Data Processing and Security Agreement

1. INTRODUCTION

1.1. The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is an EU-wide regulation that became applicable in the UK on 25 May 2018. The Data Protection Act 2018 is the UK legislation that supplements it. For the purpose of this policy both shall be jointly referred to as “GDPR”.

1.2. The GDPR lays down rules relating to the protection of individuals (data subjects), protects their fundamental right to the protection of their personal data, and governs how their personal data is used by Feedback Works.

1.3. Feedback Works, and its entire Workforce, are subject to, and must comply with, the GDPR and all associated policies. Feedback Works’ Workforce includes all of the following:

1.3.1. Employees

1.3.2. Board Members

1.3.3. Sub-contractors

1.3.4. Data processors


2. DATA PROTECTION LEAD (DPL)

2.1. Feedback Works is not required in law to appoint a Data Protection Officer. However, to ensure compliance with the legislation Feedback Works has chosen to appoint a Data Protection Lead (DPL).

2.2. There is no legal requirement to publish the details of the DPL or to notify them to the Information Commissioner’s Office (ICO).

2.3. In the performance of his or her tasks, Feedback Works’ DPL must have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

2.4. Feedback Works’ DPL must be involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

2.5. The duties of the DPL are:

2.5.1. Informing and advising Feedback Works, and its Workforce, of their obligations under the GDPR

2.5.2. Monitoring compliance with the GDPR, and with Feedback Works’ policies relating to the protection of personal data, including:

2.5.2.1. The assignment of responsibilities

2.5.2.2. Awareness-raising

2.5.2.3. Training of staff involved in processing operations

2.5.2.4. Any related audits

2.5.3. Providing advice where requested, and ensuring that Feedback Works complies with that advice

2.5.4. Ensuring Feedback Works complies with the requirement of Privacy by Design by promoting the use of Privacy Impact Assessments

2.5.5. Co-operating with the Information Commissioner’s Office (ICO) and acting as the contact point on issues relating to processing, including prior consultation with the ICO in all cases where a Privacy Impact Assessment (data protection impact assessment) indicates that the processing would result in a high risk, and consulting the ICO, where appropriate, on any other matter.


3. TRAINING

3.1. GDPR training is compulsory for the whole of Feedback Works’ workforce as defined in 1.3 and shall provide an overview of the requirements of GDPR and must set out the responsibilities of Feedback Works’ workforce in relation to the Regulation.

3.2. Access to any of Feedback Works’ databases and systems is not permitted unless GDPR Training has been completed. Administrators for these systems are responsible for ensuring that all necessary training has been completed.

3.3. GDPR training will be monitored by the DPL and must be refreshed periodically.


4. DEFINITIONS

4.1. Personal Data means any information relating to an identified or identifiable natural person (data subject).

4.2. The GDPR defines Special Categories of Personal Data as personal data revealing a data subject’s:

4.2.1. racial or ethnic origin

4.2.2. political opinions

4.2.3. religious or philosophical beliefs

4.2.4. trade union membership

4.2.5. genetic and biometric data

4.2.6. health

4.2.7. sexual life or sexual orientation

4.3. A Data Subject is anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

4.4. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In short, doing anything with personal data is processing.

4.5. A Data Controller is the person, public authority, agency or other body which decides what the purpose is for processing personal data and how it is processed. Feedback Works is the Data Controller for all of the personal data it processes about its employees, sub-contractors and clients.

4.6. A Data Processor means a person, public authority, agency or other body which processes personal data on behalf of a controller.

4.7. Privacy by Design is an approach to projects and processes that promotes privacy and data protection compliance from the start, for example when:

4.7.1. building new IT systems for storing or accessing personal data

4.7.2. developing policies or strategies that have privacy implications

4.7.3. embarking on personal data sharing initiatives

4.7.4. using personal data for new purposes.

4.8. Privacy Impact Assessments (PIAs) are a tool used to identify and reduce the privacy risks of processing personal data and are an integral part of taking a Privacy by Design approach.

