Managing personal data
The Data Protection Act 2018 (DPA)
The Data Protection Act 2018 (DPA) is the law surrounding data protection and is in conjunction with the General Data Protection Regulation (GDPR)
The purpose of the Act is to instruct and inform upon appropriate processing of all information relating to individuals. It has also been introduced to make provision for a direct marketing code of practice and for connected purposes.
The DPA sets out how personal information should be processed to protect individual rights and allows employees to be aware of, and have some control over, the nature of the data held about them.
General Data Protection Regulation
The General Data Protection Regulation (GDPR) provides a framework for data protection. The GDPR applies to controllers and processors of data in the same manner as with the DPA. As such, personal data that is covered by the DPA is also covered by the GDPR.
The DPA and GDPR apply to the Group because we process personal data and we must adopt to protect key individual rights. If we do not follow or provide the employee/customer with their rights a significant fine of €20m, or 4% of the company’s annual turnover, could be awarded if there was a breach found.
The Group have produced company policies on data protection and all staff and customers must be made aware of these polices and have access to them. You will find the Group Privacy statement on the Groups business websites.
All employees have a responsibility to ensure Data Protection is taken seriously and the principles are complied with.
What is the Data Protection Act?
- The DPA consists of six key principles
- The Act also outlines specified conditions which can be referred to in the absence of employee consent
- Under the act employees must give consent for their personal data to be processed.
- The Group must provide the employee/ customers the right to make a ‘subject access request’ to view all information that is held on them from their employer. If you receive a request, contact HR for the Group’s process or see the section subject data requests
- Employers must seek permission from their employees to request personal medical documents from their relevant health practitioners. This requirement is undertaken by the HR Team upon employment and if referred to Occupational Health
- When recruiting, you should be careful not to use information on the candidate from social media unless there is a clear reason to do so and allow the candidate to respond in relation to the content.
- Data can be shared with third-party organisations, such as the police, if it relates to an ongoing crime or possible fraud
Finally, all business must register on a yearly basis with the ICO. Registration is provided for each business by HR.