Data Protection Policy and Privacy Policy
Introduction
Full-On Ltd takes its responsibilities with regard to the management of the requirements of the General Data Protection Regulation (GDPR) very seriously. This policy sets out how Full-On manages those responsibilities.
Full-On obtains, uses, stores and otherwise processes personal data relating to potential staff and drivers (contractors), current staff and drivers (contractors), former staff and drivers (contractors), website users and contacts, collectively referred to in this policy as data subjects. When processing personal data, Full-On is obliged to fulfil individuals’ reasonable expectations of privacy by complying with GDPR and other relevant data protection legislation (data protection law).
This policy therefore seeks to ensure that we:
The main terms used are explained in the glossary at the end of this policy (Appendix 3).
Scope
This policy applies to all personal data we process regardless of the location where that personal data is stored (e.g. on an employee’s own device) and regardless of the data subject. All staff and others processing personal data on Full-On’s behalf must read it. A failure to comply with this policy may result in disciplinary action.
Directors are responsible for ensuring that all Full-On staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance.
Personal data protection principles
When you process personal data, you should be guided by the following principles, which are set out in the GDPR. Full-On is responsible for, and must be able to demonstrate compliance with, the data protection principles listed below:
Those principles require personal data to be:
Data Subjects’ Rights
Data subjects have rights in relation to the way we handle their personal data. These include the following rights:
(a) if it is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
(b) if the only legal basis of processing is Consent and that Consent has been withdrawn and there is no other legal basis on which we can process that personal data;
(c) if the data subject objects to our processing where the legal basis is the pursuit of a legitimate interest or the public interest and we can show no overriding legitimate grounds or interest;
(d) if the data subject has objected to our processing for direct marketing purposes;
(e) if the processing is unlawful.
Requests (including for data subject access – see below) must be complied with, usually within one month of receipt. You must immediately forward any Data Subject Access Request you receive to the Director.
Accountability
Full-On must implement appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles. Full-On is responsible for, and must be able to demonstrate compliance with, the data protection principles.
We must therefore apply adequate resources and controls to ensure and to document GDPR compliance including:
Responsibilities
As the Data Controller, Full-On is responsible for establishing policies and procedures in order to comply with data protection law.
The DPO is responsible for:
(a) advising Full-On and its staff of their obligations under the GDPR;
(b) monitoring compliance with the GDPR and other relevant data protection law and with Full-On’s policies in this area, including monitoring training and audit activities related to GDPR compliance;
(c) providing advice where requested on data protection impact assessments;
(d) cooperating with and acting as the contact point for the Information Commissioner’s Office;
(e) having due regard, in the performance of his or her tasks, to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Staff members who process personal data about staff, or drivers (contractors) must comply with the requirements of this policy. Staff members must ensure that:
(a) all personal data is kept securely;
(b) no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
(c) personal data is kept in accordance with Full-On’s retention schedule;
(d) any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Director;
(e) any data protection breaches are swiftly brought to the attention of the Director and that they support the Director in resolving breaches;
(f) where there is uncertainty around a data protection matter advice is sought from the Director.
Staff who are unsure about who are the authorised third parties to whom they can legitimately disclose personal data should seek advice from the Director.
Where external companies are used to process personal data on behalf of Full-On responsibility for the security and appropriate use of that data remains with Full-On.
Where a third-party data processor is used:
(a) a data processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data;
(b) reasonable steps must be taken to ensure that such security measures are in place;
(c) a written contract establishing what personal data will be processed and for what purpose must be set out;
(d) a data processing agreement must be signed by both parties.
For further guidance about the use of third-party data processors please contact the Director.
Managers who employ contractors, short term or voluntary staff must ensure that they are appropriately vetted for the data they will be processing. In addition, managers should ensure that:
(a) any personal data collected or processed in the course of work undertaken for Full-On is kept securely and confidentially;
(b) all personal data is returned to Full-On on completion of the work, including any copies that may have been made. Alternatively, that the data is securely destroyed and Full-On receives notification in this regard from the contractor or short term / voluntary member of staff;
(c) Full-On receives prior notification of any disclosure of personal data to any other organisation or any person who is not a direct employee of the contractor;
(d) any personal data made available by Full-On, or collected in the course of the work, is neither stored nor processed outside the UK unless written consent to do so has been received from Full-On;
(e) all practical and reasonable steps are taken to ensure that contractors, short term or voluntary staff do not have access to any personal data beyond what is essential for the work to be carried out properly.
