Implemented for use in:
Smart Property Concept Limited
11 Buts, Coventry, CV1 3GJ11 Butts, Coventry, CV1 3GJ
Issue date 8 / 11/ 2021
- Current, past and prospective employees,
- Users of its websites,
- Other stakeholders
In collecting and using this data, the organization is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.
The purpose of this policy is to set out the relevant legislation and to describe the steps The Company is taking to ensure that it complies with it.
This control applies to all system, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to the Company systems.
- Data Protection Policy
2.1. The UK general data protection regulation
The UK General Data Protection Regulation (UK GDPR), combined with the Data Protection Act 2018, is one of the most significant pieces of legislation affecting the way that the Company carries out its information processing activities. Significant fines are applicable if a breach is deemed to have occurred under the UK GDPR, which is designed to protect the personal data of citizen and residents of the United Kingdom. It is the Company policy to ensure that our compliance with the UK GDPR and other relevant legislation is clear and demonstrable at all times.
There is a significant number of definitions listed within the UK GDPR and it is not appropriate to reproduce them all here. However, the most fundamental definitions with respect to the policy are as follows:
2.2.1. Personal Data
Defined as “any information relating to an identified natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specified to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
“Any operation or set of operation which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
“The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; (but see section 6 of the 2018 Act)”.
2.3. Principles relating to processing of personal data
There are several fundamental principles upon which the UK GDPR is based. These are as set out in Article 5 (1) of the regulation as follows:
“Personal data shall be:
- a) Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical, research purposes or statistical purposes shall, in accordance with Article 89 (1), not to be considered to be incompatible with the initial purposes (‘purpose limitation’)
- c) Adequate,relevantandlimitedtowhatisnecessaryinrelationtothepurposes for which the are processed (‘data minimization’);
- d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- e) Kept in a form which permits identification of data subject for no longer that is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- f) Processed in a manner that ensures appropriate security of the personal dara, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’)”.
Paragraph 2 further states that “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (accountability’).
The Company will ensure that it complies with all these principles both in the processing it currently carries out and as part of the introduction of new methods of processing such as new IT systems.
2.4. Rights of the individual
2.4.1. The data subject also has rights under the UK GDPR. These consist of:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Each of this rights are supported by appropriate procedure within the Company that allow the required action to be taken within the timescales stated in the UK GDPR. These timescale is are shown in Table 1.
DATA SUBJECT REQUEST
The right to be informed
When data is collected (if supplied by data subject or within one month (if not supplied by data subject)
The right of access
The right to rectification
The right to erasure
Without undue delay
The right to restrict processing
Without undue delay
The right to data portability
The right to object
On receipt of objection
Rights in relation to automated decision making and profiling
2.4.2. Summary of data subject rights by lawful basis of processing
The following table shows which right of the data subject are relevant to each basis of lawful processing. It should be used as a general guide only, as the specific circumstances may affect the validity of the request.
BASIS OF LAWFUL PROCESSING
Right of the data subject
Automated Decision making and profiling
2.4.3. Privacy notices
When to supply a privacy notice
A privacy notice must be supplied at the time the data is obtained if obtained directly from the data subject. If the data is not obtained directly from the data subject, the privacy notice must be provided within a reasonable period of having obtained the data, which mean within one month.
If the data is being used to communicate with the individual, then the privacy notice must be supplied at the latest when the first communication takes place.
If disclosure to another recipient is envisaged, then the privacy notice must be supplied prior to the data being disclosed.
