HSQE Consultancy Ltd (hereinafter referred to as the “Company”) needs to collect personal information to effectively carry out our everyday business functions and activities and to provide the products and services defined by our business type. Such Data is collected from employees, customers, suppliers and clients and includes (but is not limited to) name, address, email address, date of birth, IP address, identification numbers, private and confidential information, sensitive information and bank/credit card details. In addition, we may be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations; however, we are committed to processing all personal information in accordance with the General Data Protection Regulation (GDPR), UK Data Protection Laws and any other relevant Data Protection Laws and codes of conduct (herein collectively referred to as “the Data Protection Laws”).
The Company has developed policies, procedures, controls and measures to ensure maximum and continued compliance with the Data Protection Laws and principles, including Workers training, procedure documents, audit measures and assessments. Ensuring and maintaining the security and confidentiality of personal and/or special category Data is one of our top priorities and we are proud to operate a ‘Privacy by Design’ approach, assessing changes and their impact from the start and designing systems and processes to protect personal information at the core of our business.
The purpose of this policy is to ensure that the Company meets its legal, statutory and regulatory requirements under the Data Protection Laws and to ensure that all personal and special category information is processed compliantly and in the individuals’ best interest. The Data Protection Laws include provisions that promote accountability and governance and as such the Company has put comprehensive and effective governance measures into place to meet these provisions. The aim of such measures is ultimately to minimise the risk of breaches and uphold the protection of personal Data. This policy also serves as a reference document for employees and third parties on the responsibilities of handling and accessing personal Data and Data subject requests.
This policy applies to all Workers within the Company (meaning permanent, fixed term, and temporary Workers, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
o takes place in more than one Member State; or
o which substantially affects or is likely to affect Data subjects in more than one Member State
The UK initially had The Data Protection Act 1984 in place to regulate the use of processed information that related to individuals. However, the introduction in 1995 of EU Directive 95/46/EC, which set aims and requirements for member states on the protection of personal Data when processing or sharing, meant an updated Act was required.
The UK subsequently developed and enacted The Data Protection Act 1998 (DPA) to ensure that British law complied with the EU Directive and to provide those with obligations under the Act with updated rules, requirements and guidelines for processing and sharing personal Data. 2018 marks the 20th anniversary of the DPA enactment and whilst there have been periodical additions or alterations to the Act, technology has advanced at a far faster rate, necessitating new regulations for the current digital age. The past 20 years have also seen a vast increase in the number of businesses and services operating across borders, further highlighting the international inconsistency in Member States’ Data Protection Laws.
For this reason, in January 2012, the European Commission proposed a new regulation applying to all EU Member States and bringing a standardised and consistent approach to the processing and sharing of personal information across the EU.
4.1 NATIONAL DATA PROTECTION LAW
As the Company is in the UK, we are obligated under the GDPR and the UK’s Data Protection Bill that implements the GDPR into UK law. Our Data Protection policies and procedures adhere to both the GDPR and Data Protection Bill requirements, as applicable to our business type.
4.2 GENERAL DATA PROTECTION REGULATION (GDPR)
The General Data Protection Regulation (GDPR) (EU 2016/679) was approved by the European Commission in April 2016 and will apply to all EU Member States from 25th May 2018. As a ‘Regulation’ rather than a ‘Directive’, its rules apply directly to Member States, replacing their existing local Data Protection Laws and repealing and replacing Directive 95/46/EC and its Member State implementing legislation.
As the Company processes personal information regarding individuals (Data subjects), we are obligated under the General Data Protection Regulation (GDPR) to protect such information, and to obtain, use, process, store and destroy it, only in compliance with its rules and principles.
4.2.1 PERSONAL DATA
Information protected under the GDPR is known as “personal Data” and is defined as: –
“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location Data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The Company ensures that a high level of care is afforded to personal Data falling within the GDPR’s ‘special categories’ (previously sensitive personal Data), due to the assumption that this type of information could be used in a negative or discriminatory way and is of a sensitive, personal nature to the persons it relates to.
In relation to the ‘Special categories of Personal Data’ the GDPR advises that: –
“Processing of personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic Data, biometric Data for uniquely identifying a natural person, Data concerning health or Data concerning a natural person’s sex life or sexual orientation shall be prohibited – unless one of the Article 9 clauses applies.”
4.2.2 THE GDPR PRINCIPLES
Article 5 of the GDPR requires that personal Data shall be: –
Article 5(2) requires that ‘the controller shall be responsible for, and be able to demonstrate, compliance with the Data Protection Laws principles’ (‘accountability’) and requires that firms show how they comply with the principles, detailing and summarising the measures and controls that they have in place to protect personal information and mitigate the risks of processing.
4.3 THE INFORMATION COMMISSIONER’S OFFICE (ICO)
The Information Commissioner’s Office (ICO) is an independent regulatory office which reports directly to Parliament and whose role it is to uphold information rights in the public interest. The legislation it has oversight for includes: –
The ICO’s mission statement is “to uphold information rights in the public interest, promoting openness by public bodies and Data privacy for individuals” and they can issue enforcement notices and fines for breaches in any of the Regulations, Acts and/or Laws regulated by them.
Under the Data Protection Laws the ICO, as the UK’s Data Protection authority (Supervisory Authority), will have a similar role as previously, when it comes to oversight, enforcement and responding to complaints with regards to the Data Protection Laws and those firms located solely in the UK.
The Company is registered with the ICO and appears on the Data Protection Register as a controller and/or processor of personal information. Our Data Protection Registration Number is A8444102.
4.4 DATA PROTECTION OFFICER
Articles 37-39, and Recital 97 of the GDPR detail the obligations, requirements and responsibilities on firms to appoint a Data Protection Officer and specifies the duties that the officer themselves must perform.
A Data Protection Officer (DPO) must be appointed by a firm where: –
Where the Company has appointed a designated Approved Person, we have done so in accordance with the GDPR requirements and have ensured that the assigned person has an adequate and expert knowledge of Data Protection law. They have been assessed as being fully capable of assisting the Company in monitoring our internal compliance with the Regulation and supporting and advising employees and associated third parties with regards to the Data Protection Laws and requirements.
We are committed to ensuring that all personal Data processed by the Company is done so in accordance with the Data Protection Laws and its principles, along with any associated regulations and/or codes of conduct laid down by the Supervisory Authority and local law. We ensure the safe, secure, ethical and transparent processing of all personal Data and have stringent measures to enable Data subjects to exercise their rights.
The Company has developed the below objectives to meet our Data Protection obligations and to ensure continued compliance with the legal and regulatory requirements.
The Company ensures that: –
6.1 ACCOUNTABILITY & COMPLIANCE
Due to the nature, scope, context and purposes of processing undertaken by the Company, we carry out frequent risk assessments and information audits to identify, assess, measure and monitor the impact of such processing. We have implemented adequate and appropriate technical and organisational measures to ensure the safeguarding of personal Data and compliance with the Data Protection Laws and can evidence such measures through our documentation and practices.
Our main governance objectives are to: –
The technical and organisational measures that the Company has in place to ensure and demonstrate compliance with the Data Protection Laws, regulations and codes of conduct, are detailed in this document and associated information security policies.
6.1.1 PRIVACY BY DESIGN
We operate a ‘Privacy by Design’ approach and ethos, with the aim of mitigating the risks associated with processing personal Data through prevention via our processes, systems and activities. We have developed controls and measures (detailed below), that help us enforce this ethos.
Under Article 5 of the GDPR, principle (c) advises that Data should be ‘limited to what is necessary’, which forms the basis of our minimalist approach. We only ever obtain, retain, process and share the Data that is essential for carrying out our services and/or meeting our legal obligations and only retain Data for as long as is necessary. Our systems, employees, processes and activities are designed to limit the collection of personal information to that which is directly relevant and necessary to accomplish the specified purpose. Data minimisation enables us to reduce Data Protection risks and breaches and supports our compliance with the Data Protection Laws.
Measures to ensure that only the necessary Data is collected includes: –
We utilise pseudonymisation where possible to record and store personal Data in a way that ensures it can no longer be attributed to a specific Data subject without the use of separate, additional information (personal identifiers). Encryption and partitioning are also used to protect the personal identifiers, which are kept separate from the pseudonymised Data sets.
When using pseudonymisation, we ensure that the attribute(s) being removed and replaced, are unique and prevent the Data subject from being identified through the remaining markers and attributes. Pseudonymisation can mean that the Data subject is still likely to be identified indirectly and as such, we use this technique in conjunction with other technical and operational measures of risk reduction and Data Protection.
We utilise encryption as a further risk prevention measure for securing the personal Data that we hold. Encryption with a secret key is used to make Data indecipherable unless decryption of the Dataset is carried out using the assigned key. We utilise encryption via secret key for transferring personal Data to any external party and provide the secret key in a separate format. Where special category information is being transferred and/or disclosed, the Data Protection Officer is required to authorise the transfer and review the encryption method for compliance and accuracy.
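The pseudonymisation and separation described above, as an added example that is not part of the Company’s policy or systems: it moves the direct identifiers (name, email) into a separate lookup table keyed by a random token (under the policy that table is what would be encrypted and partitioned; the cipher itself is not shown here), then checks the residual re-identification risk the second paragraph warns about by coarsening the remaining quasi-identifiers (postcode, date of birth) until no combination singles out fewer than k records. The record values, field names, generalisation levels and the threshold k are all constructed for the example.

```python
"""Pseudonymise a record set and check the residual re-identification risk.

Added example (not the Company's code): direct identifiers are replaced by
random tokens held in a separate lookup table, and the remaining
quasi-identifiers are generalised until every combination of them is shared
by at least k records (a k-anonymity style check).
"""
import secrets
from collections import Counter

# Constructed sample records; the people and values are invented.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "postcode": "GU14 7AB", "dob": "1985-03-12", "claim_type": "hospital invoice"},
    {"name": "Bob Sample", "email": "bob@example.com",
     "postcode": "GU14 9ZZ", "dob": "1985-11-02", "claim_type": "hospital invoice"},
    {"name": "Carol Test", "email": "carol@example.com",
     "postcode": "GU14 7AB", "dob": "1985-03-12", "claim_type": "patient record"},
    {"name": "Dan Demo", "email": "dan@example.com",
     "postcode": "RG12 1AA", "dob": "1990-07-30", "claim_type": "patient record"},
    {"name": "Eve Mock", "email": "eve@example.com",
     "postcode": "SL1 2BB", "dob": "1990-01-15", "claim_type": "patient record"},
]

DIRECT_IDENTIFIERS = ("name", "email")   # removed from the data set and tokenised
QUASI_IDENTIFIERS = ("postcode", "dob")  # kept, but may combine to identify someone


def pseudonymise(records):
    """Return (pseudonymised records, lookup table).

    Each record receives a fresh random token in place of its direct
    identifiers. The lookup table (token -> identifiers) is the "separate,
    additional information" and must be stored apart from, and under
    stronger controls than, the pseudonymised data set.
    """
    pseudonymised, lookup = [], {}
    for rec in records:
        token = secrets.token_hex(8)  # 64 random bits; unlinkable across data sets
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        pseudonymised.append(
            {"token": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return pseudonymised, lookup


def generalise(rec, level):
    """Coarsen the quasi-identifiers of one record.

    level 0: unchanged; level 1: outward postcode and year of birth only;
    level 2: postcode dropped entirely, year of birth only.
    """
    out = dict(rec)
    if level >= 1:
        out["postcode"] = rec["postcode"].split()[0]  # "GU14 7AB" -> "GU14"
        out["dob"] = rec["dob"][:4]                   # "1985-03-12" -> "1985"
    if level >= 2:
        out.pop("postcode", None)
    return out


def min_group_size(records, level=0):
    """Smallest number of records sharing one quasi-identifier combination.

    A value of 1 means at least one person is singled out by the remaining
    attributes alone, even though their name and email are gone.
    """
    groups = Counter(
        tuple(generalise(r, level).get(q) for q in QUASI_IDENTIFIERS) for r in records
    )
    return min(groups.values())


def release(records, k=2):
    """Pseudonymise, then generalise until every combination has >= k records.

    Returns (released records, lookup table, generalisation level used).
    Raises ValueError if no available level reaches the threshold, which is
    the signal to apply further measures rather than release the data.
    """
    pseud, lookup = pseudonymise(records)
    for level in range(3):
        if min_group_size(pseud, level) >= k:
            return [generalise(r, level) for r in pseud], lookup, level
    raise ValueError("cannot reach k=%d with the available generalisation" % k)


if __name__ == "__main__":
    released, lookup, level = release(RECORDS, k=2)
    print("generalisation level used:", level)
    for r in released:
        print(r)
    print("lookup table entries (store separately, encrypted):", len(lookup))
```

Run on the sample, the raw quasi-identifiers single out Bob, Dan and Eve (each postcode/date pair is unique), so the data is only released at level 2, where only the birth year survives and each year covers at least two records. The lookup table still re-attributes every token, which is why its protection, not the pseudonymisation alone, carries the risk.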
Our Privacy by Design approach means that we use company-wide restriction methods for all personal Data activities. Restricting access is built into the foundation of the Company’s processes, systems and structure and ensures that only those with authorisation and/or a relevant purpose, have access to personal information. Special category Data is restricted at all levels and can only be accessed by the HR Department. Refer to our Access Control Policy in our Information Security program for further details.
Hard Copy Data
Due to the nature of our business, it is sometimes essential for us to obtain, process and share personal and special category information which is only available in a paper format without pseudonymisation options (e.g. copies of patient records, hospital invoices or claims information). Where this is necessary, we utilise a tiered approach to minimise the information we hold and/or the length of time we hold it for. Steps include: –
6.1.2 INFORMATION AUDIT
To enable the Company to fully prepare for and comply with the Data Protection Laws, we have carried out a company-wide Data Protection information audit to better enable us to record, categorise and protect the personal Data that we hold and process.
The audit has identified, categorised and recorded all personal information obtained, processed and shared by our company in our capacity as a controller/processor and has been compiled on a central register which includes: –
6.2 LEGAL BASIS FOR PROCESSING (LAWFULNESS)
At the core of all personal information processing activities undertaken by the Company, is the assurance and verification that we are complying with Article 6 of the GDPR and our lawfulness of processing obligations. Prior to carrying out any personal Data processing activity, we identify and establish the legal basis for doing so and verify these against the regulation requirements to ensure we are using the most appropriate legal basis.
The legal basis is documented on our information audit register and in our Privacy Notice and, where applicable, is provided to the Data subject and Supervisory Authority as part of our information disclosure obligations.
Data is only obtained, processed or stored when we have met the lawfulness of processing requirements, where: –
6.2.1 PROCESSING SPECIAL CATEGORY DATA
Special categories of Personal Data are defined in the Data Protection Laws as: –
Processing of personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic Data, biometric Data for uniquely identifying a natural person, Data concerning health or Data concerning a natural person’s sex life or sexual orientation shall be prohibited – unless one of the Article 9 clauses applies.
Where the Company processes any personal information classed as special category or information relating to criminal convictions, we do so in accordance with Article 9 of the GDPR regulations and in compliance with the Data Protection Bill’s Schedule 1 Parts 1, 2, 3 & 4 conditions and requirements.
We will only ever process special category Data where: –
Schedule 1, Parts 1, 2 & 3 of the Data Protection Bill provide specific conditions and circumstances in which special category personal Data can be processed and detail the requirements that organisations are obligated to meet when processing such Data.
Where the Company processes personal information that falls into one of the above categories, we have adequate and appropriate provisions and measures in place prior to any processing.
Measures include: –
o procedures for securing compliance with the Data Protection Laws principles
o policies about the retention and erasure of personal Data processed in reliance on the condition
o retention periods and reason (e.g. legal, statutory)
o procedures for reviewing and updating our policies in this area
Please refer to our Retention & Erasure Policy for further guidance and procedures.
6.2.2 RECORDS OF PROCESSING ACTIVITIES
As an organisation with fewer than 250 employees, the Company does not maintain records of our processing activities. However, we continually review all such activities and company size to ensure that we will begin to record such information as detailed in GDPR Article 30 where: –
6.3 THIRD-PARTY PROCESSORS
The Company utilises external processors for certain processing activities (where applicable). We use information audits to identify, categorise and record all personal Data that is processed outside of the company, so that the information, processing activity, processor and legal basis are all recorded, reviewed and easily accessible. Such external processing includes (but is not limited to): –
We have strict due diligence and Know Your Customer procedures and measures in place and review, assess and background check all processors prior to forming a business relationship. We obtain company documents, certifications, references and ensure that the processor is adequate, appropriate and effective for the task we are employing them for.
We audit their processes and activities prior to contract and during the contract period to ensure compliance with the Data Protection regulations and review any codes of conduct that they are obligated under to confirm compliance.
The continued Protection of Data subjects’ rights and the security of their personal information is always our top priority when choosing a processor and we understand the importance of adequate and reliable outsourcing for processing activities as well as our continued obligations under the Data Protection Laws for Data processed and handled by a third-party.
We draft bespoke Service Level Agreements (SLAs) and contracts with each processor as per the services provided and have a dedicated Processor Agreement template that details: –
Each of the areas specified in the contract are monitored, audited and reported on. Processors are notified that they shall not engage another processor without our prior specific authorisation and any intended changes concerning the addition or replacement of existing processors must be done in writing, in advance of any such changes being implemented.
The Processor Agreement and any associated contract reflects the fact that the processor: –
6.4 DATA RETENTION & DISPOSAL
The Company has defined procedures for adhering to the retention periods as set out by the relevant Laws, contracts and our business requirements, as well as adhering to the GDPR requirement to only hold and process personal information for as long as is necessary. All personal Data is disposed of in a way that protects the rights and privacy of Data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion) and prioritises the protection of the personal Data in all instances.
Please refer to our Data Retention & Erasure Policy for full details on our retention, storage, periods and destruction processes.
Individuals have an expectation that their privacy and confidentiality will be upheld and respected whilst their Data is being stored and processed by the Company. We therefore utilise several measures and tools to reduce risks and breaches for general processing. However, where processing is likely to be high risk or cause significant impact to a Data subject, we utilise proportionate methods to map out and assess the impact ahead of time.
Where the Company must or are considering carrying out processing that utilises new technologies, and/or where there is a likelihood that such processing could result in a high risk to the rights and freedoms of Data subjects, we always carry out a Data Protection Impact Assessment (DPIA) (sometimes referred to as a Privacy Impact Assessment).
Pursuant to Article 35(3) and Recitals 84, 89-96, we consider processing that is likely to result in a high risk to include: –
Carrying out DPIAs enables us to identify the most effective way to comply with our Data Protection obligations and ensure the highest level of Data privacy when processing. It is part of our Privacy by Design approach and allows us to assess the impact and risk before carrying out the processing, thus identifying and correcting issues at the source, reducing costs, breaches and risks. The DPIA enables us to identify possible privacy solutions and mitigating actions to address the risks and reduce the impact. Solutions and suggestions are set out in the DPIA and all risks are rated to assess their likelihood and impact. The aim of solutions and mitigating actions for all risks is to ensure that the risk is either: –
Please refer to our external DPIA Procedures for further details.
8.1 CONSENT & THE RIGHT TO BE INFORMED
The collection of personal and sometimes special category Data is a fundamental part of the products/services offered by the Company and we therefore have specific measures and controls in place to ensure that we comply with the conditions for consent under the Data Protection Laws.
The Data Protection law defines consent as: ‘Any freely given, specific, informed and unambiguous indication of the Data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal Data relating to him or her’.
Where processing is based on consent, the Company has reviewed and revised all consent mechanisms to ensure that: –
o that the individual has consented to the use and processing of their personal Data.
o that the individual has been advised of our company name and any third party using the Data.
o what the individual was told at the time of consent.
o how and when consent was obtained.
o Opt-out links in mailings or electronic communications.
o Opt-out process explanation and steps on website and in all written communications.
o Ability to opt-out verbally, in writing or by email.
8.1.1 CONSENT CONTROLS
The Company maintains rigid records of Data subject consent for processing personal Data and is always able to demonstrate that the Data subject has consented to processing of his or her personal Data where applicable. We also ensure that the withdrawal of consent is clear, simple and transparent and is documented in all instances.
Where the Data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent is presented in a manner which is clearly distinguishable from those matters, in an intelligible and easily accessible form, using clear and plain language. All such written declarations are reviewed and authorised by the Data Protection Officer prior to being circulated.
Consent to obtain and process personal Data is obtained by the Company through: –
Any electronic methods of gaining consent are regularly reviewed and tested to ensure that a compliant Privacy Notice is accessible and displayed and that consent is clear, granular and utilises a demonstrable opt-in mechanism. Where consent is obtained verbally, we utilise scripts and checklists to ensure that all requirements have been met and that consent is obtained compliantly and can be evidenced.
Electronic consent is always by a non-ticked, opt-in action (or double opt-in where applicable), enabling the individual to provide consent after the below information has been provided. This is then followed up with an email, SMS or written confirmation of the consent to process, store and share the personal information.
Privacy Notices are used in all forms of consent and personal Data collection, to ensure that we are compliant in disclosing the information required in the Data Protection Laws in an easy to read and accessible format.
8.1.2 ALTERNATIVES TO CONSENT
The Company recognises that there are six lawful bases for processing and that consent is not always the most appropriate option. We have reviewed all processing activities and only use consent as an option where the individual has a choice.
When reviewing the processing activity for compliance with the consent requirements, we ensure that none of the below are a factor: –
8.1.3 INFORMATION PROVISIONS
Where personal Data is obtained directly from the individual (e.g. through consent, by employees, written materials and/or electronic formats such as website forms, subscriptions or email), we provide the below information in all instances, in the form of a privacy notice: –
o where the Company intends to transfer the personal Data to a third country or international organisation without an adequate decision by the Commission, reference to the appropriate or suitable safeguards the Company has put into place and how to obtain a copy of them or where they have been made available.
The above information is provided to the Data subject at the time the information is collected and records pertaining to the consent obtained are maintained and stored for 6 years from the date of consent, unless there is a legal requirement to keep the information longer.
8.2 PRIVACY NOTICE
The Company defines a Privacy Notice as a document, form, webpage or pop-up that is provided to individuals at the time we collect their personal Data (or at the earliest possibility where that Data is obtained indirectly).
Our Privacy Notice includes the Article 13 (where collected directly from individual) or 14 (where not collected directly) requirements and provides individuals with all the necessary and legal information about how, why and when we process their Data, along with their rights and obligations.
We have a link to our Privacy Notice on our website and provide a copy of physical and digital formats upon request. The notice is the customer facing policy that provides the legal information on how we handle, process and disclose personal information.
The notice is easily accessible, legible, jargon-free and is available in several formats, dependent on the method of Data collection: –
With lengthy content being provided in the privacy notice and with informed consent being based on its contents, we have tested, assessed and reviewed our privacy notice to ensure usability, effectiveness and understanding.
We follow the below ICO preferred steps for testing, reviewing and auditing our privacy notice(s) and opt-in consent formats prior to use and to record such assessments.
Where we rely on consent to obtain and process personal information, we ensure that it is: –
8.3 PERSONAL DATA NOT OBTAINED FROM THE DATA SUBJECT
Where the Company obtains and/or processes personal Data that has not been obtained directly from the Data subject, the Company ensures that the information disclosures contained in Article 14 are provided to the Data subject within 30 days of our obtaining the personal Data (except for advising if the personal Data is a statutory or contractual requirement).
In addition to the information disclosures in section 8.1.4, where personal Data has not been obtained directly from a Data subject, we also provide them with information about: –
Where the personal Data is to be used for communication with the Data subject, or a disclosure to another recipient is envisaged, the information will be provided at the latest, at the time of the first communication or disclosure.
Where the Company intends to further process any personal Data for a purpose other than that for which it was originally obtained, we communicate this intention to the Data subject prior to doing so and, where applicable, process only with their consent.
Whilst we follow best practice in the provision of the information noted in the relevant section of this policy, we reserve the right not to provide the Data subject with the information if: –
8.3.1 EMPLOYEE PERSONAL DATA
As per the Data Protection law guidelines, we do not use consent as a legal basis for obtaining or processing employee personal information. Our HR policies have been updated to ensure that employees are provided with the appropriate information disclosure and are aware of how we process their Data and why.
All employees are provided with our Workers Handbook which informs them of their rights under the Data Protection Laws and how to exercise these rights and are provided with a Privacy Notice specific to the personal information we collect and process about them.
8.4 THE RIGHT OF ACCESS
We have ensured that appropriate measures have been taken to provide information referred to in Articles 13/14 and any communication under Articles 15 to 22 and 34 (collectively, The Rights of Data Subjects), in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Such information is provided free of charge and is in writing, or by other means where authorised by the Data subject and with prior verification as to the subject’s identity (i.e. verbally, electronic).
Information is provided to the Data subject at the earliest convenience, but at a maximum of 30 days from the date the request is received. Where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months where necessary. However, this is only done in exceptional circumstances and the Data subject is kept informed in writing throughout the retrieval process of any delays or reasons for delay.
Where we do not comply with a request for Data provision, the Data subject is informed within 30 days of the reason(s) for the refusal and of their right to lodge a complaint with the Supervisory Authority.
8.4.1 SUBJECT ACCESS REQUEST
Where a Data subject asks us to confirm whether we hold and process personal Data concerning him or her and requests access to such Data; we provide them with: –
Subject Access Requests (SARs) are passed to the Compliance Officer as soon as received and a record of the request is noted. The type of personal Data held about the individual is checked against our Information Audit to see what format it is held in, who else it has been shared with and any specific timeframes for access.
SARs are always completed within 30 days and are provided free of charge. Where the individual makes the request by electronic means, we provide the information in a commonly used electronic format, unless an alternative format is requested.
Please refer to our external Subject Access Request Procedures for the guidelines on how an SAR can be made and what steps we take to ensure that access is provided under the Data Protection Laws.
8.5 DATA PORTABILITY
The Company provides all personal information pertaining to the Data subject to them on request and in a format that is easy to disclose and read. We ensure that we comply with the Data portability rights of individuals by ensuring that all personal Data is readily available and is in a structured, commonly used and machine-readable format, enabling Data subjects to obtain and reuse their personal Data for their own purposes across different services.
To ensure that we comply with Article 20 of the Data Protection Laws concerning Data portability, we keep a commonly used and machine-readable format of personal information where the processing is based on: –
Where requested by a Data subject and if the criteria meet the above conditions, we will transmit the personal Data directly from the Company to a designated controller, where technically feasible.
We utilise the below formats for the machine-readable Data: –
All requests for information to be provided to the Data subject or a designated controller are carried out free of charge and within 30 days of the request being received. If for any reason we do not act in responding to a request, we provide a full, written explanation within 30 days to the Data subject of the reasons for refusal and of their right to complain to the Supervisory Authority and to a judicial remedy.
All transmission requests under the portability right are assessed to ensure that no other Data subject is concerned. Where the personal Data relates to more individuals than the subject requesting the Data/transmission to another controller, this is always without prejudice to the rights and freedoms of the other Data subjects.
8.6 RECTIFICATION & ERASURE
8.6.1 CORRECTING INACCURATE OR INCOMPLETE DATA
Pursuant to Article 5(d), all Data held and processed by the Company is reviewed and verified as being accurate wherever possible and is always kept up to date. Where inconsistencies are identified and/or where the Data subject or controller informs us that the Data we hold is inaccurate, we take every reasonable step to ensure that such inaccuracies are corrected with immediate effect.
The Responsible Person is notified of the Data subject's request to update personal Data and is responsible for validating the information and rectifying errors where they have been notified. The information is altered as directed by the Data subject, with the information audit being checked to ensure that all Data relating to the subject is updated where incomplete or inaccurate. Once updated, we add an addendum or supplementary statement where applicable.
Where notified of inaccurate Data by the Data subject, we will rectify the error within 30 days and inform any third party of the rectification if we have disclosed the personal Data in question to them. The Data subject is informed in writing of the correction and where applicable, is provided with the details of any third-party to whom the Data has been disclosed.
If for any reason we are unable to act in response to a request for rectification and/or completion, we always provide a written explanation to the individual and inform them of their right to complain to the Supervisory Authority and to a judicial remedy.
8.6.2 THE RIGHT TO ERASURE
Also known as ‘The Right to be Forgotten’, the Company complies fully with Article 5(e) and ensures that personal Data which identifies a Data subject is not kept longer than is necessary for the purposes for which the personal Data is processed.
All personal Data obtained and processed by the Company is categorised when assessed by the information audit and is either given an erasure date or is monitored so that it can be destroyed when no longer necessary.
Please refer to our Data Retention & Erasure Policy for exact procedures on erasing Data and complying with the Article 17 requirements.
8.7 THE RIGHT TO RESTRICT PROCESSING
There are certain circumstances where the Company restricts the processing of personal information, in order to validate, verify or comply with a legal requirement of a Data subject's request. Restricted Data is removed from the normal flow of information and is recorded as being restricted on the information audit.
Any account and/or system related to the Data subject of restricted Data is updated to notify users of the restriction category and reason. When Data is restricted it is only stored and not processed in any way.
The Company will apply restrictions to Data processing in the following circumstances: –
The Data Protection Officer reviews and authorises all restriction requests and actions and retains copies of notifications from and to Data subjects and relevant third parties. Where Data is restricted and we have disclosed such Data to a third party, we will inform the third party of the restriction in place and the reason, and re-inform them if any such restriction is lifted.
Data subjects who have requested restriction of Data are informed within 30 days of the restriction application and are also advised of any third party to whom the Data has been disclosed. We also provide in writing to the Data subject any decision to lift a restriction on processing. If for any reason we are unable to act in response to a request for restriction, we always provide a written explanation to the individual and inform them of their right to complain to the Supervisory Authority and to a judicial remedy.
8.8 OBJECTIONS AND AUTOMATED DECISION MAKING
Data subjects are informed of their right to object to processing in our Privacy Notices and at the point of first communication, in a clear and legible form and separate from other information. We provide opt-out options on all direct marketing material and provide an online objection form where processing is carried out online. Individuals have the right to object to: –
Where the Company processes personal Data for the performance of a legal task, in relation to our legitimate interests or for research purposes, a Data subject's objection will only be considered where it is on ‘grounds relating to their particular situation’. We reserve the right to continue processing such personal Data where: –
Where we are processing personal information for direct marketing purposes under a previously obtained consent, we will stop processing such personal Data immediately where an objection is received from the Data subject. This measure is absolute, free of charge and is always adhered to. Where a Data subject objects to Data processing on valid grounds, the Company will cease the processing for that purpose and advise the Data subject of cessation in writing within 30 days of the objection being received.
We have carried out a system audit to identify automated decision-making processes that do not involve human intervention. We also assess new systems and technologies for this same component prior to implementation.
The Company understands that decisions absent of human interactions can be biased towards individuals and pursuant to Articles 9 and 22 of the Data Protection Laws, we aim to put measures into place to safeguard individuals where appropriate. Via our Privacy Notices, in our first communications with an individual and on our website, we advise individuals of their rights not to be subject to a decision when: –
In limited circumstances, the Company will use automated decision-making processes within the guidelines of the regulations. Such instances include: –
Where the Company uses automated decision-making processes, we always inform the individual and advise them of their rights. We also ensure that individuals can obtain human intervention, express their point of view, obtain an explanation of the decision and challenge it.
9.1 SECURITY & BREACH MANAGEMENT
Alongside our ‘Privacy by Design’ approach to protecting Data, we ensure the maximum security of Data that is processed, including as a priority when it is shared, disclosed and transferred. Our Information Security Policies provide the detailed measures and controls that we take to protect personal information and to ensure its security from consent to disposal. We carry out information audits to ensure that all personal Data held and processed by us is accounted for and recorded, alongside risk assessments as to the scope and impact a Data breach could have on Data subject(s).
We have implemented adequate and appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Whilst every effort and measure is taken to reduce the risk of Data breaches, the Company has dedicated controls and procedures in place for such situations, along with the notifications to be made to the Supervisory Authority and Data subjects (where applicable).
Please refer to our Data Breach Policy & Procedures for specific protocols.
The Company takes proportionate and effective measures to protect personal Data held and processed by us at all times; however, we recognise the high-risk nature of disclosing and transferring personal Data and as such place an even higher priority on the protection and security of Data being transferred. Data transfers within the UK and EU are deemed less of a risk than those to a third country or an international organisation, due to the Data Protection Laws covering the former and the strict regulations applicable to all EU Member States.
Where Data is being transferred for a legal and necessary purpose, compliant with all Articles in the Regulation, we utilise a process that ensures such Data is encrypted with a secret key and where possible is also subject to our Data minimisation methods. We use approved, secure methods of transfer and have dedicated points of contact with each Member State organisation with whom we deal. All Data being transferred is noted on our information audit so that tracking is easily available, and authorisation is accessible. The Data Protection Officer authorises all EU transfers and verifies the encryption and security methods and measures.
This policy and procedure document details the extensive controls, measures and methods used by the Company to protect personal Data, uphold the rights of Data subjects, mitigate risks, minimise breaches and comply with the Data Protection Laws and associated laws and codes of conduct. In addition to these, we also carry out regular audits and compliance monitoring processes that are detailed in our Compliance Monitoring & Audit Policy & Procedure, with a view to ensuring that the measures and controls in place to protect Data subjects and their information are adequate, effective and compliant at all times.
The Data Protection Officer has overall responsibility for assessing, testing, reviewing and improving the processes, measures and controls in place and reporting improvement action plans to the Senior Management Team where applicable. Data minimisation methods are frequently reviewed, and new technologies assessed to ensure that we are protecting Data and individuals to the best of our ability.
All reviews, audits and ongoing monitoring processes are recorded by the Data Protection Officer and copies provided to Senior Management and are made readily available to the Supervisory Authority where requested.
The aim of internal Data Protection audits is to: –
Through our strong commitment and robust controls, we ensure that all Workers understand, have access to and can easily interpret the Data Protection Laws requirements and its principles and that they have ongoing training, support and assessments to ensure and demonstrate their knowledge, competence and adequacy for the role.
Our Training & Development Policy & Procedures and Induction Policy detail how new and existing employees are trained, assessed and supported and include: –
Employees are continually supported and trained in the Data Protection Laws requirements and our own objectives and obligations around Data Protection.
The Company understands its obligations and responsibilities under the Data Protection Laws and recognises the severity of breaching any part of the law or Regulation. We respect the Supervisory Authority’s authorisation under the legislation to impose and enforce fines and penalties on us where we fail to comply with the regulations, fail to mitigate the risks where possible and operate in a knowingly non-compliant manner.
Employees have been made aware of the severity of such penalties and their proportionate nature in accordance with the breach. We recognise that: –
The Company has appointed a Data Protection Lead whose role it is to identify and mitigate any risks to the protection of personal Data, to act in an advisory capacity to the business, its employees and upper management, and to actively stay informed and up to date with all legislation and changes relating to Data Protection.
The DPO will work in conjunction with the Compliance Officer, IT Manager and Training Officer to ensure that all processes, systems and Workers are operating compliantly and within the requirements of the Data Protection Laws and its principles.
The DPO has overall responsibility for due diligence, privacy impact assessments, risk analysis and Data transfers where personal Data is involved and will also maintain adequate and effective records and management reports in accordance with the Data Protection Laws and our own internal objectives and obligations.
Workers who manage and process personal or special category information will be provided with extensive Data Protection training and will be subject to continuous development support and mentoring to ensure that they are competent and knowledgeable for the role they undertake.