General Data Protection Regulation Policy
1. INTRODUCTION
This Data Protection Policy has been developed to ensure that Alternative Programme Education (OWLS) fully complies with the General Data Protection Regulation 2018, which came into force on 25th May 2018. The policy emphasises the duties and obligations of every member of staff under the General Data Protection Regulation 2018 and what the Provision sees as good practice.
Any breach of the Data Protection Policy may lead to a fine being imposed by the Information Commissioner's Office, access to Provision facilities being withdrawn, or a criminal prosecution. If there are any questions about the interpretation or operation of this policy, please contact Dean Parkinson or Gemma Parkinson.
2. PURPOSE
The purpose of this policy is to:
· enable OWLS to demonstrate that it fully complies with the General Data Protection Regulation 2018
· ensure that all staff and members of OWLS are fully briefed, and effectively trained, on GDPR
· inform staff of their responsibilities within the context of their job and show a line of responsibility towards implementing the General Data Protection Regulation 2018
· clearly define individuals' rights with regard to processing personal data and accessing personal data within the context of the legislation
· ensure that all personal data is stored securely
· give direction and guidance for dealing with requests to access personal data
· ensure that all staff are aware of the issues surrounding the disclosure of personal data
· set data retention periods for personal data
· inform staff of their responsibilities if a data breach, or near miss, occurs.
3. RISK ANALYSIS
The maximum penalty for failing to comply with the General Data Protection Regulation 2018 is the greater of 10 million Euros or 4% of the annual turnover of OWLS. The reputation of OWLS may also be damaged by non-compliance with this policy. Where there is a high risk that the rights and freedoms of individuals may be infringed, a Data Protection Impact Assessment will be undertaken.
4. SCOPE
It is a condition of employment that employees will abide by the rules and policies made by OWLS. Any failure to follow the policy can therefore result in legal and disciplinary proceedings. Any member of staff or student who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with Gemma Parkinson or Dean Parkinson. If the matter is not resolved, it should be raised as a formal breach. OWLS is not responsible for any personal data processed by a member of staff or a student for their personal or domestic use, even where this involves the use of Alpacas & Friends equipment. The definition of personal or domestic use covers any data not concerned with their employment or studies at Alpacas & Friends.
5. RELATED DOCUMENTS
· Freedom of Information Policy
· Disciplinary Policy
· eSafety Policy
· Social Media and Networking Policy
· Safety and Security Policy
· Document Retention and Disposal Policy
· Comments, Compliments and Complaints - Process for Commissioners
6. RESPONSIBILITIES
The Directors of OWLS are responsible for data held by the company.
All departmental managers and all those in managerial or supervisory roles are responsible for developing and encouraging good practice with regard to the handling of personal data.
Compliance with GDPR legislation is the responsibility of all members of OWLS who process personal or sensitive information.
6.1 Staff
The Directors are responsible for:
· How HR processes personal or sensitive data in accordance with the GDPR principles
· Individual rights
· Data security
· Individual responsibilities
· Training
All staff are responsible for ensuring that information is protected against malware and for encrypting all laptops and storage devices issued to them. Care should be taken to ensure that PCs and terminals are not visible except to authorised staff and that computer passwords are kept confidential. PC screens should not be left unattended without password-protected screen-savers, and manual records should not be left where they can be accessed by unauthorised personnel.
This procedure also applies to staff who process personal data off-site. Offsite processing presents a potentially greater risk of loss, theft or damage to personal data. Staff should take particular care when processing personal data at home or in other locations outside the provision.
6.2 The Data Protection Officers
The Directors are designated as the Data Protection Officers.
The Data Protection Officers are responsible for:
· informing and advising the Provision's employees about their obligations to comply with the General Data Protection Regulation 2018 and other data protection laws
· monitoring compliance with the General Data Protection Regulation 2018 and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and arranging internal audits.
· being the first point of contact for supervisory authorities and for individuals whose data is processed
· maintaining and updating the Data Protection Policy
· informing the Information Commissioner's Office if a breach occurs.
7. DEFINITIONS
For the purposes of this Policy the following definitions shall apply:
"personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
"processing of personal data" ("processing") shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
"personal data filing system" ("filing system") shall mean any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
"controller" shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;
"processor" shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
“the provision” shall mean OWLS.
8. PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA
Personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The Directors, as data controllers, shall be responsible for, and be able to demonstrate compliance with, the principles above (‘accountability’).
9. THE RIGHTS OF INDIVIDUALS
9.1 The right to be informed
General Data Protection Regulation 2018 sets out the information that must be supplied to individuals whose personal data the provision holds and when those individuals should be informed. Further details may be obtained from the Data Protection Officers.
The information that the provision supplies about the processing of personal data must be:
· concise, transparent, intelligible and easily accessible;
· written in clear and plain language, particularly if addressed to a young person; and
· free of charge.
9.2 The right of access
Under General Data Protection Regulation 2018, individuals have the right to obtain:
· confirmation that their data is being processed;
· access to their personal data; and
· other supplementary information.
Access requests should be made to the Data Protection Officers in writing. The provision will provide one copy of the information free of charge. However, we may charge a reasonable fee when a request is manifestly unfounded or excessive, particularly if it is repetitive.
9.3 The right to rectification
Individuals are entitled to have personal data held by the provision rectified if it is inaccurate or incomplete. Requests for rectification of data should be made to the Provision's Data Protection Officers in writing; they will respond within one month. This may be extended by two months where the request for rectification is complex.
9.4 The right to erasure
Individuals have a right to have their personal data erased and to prevent processing in specific circumstances. Requests for data to be erased should be made to the Provision's Data Protection Officers in writing. There are some specific circumstances where the right to erasure does not apply, and the Directors may refuse to deal with such a request.
9.5 The right to restrict processing
Individuals have the right to restrict the processing of their personal data in the following circumstances:
a) the accuracy of the personal data is contested by the individual, for a period enabling the provision to verify the accuracy of the personal data;
b) the processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of their use instead;
c) the provision no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the individual has objected to processing pending verification whether the legitimate grounds of the Provision override those of the individual.
Requests to restrict the processing of data should be made to the Provision's Data Protection Officers in writing.
9.6 Data portability
The Provision will provide personal data in a structured and commonly used format. We will also transmit personal data directly to another organisation if requested by the data subject.
9.7 The right to object
An individual has the right to object:
a) where the lawful basis for processing the personal data of an individual is based solely on the legitimate interests of the Provision or the performance of a task in the public interest, or the exercise of an official authority vested in the Provision, on grounds relating to his or her particular situation.
b) to the use of their personal data for direct marketing. Objections to the processing of personal data under this section should be notified to the Data Protection Officers in writing.
The Provision will not process personal data for the purposes of scientific or historical research and statistics.
9.8 Automated decision making and profiling
The Provision will not undertake automated decision making or process personal data for the purpose of profiling individuals.
10. CONSENT OF THE DATA SUBJECT
The Provision will identify and record a lawful basis for the processing of personal data.
The lawful basis for the processing of personal data will normally be the consent of the data subject. Consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. Consent will not be inferred from silence, pre-ticked boxes or inactivity. Consent is not required if a different lawful basis has been identified (see following section). Individuals may withdraw their consent for the processing of their personal data by notifying the Data Protection Officers in writing.
11. OTHER LAWFUL BASES FOR PROCESSING PERSONAL DATA
Having regard to the purpose of the data processing and the relationship with the individual, the Provision may determine that it is not appropriate to obtain the consent of the data subject and may instead identify and document one of the following lawful bases for the processing of personal data:
a) the processing is necessary for a contract between the Provision and the individual, or because the individual has asked the Provision to take specific steps before entering into a contract
b) the processing is necessary for the Provision to comply with the law, for example, The Further and Higher Education Act 1998
c) the processing is necessary to protect someone’s life
d) the processing is necessary for the Provision to perform a task in the public interest or to discharge its official functions, and the task or function has a clear basis in law
e) the processing is necessary for the legitimate interests of the Provision or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (this does not apply if the Provision is processing data to perform its official tasks).