5. PRINCIPLES RELATING TO PROCESSING PERSONAL DATA

5.1. The GDPR is based on six principles which state that personal data must be:

5.1.1. Processed lawfully, fairly and transparently

5.1.2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

5.1.3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

5.1.4. Accurate and, where necessary, kept up to date

5.1.5. Kept for no longer than is necessary for the purposes for which the personal data is being processed

5.1.6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Each principle is explained in more detail in the sections below.

5.2. The GDPR further requires that Feedback Works must be able to demonstrate compliance with these principles. This is referred to as the Accountability Principle.


6. ACCOUNTABILITY PRINCIPLE

6.1. Feedback Works will demonstrate that it complies with GDPR by implementing appropriate technical and organisational measures. This includes:

6.1.1. GDPR policies and procedures

6.1.2. Mandatory staff training

6.1.3. Audits of processing activities

6.1.4. Maintenance of relevant documentation on processing activities

6.1.5. Implementing measures that meet the principles of data protection by design and data protection by default

6.2. Feedback Works’ documentation on processing activities will be via its Processing Activity Register (also known as a data asset register). The Processing Activity Register shall contain the following information:

6.2.1. The name and contact details of Feedback Works as Data Controller, of any representative of Feedback Works, and of the DPL

6.2.2. A description of the processes in which the processing of personal data takes place and the purposes of these processing activities

6.2.3. The legal basis for all personal data processing activities

6.2.4. A description of the categories of data subject and the categories of personal data processed by each function within Feedback Works

6.2.5. The categories of recipients to whom the personal data has been or will be disclosed by each function within Feedback Works

6.2.6. Where applicable, transfers of personal data to another country or international organisation

6.2.7. How long each category of personal data shall be retained

6.2.8. A general description of the technical and organisational security measures taken to protect and safeguard the personal data

6.3. Any new project or change of process that results in a change to the processing of personal data or a new personal data processing activity must be documented in Feedback Works’ Processing Activity Register.

6.4. Any new project or change of process that involves processing personal data must comply with Privacy by Design requirements and undergo a Privacy Impact Assessment.

6.5. Any activity involving personal data that is not documented in Feedback Works’ Processing Activity Register could be deemed unlawful.

7. THE LAWFULNESS OF PROCESSING PERSONAL DATA

7.1. The first principle states that personal data must be processed lawfully, fairly and transparently. The lawfulness of processing all personal data must be decided by Feedback Works’ DPL and be documented in Feedback Works’ Processing Activity Register.

7.2. To be lawful, at least one of the following must apply:

7.2.1. The data subject has given their consent to the processing of his or her personal data for one or more specific purposes

7.2.2. The processing of the data is necessary for the performance of a contract to which the data subject is party, or necessary in order to enter into such a contract

7.2.3. The processing of the data is necessary for compliance with a legal obligation to which Feedback Works is subject

7.2.4. The processing is necessary to protect the vital interests of a data subject

7.2.5. The processing is necessary for the purposes of the legitimate interests pursued by Feedback Works except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

7.3. If personal data is to be processed for a purpose different to the one for which it was collected, an assessment must be made to establish whether the new purpose is lawful. The assessment must be referred to the DPL and the decision documented in Feedback Works’ Processing Activity Register.


8. THE LAWFULNESS OF PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

8.1. Additional rules apply to Special Categories of Personal Data. The lawfulness of processing any Special Category of Personal Data must be decided by Feedback Works’ DPL and be documented in Feedback Works’ Processing Activity Register.

8.2. In relation to the processing of any Special Category of Personal Data, to be lawful at least one legal basis from section 7.2 AND one of the following must apply:

8.2.1. The data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes

8.2.2. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the fields of employment, social security and social protection, in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and interests of the data subject

8.2.3. Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

8.2.4. Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim

8.2.5. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity

8.2.6. Processing is necessary for reasons of substantial public interest

8.2.7. Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of UK law or pursuant to contract with a health professional

8.2.8. Processing is necessary for reasons of public interest in the area of public health

8.2.9. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

9. CONDITIONS FOR CONSENT

9.1. The GDPR sets a high standard for consent and it must offer individuals real choice and control. Genuine consent puts individuals in charge, builds trust and engagement and enhances Feedback Works’ reputation.