Data subject Access Requests
Data subjects have the right to receive copy of their personal data which is held by the University. In addition, an individual is entitled to receive further information about the University’s processing of their personal data as follows:
You should not allow third parties to persuade you into disclosing personal data without proper authorisation. For example, spouse or family members do not have an automatic right to gain access to data.
The entitlement is not to documents per se (which may however be accessible by means of the Freedom of Information Act, subject to any exemptions and the public interest), but to such personal data as is contained in the document. The right relates to personal data held electronically and to limited manual records.
You should not alter, conceal, block or destroy personal data once a request for access has been made. You should contact the Director before any changes are made to personal data which is the subject of an access request.
Reporting a personal data breach
The GDPR requires that we report to the Information Commissioner’s Office (ICO) any personal data breach where there is a risk to the rights and freedoms of the data subject. Where the personal data breach results in a high risk to the data subject, the data subject must also be notified, unless subsequent steps have been taken to ensure that the risk is unlikely to materialise, security measures were applied to render the personal data unintelligible (e.g. encryption), or it would amount to disproportionate effort to inform the data subject directly. In the latter circumstances, a public communication must be made or an equally effective alternative measure must be adopted to inform data subjects, so that they themselves can take any remedial action.
We have put in place procedures to deal with any suspected personal data breach and will notify data subjects or the ICO where we are legally required to do so.
If you know or suspect that a personal data breach has occurred, you should immediately contact the Director, following the instructions in the personal data breach procedure. You must retain all evidence relating to personal data breaches, in particular to enable Full-On to maintain a record of such breaches, as required by the GDPR.
Limitations on the transfer of personal data
The GDPR restricts data transfers to countries outside the EU in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. You transfer personal data originating in one country across borders when you transmit or send that data to a different country or view/access it in a different country.
You may only transfer personal data outside the EU if one of the following conditions applies:
Record Keeping
The GDPR requires us to keep full and accurate records of all our data processing activities. You must keep and maintain accurate corporate records reflecting our processing, including records of data subjects’ Consents and procedures for obtaining Consents, where Consent is the legal basis of processing.
These records should include clear descriptions of the personal data types, data subject types, processing activities, processing purposes, third-party recipients of the personal data, personal data storage locations, personal data transfers, the personal data’s retention period and a description of the security measures in place.
Records of personal data breaches must also be kept, setting out:
Training and Audit
We are required to ensure that all Full-On staff undergo adequate training to enable them to comply with data protection law. We must also regularly test our systems and processes to assess compliance.
You must regularly review all the systems and processes under your control to ensure they comply with this policy.
Data privacy by design and default and Data Protection Impact Assessments (DPIAs)
We are required to implement privacy-by-design measures when processing personal data, by implementing appropriate technical and organisational measures (like pseudonymisation) in an effective manner, to ensure compliance with data-protection principles. Full-On must ensure therefore that by default only personal data which is necessary for each specific purpose is processed. The obligation applies to the volume of personal data collected, the extent of the processing, the period of storage and the accessibility of the personal data. In particular, by default, personal data should not be available to an indefinite number of persons. You should ensure that you adhere to those measures.
As well as complying with Full-On practices designed to fulfil reasonable expectations of privacy, you should also ensure that your own data-handling practices default to privacy so as to minimise unwarranted intrusions into privacy, e.g. by disseminating personal data only to those who need to receive it to discharge their duties.
Full-On must also conduct DPIAs in respect of high-risk processing before that processing is undertaken.
You should conduct a DPIA (and discuss your findings with the Director) in the following circumstances:
Sharing Personal Data
In the absence of Consent, a legal obligation or other legal basis of processing, personal data should not generally be disclosed to third parties unrelated to Full-On.
Some bodies have a statutory power to obtain information (e.g. Child Support Agency). You should seek confirmation of any such power before disclosing personal data in response to a request. If you need guidance, please contact the Director.
Further, without a warrant, the police have no automatic right of access to records of personal data, though voluntary disclosure may be permitted for the purposes of preventing/detecting crime or for apprehending offenders. You should seek written assurances from the police that the relevant exemption applies.
