The General Data Protection Regulation (“GDPR”) came into force across the European Union and, together with the Data Protection Act 2018 (“DPA”), replaced the UK Data Protection Act 1998. The purpose of the GDPR and DPA is to enhance and strengthen the protections afforded to individuals’ rights and freedoms, especially their right to privacy with respect to the processing of personal data.
1.1 Definitions and Meanings
1.1.1 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the Processing of personal data. Social Care and Health Training Ltd is a data Controller.
1.1.2 “Data Subject” means an identified or identifiable natural person about whom Personal Data is held. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, ID number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For Social Care and Health Training Ltd, Data Subjects include current, past and present students and staff, and other third parties such as suppliers, contractors, consultants or referees.
1.1.3 “Personal Data” means any information relating to a Data Subject. It includes, by way of example only, name, date of birth, images and photographs.
1.1.4 “Processing” means any operation which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.1.5 “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
1.1.6 “Special Categories of Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of data concerning physical or mental health or data concerning a person’s sex life or sexual orientation.
The GDPR works in two ways. Firstly, it sets out the main responsibilities for organisations in relation to the Processing of Personal Data, whereby they must comply with the six principles contained within the GDPR. Secondly, it provides a Data Subject with important rights, including the right to be informed, the rights of access, rectification, erasure, restriction of processing, data portability and objection, and rights in relation to automated decision making and profiling.
Social Care and Health Training Ltd, as a Controller, must provide prescribed information to the Information Commissioner’s Office (“ICO”) as well as pay a data protection fee annually. The ICO is the independent supervisory authority set up to promote and oversee compliance with data protection legislation in the UK. The ICO has the right to carry out investigations in the form of a data protection audit on Social Care and Health Training Ltd.
Social Care and Health Training Ltd is committed to protecting the rights of individuals in accordance with the provisions of the GDPR and DPA.
Social Care and Health Training Ltd is committed to the six data protection principles contained within the GDPR. These principles represent best standards of practice with respect to the transmission, retention and disposal of Personal Data. All staff, students and others who process or use any Personal Data must comply with these principles. These state that Personal Data must:
- i) be processed lawfully, fairly and in a transparent manner in relation to the Data Subject (“lawfulness, fairness and transparency”). (Further details in relation to “lawfulness” and having a “lawful basis” for Processing are contained in section 7 below);
- ii) be collected for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes (“purpose limitation”).
- iii) be adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed (“data minimisation”).
- iv) be accurate, kept up to date and if inaccurate erased or rectified (“accuracy”).
- v) be kept for no longer than is necessary for the purpose(s) for which the Personal Data is Processed (“storage limitation”); and
- vi) be Processed securely, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
LAWFUL BASIS FOR PROCESSING
For Processing of Personal Data to be lawful, all staff, students and others who process Personal Data must identify specific grounds for the Processing. This is called a “lawful basis”, and there are six options under Article 6 of the GDPR, which depend on the purpose of the Processing and the relationship with the Data Subject.
A “lawful basis” must be established before Processing begins and should be documented. If no “lawful basis” applies, then the Processing will be unlawful and in breach of the GDPR principles.
The “lawful bases” for Processing as set out in Article 6 of the GDPR are as follows:
- Consent: the individual has given clear consent to process their Personal Data for a specific purpose.
- Contract: The Processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering a contract.
- Legal obligation: The Processing is necessary to comply with the law (not including contractual obligations).
- Vital interests: The Processing is necessary to protect someone’s life.
- Public task: The Processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
- Legitimate interests: The Processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s Personal Data which overrides those legitimate interests. This cannot apply if you are a public authority Processing data to perform your official tasks.
At least one of these “lawful bases” must apply whenever Personal Data is being Processed.
The GDPR requires that Social Care and Health Training Ltd must inform Data Subjects when, why and how their Personal Data is used by Social Care and Health Training Ltd. Privacy notices should include the following information:
(i) Name and contact details of Social Care and Health Training Ltd, its representative (as applicable) and Data Protection Officer: Linus Dignam, 106 Tresham Road, Birmingham B44 9UD.
