Data Protection Policy
(INCLUDING GDPR PRINCIPLES)
1.1 Burkes of Cornascriebe (2014) LTD is required to process relevant personal data regarding members of staff and a range of service users. This policy sets out our commitment to protecting personal data and how we will ensure that staff understand how to handle the data they have access to as part of their work.
2.1 This policy applies to anyone working with personal data that is controlled or processed by or on behalf of Burkes of Cornascriebe (2014) LTD, including but not limited to employees and service providers.
2.2 Personal information means any data or information, in paper or digital format, relating to an identified or identifiable living individual. Personally Identifiable Information (PII) is any data that enables an individual to be identified directly, on its own or in combination with other information held.
3 Data Protection Principles
3.1 Burkes of Cornascriebe (2014) LTD will comply with the Data Protection Act and General Data Protection Regulation (GDPR) principles and ensure that personal data is:
• Processed fairly and lawfully and in a transparent manner
• Obtained for one or more specified, explicit and lawful purposes
• Adequate, relevant and limited to what is necessary for the purpose
• Accurate and where necessary kept up to date
• Not kept in a form which permits identification of data subjects for longer than is necessary
• Processed in accordance with the rights of data subjects
• Processed in a manner that ensures appropriate security of the personal data.
4 General requirements
4.1 Some requirements under the DPA and GDPR are:
• Personal data should only be accessed by those who need it for work purposes
• Personal data should not be divulged or discussed except where necessary to perform normal work duties
• Personal data must always be kept safe and secure, whether at the office, in public areas, at home or in transit
• Personal data should be regularly reviewed and updated
• Queries about data protection, whether internal or external to Burkes of Cornascriebe (2014) LTD, must be dealt with effectively and promptly
5 Information Sharing
5.1 Personal data may need to be shared with other organisations to deliver services or perform our duties. This can only be done where we have permission or there is a legal obligation for us to share.
5.2 Personal data can be shared within Burkes of Cornascriebe (2014) LTD or with third parties, and the sharing may be either:
• “Systematic” or routine information sharing where there is an established purpose, or
• “Exceptional” or one-off decisions, for example in conditions of real urgency.
5.3 Data Sharing Agreements should be completed when setting up ongoing or routine information sharing arrangements with third parties. They are not needed when information is shared in one-off circumstances, but a record of the decision and the reasons for sharing the information should be kept.
5.4 All Data Sharing Agreements must be signed off by the Company Secretary who will keep a register of all Data Sharing Agreements.
6 Privacy Impact Assessments (PIAs)
6.1 PIAs (referred to as Data Protection Impact Assessments, DPIAs, under the GDPR) help to identify and minimise risks to individuals and must be completed in the following situations that involve personal data:
• At the beginning of a new project or when implementing a new system
• Before entering a data sharing agreement
• When major changes are introduced into a system or process
7 Subject Access Requests (SARs)
7.1 Burkes of Cornascriebe (2014) LTD recognises that access to the personal data held about an individual is a fundamental right provided by the legislation and will ensure that all requests from individuals to access their personal data are dealt with as quickly as possible and within the timescales allowed in the legislation (under the GDPR, one month from receipt, extendable by a further two months where requests are complex or numerous, provided the individual is informed within the first month).
7.2 Individuals are encouraged to submit SARs in writing so that the request and its scope are clearly recorded, although a request is valid in whatever form it is made, and may be asked to provide any necessary proof of identity before the request is fulfilled. Under the GDPR, no fee will be charged for these requests unless a request is manifestly unfounded or excessive.
8.1 Anyone who feels that Burkes of Cornascriebe (2014) LTD has broken the law or not protected personal data in any way can complain. Examples of this are when they think their information has not been obtained fairly, it has not been handled securely, or they have asked for a copy of their information and are not happy with the response from Burkes of Cornascriebe (2014) LTD.
8.2 Individuals who consider that data is inaccurate or out of date may also request that the information be corrected or erased. They will receive a written response indicating whether Burkes of Cornascriebe (2014) LTD agrees and, if so, the action to be taken.
8.3 Individuals can also ask Burkes of Cornascriebe (2014) LTD to stop handling their personal information if they think this will cause them harm or distress. This is not always possible where a legal requirement to hold the data prevails. Data Protection Act complaints are initially dealt with by the Company Secretary; individuals also have the right to complain to the Information Commissioner's Office (ICO).
9.1 Data Protection training is important so that all staff and agency workers understand their responsibilities. All employees (including temporary employees) must complete the mandatory e-learning training periodically.
9.2 Other staff with additional responsibilities should complete relevant training as appropriate – e.g., Subject Access Requests.
10.1 Serious breaches of this policy caused by deliberate, negligent or reckless behaviour could result in disciplinary action and may even lead to criminal prosecution.
10.2 Where those breaching the policy are not Burkes of Cornascriebe (2014) LTD employees, this will be regarded as a breach of contract and may lead to termination of their contract.
11 Policy Review
11.1 The Director has direct responsibility for co-ordinating the maintenance and review of this policy annually.
11.2 Reviews will consider changes in legislation, best practice, lessons learned and input from specialist ICT areas within Burkes of Cornascriebe (2014) LTD, in consultation with relevant IT service providers.