9.2. Where the legal basis for processing personal data is consent, Feedback Works must be able to evidence that the data subject has consented to the processing of his or her personal data.

9.3. Where the legal basis for processing personal data is based on consent, it must be unambiguous and involve a clear affirmative action (an opt-in). Pre-ticked opt-in boxes must not be used to capture any form of consent.

9.4. Where the legal basis for processing personal data is consent, consent must not be a pre-condition of signing up to a service, and the data subject must be able to withdraw his or her consent at any time.

9.5. Withdrawing consent must be as easy as giving it.

9.6. Requests for consent to process personal data must be presented in a way that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this regulation shall not be binding.

9.7. Where the legal basis for processing personal data is consent, that consent must meet the standard of consent set out by the GDPR. Consent obtained prior to 25 May 2018 must also meet the GDPR standard; where it does not, fresh consent must be obtained.


10. SPECIFIED, EXPLICIT AND LEGITIMATE PURPOSE

10.1. The second principle states that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Collecting personal data ‘just in case’ is not an adequate purpose.

10.2. All of Feedback Works’ Workforce must ensure that there is clarity about the purpose for which personal data is collected and used.

10.3. All specified, explicit and legitimate purposes must be approved by Feedback Works’ DPL and be documented in Feedback Works’ Processing Activity Register.


11. ADEQUATE, RELEVANT AND LIMITED

11.1. The third principle states that personal data must be adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed.

11.2. All of Feedback Works’ Workforce must ensure that there is clarity about what information is required in order to meet the specific, explicit and legitimate purpose for which personal data is needed. Only the information needed to meet that purpose may be collected, information not needed cannot be collected.

11.3. Collecting personal data “just in case” will be deemed to be excessive and a breach of the GDPR.


12. ACCURATE AND KEPT UP TO DATE

12.1. The fourth principle states that personal data must be accurate and, where necessary, kept up to date.

12.2. All of Feedback Works’ Workforce must ensure that they have adequate procedures in place to ensure that personal data is accurate and that all notifications of changes to the accuracy of the data are actioned without delay.


13. RETENTION OF PERSONAL DATA

13.1. The fifth principle states that Personal Data must be kept for no longer than is necessary for the purposes for which the personal data is being processed.

13.2. The rules setting out how long records containing personal data may be kept are contained in Feedback Works’ Records Retention Schedule, which describes each record, sets out the period for which they are to be retained and provides some examples. Where relevant, the schedule identifies the reason (legislative, regulatory and / or operational) on which retention is based and how the records are managed.

13.3. All of Feedback Works’ Workforce are responsible for ensuring that all records, and the personal data contained in them, are managed in accordance with Feedback Works’ Records Retention Schedule.

13.4. Disposing of personal data sooner than is set out in Feedback Works’ Records Retention Schedule is likely to be a breach of the GDPR.

13.5. Keeping personal data for longer than is set out in Feedback Works’ Records Retention Schedule is likely to be a breach of the GDPR.


14. SECURITY OF PERSONAL DATA

14.1. The sixth principle states that Personal Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

14.2. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Feedback Works shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

14.3. Feedback Works will take appropriate technical and organisational measures to protect all personal data held on and within its IT infrastructure. Feedback Works’ IT managed service provider is responsible for maintaining the security of Feedback Works’ IT infrastructure and for ensuring that regular tests are carried out to ensure that security is maintained.

14.4. All of Feedback Works’ Workforce is responsible and accountable for assessing the risks that are presented by processing the personal data for which they are responsible and to put in place appropriate technical and organisational measures to prevent:

14.4.1. accidental or unlawful destruction, loss or alteration of personal data

14.4.2. unauthorised disclosure of, or access to, personal data

14.5. All mobile phones, smart devices and tablets which have access to Feedback Works’ IT network and e-mail system must be password or PIN protected. This includes any personal devices that are used to access Feedback Works’ IT systems and which may hold special categories of personal data in the form of e-mails and attachments belonging to Feedback Works. The password must be unique to the user and must not be the default password assigned to the device.

