to any data breach and the rights of individuals under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

This policy applies to the personal data of employees and learners: job applicants, existing and former employees, apprentices, volunteers, placement students, workers and self-employed contractors, and potential, existing and completed learners. These are referred to in this policy as relevant individuals.

"Personal data" is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example a person's name, identification number, location data or online identifier. It can also include pseudonymised data.

"Special categories of personal data" is data which relates to an individual's health, sex life, sexual orientation, race, ethnic origin, political opinions, religion and trade union membership. It also includes genetic and biometric data (where used for identification purposes).

"Criminal offence data" is data which relates to an individual's criminal convictions and offences.

"Data processing" is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The Company makes a commitment to ensuring that personal data, including special categories of personal data and criminal offence data (where appropriate), is processed in line with GDPR and domestic law, and that all its employees conduct themselves in line with this and other related policies. Where third parties process data on behalf of the Company, the Company will ensure that the third party takes such measures as are needed to maintain the Company's commitment to protecting data. In line with GDPR, the Company understands that it will be accountable for the processing, management and regulation, and the storage and retention, of all personal data held in the form of manual records and on computers.

2. Types of data held

The following types of data may be held by the Company, as appropriate, on relevant individuals:

- name, address and phone numbers (for the individual and next of kin)
- CVs and other information gathered during recruitment
- references from former employers
- National Insurance numbers
- job title, job descriptions and pay grades
- tax codes
- holiday records
- internal performance information
- medical or health information / sickness absence records
- conduct issues such as letters of concern and disciplinary proceedings
- terms and conditions of employment
- training details and prior qualifications
- bank account information
- pension
- date of birth
- learning activity and funding used

Relevant individuals should refer to the Company's privacy notice for more information on the reasons for its processing activities, the lawful bases it relies on for the processing, and data retention periods.

3. Data protection principles

All personal data obtained and held by the Company will:

- be processed fairly, lawfully and in a transparent manner
- be collected for specific, explicit and legitimate purposes
- be adequate, relevant and limited to what is necessary for the purposes of processing
- be kept accurate and up to date; every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay
- not be kept for longer than is necessary for its given purpose
- be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures
- comply with the relevant GDPR procedures for international transfers of personal data.

In addition, personal data will be processed in recognition of individuals' data protection rights, as follows:

- the right to be informed
- the right of access
- the right for any inaccuracies to be corrected (rectification)
- the right to have information deleted (erasure)
- the right to restrict the processing of the data
- the right to portability
- the right to object to processing
- rights in relation to automated decision-making and profiling of personal data.

4. Procedures

The Company has taken the following steps to protect the personal data of relevant individuals which it holds or to which it has access:

- It appoints or employs employees with specific responsibilities for:
  1. the processing and controlling of data
  2. the comprehensive reviewing and auditing of its data protection systems and procedures
  3. overseeing the effectiveness and integrity of all the data that must be protected.
  There are clear lines of responsibility and accountability for these different roles.

- It provides information to individuals on their data protection rights, how it uses their personal data, and how it protects it. The information includes the actions relevant individuals can take if they think that their data has been compromised in any way.

- It provides its employees with information and training to make them aware of the importance of protecting personal data, to teach them how to do this, and to understand how to treat information confidentially.

- It can account for all personal data it holds, where it comes from, who it is shared with and also who it might be shared with.

- It carries out risk assessments as part of its reviewing activities to identify any vulnerabilities in its personal data handling and processing, and to take measures to reduce the risks of mishandling and potential breaches of data security. The procedure includes an assessment of the impact of both use and potential misuse of personal data in and by the Company.

- It recognises the importance of seeking individuals' consent for obtaining, recording, using, sharing, storing and retaining their personal data, and regularly reviews its procedures for doing so, including the audit trails that are needed and are followed for all consent decisions. The Company understands that consent must be freely given, specific, informed and unambiguous. The Company will seek consent on a specific and individual basis where appropriate. Full information will be given regarding the activities about which consent is sought. Relevant individuals have the absolute and unimpeded right to withdraw that consent at any time.

- It has the appropriate mechanisms for detecting, reporting and investigating suspected or actual personal data breaches, including security breaches. It is aware of its duty to report breaches that are likely to result in a risk to the rights and freedoms of the affected individuals to the Information Commissioner's Office, and is aware of the possible consequences.

- It is aware of the implications of transferring personal data internationally.

5. Access to data

Relevant individuals have a right to be informed whether the Company processes personal data relating to them and to access the data that the Company holds about them. Requests for access to this data will be dealt with under the following summary guidelines:

A form on which to make a subject access request is available from the Head of Central Support. The request should be made to the Head of Central Support.

The Company will not charge for the supply of data unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the individual making the request.

The Company will respond to a request without delay. Access to data will be provided, subject to legally permitted exemptions, within one month as a maximum. This may be extended by a further two months where requests are complex or numerous.

Relevant individuals must inform the Company immediately if they believe that the data is inaccurate, either as a result of a subject access request or otherwise. The Company will take immediate steps to rectify the information.

