GDPR

1.0 Document Purpose

The purpose of this Policy is to ensure compliance with the Data Protection Act 2018 and to ensure that Difrent discharges all of its legal obligations in this respect.  This policy also takes into account the requirements from the EU General Data Protection Regulation (GDPR) which came into effect on 25th May 2018 and applies to Personal Data and ‘Special Category’ Personal Data.

2.0 Scope

This Policy applies to all Difrent staff (including permanent, temporary, associates and contract staff) and to all activities for which Difrent is the data controller, including client data.

3.0 Definitions

3.1 Personally Identifiable Information (PII): any information that can identify or potentially identify a living individual.

This definition provides for a wide range of personal identifiers to constitute personal data, including:

  • Personal details
  • Family details
  • Lifestyle and social circumstances
  • Goods and services
  • Financial details
  • Education and employment details

3.2 ‘Special Category’ Personal Data: ‘Special Category’ data must not be processed without a lawful basis for processing or the data subject’s consent.  Breach of the GDPR in relation to ‘special category’ data carries the highest penalties.  The following information types are identified as ‘special category’:

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life
  • sexual orientation.

Criminal records are not specifically referred to within GDPR as ‘special category’, but a similar level of protection is implied within the regulation.

4.0 Responsibilities

  • This Data Protection Policy has been approved by, and has the full support of, the Difrent board who are ultimately responsible for compliance with data protection legislation
  • The Difrent board has appointed a Data Protection Officer who has direct responsibility for maintaining this policy, the data protection system and providing advice and guidance on its implementation
  • All staff are responsible for implementing the policy within their areas of responsibility
  • All staff will be provided with appropriate education and training and will be expected to comply with data protection legislation and adhere to this policy

5.0 Policy Statement

It is the policy of Difrent that personal data shall:

  • Be processed fairly, lawfully and in a transparent manner
  • Be collected only for specific, explicit and legitimate purposes
  • Be adequate, relevant and not be excessive in relation to the purpose(s) for which they are processed
  • Be kept accurate and, where necessary, kept up to date
  • Be kept no longer than is necessary
  • Be protected from unauthorised and unlawful processing and against accidental loss or destruction or damage by appropriate technical and organisational controls
  • Be processed in accordance with the rights of the data subjects
  • Not be transferred to a country or territory outside the EEA unless an adequate level of protection of the rights and freedoms of the data subject(s) can be guaranteed.

Further information security policies and procedures support this Policy.

6.0 Principles

The following principles shall be complied with throughout Difrent, for PII data collected by Difrent, where:

  • Difrent is the controller and the data is used for internal business operations and
  • Difrent receives data from a client and is required to be the Processor of that data. 

6.1 Fair and Lawful Processing

  • When asking individuals to provide personal information, Difrent shall be identified as the data controller
  • At the point where personal data is collected, there will be a clear statement of the purpose for which the information is being collected
  • Difrent will not use personal data for any purposes other than those set out to individuals, where there is a lawful basis for processing or where an individual’s consent has been obtained
  • Difrent will process personal data only:
    • where it is necessary for compliance with the law, the performance of a contract, with a view to establishing a contract, or
    • where it is in the organisation’s legitimate interests to do so
  • Where this is not possible, or in the case of sensitive personal data (see below), consent of the individual will be sought to enable the personal data to be processed
  • Difrent will obtain the explicit consent of the individual concerned for all processing of sensitive personal data; unless:
    • It is information relating to racial/ethnic origin, religion or disability that is being collected purely for monitoring equality of opportunity or treatment
    • It relates to the employment of Difrent staff
    • It is necessary for the provision of advice or support and the individual cannot reasonably be expected to give explicit consent
  • Difrent will require all third parties who process information on their behalf to formally agree that personal data will not be used for any purpose other than the agreed purpose
  • Difrent will not disclose personal data to third parties unless:
    • required by law
    • there is an information sharing agreement in place to ensure that any processing by the third party will be within the law
    • it is necessary in order to fulfil a legitimate purpose that has been advised to the data subject

6.2 Personal Data Quality

  • Collection of personal data will be limited solely to information that is necessary for processing purposes
  • When requested, staff will be provided with an opportunity to view and confirm the accuracy of personal data held by Difrent
  • Changes to personal data must be updated on all relevant systems as soon as possible after Difrent is informed of the change

6.3 Data Subject Access Requests and Requests to Correct Information

  • Where an individual requests copies of their personal data (a Data Subject Access Request – DSAR), the request will be dealt with within 30 days of receipt
  • The Data Protection Officer must be advised of all DSARs as soon as possible after receipt
  • A written record of all requests will be created
  • Any requests to correct inaccurate information will be dealt with promptly and the information corrected wherever it is held.

6.4 Personal Data Storage and Retention

  • Personal data held in hard copy format will be stored securely with access restricted to authorised staff
  • Personal data will be retained in accordance with Appendix A below
  • Where a retention period is not specified, personal information will only be retained for:
    • as long as required for its purpose
    • as long as required by law
  • Manual files relating to previous staff will have all non-essential information removed and securely destroyed prior to being archived
  • Difrent will require all data processors to formally agree that personal data will not be retained for longer than the purpose for which they are processing it
  • Personal data held on digital systems will be erased when no longer required.  Any storage media that holds personal data will be disposed of securely

6.5 Staff Awareness

  • Data protection training will be included in the staff induction process
  • All new staff will receive data protection training relevant to their role as soon as possible after the commencement of their employment
  • All staff will receive data protection training periodically
  • Guidance material will be available to all staff who process personal data

6.6 Client Data

  • During any client project, data received by Difrent must be secured and managed as directed by the client
  • A Data Protection Impact Assessment (DPIA) must be completed
  • All staff will receive data protection training periodically
  • Guidance material will be available to all staff who process data

7.0 Governance

7.1 Communication, Review & Maintenance

Difrent’s Data Protection Policy will be audited periodically, as appropriate, in order to ensure ongoing compliance with data protection legislation.

Staff shall be informed of any changes to the Policy by Management.  This Policy shall be made available to relevant interested parties as required.

This Policy will be reviewed regularly, at least on an annual basis, by Difrent’s Information Security Management Forum (ISMF) to ensure it remains fit for purpose and at other times as dictated by operational needs.

7.2 Related Documents

This Policy is supported by a number of information security related policies processes, procedures, guidelines and forms, details of which are available within the document store.

7.3 References

Appendix A – Personal Data Retention

The following tables show the types of personal data that may be held, together with the legal retention period or the period recommended by an appropriate body.  Retention periods that are legal requirements are identified in the Comment column by the relevant legislation; those that are recommendations are identified by the recommending body.

Staff Records

Record                                                      | Retention                                     | Comment
Application forms of non-shortlisted candidates             | 3 months                                      | Sex Discrimination Act & Race Relations Act
                                                            | 6 months                                      | Institute of Personnel Directors recommendation
Shortlists, interview notes and related application forms   | 1 year                                        | Institute of Personnel Directors recommendation
Personnel records (incl. training & disciplinary)           | 6 years after employment ceases               | Institute of Personnel Directors recommendation
Redundancy details/calculations                             | 6 years after redundancy                      | Institute of Personnel Directors recommendation
Wage/salary records                                         | 6 years                                       | Taxes Management Act
SMP & SSP records (incl. certificates & self-certification) | 3 years after the end of the related tax year | SMP Regulations; SSP Regulations
Parental leave                                              | 5 years from birth/adoption                   | Institute of Personnel Directors recommendation
