Data Protection Policy
The General Data Protection Regulation (GDPR) is legislation that requires all organisations that process personal data to review their procedures, processes and security measures and to ensure that individuals whose data they process are aware of their rights. As such, Midton has developed this policy to provide clarity on how it will process personal data.
This document will outline Midton’s policy and procedure in relation to:
- How Midton Processes Your Personal Data and Your Rights - Staff Data (Section 2)
- All Staff Responsibilities & Work Standards when Processing Personal Data (Section 3)
- Data Breach Procedure (Section 4)
Section 1 provides an overview of the relevant parts of the GDPR and definitions of some key language that is used throughout this policy.
Section 1: GDPR Jargon and Overview
1.1 Useful Information
The below table gives definitions and examples of common terms that are used in the GDPR and are essential to your understanding of this policy.
| What | Definition (from GDPR) | Examples |
| --- | --- | --- |
| Data Subject | An individual who is the subject of personal data. This excludes deceased individuals and individuals who cannot be identified or distinguished from others. | All staff at Midton |
| Processing data | In relation to information or data it means: obtaining, recording or holding the information or data, or carrying out any operation on the information or data. It includes access, storage, retrieval, disclosure and erasure / destruction. | Storing staff home addresses, destroying outdated personal details, disclosing data to a 3rd party |
| Data Controller | The organisation or person which determines the purposes and means of the processing of personal data. | Midton, schools, doctors' surgeries |
| Data Processor | An organisation which processes personal data on behalf of the controller. | Google, SalesForce, pension provider |
| Personal Data | Any information relating to a person (data subject). | Name, date of birth, IP address |
| Special Category Personal Data | Special categories of personal data, including: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health or condition; sex life or sexual orientation; genetic data; biometric data. | Occupational health reports, equal opportunity monitoring data |
1.2 GDPR Principles
The Principles of the GDPR outline how personal data should be processed to ensure legal compliance.
The Principles are as follows:
Data should be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Retained for only as long as necessary
- Processed in an appropriate manner to maintain security
1.3 Legal Basis for Processing Personal Data
The GDPR requires all data controllers and processors to meet at least one of the following legal bases for processing personal data:
- legal obligation
- vital interest
- public interest
- legitimate interest
Failure to meet at least one of these legal reasons for processing personal data means the data processing is likely to be illegal (unless a relevant exemption applies).
1.4 Special Category Data
Special category data is more sensitive than personal data, and therefore needs more protection. For example, information about an individual’s:
- ethnic origin
- trade union membership
- biometrics (where used for ID purposes)
- sex life
- sexual orientation
Special category personal data must still meet at least one of the above legal bases for processing; however, it must also meet further conditions. For example, special category personal data can be processed by a data controller in the following circumstances*:
- the purposes of performing or exercising obligations or rights of the employer or employee under employment law
- establishing, exercising or defending legal claims
- the assessment of an employee's working capacity (preventative or occupational medicine)
- the data subject has given explicit consent
- to protect the vital interests of the data subject
- the personal data has been made public by the data subject.
*There are other legal conditions; however, they are unlikely to apply to Midton.
1.5 Data Subject Rights
Data subjects, under GDPR, have a number of rights with regards to their personal data. These are the right to:
- Be informed
- Erasure (Right to be forgotten)
- Restriction of processing
- Object to processing
- Automated decision making, including profiling
Details regarding specific procedures in each Section will be given to clarify how the Data Subject Rights will be taken forward in different circumstances.
Right to be Informed
Midton has an obligation to ensure openness and transparency in the way in which it processes personal data. This policy and the subsequent procedures provide data subjects with the information they need to understand how and why their personal data is being processed, and how to access their rights.
Data subjects have the right to request access to their personal data which Midton is processing. Where justified, a reasonable administrative fee may be charged, however this information will usually be provided for free.
Data Subjects have the right to have any inaccurate information that Midton is processing about them rectified without undue delay.
Erasure (right to be forgotten)
Data subjects have the right to request that their personal data be deleted in certain circumstances, for example:
- if they withdraw consent for processing
- they believe the grounds for processing are no longer legitimate.
Midton will be required to liaise with 3rd parties regarding the erasure of personal data when:
- the personal data has been disclosed to others
- the personal data has been made public in an online environment (for example on social networks, forums or websites).
If Midton disclosed personal data to others, it must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, Midton must also inform the individuals about these recipients.
The right to erasure does not apply in some circumstances, for example if processing:
- to exercise the right of freedom of expression and information
- to comply with a legal obligation
- for the establishment, exercise or defence of legal claims.
The right to erasure will not apply to special category data if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary to assess the working capacity of an employee).
Erasure requests may be refused in some circumstances: if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
Restriction of processing
Data subjects have the right to request that Midton restricts the processing of their personal data in the following circumstances:
- they contest the accuracy of their personal data and the verification process is in progress
- the data has been unlawfully processed and they oppose erasure and request restriction instead
- Midton no longer needs the personal data but the data subject needs Midton to keep it in order to establish, exercise or defend a legal claim, or
- the data subject has objected to Midton regarding the processing of their data, and Midton is considering whether its legitimate grounds override those of the data subject.
In such circumstances, the relevant data will be:
- temporarily moved to another processing system
- unavailable to users.
Your restricted data will not be processed in any way except to store it while the restriction is in place, unless:
- you give consent
- it is for the establishment, exercise or defence of legal claims;
- it is for the protection of the rights of another person (natural or legal); or
- it is for reasons of important public interest.