6. Data disclosures

The Company may be required to disclose certain data or information to third parties. The circumstances leading to such disclosures include:

- any relevant funding bodies
- any relevant examination bodies
- any employee benefits operated by third parties
- disabled individuals: whether any reasonable adjustments are required to assist them at work
- individuals' health data: to comply with health and safety or occupational health obligations towards the employee
- Statutory Sick Pay purposes
- HR management and administration: to consider how an individual's health affects his or her ability to do their job
- the smooth operation of any employee insurance policies or pension plans.

These kinds of disclosures will only be made when strictly necessary for the purpose.

7. Data security

The Company has achieved and continues to adhere to Cyber Essentials Plus accreditation (Certificate No: 280ff6c6-4cc6-4f61-b54f-821d4e5d53e8, certified November 2022).

The Company adopts procedures designed to maintain the security of data when it is stored and transported.

In addition, employees must:

- ensure that all files or written information of a confidential nature are stored in a secure manner and are only accessed by people who have a need and a right to access them
- ensure that all files or written information of a confidential nature are not left where they can be read by unauthorised people
- check regularly on the accuracy of data being entered into computers
- always use the passwords provided to access the computer system and not abuse them by passing them on to people who should not have them
- use computer screen blanking to ensure that personal data is not left on screen when not in use.

Personal data should not be kept or transported on laptops, USB sticks or similar devices. It should be kept securely within the system in which it is stored, e.g. PICS or Zoho Drive.

The transmission of data is done securely through the systems we use (Zoho, PICS, etc.). All accounts are password protected and encrypted.

Failure to follow the Company's rules on data security may be dealt with via the Company's disciplinary procedure. Appropriate sanctions include dismissal with or without notice, dependent on the severity of the failure.

8. International data transfers

The Company does not transfer personal data to any recipients outside of the EEA.

9. Breach notification

9.1 Definition – Incident

For the purposes of this policy, an "incident" is any occurrence where personal data has, or may have, been made available to someone who does not have the right to see or access it. This does not apply exclusively to electronic information, as the Data Protection Act covers all forms of data, including paper records.

Examples of an incident:

- A laptop containing learner or staff records goes missing whilst away from Company premises.
- A learner file containing personal information about that learner (e.g. address, date of birth, telephone number) cannot be found.
- Your email appears to have been hacked, and you believe some personal data you have sent to a colleague could have been compromised.

9.2 What to do if you think an incident may have taken place

If you think a potential breach of data security may have happened, you must:

a) Immediately inform a member of senior management. Do this verbally, not by email, and if you can't get hold of one manager, move on to another.

b) Give as much information about the incident as you can, i.e. what has occurred (laptop or file missing, insecure emails), when it occurred, where it occurred and why it occurred.

c) Make a simple written report as soon as possible, covering everything in b) above, and have it ready to submit when asked.

9.3 What happens if a data security breach is reported

An investigation will take place and a report will be made to thoroughly assess the likelihood of a valid security breach and to try to identify what records are at risk.

If the security breach is valid, and potential loss of personal data is likely to have occurred:

- the Information Commissioner's Office will be contacted and a report of the incident made
- if and when it is possible to establish whose information has been compromised, the individuals to whom the information relates will be contacted
- if and when it is possible to establish what information has been compromised, any contracting agency will be contacted to advise of a possible breach, with as much detail as possible provided.

Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner within 72 hours of the Company becoming aware of it, and may be reported in more than one instalment.

Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual.

If the breach is sufficient to warrant notification to the public, the Company will do so without undue delay.

10. Training

New employees must read and understand the policies on data protection as part of their induction.

All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.

The nominated data controller, auditors and protection officers for the Company are trained appropriately in their roles under the GDPR.

All employees who need to use the computer system are trained to protect individuals' private data, to ensure data security, and to understand the consequences to them as individuals and to the Company of any potential lapses and breaches of the Company's policies and procedures.

11. Records

The Company keeps records of its processing activities, including the purpose for the processing and retention periods, in its Data Record. These records will be kept up to date so that they reflect current processing activities.

12. Data Protection Officer

The Company does not meet the ICO criteria under which a Data Protection Officer must be appointed.

13. Testing / Assessment

The Head of IT & Facilities regularly reviews and tests the robustness of our security procedures through penetration testing to identify any vulnerabilities. These are risk assessed, their threat level is determined and appropriate measures are implemented.

14. Review of the policy

A Senior Manager will review this policy annually, or more frequently where there are significant changes in circumstances.

To be disseminated to: All Staff / Service Users

Authorised by: CEO, Head of IT & Facilities

Amendments:

Aug 2018 – Created

Dec 2018 – Updated with actions to be taken (section 9)

Dec 2019 – Cyber Essentials accreditation certificate number added

Nov 2020 – Replaced Google Drive with Zoho Drive; added Data Protection Act 2018 and a wider list of types of data held

Dec 2021 – Updated Cyber Essentials Plus certificate number and certification date

Dec 2022 – Updated Cyber Essentials Plus certificate number and certificate date

Policy Ref: 006
Issue Date: August 2018
Review Due: December 2023

thinkemployment.com - Helping people to achieve their potential