What to include in a privacy notice
Privacy notices must be concise, transparent, intelligible and easily accessible. They are provided free of charge and must be written in clear and plain language, particularly if aimed at children
The following information must be included in a privacy notice to all data subjects:
- Identification and contact information of the data controller and the data protection officer
- The purpose of processing the data and the lawful basis for doing so
- The legitimate interests of the controller or third party, if applicable
- The right to withdraw consent at any time, if applicable
- The category of the personal data (only for data not obtained directly from the data subject)
- Any recipient or categories of recipients of the personal data
- Detailed information of any transfers to third countries and safeguards in place
- The retention period of the data or the criteria used to determine the retention period, including details for the data disposal after the retention period
- The right to lodge a complaint with the ICO, and internal complaint procedures
- The source of the personal data, and whether it came from publicly available sources (only for data not obtained directly from the data subject)
- Any existence of automated decision making, including profiling and information about how those decisions are made, their significances and consequences to the data subject).
Whether the provision of personal data is part of a statutory of contractual requirement or obligation and possible consequences for any failure to provide the data (only for data obtained directly from the data subject.
2.5. Lawfulness of processing
There are six alternative ways in which the lawfulness of a specific case of processing of personal data may be established under the UK GDPR. It is It is the Company policy to identify the appropriate basis for processing and to document it, in accordance with the Regulation. The options are described in brief in the following sections.
Where appropriate, the Company will obtain consent from a data subject to collect and process their data. In case of children below the age of 13 parental consent will be obtained. Transparent information about our usage of their personal data will be provided to data subjects at the time that consent is obtained and their rights regarding their data explained, such as the right to withdraw consent. This information will be provided in an accessible form, written in clear language and free of charge.
If the personal data are not obtained directly from the data subject, then this information will be provided to the data subject within a reasonable period after the data are obtained and definitely within one month.
2.5.2. Performance of a contract
Where the personal data collected and processed are required to fulfil a contract with the data subject, consent is not required. This will often be the case where the contract cannot be completed without the personal data in question e.g. a delivery cannot be made without an address.
2.5.3. Legal obligation
If the personal data are required to be collected and processed in order to comply with the law, then consent is not required. This may be the case for some data related to employment and taxation for example, and for many areas addressed by the public sector.
2.5.4. Vital interests of the data subject
In a case where the personal data are required to protect the vital interests of the data subject or of another natural person, then this may be used as the lawful basis of the processing. The Company will retain reasonable, documented evidence that this is the case, whenever this reason is used as the lawful basis of the processing of the personal data. As an example this may be used in aspects of social care, particularly in the public sector.
2.5.5. Task carried out in the public interest
Where The Company needs to perform a task that it believes is in the public interest or as a part of an official duty then the data subject’s consent will not be requested. The assessment of the public interest or official duty will be documented and made available as evidence where required.
2.5.6. Legitimate interests
If the processing of specific personal data is in the legitimate interests of The Company and is judged no to affect the rights and freedoms of the data subject in a significant way, then this may be defined as the lawful reason for the processing. Again, the reasoning behind this view will be documented.
2.6. Roles and Responsibilities
2.6.1. Data protection officer
A defined role of Data Protection Officer (DPO) is required under the UK GDPR if an organization is a public authority, if it performs large scale monitoring or if it processes particularly sensitive types of data on a large scale. The DPO is required to have an appropriate level of knowledge and can either be an in-house resource or outsourced to an appropriate service provider.
Based on this criteria, the Company appoint Data protection Officer in Person :Mrs Magdalena Adigwe, email address: firstname.lastname@example.org, responsible – in particular for:
- Keeping the board updated about data protection responsibilities, risks and issues
- Reviewing all data protection procedures and policies on a regular basis
- Arranging data protection training and advice for all staff members and those included in this policy
- Answering questions on data protection from staff, board members and other stakeholders
- Responding to individuals such as clients and employees who wish to know which data is being held on them by us
- Checking and approving with third parties that handle the company’s data any contracts or agreement regarding data processing
All staff are responsible for understanding and complying with relevant policies and procedures for processing and protecting special category personal data.
