Appendix 14 – GDPR & Data Protection Policy
Purpose
Tracklements needs to collect and use certain types of information about our employees and other individuals who come into contact with us in order to carry on its business. This personal data must be collected and dealt with appropriately whether it is collected on paper, stored in an electronic database, or recorded on other material, and applicable data protection laws impose safeguards to ensure that it is.
Policy
This policy applies to all persons employed by, or working for, Tracklements including permanent and fixed term employees, contractors, consultants and agency workers. For convenience only, all such persons working for Tracklements are referred to in this policy as “Employees” or Tracklementeers, notwithstanding that some of them are not employees in law. For the purposes of this policy, all Tracklements’ entities are referred to as Tracklements or The Company.
This policy does not form part of the employment contract and does not otherwise have contractual effect and may be amended by Tracklements from time to time in its absolute discretion. In the event that any employee is found to have breached this policy, Tracklements may take action under the Disciplinary Policy.
Criminal Offence
It may be a criminal offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal data without our permission.
Data Protection Law
Tracklements regards the lawful and correct treatment of personal data as very important to successful working, and to maintaining the confidence of those with whom we deal. Tracklements is committed to ensuring that personal data are treated lawfully and correctly, in compliance with applicable data protection laws. Data protection laws are not intended to prevent the processing of personal data, but to ensure that any processing is done fairly and without adversely affecting the rights of the data subject.
Personal data of individuals (“data subjects”) in the UK is protected by a set of data protection principles, as currently set out in the Data Protection Act 2018 and in the separate UK General Data Protection Regulation (the “UK GDPR”).
From 25 May 2018, in all EEA countries, Directive 95/46/EC (the “Directive”) and the separate national laws implementing it were replaced by the General Data Protection Regulation (the “GDPR”) to increase the level of protection for personal data and significantly increase the level of fines that can be imposed on companies who breach data protection laws. Following the UK’s exit from the European Union, the GDPR was retained in UK law from 1 January 2021 as the UK GDPR, which applies alongside the Data Protection Act 2018.
The UK GDPR sets out principles to protect personal data. These are similar to the principles under the Directive, but contain some additional elements which increase the level of protection for personal data. As best practice, and to ensure that all processing of personal data by the Company is compliant with the UK GDPR, Employees are required to comply with the following key GDPR principles with immediate effect under this Policy. These principles cover:
Lawfulness, fairness and transparency;
Purpose limitation;
Data minimisation;
Accuracy;
Storage limitation;
Integrity and confidentiality;
Rights of the data subject;
Transfers of personal data outside the UK.
In addition, Tracklements through its Employees is accountable for compliance with these principles (this is known as “accountability”).
Data Protection Principles
Below is an explanation of the UK GDPR data protection principles which are most relevant to our Employees.
Storage Limitation
Principle: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
What the principle means: Once the purpose of the data processing has been achieved and the personal data are no longer needed for that purpose, the personal data should no longer be kept in a form which enables the data subject to be readily identified.
Applying the principle to Tracklements business: Tracklements should delete or destroy personal data which is no longer required. However, even when the main processing purpose has been achieved, there may still be a need to retain data for a secondary purpose (for example, a statutory retention period) for which there is also a legal basis for processing the data. In such cases, it may be appropriate to delete the data that is no longer required and/or archive the data that has to be retained for a certain period, rather than keeping all of the data “live” and readily accessible during this period. Unless there is an established procedure in place, always check with the Marketing Director before deleting or destroying personal data.
Integrity and Confidentiality
Principle: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
What the principle means: Data controllers must take appropriate technical and organisational security measures to protect personal information against accidental or unlawful destruction, loss or alteration, and against unauthorised disclosure or access. Data protection legislation does not specify which measures are appropriate to take; this depends on the nature of the personal data and how it is processed. As a general rule, Special Categories of Personal Data are likely to require greater protection than non-sensitive personal data. Examples of technical measures are:
Password protection on IT systems;
Applying password protection and/or encryption to documents; and
Limiting access rights to IT systems or parts of IT systems to users on a “need to know” basis.
Organisational measures can be physical measures, or practices and procedures. Examples are:
Entry controls to limit physical access to buildings or parts of buildings;
Secure lockable desks and cupboards;
Secure shredding of paper documents;
Logging off from unattended computers;
Using computer monitor privacy screens; and
Business continuity plans which identify how to protect and recover personal data in the event of a disaster.
Appropriate measures should be built into processes or systems from the outset, so that personal data are protected “by design” and “by default”.
Applying the principle to Tracklements business: Personal data must be stored securely and only be accessible to Employees on a “need to know” basis in accordance with the Employee’s role. When developing a new process or system which will involve the processing of personal data, whether manually (e.g., using files of paper records) or electronically (e.g. on an electronic database), Employees must consider from the outset how the personal data will be safeguarded, so there is maximum opportunity for the process or system to comply with data protection requirements.
Data Breaches
The UK GDPR imposes a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority (in the UK, the Information Commissioner’s Office, the “ICO”). A breach must be reported unless it is unlikely to result in a risk to individuals’ rights and freedoms. We must report without undue delay and, where feasible, within 72 hours of becoming aware of the breach; the 72-hour clock runs from the moment anyone at the Company becomes aware of it, not from the end of an internal investigation. Whether or not a breach is reportable, the Company must keep a record of it, including the facts, its effects and the remedial action taken.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we must also inform those individuals without undue delay.
What is a Data Breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. A breach is therefore not only about losing personal data.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
Examples of personal data breaches include:
access by an unauthorised third party;
deliberate or accidental action (or inaction) by a controller or processor;
sending personal data to an incorrect recipient;
computing devices containing personal data being lost or stolen;
alteration of personal data without permission; and
loss of availability of personal data.
What to do in the event of a Data Breach
If you become aware of, or suspect there has been, a data breach, you must contact the Marketing Director immediately. Do not delay reporting in order to investigate or to confirm the details yourself; the Company’s 72-hour reporting deadline runs from the time it becomes aware of the breach. When reporting, note when and how you became aware, what personal data and which individuals appear to be affected, and any steps already taken.
Definitions And Abbreviations
General Data Protection Regulation/the GDPR - a European Union regulation (Regulation (EU) 2016/679) which aims to harmonise data protection laws across the EU and EEA. The version retained in UK law after the UK’s exit from the EU is referred to in this policy as the UK GDPR.
Special Categories of Personal Data - this is personal data consisting of information such as your racial or ethnic origin, your political opinions, religious or philosophical beliefs, whether you are a trade union member, your physical and mental health, your genetic and biometric data and data relating to your sex life and sexual orientation.