Data Protection Policy

The Health Matters (Health & Safety) Ltd (“HMHS”) is committed to data protection by default and by design and supports the data protection rights of all those with whom it works, including, but not limited to, employees, clients, visitors, and suppliers. This policy sets out the accountability and responsibilities of HMHS and its employees to comply fully with the provisions of the General Data Protection Regulation (“the GDPR”) and the Data Protection Act 2018 (“the DPA”) and recognises that handling personal data appropriately and in compliance with data protection legislation enhances trust, is the right thing to do and protects HMHS’s relationship with all its stakeholders.

HMHS holds and processes personal data about individuals such as employees, clients and others, defined as ‘data subjects’ by the law. Such data must only be processed in accordance with the GDPR and the DPA.

HMHS has appointed a Data Protection Officer (DPO) to monitor and advise on compliance with the GDPR and the DPA. However, responsibility for compliance and the consequences of any breaches cannot legally be transferred to the DPO but instead remains with the business area. Information and advice can be obtained from the DPO.

This policy covers the following areas:

Purpose of Policy

This policy sets out the responsibilities of HMHS and its employees to comply fully with the provisions of GDPR and the DPA. It is accompanied by a Data Protection Handbook (‘the Handbook’) which provides information and guidance on different aspects of data protection. This policy and the Handbook form the framework which everybody processing personal data should follow to ensure compliance with data protection legislation.


This policy applies to all employees in all cases where the Health Matters (Health & Safety) Ltd is the data controller or a data processor of personal data. The policy applies in these cases regardless of who created the data, where it is held, or the ownership of the equipment used.

Status of the Policy

The policy was approved by HMHS Director Shaun Doran on 16 June 2018. In common with previous data protection policies, this policy does not form part of the formal contract between HMHS and employees, but it is a condition of employment that employees abide by HMHS’s rules and policies. Any failure to follow the policy can therefore result in disciplinary proceedings.

Responsibilities under the Policy

HMHS as data controller has a corporate responsibility to implement and comply with data protection legislation. Thus, in determining the purposes for which, and the manner in which, personal data is processed, HMHS must adhere to the six Data Protection Principles (“the Principles”) as set out in the legislation. Details of these six principles are found in the accompanying Handbook.

This section will set out the main requirements for compliance.

Data Security

All users of personal data within HMHS must ensure that personal data is always held securely and is not disclosed to any unauthorised third party either accidentally, negligently or intentionally.

Privacy Notices

When HMHS collects personal data from individuals, the requirement for ‘fairness and transparency’ must be adhered to. This means that HMHS must provide data subjects with a ‘privacy notice’ to let them know how and for what purpose their personal data are processed. Any data processing must be consistent or compatible with that purpose.


  • Privacy Notice – V2 – 07.2018
  • Health Promotion Privacy Notice – V1 – 07.2018
  • HMHS Employee Privacy Notice – V1 – 06.2018

More information can be found in Section 5 of the Handbook.

Conditions of Processing/Lawfulness

In order to meet the ‘lawfulness’ requirement, processing personal data must meet at least one of the following conditions:

  1. The data subject has given
  2. The processing is required due to a
  3. It is necessary due to a legal
  4. It is necessary to protect someone’s vital interests (i.e. life or death situation).
  5. It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  6. It is necessary for the legitimate interests of the controller or a third

For special categories of personal data, at least one of the following conditions must be met:

  1. The data subject has given explicit
  2. The processing is necessary for the purposes of employment, social security and social protection law.
  3. The processing is necessary to protect someone’s vital
  4. The processing is carried out by a not-for-profit
  5. The processing is manifestly made public by the data subject
  6. The processing is necessary for legal claims
  7. The processing is necessary for reasons of substantial public
  8. The processing is necessary for the purposes of medicine, the provision of health or social care or treatment or the management of health or social care systems and services.
  9. The processing is necessary for public health
  10. The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to certain safeguards which are explained in the Handbook

More information can be found in section 6 of the Handbook.

Data Retention

Personal data must not be kept longer than necessary for the purposes for which it was originally collected. This applies to all personal data, whether held on core systems, local PCs, laptops or mobile devices or held on paper. If the data is no longer required, it must be securely destroyed or deleted.


  • HMHS Data Retention Policy

Further information can be found in section 7 of the Handbook.

Data Protection by Design and Default

Under the GDPR and the DPA, HMHS has an obligation to consider the impact on data privacy during all processing activities. This includes implementing appropriate technical and organisational measures to minimise the potential negative impact processing can have on the data subjects’ privacy.

Data Protection Impact Assessment

When considering new processing activities or setting up new procedures or systems that involve personal data, privacy issues must always be considered at the earliest stage and a Data Protection Impact Assessment (DPIA) must be conducted. The DPIA is a mechanism for identifying and examining the impact of new initiatives and putting in place measures to minimise or reduce risks during the design stages of a process and throughout the lifecycle of the initiative. This will ensure that privacy and data protection control requirements are not an after-thought.


  • HMHS Data Protection Impact Assessment (DPIA)

Anonymisation and Pseudonymisation

Further mechanisms for reducing the risks associated with handling personal data are anonymisation and pseudonymisation. Wherever possible, personal data must be anonymised or, where that is not possible, pseudonymised.

More information on privacy by design and default can be found in Section 11 of the Handbook.