14.6. Appropriate technical and organisational measures taken by Feedback Works to safeguard personal data are:

14.6.1. mandatory GDPR training for all of Feedback Works’ workforce

14.6.2. password protecting all electronic files that contain confidential and special categories of personal data

14.6.3. sending documents containing confidential or special categories of data as password-protected e-mail attachments, with the password given to the recipient by a separate channel (never in the same e-mail), and sending paper documents by special or recorded delivery

14.6.4. keeping confidential and all forms of personal data in locked cabinets or locked drawers

14.6.5. not leaving any form of personal data unattended on computer screens or desks, in unlocked filing cabinets, or uncollected on printers

14.6.6. locking computer screens whenever they are left unattended

14.6.7. a DPL approved contract or data processing agreement with third parties outside of Feedback Works who process personal data on our behalf

14.6.8. never recording the details from the front of a payment card (card number, expiry date, cardholder name) or the three-digit security code when processing financial data

14.6.9. securely disposing of paper files and records which contain confidential and all forms of personal data by shredding them and never throwing them in the wastepaper bin intact

14.7. Files containing confidential data or Special Categories of Data must be stored on Feedback Works’ network, with access available only to authorised members of staff. This data must be password protected and may only be copied to laptops or other mobile storage devices on a temporary basis for a specific purpose; it must then be copied back to the network and deleted from the laptop or other device once it is no longer required.

14.8. Passwords

14.8.1. Passwords are essential to keep data secure from unauthorised access and accidental misuse. Passwords also protect against malicious destruction of data and reduce the risk of individuals erasing data by mistake.

14.8.2. All passwords must be reasonably complex and difficult for unauthorised people to guess. Staff should choose passwords that are at least eight characters long and contain a combination of upper- and lower-case letters, numbers, punctuation marks and other special characters; longer passphrases are preferable to short complex strings, and a password must not be reused across systems or be one known to have been exposed in a breach. These requirements will be enforced by software wherever possible.

14.8.3. Passwords must never be shared with anyone else within Feedback Works, including co-workers, managers, administrative assistants or IT staff.

14.8.4. Passwords must never be shared with outside parties, including those claiming to be representatives of a business partner with a legitimate need to access a system.

14.8.5. Passwords should never be written down.

14.9. Transporting or Sending Personal Data

14.9.1. Before any personal data is removed from Feedback Works’ office, staff must establish whether it contains Special Categories of Data.

14.9.2. Whenever any personal data leaves any Feedback Works premises, whether by post, carried by hand or sent by e-mail, staff must assess the risks to the data subject and to Feedback Works in the event that the data is lost or stolen. As part of this process, staff must assess:

14.9.2.1. the likely impact on the data subject if the data is lost or stolen

14.9.2.2. the likely consequences for Feedback Works if the data is lost or stolen

14.9.2.3. what measures are necessary to ensure that every reasonable precaution has been taken to prevent the data from being lost or stolen

14.9.3. Where necessary, assessments of the risks of removing Special Categories of Data (including the measures taken to ensure their safety) must be kept on record and produced as evidence in the event of a breach.

14.9.4. To ensure that every reasonable precaution has been taken to prevent data from being lost or stolen whilst in transit, the following measures should be taken. This list is not exhaustive.

14.9.4.1. checking that the envelope is correctly addressed

14.9.4.2. sending the document(s) by Royal Mail’s Special Delivery service or by recorded delivery

14.9.4.3. clearly marking the envelope ‘private and confidential’

14.9.4.4. ensuring that the documents are packaged securely

14.9.4.5. when transporting documents by hand, keeping them with you at all times and never leaving them unattended

14.9.4.6. when sending sensitive personal data or confidential data electronically, ensuring that the content is either sent as a password-protected attachment or that the data is anonymised

14.9.4.7. when sending confidential data or Special Categories of Data electronically (e.g. by e-mail), whether inside or outside the organisation, ensuring that attachments are password protected and that the password is given to the recipient by a separate channel (for example by telephone), never in the same e-mail. Confidential and sensitive personal data must not be written in the body of an e-mail but must be sent as a password-protected attachment.