(ii) Purpose of the Processing of Personal Data.
(iii) Lawful basis for Processing Personal Data (and the legitimate interests for Processing, if applicable).
(iv) The categories of Personal Data obtained (if the Personal Data is not obtained from the individual).
(v) Who the Data Subject’s Personal Data is shared with, the recipients or categories of recipients of the Personal Data;
(vi) Details of international Personal Data transfers to any third countries or international organisations (if applicable).
(vii) How long the individual’s Personal Data is held (retention periods).
(viii) Rights of the individual as a Data Subject.
(ix) Right to withdraw consent (if applicable).
(x) Right to lodge a complaint with the ICO.
(xi) The source of the Personal Data (if the Personal Data is not obtained from the individual);
(xii) The details of whether individuals are under a statutory or contractual obligation to provide the Personal Data (if applicable, and if the Personal Data is collected from the individual); and
(xiii) The details of the existence of automated decision-making, including profiling (if applicable).
DATA PROTECTION IMPACT ASSESSMENTS
A data protection impact assessment (“DPIA”) is a process to help identify and minimise the data protection risks of a project. A DPIA must be done for Processing that is likely to result in a high risk to individuals. This includes some specified types of Processing. It is also good practice to do a DPIA for any other major project which requires the processing of Personal Data.
PERSONAL DATA BREACHES
3.1 Definition of a Personal Data Breach under the GDPR
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed (“Personal Data Breach”).
There is an obligation on Social Care and Health Training Ltd to report certain types of Personal Data Breach to the ICO without undue delay and, where feasible, not later than 72 hours after having become aware of it. If the breach is likely to result in a high risk to the individuals’ rights and freedoms, Social Care and Health Training Ltd must also inform those individuals without undue delay. Social Care and Health Training Ltd must keep a record of any Personal Data Breaches, their effects and the remedial action taken.
3.2 Fines
In the event of an infringement of the GDPR, the ICO has the power to impose fines (in more serious cases) of up to 20 million euros or, in the case of an undertaking, up to 4% of annual turnover, whichever is higher.
RIGHTS OF DATA SUBJECTS
4.1 Under the GDPR, an individual has the following rights (all of which are qualified in different ways).
(i) The right to be informed:
A Data Subject has the right to be informed about the collection of their Personal Data and to be informed of how their Personal Data is being used by social care and health training ltd. This is a key transparency requirement under the GDPR.
Data Subjects must be provided with information including: the purpose(s) for processing their Personal Data, the retention periods and who it will be shared with. This is called ‘privacy information’ and must be provided to individuals at the time Personal Data is collected from them. The information provided must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language. Privacy information must be regularly reviewed, and where necessary updated. Any new uses of an individual’s Personal Data must be brought to their attention before Processing commences.
If Personal Data is obtained from other sources, individuals must be provided with privacy information within a reasonable period of obtaining the data and no later than one month.
(ii) The right of access to Personal Data (Subject Access Request (“SAR”)):
A Data Subject has the right to request access to their Personal Data held by Social Care and Health Training Ltd. A SAR does not have to be submitted in any particular format, nor does the request have to include the phrase ‘subject access request’ or refer to data protection legislation.
(iii) The right to rectification:
A Data Subject has the right to have inaccurate Personal Data held by Social Care and Health Training Ltd rectified, or completed if it is incomplete (see Article 16 of the GDPR).
(iv) The right to be forgotten:
A Data Subject has the right to have their Personal Data held by Social Care and Health Training Ltd erased. This right is not absolute and only applies in certain circumstances.
(v) The right to restrict processing:
A Data Subject has the right to restrict Processing of their Personal Data. This right is not absolute and only applies in certain circumstances, as detailed in Article 18 of the GDPR.
(vi) The right to data portability:
A Data Subject has the right to receive copies of their Personal Data in a machine-readable and commonly used format. This right is not absolute and only applies in certain circumstances, as detailed in Article 20 of the GDPR.
