GDPR

Introduction

This document highlights the key areas of the General Data Protection Regulation (GDPR) to help us understand the new legal framework in the EU. It explains the similarities with the existing UK Data Protection Act 1998 (DPA), and describes some of the new and different requirements. It is aimed at those who have day-to-day responsibility for data protection. The GDPR came into force in the UK from 25 May 2018.

Statement of Intent

The General Data Protection Regulation (GDPR) is designed to protect the privacy of individuals. It requires that any personal information about an individual is processed securely and confidentially. This includes both staff and contractors. How the company obtains, shares and uses information is critical, as personal data is sensitive and private. Everyone alike has the right to know how the information about them is used. The General Data Protection Regulation requires the company to strike the right balance in processing personal information so that an individual’s privacy is protected. Applying the principles to all information held by the company will typically achieve this balance and help to comply with the legislation.

We will respect the privacy of all personnel. We aim to ensure that all personnel can share their information in the confidence that it will only be used for activities within the business. Record-keeping systems are in place that meet legal requirements, and the storing and sharing of that information take place within the framework of the General Data Protection Regulation and the Human Rights Act.

General Data Protection Regulation principles

To comply with GDPR, the company shall observe the eight ‘General Data Protection Regulation principles’, ensuring that:

  • Personal data shall be processed fairly and lawfully.
  • Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  • Personal data shall be processed in accordance with the rights of data subjects under this Act.
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

In practice, it means that the company must:

  • have legitimate grounds for collecting and using the personal data.
  • not use the data in ways that have unjustified adverse effects on the individuals concerned.
  • be transparent about how they intend to use the data, and give individuals appropriate privacy notices when collecting their personal data.
  • handle people’s personal data only in ways they would reasonably expect, and make sure they do not do anything unlawful with the data.

Personal data is information that relates to an identifiable living individual that is processed as data. Processing amounts to collecting, using, disclosing, retaining or disposing of information. The General Data Protection Regulation principles apply to all information held electronically or in structured paper files.

The principles also extend to additional records – the names of employees and others, dates of birth, addresses, national insurance numbers, qualifications, medical information, security checks, personal records and staff development reviews.

Sensitive personal data is information that relates to:

  • Race and ethnicity,
  • Political opinions,
  • Religious beliefs,
  • Membership of trade unions,
  • Physical and mental health,
  • Sexuality,
  • Criminal offences.

Sensitive personal data is given greater legal protection, as individuals would expect certain information to be treated as private or confidential – for example, a security check may be required to work in certain areas within the scope of the business. The individual will be asked for consent before this is done; the results are private and confidential and should only be available to those to whom consent has been granted.

It is important to differentiate between personal information that individuals would expect to be treated as private or confidential (whether or not it is legally classified as sensitive personal data) and personal information that can be made freely available. For example, the names of the company’s employees, and of contractors working on behalf of the company, would be expected to be known to clients and to personnel within the company. However, a home address and personal contact number are treated as private unless the person concerned grants permission.

What must the company do?

We must have a full understanding of what is required when processing personal data and how to meet those requirements.

We have nominated the company administrators as the ‘Data Protection Controller’.

The company has clear, practical policies and procedures on information governance for personnel to follow, and monitors their operation.

These should include:

– Requirements for compliance with applicable legislation
– Privacy notices for employees and contractors
– Records management

Data Breaches

In the event of a personal data breach, the Data Protection Controller and Senior Management team should be notified immediately, and an investigation carried out.

Individual Rights

The General Data Protection Regulation includes the following rights for individuals:

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object; and
  • The right not to be subject to automated decision-making including profiling.

The General Data Protection Regulation gives an individual the right to request the personal information that the company holds about them – this is known as a Subject Access Request and includes any and all information held by the company, not just information held on central files or electronically, so it could also include correspondence or notes held by others in the company.

  • Requests must be responded to within 1 month of receipt.
  • The request should be made in writing by the individual making the request.
  • The company can refuse or charge for requests that are manifestly unfounded or excessive.

Staff Responsibilities

Staff need to know and understand:

  • How to manage, keep and dispose of data.
  • The company’s procedures in relation to records, email, social media, mobile technology, and website.
  • When they are allowed to share information with others and how to make sure it is kept secure when shared.

Information and IT Equipment Acceptable Usage

Acceptable Usage covers the security and use of all company information and IT equipment. It also includes the use of email, internet, voice and mobile IT equipment. This applies to all employees, contractors and agents working on behalf of the company.

This applies to all information, in whatever form, relating to SEP business activities, and to all information handled by SEP relating to other organisations with whom it deals. It also covers all IT and information communications facilities operated by SEP or on its behalf.

Computer Access Control – Individual’s Responsibility

Access to the IT systems is controlled by the use of User IDs and passwords. All User IDs and passwords are to be uniquely assigned to named individuals and consequently, individuals are accountable for all actions on the IT systems.

Individuals must not:

  • Allow anyone else to use their user ID and password on any of the companies’ IT systems.
  • Leave their user accounts logged in at an unattended and unlocked computer.
  • Use someone else’s user ID and password to access the IT systems.
  • Leave their password unprotected (for example writing it down).
  • Perform any unauthorised changes to the IT systems or information.
  • Attempt to access data that they are not authorised to use or access.
  • Exceed the limits of their authorisation or specific business need to interrogate the system or data.
  • Connect any unauthorised device to the IT systems.
  • Store data on any non-authorised equipment.
  • Give or transfer data or software to any person or organisation outside the companies without the authority of the company.

Managers must ensure that individuals are given clear direction on the extent and limits of their authority with regard to IT systems and data.

Internet and email Conditions of Use

Use of SEP internet and email is intended for business use. Personal use is permitted where such use does not affect the individual’s business performance, is not detrimental to the companies in any way, is not in breach of any term and condition of employment, and does not place the individual or the companies in breach of statutory or other legal obligations.