14.9.5. In the event of a breach, where the data subject has given explicit written consent for their sensitive personal data to be sent outside Feedback Works, the staff member responsible must be able to provide evidence that every reasonable measure was taken to ensure the safety of the data.

14.9.6. Any list or database that contains names, addresses or other identifiable data must be password protected before being sent as an e-mail attachment.

14.9.7. If there is a need to send confidential data or Special Categories of Data physically rather than electronically, it must be transported by a trusted means: with a colleague in a locked bag, by courier, or by special or recorded delivery.

14.9.8. Personal data being transported on backup media or a memory stick must be encrypted; password protection of the individual files alone is not sufficient. The recipient must be contacted to confirm that the data has reached its destination, and a record kept of what data was provided and to whom.

14.9.9. When sending e-mails, particularly those which contain personal data, check the recipients before sending: the e-mail must only be sent to those members of staff who need to be kept informed.

14.9.10. When using portable storage media such as laptops, CDs or memory sticks to store sensitive personal data, the device must be encrypted.


15. PRIVACY BY DESIGN AND PRIVACY IMPACT ASSESSMENTS (PIAs)

15.1. Privacy by Design is an approach to ensure that privacy and GDPR compliance is built into the initial design stages of:

15.1.1. any new IT system that includes storing or accessing personal data

15.1.2. any new policy or strategy that has privacy implications

15.1.3. any change in the processing of personal data, such as a new HR system

15.2. All projects that involve the processing of personal data or change the way in which existing personal data is processed, must undertake a PIA to ensure Privacy by Design.

15.3. PIAs are a tool to identify and reduce the privacy risks of personal data processing and can reduce the risks of harm to individuals through the misuse of their personal information. It can also help in the design of more efficient and effective processes for handling personal data.

15.4. All PIAs must use Feedback Works’ PIA template, which follows the template published by the ICO.


16. DATA CONTROLLERS AND DATA PROCESSORS

16.1. Data Controllers

16.1.1. A data controller is any organisation or person that decides the purpose for processing personal data and how it is processed. As it decides the purposes for processing personal data about the people it supports, its Workforce and its clients, Feedback Works is a Data Controller.

16.1.2. As a Data Controller, Feedback Works is responsible for being able to demonstrate that its processing of personal data is performed in accordance with the GDPR.

16.1.3. As a Data Controller, Feedback Works is responsible for ensuring Privacy by Design is built into all new processing activities, or changes to existing processing activities, that involve personal data.

16.2. Data Processors

16.2.1. A Data Processor is any organisation or person that processes personal data on behalf of Feedback Works. Anyone that Feedback Works shares personal data with, in order that they do something with it on our behalf, is a Data Processor.

16.2.2. Where processing is carried out on behalf of Feedback Works, we must use only processors providing sufficient guarantees that they have appropriate technical and organisational measures to ensure that processing meets the requirements of GDPR, and they are able to ensure the protection of the rights of the data subjects whose data they are processing. These guarantees must be documented and updated on a regular basis.

16.2.3. As a data controller, Feedback Works must clearly set out, in the form of a contract or data processing agreement that is binding on the processor with specific regard to the processing of personal data on Feedback Works’ behalf:

16.2.3.1. the purpose of processing

16.2.3.2. the intended duration of processing

16.2.3.3. a description of the personal data to be processed on our behalf

16.2.3.4. the categories of data subjects

16.2.3.5. the obligations and rights of the controller.

16.2.4. All contracts and data processing agreements with processors must be reviewed by Feedback Works’ DPL to ensure that they contain sufficient guarantees that the processor will implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.