12. PROCESSING OF DATA ON CRIMINAL CONVICTIONS
In order to comply with statutory guidance from the Department for Education issued under Section 175 of the Education Act 2002, the Provision obtains details of criminal allegations, proceedings and convictions for the purpose of safeguarding the young people and vulnerable adults for which it is responsible. This data is only retained for as long as required for this purpose and is then deleted. The Provision does not keep a comprehensive register of criminal convictions.
13. PRIVACY NOTICES, TRANSPARENCY AND CONTROL
The Provision aims to comply with the code of practice on communicating privacy information to individuals issued by the Information Commissioner’s Office.
Privacy notices will be as informative as possible and will, as a minimum, inform individuals:
· that the Directors are the data controllers
· how their personal data will be used by the Provision and
· with whom their data will be shared.
Privacy information will be given before personal data is collected and may be communicated through a variety of media:
· in writing - forms, such as application forms; printed media; printed adverts
· electronically - on the Provision website; in emails; in text messages; in mobile apps
· orally - face to face or when speaking on the telephone (this will be documented)
· through signage - for example an information poster in a public area.
14. DATA SHARING
The Provision aims to comply with the code of practice on data sharing issued by the Information Commissioner’s Office.
The Provision will inform an individual if it intends to share his or her personal data with another organisation and will normally obtain the consent of the individual.
The Provision does not require the consent of a student to share his or her personal data for the purpose of complying with:
· its contractual obligations to the Education and Skills Funding Agency and successor organisations
· its legal obligations under the education acts and safeguarding legislation.
The Provision may share personal data without the individual’s knowledge, where, for example, personal data is processed for the:
· prevention or detection of crime
· apprehension or prosecution of offenders
The Provision will share personal data with its service providers to the minimum extent required for those service providers to discharge their obligations to the Provision under relevant service contracts. Service providers may include, but are not limited to, auditors, the payroll and HR system provider, bankers, debt collection agencies, software suppliers and funding providers.
The Provision will not transfer personal data outside the European Union.
15. RETENTION OF DATA
The Provision will retain data in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the data are processed. The retention periods for each class of data are shown within the Document Retention and Disposal Policy.
16. REPORTING PERSONAL DATA BREACHES
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This is more than a loss of personal data. All personal data breaches, or circumstances which may give rise to a personal data breach, must be reported to the Data Protection Officers immediately. The Data Protection Officers will investigate the alleged breach and prepare a written report.
If the breach is likely to result in a risk to the rights and freedoms of individuals (if unaddressed, such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage) then the Data Protection Officer will notify the Commissioners.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, then the Data Protection Officer will, in addition, make arrangements to notify the individuals concerned.
17. CLOSED CIRCUIT TELEVISION (CCTV)
The operation of cameras is covered by a CCTV Code of Practice. The CCTV Code of Practice determines that:
· any monitoring of data will be carried out only by a limited number of specified staff
· data will be accessed only by the Directors
· personal data obtained during monitoring will be erased as soon as possible after any investigation is complete
· data will only be made available to law enforcement agencies involved in the prevention and detection of crime, and no other third parties
· staff involved in monitoring will maintain confidentiality in respect of personal data
· data are securely stored, where only a limited number of authorised persons may have access to them
· the operating equipment is regularly checked to ensure that it is working properly (e.g. the recording media used is of an appropriate standard and that features on the equipment, such as the date and time stamp, are correctly set and applied to the data).
18. COMPLAINTS
Any person who believes that the Provision has not complied with this Policy, or with any aspect of the wider General Data Protection Regulation 2018, should notify the Provision's Data Protection Officers in the first instance. If the issue is not resolved, a complaint should be made in writing to the Information Commissioner's Office and will be investigated by them following their own Complaints Procedure Policy.
If the complainant is still unhappy with the Provider's and their Commissioners' response, or needs any advice, he or she should contact the Information Commissioner's Office (ICO) on the ICO helpline (telephone: 0303 123 1113) or go to the Information Commissioner's website at https://www.gov.uk/data-protection/make-a-complaint.
19. MONITORING AND REVIEW
The Data Protection Officer has overall responsibility for the implementation of the Policy.
As a general rule the Policy will be reviewed every two years. However, the Provision reserves the right to amend the policy at its discretion and in accordance with the relevant legal regulations/laws.