(vii) The right to object:
A Data Subject has a right to object to the Processing of their Personal Data. This right is not absolute and only applies in certain circumstances, as detailed in Article 21 of the GDPR.
(viii) Rights in relation to automated decision making and profiling:
A Data Subject has a right not to be subject to a decision based solely on automated decision-making using their Personal Data without any human involvement. Profiling (automated processing of Personal Data to evaluate certain things about an individual) can be part of an automated decision-making process. This right is not absolute and only applies in certain circumstances, as detailed in Article 22 of the GDPR.
Exercising Data Subject Rights:
Any person who wishes to exercise any of the rights detailed at points (i) to (viii) above is required to make their request either verbally or by post to Linus Dignam, Social Care and Health Training Ltd, 106 Tresham Road, Birmingham B44 9UD.
Social Care and Health Training Ltd does not normally charge a fee to process such requests. However, where the request is manifestly unfounded or excessive, Social Care and Health Training Ltd may charge a reasonable fee for the administrative costs of complying with the request, or refuse to comply with the request (taking into account whether the request is repetitive in nature).
Social Care and Health Training Ltd undertakes to consider and, if appropriate, act upon a request without undue delay. In compliance with the law, this will be at the latest within one month of receipt of a request. However, that period may be extended by 2 further months where necessary, considering the complexity and number of the requests. Social Care and Health Training Ltd shall inform the Data Subject of any such extension within 1 month of the receipt of the request, together with the reasons for the delay.
If Social Care and Health Training Ltd refuses to comply with a request, it will inform the individual without undue delay and within one month of receipt of the request. In such circumstances, Social Care and Health Training Ltd shall explain its reasons for not taking the action, and inform the individual of their right to make a complaint to the ICO and of their ability to seek to enforce this right through a judicial remedy.
Rights in relation to automated decision making and profiling:
Social Care and Health Training Ltd undertakes to consider an objection without undue delay. In compliance with the law, Social Care and Health Training Ltd will confirm the action it has taken within one month of receipt of an objection.
If Social Care and Health Training Ltd refuses to comply with an objection, it will similarly inform the individual without undue delay and within one month of receipt of the objection. In such circumstances, Social Care and Health Training Ltd shall explain its reasons for not taking the action and inform the individual of their right to challenge or appeal such decision, and the grounds on which they can appeal.
Social Care and Health Training Ltd, as Controller, shall be responsible for, and be able to demonstrate compliance with, the Data Protection principles and the rights of individuals detailed above.
The GDPR introduces a range of accountability requirements which encourage Social Care and Health Training Ltd to take a proactive and documented approach to compliance. These accountability requirements include:
5.1 Implementing policies, procedures, processes and training to promote “data protection by design and by default”.
5.2 Having appropriate contracts in place when outsourcing functions that involve the Processing of Personal Data.
5.3 Implementing appropriate security measures.
5.4 Maintaining records of the Data Processing that is carried out across Social Care and Health Training Ltd.
5.5 Documenting and reporting Personal Data breaches.
5.6 The obligation to carry out a Data Protection Impact Assessment before carrying out types of Processing “likely to result in a high risk to individuals”.
5.7 Appointing a Data Protection Officer.
5.8 Adhering to relevant codes of conduct and signing up to certification schemes.
Under Article 77 of the GDPR, available at: http://www.privacy-regulation.eu/en/article-77right-to-lodge-a-complaint-with-a-supervisory-authority-GDPR.htm, an individual has the right to make a complaint if they feel that their personal information has not been handled by Social Care and Health Training Ltd in accordance with the GDPR. A complaint may be submitted in writing to the Data Protection Officer, Mr Linus Dignam, Social Care and Health Training Ltd, 106 Tresham Road, Birmingham B44 9UD.
Guide to the General Data Protection Regulation (GDPR) https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protectionregulation-gdpr/
Information Commissioner’s website: https://ico.org.uk/