16.2.5. The DPL shall keep and maintain a register of Data Processors. This register shall include who the data processor is, the purpose for which they are processing the data, a description of the technical and organisational measures and a copy of the contract or data processing agreement.

16.2.6. Where Feedback Works’ DPL deems that a processor determines the purpose and means of processing personal data covered by a data processing agreement, that processor shall be considered to be a controller in respect of that processing.

16.2.7. No processor may engage another processor without prior specific or general written authorisation of Feedback Works. In the case of general written authorisation, the processor shall inform Feedback Works of any intended changes concerning the addition or replacement of other processors, thereby giving Feedback Works the opportunity to object to such changes.

16.2.8. In some circumstances Feedback Works operates as a data processor to our clients. It is equally important to apply the same rules, and any additional rules required by the client, when processing the clients’ data.


17. DATA SUBJECT RIGHTS

17.1. Transparency

17.1.1. All data subjects must be provided with information about the processing of their personal data. This information must be concise, transparent, intelligible and easily accessible, using clear and plain language. Where the data is collected from the data subject, the information must be provided at the time it is collected; where the data is obtained from another source, it must be provided within a reasonable period and no later than one month after it is obtained.

17.1.2. All of the following data subjects whose personal data Feedback Works was processing when the GDPR came into force must be provided with information about the processing of their personal data:

17.1.2.1. Clients

17.1.2.2. All current members of Feedback Works’ Workforce (employees) as defined in 1.3.

17.1.3. Whenever personal data is collected directly from the data subject (or their representative), the data subject must be provided with the following:

17.1.3.1. information clearly identifying Feedback Works as the Data Controller

17.1.3.2. an explanation of the purpose(s) for which their personal data will be processed

17.1.3.3. the legal basis for which the personal data will be processed

17.1.3.4. who the personal data is likely to be shared with

17.1.3.5. how long the personal data will be stored

17.1.3.6. where applicable, the fact that Feedback Works intends to transfer personal data to another country or an international organisation, the appropriate or suitable safeguards that apply, and the means by which to obtain a copy of them or where they have been made available

17.1.3.7. an explanation of their right to request access to their personal data

17.1.3.8. an explanation of their right to request rectification or erasure of their personal data, to restrict the processing of their personal data, to object to the processing of their personal data, and their right to data portability

17.1.3.9. where the legal basis for processing their personal data is based on consent, an explanation of their right to withdraw consent at any time

17.1.3.10. an explanation of their right to lodge a complaint with a supervisory authority

17.1.3.11. where the personal data was not obtained from the data subject, the source of the data and, if applicable, whether it came from publicly accessible sources

17.1.3.12. an explanation of their right to know of the existence, and information about, automated decision-making, including profiling

17.1.4. Whenever personal data about a data subject is obtained from a source other than the data subject, the data subject must, in addition to the above, be told the source of the data and the categories of personal data obtained.

17.1.5. It is the responsibility of staff to ensure that the information set out in 17.1.3 is communicated at the time the data is collected from the data subject or, where the data is obtained from another source, no later than one month after it is obtained.

17.1.6. The information in 17.1.3 must be provided, in the first instance, in writing. However, if requested by the data subject, the information may be provided orally.

17.1.7. If the data subject is a child, this information must be communicated in a way that the child will understand.

17.1.8. A record must be kept of all instances of when a data subject is provided with the above information.

17.2. Right of Access

17.2.1. All data subjects have the right to obtain from Feedback Works confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information:

17.2.1.1. the purpose of the processing

17.2.1.2. the categories of personal data concerned

17.2.1.3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in other countries or international organisations

17.2.1.4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period

17.2.1.5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing

17.2.1.6. the right to lodge a complaint with a supervisory authority

17.2.1.7. where the personal data is not collected from the data subject, any available information as to their source

17.2.1.8. the existence of automated decision-making, including profiling, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

17.2.2. All requests from data subjects to access their personal data MUST be forwarded to Feedback Works’ Data Protection Lead (DPL) immediately and not more than 24 hours after receipt of the request. The statutory time limit for responding to the request runs from the date Feedback Works receives it, not from the date the DPL is notified.