Responsibilities of Management and Data Users

The Directors and staff within their respective areas of work have a responsibility to ensure compliance with the GDPR, the DPA and this policy, and to develop and encourage good information handling practices within their areas of responsibility. All users of personal data within HMHS have a responsibility to ensure that they process the data in accordance with the Principles and the other conditions set down in the legislation. The Handbook provides detailed guidance to assist with fulfilling these obligations.

HMOH has identified Shaun Doran as the Data Protection Officer (DPO) or Champion. The DPO is the first point of contact for data protection questions, queries or concerns relating to Data Protection. The DPO will perform periodic audits to ensure compliance with this policy and the legislation.

Data Subject Rights

The GDPR and the Act contain eight data subject rights HMHS must comply with – the rights to information (see Privacy Notices), subject access, to rectification, to object, to erasure, to portability, to restrict processing and in relation to automated decision-making and profiling.

Subject Access Requests and the right to data portability

Individuals have the right to request to see or receive copies of any information HMHS holds about them, and in certain circumstances to have that data provided in a structured, commonly used and machine-readable format so it can be forwarded to another data controller. HMHS must respond to these requests within four weeks. It is a personal criminal offence to delete relevant personal data after a subject access request has been received.

Individuals receiving a subject access request must follow the subject access request procedures contained in section 11 of the Handbook.

Right to erasure, to restrict processing, to rectification and to object

In certain circumstances data subjects have the right to have their data erased. This only applies:

  • where the data is no longer required for the purpose for which it was originally collected, or
  • where the data subject withdraws consent, or
  • where the data is being processed

In some circumstances, data subjects may not wish to have their data erased but rather have any further processing restricted.

If personal data is inaccurate, data subjects have the right to require HMHS to rectify inaccuracies. In some circumstances, if personal data are incomplete, the data subject can also require the controller to complete the data, or to record a supplementary statement.

Data subjects have the right to object to specific types of processing such as processing for direct marketing, research or statistical purposes. The data subject needs to demonstrate grounds for objecting to the processing relating to their particular situation except in the case of direct marketing where it is an absolute right.

Individuals receiving any of these requests should not act to respond but instead should contact the Data Protection Officer immediately.

Rights in relation to automated decision making and profiling

In the case of automated decision making and profiling that may have significant effects on data subjects, they have the right to either have the decision reviewed by a human being or to not be subject to this type of decision making at all. These requests must be forwarded to the Data Protection Officer immediately.

More information can be found in Section 11 of the Handbook.

Data Sharing

When personal data is transferred internally, the recipient must only process the data in a manner consistent with the original purpose for which the data was collected. If personal data is shared internally for a new and different purpose, a new privacy notice will need to be provided to the client delegate.

When personal data is transferred externally, a legal basis must be determined and a data sharing agreement between HMHS and the third party must be signed, unless disclosure is required by law, such as certain requests from the Department for Work and Pensions or Inland Revenue, or the third party requires the data for law enforcement purposes.

More information can be found in Section 8 of the Handbook.

Transfers of Personal Data Outside the EEA

Personal data can only be transferred out of the European Economic Area when there are safeguards in place to ensure an adequate level of protection for the data. For transfers of personal data to a receiving party in the United States of America, the Privacy Shield Agreement between the European Union and the United States of America provides sufficient protection. Before transferring data, the Privacy Shield website should be consulted to determine whether the receiving party is on the Privacy Shield List. Staff involved in transferring personal data to other countries must ensure that an appropriate safeguard is in place before agreeing to any such transfer.

More information can be found in Section 9 of the Handbook.

Direct Marketing

Direct marketing covers not only the communication of material about the sale of products and services to individuals, but also the promotion of aims and ideals. For HMHS, this will include notifications about upcoming courses and the selling of goods or services. Marketing covers all forms of communications, such as contact by post, fax, telephone and electronic messages; the use of electronic means such as emails and text messaging is governed by the Privacy and Electronic Communications Regulations 2003. HMHS must ensure that it always complies with relevant legislation every time it undertakes direct marketing and must cease all direct marketing activities if an individual requests it to stop.

More information can be found in Section 12 of the Handbook.

Data Protection Training

HMHS Directors agreed on 16 June 2018 that it should be mandatory for all new employees to complete Data Protection Training as part of an induction. In addition, all employees must undergo an element of refresher training at least annually.

Data Protection Breaches

HMHS is responsible for ensuring appropriate and proportionate security for the personal data that it holds. This includes protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage of the data. HMHS makes every effort to avoid data protection incidents; however, it is possible that mistakes will occur on occasion. Personal data incidents might occur through, for example:

  • Loss or theft of data or equipment
  • Ineffective access controls allowing unauthorised use
  • Equipment failure
  • Unauthorised disclosure (e.g. email sent to the incorrect recipient)
  • Human error
  • Hacking attack

Any data protection incident must be brought to the attention of HMHS’s Data Protection Officer, who will investigate and decide if the incident constitutes a data protection breach. If a reportable data protection breach occurs, HMHS is required to notify the Information Commissioner’s Office as soon as possible, and not later than 72 hours after becoming aware of it. Any employee of HMHS who encounters something they believe may be a data protection incident must report it immediately to management in person, and by email with ‘breach’ in the subject line.

Details of how to report a breach and the information that will be required are included in Section 13 of the Handbook.