Some additional sharing of personal data for research purposes may also be permissible, subject to certain safeguards.
Changes to this policy
We reserve the right to change this policy at any time without notice to you so please check regularly to obtain the latest copy. This policy was approved on 21 May 2019 by the Managing Director.
Appendix 1
Principle 1 of GDPR – Processing personal data lawfully, fairly and transparently
You may only process personal data fairly and lawfully and for specified purposes. These restrictions are not intended to prevent processing, but to ensure that we process personal data for legitimate purposes without prejudicing the rights and freedoms of data subjects. In order to be justified, Full-On may only process personal data if the processing in question is based on one (or more) of the legal bases set out below. Section 4.3 below deals with justifying the processing of sensitive personal data, including special category data.
The legal bases for processing non-sensitive personal data are as follows:
You must identify the legal basis that is being relied on for each processing activity, which will be included in the Privacy Notice provided to data subjects.
(a) Consent
You should only obtain a data subject’s Consent if there is no other legal basis for the processing. Consent requires genuine choice and genuine control.
A data subject consents to processing of his/her personal data if he/she indicates agreement clearly either by a statement or positive action to the processing. Silence, pre-ticked boxes or inactivity are therefore unlikely to be sufficient. If Consent is given in a document that deals with other matters, you must ensure that the Consent is separate and distinct from those other matters.
Data subjects must be able to withdraw Consent to processing easily at any time. Withdrawal of Consent must be promptly honoured. Consent may need to be renewed if you intend to process personal data for a different and incompatible purpose which was not disclosed when the data subject first consented, or if the Consent is historic.
You will need to ensure that you have evidence of Consent and you should keep a record of all Consents obtained so that we can demonstrate compliance.
Consent is required for some electronic marketing and some research purposes.
(b) Legal bases for Processing Sensitive Personal Data, including Special Category Data
Special Category Personal Data is data revealing:
It also includes the processing of:
Personal data relating to criminal convictions and offences, including the alleged commission of offences or proceedings for offences or alleged offences, should be treated in the same way as special category data.
The processing of sensitive personal data by Full-On must be based on one of the following (together with one of the legal bases for processing non-sensitive personal data as listed above):
Examples of sensitive personal data processed by Full-On will include:
Processing sensitive personal data represents a greater intrusion into individual privacy than when processing non-sensitive personal data. You must therefore take special care when processing sensitive personal data and ensure that you comply with the data protection principles (as set out in the main body of this policy) and with this policy, in particular in ensuring the security of the sensitive personal data.
Under the GDPR Full-On is required to provide detailed, specific information to data subjects depending on whether the information was collected directly from data subjects or from elsewhere. That information must be provided through appropriate Privacy Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a data subject can easily understand what happens to their personal data.
Whenever we collect personal data directly from data subjects, for example for the recruitment and employment of staff and for the recruitment of contractors, at the time of collection we must provide the data subject with all the prescribed information which includes:
When personal data is collected indirectly (for example, from a third party or publicly available source), you must also provide information about the categories of personal data and any information on the source. The data subject must be provided with all the information required by the GDPR as soon as possible after collecting/receiving the data. You must also check that the personal data was collected by the third party in accordance with the GDPR and on a basis which contemplates our proposed processing of that personal data.
Appendix 2
Principle 2 of GDPR – Purpose Limitation
Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
You cannot therefore use personal data for entirely new, different or incompatible purposes from those disclosed when it was first obtained unless you have informed the data subject of the new purposes. Where the further processing is not based on the data subject’s Consent or on a lawful exemption from data-protection law requirements, you should assess whether a purpose is incompatible by taking into account factors such as:
Provided that prescribed safeguards are implemented, further processing for historical research purposes or for statistical purposes will not be regarded as incompatible. Safeguards include ensuring data minimisation (e.g. pseudonymisation or anonymisation where possible), ensuring that the research will not be carried out for the purposes of making decisions about particular individuals, and ensuring that it is not likely to cause substantial damage or distress to an individual.
Principle 3 of the GDPR – Data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. You should not therefore amass large volumes of personal data that are not relevant for the purposes for which they are intended to be processed. Conversely, personal data must be adequate to ensure that we can fulfil the purposes for which it was intended to be processed.