All individuals are accountable for their actions on the internet and email systems.

Individuals must not:

  • Use the internet or email for the purposes of harassment or abuse.
  • Use profanity, obscenities, or derogatory remarks in communications.
  • Access, download, send or receive any data (including images) which the company considers offensive in any way, including sexually explicit, discriminatory, defamatory or libellous material.
  • Use the internet or email to make personal gains or conduct a personal business.
  • Use the internet or email to gamble.
  • Use the email systems in a way that could affect its reliability or effectiveness, for example distributing chain letters or spam.
  • Place any information on the Internet that relates to the companies, alter any information about it, or express any opinion about the companies, unless they are specifically authorised to do this.
  • Send unprotected sensitive or confidential information externally.
  • Make official commitments through the internet or email on behalf of the companies unless authorised to do so.
  • Download copyrighted material such as music media (MP3) files, film and video files (not an exhaustive list) without appropriate approval.
  • In any way infringe any copyright, database rights, trademarks, or other intellectual property.
  • Download any software from the internet without prior approval of the IT Department.
  • Connect the companies’ devices to the internet using non-standard connections.

Clear Desk and Clear Screen Policy

In order to reduce the risk of unauthorised access or loss of information, we enforce a clear desk and screen policy as follows:

  • Personal or confidential business information must be protected using security features provided.
  • Computers must be logged off/locked or protected with a screen locking mechanism controlled by a password when unattended.
  • Care must be taken to not leave confidential material on printers or photocopiers.
  • All business-related printed matter must be disposed of using shredders.

Working off Site

It is accepted that laptops and mobile devices will be taken off-site. The following controls must be applied:

  • Working away from the office must be in line with company policies.
  • Equipment and media taken off-site must not be left unattended in public places, and must not be left in sight in a car.
  • Laptops must be carried as hand luggage when travelling.
  • Information should be protected against loss or compromise when working remotely (for example at home or in public places). Screens must be locked and protected by username and password.
  • Particular care should be taken with the use of mobile devices such as laptops, mobile phones, smartphones and tablets. They must be protected at least by a password or a PIN and, where available, encryption.

Mobile Storage Devices

Mobile storage devices such as memory sticks, CDs, DVDs and removable hard drives must be used only in situations where network connectivity is unavailable or there is no other secure method of transferring data. Only company-authorised mobile storage devices must be used when transferring sensitive or confidential data. The confidential data shall be erased from the mobile device at the earliest opportunity. The information on the device shall not be given to others unless they are authorised.

Software

Employees must use only software that is authorised by the company on company computers. Authorised software must be used in accordance with the software supplier’s licensing agreements. All software on SEP computers must be approved and installed by the companies’ IT support.

Individuals must not:

  • Store personal files such as music, video, photographs or games on the companies’ IT equipment.

Viruses

IT support is provided through the employment of third-party specialists; automated virus detection, anti-virus software updates, a firewall and blockers are in use. All PCs must have these installed before they are given access to the server.

Individuals must not:

  • Remove or disable anti-virus software or other protection software.
  • Attempt to remove virus-infected files or clean up an infection, other than by the use of approved anti-virus software and procedures.

Telephony (Voice) Equipment Conditions of Use

Use of the companies’ voice equipment is intended for business use. Individuals must not use voice facilities for sending or receiving private communications on personal matters, except in exceptional circumstances. All non-urgent personal communications should be made at an individual’s own expense using alternative means of communications.

Individuals must not:

  • Use voice facilities for conducting private business unless permission is granted.
  • Make hoax or threatening calls to internal or external destinations.
  • Accept reverse-charge calls from domestic or international operators, unless it is for business use.

Actions upon Termination of Contract

All the company’s equipment and data, for example laptops and mobile devices including telephones, smartphones, USB memory devices and CDs/DVDs, must be returned to the company at termination of contract.

All the company’s data or intellectual property developed or gained during the period of employment remains the property of the company and must not be retained beyond termination or reused for any other purpose.

Monitoring and Filtering

All data that is created and stored on the companies’ computers is the property of the companies, and there is no official provision for individual data privacy; however, wherever possible the companies will avoid opening personal emails.

IT system logging will take place where appropriate, and investigations will be commenced where reasonable suspicion exists of a breach of this or any other policy. The company has the right (under certain conditions) to monitor activity on its systems, including internet and email use, in order to ensure systems security and effective operation, and to protect against misuse.

Any monitoring will be carried out in accordance with audited, controlled internal processes, the UK Data Protection Act 1998, the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

It is your responsibility to report suspected breaches of security policy without delay to the Management Team.

All breaches of information security policies will be investigated. Where investigations reveal misconduct, disciplinary action may follow in line with disciplinary procedures.

Access to staff personal data

  • Employees are allowed to have access to all personal data about them held on manual or computer records under the GDPR. The GDPR requires the organisation to action requests for access to personal data within one month.
  • Should an employee request access to their personal data, the request must be addressed in writing to the relevant line manager. The request will be judged in the light of the nature of the personal data and the frequency with which it is updated. The employee will be informed whether or not the request is to be granted. If it is, the information will be provided within one month of the date of the request.
  • In the event of a disagreement between an employee and the line manager regarding personal data, the matter should be taken up under the company’s grievance procedure.
  • The right of employees to see information held about them is extended to information held in paper record-keeping systems as well as computerised systems.
  • There are some exemptions; for example employees will not be able to see employment references about them supplied in confidence, nor will people involved in negotiations with the data controller be able to see information about the data controller’s intentions in relation to those negotiations.
  • Employee data cannot be used for direct marketing if the data subject objects. Approval to use employee data for marketing purposes must be sought from the Director of Communications.