2.6.2. Our Company Responsibilities
- Analysing and documenting the type of personal data we hold
- Checking procedures to ensure they cover all the rights of the individual
- Identify the lawful basis for processing data
- Ensuring consent procedures are lawful
- Implementing and reviewing procedures to detect, report and investigate personal data breaches
- Store data in safe and secure ways
- Assess the risk that could be posed to individual rights and freedoms should data be compromised
2.6.3. Storing data securely
- In cases when data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it
- Printed data should be shredded when it is no longer needed
- Data stored on a computer should be protected by strong passwords that are changed regularly. We encourage all staff to use a password manager to create and store their passwords.
- Data stored on CDs or memory sticks must be encrypted or password protected and locked away securely when they are not being used
- The DPO must approve any cloud used to store data
- Servers containing personal data must be kept in a secure location, away from general office space
- Data should be regularly backed up in line with the company’s backup procedures
- Data should never be saved directly to mobile devices such as laptops, tablets or smartphones
- All servers containing sensitive data must be approved and protected by security software
- All possible technical measures must be put in place to keep data secure
- Access to personal data processed in IT systems must be password protected. Password should contain at least 12 characters consisting of a random combination of numbers, upper and lower case letters, and special symbols.
- All mobile devices that connect to the company network must be secured with a password and/or biometric authentication and must be configured to lock after 3 minutes of inactivity.
2.7. Privacy by design
The Company has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the consideration of the risk assessment and approval made every time by a person appointed as a responsible for the data protection matters in The Company.
Use of techniques such as data minimization and pseudonymization will be considered where applicable and appropriate.
2.8. Contract involving the processing of personal data
The Company will ensure that all relationship it enterers that involve the processing of personal data are subject to a documented contract that includes the specific information and terms required by the UK GDPR.
2.9. International transfers of personal data
Transfers of personal data does not exist for a destination country, an appropriate safeguards such as standard contractual clauses will be used, or relevant exception identified as permitted under the UK GDPR.
2.10. Breach notification
It is the Company policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the UK GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the Information Commissioner’s Office (ICO) will be informed within 72 hours. This will be managed in accordance with our DATA BREACH NOTIFICATION POLICY.
Under the UK GDPR the ICO has the authority to impose a range of fines of up to four percent (4%) of annual worldwide turnover or 17,500,500 GBP for infringements of the regulations.
2.11. Addressing compliance to the UK GDPR
The following actions are undertaken to ensure that the Company complies at all times with the accountability principle of the UK GDPR:
- The legal basis for the processing personal data is clear and unambiguous
- All staff involved in handling personal data understand their responsibilities for following good data protection practice
- Training in data protection has been provided to all staff
- Rules regarding consent are followed
- Regular reviews of procedures involving personal data are carried out
- Privacy by design is adopted for all new or changed systems and processes
- The following documentation of processing activities is recorded:
o Organization name and relevant details
o Purposes of the personal data processing
o Categories of individuals and personal data processed
o Categories of personal data recipients
o Agreements and mechanisms for transfer of personal data to countries other than the UK including details of controls in place
o Personal data retention schedules
o Relevant technical and organizational controls in place
These actions are reviewed on a regular basis as part of the management process concerned with data protection.
Review of the policy
Our policy is reviewed regularly and updated as necessary.
UK GDPR REVISION
- Privacy Notice – appendix to the company form: before moving into the house (3.1 – 3.7)
- CCVT Policy (3.1-3.7)
- Staff Data Policy (3.1,3.7)
- Template of: Authorisation to process personal data (3.1,3.6, 3.7)
- Template of Records of authorisation to process personal data.(3.1,3.6, 3.7)
- Bring Your own device to work (BYOD) Policy (3.1,3.6,3.7)
- Data Retention
- Data Breach Notification
- Record of Breach.
- Special Category Data Policy.
- DPIA – template.
- Agreement on processing personal data on behalf of controller.
- Template – Letter to controller – to be send before agreement on processing personal data on behalf of controller.
- Template – Letter to processor – to be send before agreement on processing personal data on behalf of controller.
- Record of processing activities.
Record of consent.