You may only process personal data when performing your job duties requires it and you should not process personal data for any reason unrelated to your job duties.
You must ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the University’s data retention policy and schedule.
Principle 4 of the GDPR – Accuracy
Personal data must be accurate and, where necessary, kept up to date. You should ensure that personal data is recorded in the correct files.
Incomplete records can lead to inaccurate conclusions being drawn and in particular, where there is such a risk, you should ensure that relevant records are completed.
You must check the accuracy of any personal data at the point of collection and at regular intervals thereafter. You must take all reasonable steps to destroy or amend inaccurate records without delay and you should update out-of-date personal data where necessary (e.g. where it is not simply a pure historical record).
Where a data subject has required his/her personal data to be rectified or erased, you should inform recipients of that personal data that it has been erased/rectified, unless it is impossible or significantly onerous to do so.
Principle 5 of the GDPR – Storage limitation
You must not keep personal data in a form that allows data subjects to be identified for longer than needed for the legitimate educational/research or Full-On business purposes or other purposes for which Full-On collected it. Those purposes include satisfying any legal, accounting or reporting requirements. Records of personal data can be kept for longer than necessary if anonymised.
You will take all reasonable steps to destroy or erase from Full-On’s systems all personal data that we no longer require, in accordance with all relevant Full-On records retention schedules and policies.
You will ensure that data subjects are informed of the period for which their personal data is stored or how that period is determined in any relevant Privacy Notice.
Principle 6 of the GDPR – Security, Integrity and Confidentiality
Full-On is required to implement and maintain appropriate safeguards to protect personal data, taking into account in particular the risks to data subjects presented by unauthorised or unlawful processing or accidental loss, destruction of, or damage to their personal data. Safeguarding will include the use of encryption and pseudonymisation where appropriate. It also includes protecting the confidentiality (i.e. that only those who need to know and are authorised to use personal data have access to it), integrity and availability of the personal data. We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our processing of personal data.
You are also responsible for protecting the personal data that you process in the course of your duties. You must therefore handle personal data in a way that guards against accidental loss or disclosure or other unintended or unlawful processing and in a way that maintains its confidentiality. You must exercise particular care in protecting sensitive personal data from loss and unauthorised access, use or disclosure.
You must comply with all procedures and technologies we put in place to maintain the security of all personal data from the point of collection to the point of destruction.
You must comply with all applicable aspects of our Information Security Policy, and comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the Data Protection Law standards to protect personal data.
You may only transfer personal data to third-party service providers (i.e. data processors) who provide sufficient guarantees to implement appropriate technical and organisational measures to comply with Data Protection Law and who agree to act only on Full-On’s instructions. Data processors should therefore be appointed subject to Full-On’s standard contractual requirements for data processors.
Appendix 3
Glossary of Terms
Automated Decision-Making (ADM): when a decision is made which is based solely on automated processing (including profiling) which produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not automated processing.
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of automated processing.
Consent: agreement which must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes, by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data relating to them.
Data Controller: the person or organisation that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the GDPR. Full-On is the Data Controller of all personal data relating to it and used in delivering education and training, conducting research and all other purposes connected with it, including business purposes.
Data Subject: a living, identified or identifiable individual about whom we hold personal data.
Data Protection Impact Assessment (DPIA): tools and assessments used to identify and reduce the risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the processing of personal data.
Data Protection Officer (DPO): the person appointed as such under the GDPR and in accordance with its requirements. A Director (DPO) is responsible for advising Full-On (including its employees) on their obligations under Data Protection Law, for monitoring compliance with data protection law as well as with Full-On’s policies, for providing advice, and for cooperating with the ICO and acting as a point of contact with the ICO.
Personal Data: any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Personal Data Breach: any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data, where that breach results in a risk to the data subject. It can be an act or omission.
Privacy by Design and Default: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.
Privacy Notices: separate notices setting out information that may be provided to data subjects when Full-On collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee, student and donor privacy notices or the website privacy policy) or they may be stand-alone, one-time privacy statements covering processing related to a specific purpose.
Processing or Process: any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.
Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms, so that the person to whom the data relates cannot be identified without the use of additional information, which is meant to be kept separately and securely.