17.2.3. Deciding the information a data subject may, and may not, be given access to can be complicated and involve the application of exemptions. Therefore, ALL requests for access to personal data MUST be dealt with by Feedback Works’ DPL.

17.2.4. Failure to notify Feedback Works’ DPL of a request to access personal data may result in a failure to uphold the rights of the data subject and a breach of the GDPR.

17.2.5. Failure to notify Feedback Works’ DPL of a request to access personal data may also result in a data subject being provided with personal data that they are not entitled to, such as personal data relating to other individuals. This may result in a failure to uphold their rights and a breach of the GDPR.

17.3. Right of Rectification or Erasure (Right to be Forgotten)

17.3.1. Data subjects have the right to obtain from Feedback Works, without undue delay, the rectification of inaccurate personal data concerning them and, where one of the grounds set out in the GDPR applies, the erasure of personal data concerning them. The right to erasure is also referred to as the ‘right to be forgotten’.

17.3.2. Deciding whether personal data may be rectified or erased can be complicated and involve the application of exemptions. Therefore, ALL requests for personal data to be rectified or erased MUST be dealt with by Feedback Works’ DPL and must therefore be forwarded immediately and not more than 24 hours after receipt of the request.

17.3.3. A failure to inform Feedback Works’ DPL of a request from a data subject exercising their right of rectification or erasure of personal data concerning him or her could result in a breach of GDPR and may lead to action being taken against Feedback Works. Such a failure may also result in disciplinary action.

17.4. Right to Restrict Processing

17.4.1. Data subjects have the right to request that Feedback Works restrict the processing of their personal data.

17.4.2. All requests from data subjects exercising their right to request a restriction in the processing of their personal data MUST be forwarded to Feedback Works’ Data Protection Lead immediately and not more than 24 hours after receipt of the request.

17.4.3. Deciding what restrictions must be applied can be complicated and involve the application of exemptions. Therefore, ALL requests for the processing of personal data to be restricted are dealt with by Feedback Works’ DPL.

17.4.4. A failure to inform Feedback Works’ DPL of a request from a data subject exercising their right to obtain a restriction in the processing of their personal data could result in a breach of GDPR and may lead to action being taken against Feedback Works. Such a failure may also result in disciplinary action.

17.5. Right to Data Portability

17.5.1. Data subjects have the right to receive from Feedback Works the personal data concerning them which they have provided to Feedback Works, where the processing is based on consent or on a contract and is carried out by automated means, in a structured, commonly used and machine-readable format, and to have that data transmitted directly from Feedback Works to another controller, where technically feasible, without hindrance.

17.5.2. All requests from data subjects exercising their right to data portability MUST be forwarded to Feedback Works’ DPL immediately and not more than 24 hours after receipt of the request.

17.5.3. Deciding which personal data falls within the right to data portability, and the format in which it must be provided, can be complicated and involve the application of exemptions. Therefore, ALL requests from data subjects exercising their right to data portability are dealt with by Feedback Works’ DPL.

17.5.4. A failure to inform the DPL of a request from a data subject exercising their right to data portability could result in a breach of GDPR and may lead to action being taken against Feedback Works. Such a failure may also result in disciplinary action.

17.6. Right to Object and Automated Decision Making

17.6.1. Data subjects have the right to object to Feedback Works processing their personal data and to object to automated decisions being made about them using their personal data.

17.6.2. Decisions relating to the right to object to Feedback Works processing their personal data and to object to automated decisions can be complicated and involve the application of exemptions. Therefore, ALL objections to Feedback Works processing personal data and automated decision-making MUST be dealt with by Feedback Works’ DPL and must therefore be forwarded immediately and not more than 24 hours after receipt of the request.

17.6.3. A failure to inform Feedback Works’ DPL of a data subject exercising their right to object to Feedback Works processing their personal data and to automated decision making could result in a breach of GDPR and may lead to action being taken against Feedback Works. Such a failure may also result in disciplinary action.

