UK General Data Protection Regulation (UK GDPR) & The Data Protection Act 2018 Policy
This policy covers the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR).
Data protection is about ensuring people can trust you to use their data fairly and responsibly.
If you collect information about individuals for any reason other than your own personal, family or household purposes, you need to comply.
The UK data protection regime is set out in the DPA 2018, along with the UK GDPR. It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.
The Information Commissioner’s Office (ICO) regulates data protection in the UK. They offer advice and guidance, promote good practice, carry out audits, consider complaints, monitor compliance and take enforcement action where appropriate.
Data protection is the fair and proper use of information about people. It’s part of the fundamental right to privacy – but on a more practical level, it’s really about building trust between people and organisations. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society.
It’s also about removing unnecessary barriers to trade and co-operation. It exists in part because of international treaties for common standards that enable the free flow of data across borders. The UK has been actively involved in developing these standards.
Data protection is essential to innovation. Good practice in data protection is vital to ensure public trust in, engagement with and support for innovative uses of data in both the public and private sectors.
The UK GDPR applies to the processing of personal data that is carried out:
· wholly or partly by automated means; or
· other than by automated means, where the personal data forms part of, or is intended to form part of, a filing system.
Personal data only includes information relating to natural persons who:
· can be identified, or are identifiable, directly from the information in question; or
· can be indirectly identified from that information in combination with other information.
Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
GDPR covers personal data relating to individuals. Resolute Care is committed to protecting the rights and freedoms of individuals with respect to processing the personal data of children, parents, visitors and staff.
This document sets out Resolute Care’s GDPR policy, including information on data sharing, data security and the data breach protocol. This policy is for data protection officers and others who have day-to-day responsibility for data protection.
This policy document has been prepared with due regard and consideration for the Information Commissioner’s Office (ICO) at: https://ico.org.uk/for-organisations/guide-to-data-protection/
Resolute Care is registered with the ICO.
Resolute Care is a ‘Data Controller’: a controller determines the purposes and means of processing personal data, whereas a processor processes personal data on behalf of a controller.
Responsibility for Resolute Care’s GDPR policy and data protection compliance is shared by Senior Managers at Resolute Care Head Office.
Resolute Care shall comply with the principles of data protection (the Principles) set out in the UK GDPR, and will make every reasonable effort in everything it does to comply with them.
The UK GDPR sets out seven key principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
Lawfulness, fairness and transparency
· You must identify valid grounds under the UK GDPR (known as a ‘lawful basis’) for collecting and using personal data.
· You must ensure that you do not do anything with the data in breach of any other laws.
· You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
· You must be clear, open and honest with people from the start about how you will use their personal data.
Purpose limitation
· You must be clear about what your purposes for processing are from the start.
· You need to record your purposes as part of your documentation obligations and specify them in your privacy information for individuals.
· You can only use the personal data for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear obligation or function set out in law.
Data minimisation
You must ensure the personal data you are processing is:
· adequate – sufficient to properly fulfil your stated purpose;
· relevant – has a rational link to that purpose; and
· limited to what is necessary – you do not hold more than you need for that purpose.
Accuracy
You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact.
Storage limitation
You must not keep personal data for longer than you need it.
Integrity and confidentiality (security)
You must ensure that you have appropriate security measures in place to protect the personal data you hold.
Accountability
The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.
The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever you process personal data:
a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
d) Vital interests: the processing is necessary to protect someone’s life.
e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Special category data is personal data that needs more protection because it is sensitive.
The UK GDPR defines special category data as:
· personal data revealing racial or ethnic origin;
· personal data revealing political opinions;
· personal data revealing religious or philosophical beliefs;
· personal data revealing trade union membership;
· genetic data;
· biometric data (where used for identification purposes);
· data concerning health;
· data concerning a person’s sex life; and
· data concerning a person’s sexual orientation.
This does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply.
The UK GDPR gives extra protection to the personal data of offenders or suspected offenders in the context of criminal activity, allegations, investigations, and proceedings.
If you have official authority, you can process personal data about criminal convictions and offences, because you are processing the data in an official capacity.
If you do not have official authority, you can only process criminal offence data if you can identify a specific condition for processing in Schedule 1 of the DPA 2018.
GDPR is designed to protect personal data
The UK GDPR protects individuals’ rights in the following ways:
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR. You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’. You must provide privacy information to individuals at the time you collect their personal data from them.
Resolute Care relies on legal obligation and contract as its lawful bases for collecting and processing certain types of data. For the collection or processing of any other types of data, such as photographs, we will seek active consent and also provide a suitable and accessible method for withdrawing that consent.
Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a subject access request or ‘SAR’.
There are special requirements and exceptions around this. A response must be given without undue delay and at the latest within one month of receipt, extendable by up to two further months where requests are complex or numerous. See the ICO guidance for further information.
See Information sharing and access to records policy.
The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. Resolute Care will respond within one calendar month to a request.
In certain circumstances you can refuse a request for rectification.
See Recording & Record Retention Policy.
The UK GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances. Resolute Care will respond within one calendar month to a request.
Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, you are permitted to store the personal data, but not use it. Resolute Care will respond within one calendar month to a request.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. The right only applies to personal data an individual has provided to a controller, where the lawful basis for processing is consent or contract and the processing is carried out by automated means.
The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. Resolute Care does not pass personal data to third parties for marketing purposes.
In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so.
You must tell individuals about their right to object. Resolute Care will respond within one calendar month to a request.
The UK GDPR has provisions on:
· automated individual decision-making (making a decision solely by automated means without any human involvement); and
· profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
The UK GDPR applies to all automated individual decision-making and profiling. Article 22 additionally restricts decisions made solely by automated means that have legal or similarly significant effects on individuals: such decisions are only permitted in limited circumstances, and individuals must be able to obtain human intervention, express their point of view and challenge the decision.
Individuals also have the right to lodge a complaint with the ICO. Full information about this is available at https://ico.org.uk/concerns/handling/
Please refer to Resolute Care policies on Information Sharing and Access to Records.
Paper copies of young people’s and staff records are kept in a secure location.
Other personal data is also stored at various Resolute Care locations, where it is kept in locked filing cabinets. Members of staff may access young people’s files, but information taken from those files about individual children is confidential. Apart from archiving, these records remain on site at all times. These records are shredded after the retention period.
The Resolute Care data archive is kept at a secure location.
Please refer to Resolute Care Recording and Record Retention Policy.
Please also refer to Resolute Care IT Policies for information on how data is stored electronically.
Under the UK GDPR, notifying the ICO of a personal data breach is mandatory where the breach is likely to result in a risk to individuals’ rights and freedoms.
The UK GDPR places a duty on all organisations to report such personal data breaches to the relevant supervisory authority, which for Resolute Care is the ICO. You must do this within 72 hours of becoming aware of the breach, where feasible; if notification is made later than this, the reasons for the delay must be given. A processor acting on behalf of Resolute Care must notify Resolute Care without undue delay after becoming aware of a breach.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority or the affected individuals, or both.
You must also keep a record of any personal data breaches, regardless of whether you are required to notify, documenting the facts relating to the breach, its effects and the remedial action taken.