Managing personal data

The DPA sets out principles which govern the processing of personal data. These are to be understood by all those who are involved in the processing and require accuracy and care.

The principles are outlined below:

• All personal data must be processed fairly, lawfully and transparently
• Personal data must be obtained only for specified, explicit and lawful purposes and must not be processed in any manner incompatible with the purposes for which it was collected
• Personal data must be adequate, relevant and not excessive in relation to the original purpose for which it was processed
• Personal data must be accurate, kept up to date and every reasonable step taken to ensure that any inaccurate data is erased or rectified without delay
• Personal data must not be kept for any longer than is necessary for the purpose it was collected
• Personal data must be processed in a manner that ensures appropriate security, using technical or organisational measures. These measures should include protection against unauthorised or unlawful processing and against accidental loss, destruction or damage

In addition, the Group, its managers and employees must be able to demonstrate that they take responsibility for what they do with personal data i.e. accountability.

The DPA covers all forms of personal data, which is defined as information relating to identified or identifiable living individuals.

The information is classed as personal where the focus is on the individual or where a significant

The term “data processing” relates to all the routine aspects of handling the information, from the initial collection of the data about the individual through to the organisation, change, disclosure and its final destruction.

Data can be computerised data or manual records

Special categories of data

Under the GDPR, employers must restrict the processing of these special categories of data to what is necessary and adopt an appropriate company policy for this situation. Special categories of personal data’ alongside data which relates to criminal convictions and offences.

This data includes:

• An individual’s racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Generate data the for purpose of uniquely identifying an individual
• Data concerning health
• Data concerning sex life or orientation

The GDPR and DPA work in conjunction to protect individuals with regard to the processing of personal data, requiring that:

• personal data is processed lawfully and fairly on the basis of the data subject’s consent
• data subject can obtain information about the processing of their personal data and rectify inaccurate personal data

What data can we process?

There are six lawful bases:

• Consent – The Group processes employee data with their consent
• Legitimate interests – to provide a service
• Performance of a contract
• Legal obligation
• Vital interests
• Public task

Individual rights

Data subjects have the following rights regarding their personal data:

The right to be informed

Employees / Customers should receive certain information about the processing of their data, such as the categories of data and the purpose of processing.

The right of access

Employees / Customers have the right to access their personal data and other supplementary information.

The right to rectification

Employees / Customers have the right to rectify their personal data if it is inaccurate or incomplete.

The right to erase or “the right to be forgotten”

Employees / Customers can request removal or deletion of personal data where there is no compelling reason to keep processing the data.

The right to restrict processing

Employees / Customers have the right to restrict or block processing of personal data in specific circumstances, including where the accuracy of the data is questioned. The personal data can continue to be stored but no further processing can take place.

The right to data portability

Employees / Customers can obtain their personal data for personal use across different services.

The right to object

Employees / Customers have the right to object to the processing of personal data in specific circumstances, including for processing on the basis of a legitimate interest or direct marketing.

The Groups Privacy Notice is used as part of a data protection compliance which indicates how we manage and protect data.

Responsibilities and considerations when collecting data

• the data to be collected
• the purpose of the processing
• the legitimate interests of collecting the data and if a third party is involved
• the categories of personal data
• recipient or categories of recipient of the personal data
• details of transfers to third country and safeguards
• retention period or criteria used to determine the retention period
• the source of the personal data and whether it came from a publicly accessible source
• the existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.

Please note for recruitment and employment the Group cover the collection data, processing and storage of the employee data under the Groups employee privacy notice and the job applicant privacy notice.

Employees have the right to access their data under existing data protection laws and this is known as a subject access request.

Employees have a right to know whether or not their employer is processing personal data about them, the employee has a right to know:

• the purposes of the processing
• the categories of personal data concerned
• the recipients or categories of recipients to whom data has been or will be disclosed
• the period during which personal data will be retained
• information on the source of the data

It is a common misconception that employees have a right to see a copy of documents; this is not the case. They have a right see their personal data.

If you receive a data subject request, please contact the HR team who will inform you of the process.

A subject access request may be refused if the information requested falls into one of the exemptions permitted by the legislation:

• confidential references
• information that the organisation is required to publish by law
• personal data processed for the purpose of prevention or detection of crime, the capture or prosecution of offenders and the assessment or collection of tax
• management planning or management forecasting
• a record of intentions in negotiations with the employee
• in relation to core regulatory activities
• legal privilege
• health and education records
• social work records.
• Other, less common, exemptions also apply.

Accessing sickness, absence and medical reports – HR will deal with access and manage the process. It’s important you don’t share or store unprotected employee medical data. You should destroy or send to HR for storage.

Intercepting telecommunications – You can access employee communications if you believe it for a  ‘legitimate business persons.’

Collection and storage of information – You should make it clear where the source of information is gathered from, for what use and where it will be shared and stored

Collection of data for recruitment – HR will deal with access and manage the process. It’s important you don’t share or store unprotected employee medical data. You should destroy or send to HR for storage.

Collection of data from Social Media – Please be care of data you obtain from social media sights should only be used as part of the recruitment process when there is a proper reason to do so.  Only information that is relevant to the recruitment decision should be considered

It’s important if you become aware of a data breach, you inform your senior manager, HR and if applicable ICT immediately. A breach may be a loss, alteration, unauthorised disclosure of, or access to, personal data. It may include a hacking attack or human error eg sending information to the wrong email address.

If you have any concerns regarding Data Protection, please contact the HR Team.