17.6.4. Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

17.6.5. All automated decision-making processes must be subject to a Privacy Impact Assessment and be approved by the DPL.

 

18. PROCESSING PERSONAL DATA RELATING TO CRIMINAL CONVICTIONS AND OFFENCES

18.1. Processing personal data relating to criminal convictions and offences or related security measures may only be carried out under the control of official authority or when the processing is authorised by UK law.

 

19. SHARING PERSONAL DATA AS PART OF A POLICE INVESTIGATION

19.1. Occasionally, Feedback Works may be asked to share personal data as part of a police investigation. This includes access to images captured by CCTV cameras.

19.2. Any request by the Police for Feedback Works to share personal data MUST be made in writing and include an explanation as to why the data is needed. All such requests MUST be passed to Feedback Works’ DPL. No information should be provided to the Police unless the request has been assessed by Feedback Works’ DPL and a legal basis for sharing is established. Where sharing is approved, only the personal data necessary for the stated purpose should be disclosed, and a record of what was shared, with whom and on what basis must be kept.

 

20. REPORTING GDPR BREACHES

20.1. A personal data breach, and therefore a breach of GDPR, can occur for a number of reasons, including:

20.1.1. Loss or theft of data or equipment on which data was stored

20.1.2. Inappropriate access controls allowing unauthorised use

20.1.3. Equipment failure

20.1.4. Human error

20.1.5. Unforeseen circumstances such as fire or flood

20.1.6. Hacking attacks

20.1.7. ‘Blagging’ offences, where data is obtained by deceiving an organisation into disclosing it

20.2. Where a personal data breach is likely to result in a risk to data subjects’ rights and freedoms, Feedback Works must inform the Information Commissioner’s Office without undue delay and, where feasible, not later than 72 hours after becoming aware of it. Where the breach is likely to result in a high risk to data subjects’ rights and freedoms, the affected data subjects must also be informed without undue delay.

20.3. In order to comply with the requirement set out in 20.2, all personal data breaches, whether confirmed or suspected, must be reported to Feedback Works’ DPL immediately, and no later than 2 hours after the breach has become known. The DPL will request that the reporter of the breach completes a breach reporting form so that there is a written record of what happened. This must be completed within 24 hours of initial notification and then sent back to the DPL.

20.4. All employees are required to read the Data Breach Policy and Data Breach Management Procedure.

 

21. CONFIDENTIALITY

21.1. Feedback Works takes its obligation to maintain the confidentiality of personal data very seriously. All staff must respect an individual’s right to confidentiality.

21.2. In order for Feedback Works to function, it may be necessary to share information with colleagues within Feedback Works or external organisations. However, any sharing of this type must be compatible with the principles of the GDPR, in that there must be a legal basis for the sharing that is compatible with the purpose for which the data was collected.

21.3. During the course of their work, staff may see, hear or read confidential data relating to Feedback Works and its employees and sub-contractors. Confidential data must not be misused or divulged to any third party. This includes the press or media. A breach of confidence is likely to be a breach of GDPR.

21.4. All members of Feedback Works’ Workforce that have access to personal data are responsible for taking the necessary steps to safeguard its confidentiality.

21.5. Even when consent to disclose has been obtained, personal data must only be used in ways that safeguard the confidentiality of the data (including appropriate anonymity where possible).

21.6. Individuals who do not have a contract of employment with Feedback Works (and are not covered by an agreement or contract) are required to sign a data processing agreement and/or non-disclosure agreement. Where a contract is placed with another organisation for services which involve sharing or disclosing personal data, the parties concerned must also sign the agreement (see Section 16.3).

21.7. When sharing personal data, an obligation of confidentiality can only be set aside if the data subject has consented, there is a statutory obligation, or it is in the ‘public interest’, such as matters concerning the prevention or detection of crime or national security.

21.8. When setting aside a duty of confidence for the purpose of sharing, the DPL must be consulted to ensure that it complies with the GDPR.