Where a 3rd party processes your data, they will be informed of the restriction.
In many cases the restriction of processing is only temporary. Where Midton decides to lift the restriction, you will be informed of this before the restriction is lifted. You will also be advised why the restriction is being lifted and of your right to make a complaint to the Information Commissioner's Office.
Data subjects have the right to obtain a copy of their personal data in a commonly used format and have it transferred to another data controller.
Object to Processing
Data subjects have the right to object to:
- processing based on legitimate interests;
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
If a data subject has an objection on “grounds relating to his/her particular situation”, Midton must stop processing the personal data unless:
- it can demonstrate compelling legitimate grounds for the processing, or
- the processing is for the establishment, exercise or defence of legal claims.
Automated decision making, including profiling
Data subjects have the right to object to a significant decision, including profiling, solely made by automated means. Exemptions include the necessity for the performance of a contract or where the data subject has given explicit consent.
Data subjects have the right to complain to the Information Commissioner’s Office (ICO) if they believe that their rights have not been recognised. Details of where to write to can be found on the ICO’s website: www.ico.org.uk
Section 2: How Midton Processes Your Personal Data and Your Access Rights (Staff Data)
This Section outlines how and why Midton processes your data, including:
- what data we process about you
- why we process that data
- the legal basis for processing that data
- the retention period of the data
- measures that have been put in place to ensure the security of your data
- additional measures that have been put in place for special category data
The Section also includes:
- Midton’s Commitment to the GDPR Principles
- details of the key commitments, actions and procedures that are in place to ensure staff personal data is processed in compliance with the GDPR.
- the procedures that are in place to enable staff to access their Data Subject Rights.
2.1 Midton’s Commitment to GDPR Principles – Processing of Staff Personal Data
Midton is committed to complying with the principles of the GDPR, as outlined in Section 1. The following is a summary of the main commitments, actions and procedures to ensure that Midton complies with the GDPR in relation to the processing of Staff Personal Data.
Data shall be processed lawfully, fairly and in a transparent manner. Midton will:
- ensure that it keeps up-to-date records of what personal data it processes, the purpose for processing it, the legal reason for processing the data and the retention period. The staff personal data that Midton processes can be found in our Data Audit in Appendix 1.
- use privacy notices, where appropriate, to confirm the data that is being processed, the purpose of the processing, the legal basis for processing and the retention period.
Data shall be collected for specified, explicit and legitimate purposes. Midton will:
- only process personal data for the reason already confirmed to the data subject (in Appendix 1, or by some other means, such as a privacy notice)
- ensure that the purpose of the data processing is clearly specified to data subjects.
Data shall be adequate, relevant and limited to what is necessary
Midton will ensure that the data it holds is not excessive for the purpose for which it is being processed
Data shall be accurate and, where necessary, kept up to date
Midton will, where appropriate, periodically request data subjects to review and update their details to ensure information is accurate
Data shall be retained for only as long as necessary. Midton will:
- review its data retention periods, as required, to ensure that the data it holds is adequate, relevant and limited to what is necessary
- ensure that it complies with the data retention periods outlined in Appendix 1, or in privacy notices.
Data shall be processed in an appropriate manner to maintain security
Midton will ensure that data is processed appropriately to ensure its security, for example by using locked cabinets, encrypting files, etc.
New policies, procedures and working practices will be GDPR compliant by design.
2.2 How and Why Midton Processes your Data
Midton (the Data Controller) collects and processes personal data relating to you to manage the employment relationship. Midton is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.
Midton collects this information in a variety of ways. For example, data is collected through application forms and CVs; from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments. In some cases, Midton collects personal data about you from third parties, such as references supplied by former employers.
The data is stored in a range of different places, including in your personnel file, in the HR management systems and in other IT systems (including the organisation's email system).
Midton needs to process data to enter into an employment contract with you and to meet its obligations under your employment contract. For example, it needs to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer benefit, pension and insurance entitlements.
In some cases, Midton needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.
In other cases, Midton has a legitimate interest in processing personal data before, during and after the end of the employment relationship. For example, processing employee data allows the organisation to:
- run recruitment processes
- maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights
- operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace
- keep a record of employee performance and related processes
- plan for career development, and for succession planning and workforce management purposes
- operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled
- obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities and meet its obligations under health and safety law
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave)
- ensure effective general HR and business administration
- provide references on request for current or former employees
- respond to and defend against legal claims
- maintain and promote equality in the workplace.
Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes).
Where Midton processes other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring.
A list of your personal data that Midton processes can be found in Appendix 1. This includes:
- the purpose of processing the data
- the legal basis for processing the data
- the retention period for this data
Where Midton collects further personal data from you for processing you will clearly be advised of the purpose of processing the data, the legal basis for processing the data, the retention period and your data subject rights. This will usually be in the form of a Privacy Notice.
2.4 Who has access to my data?
Your information will be shared internally, including with members of the HR team (including payroll), your line manager, other managers and IT staff, if access to the data is necessary to perform their role.
Midton shares your data with third parties in order to obtain pre-employment references from other employers. It also shares your data with third parties that process data on its behalf, in connection with the provision of benefits and the provision of occupational health services.
Midton also shares your data with data processors who provide services to it, for example Google Drive and SalesForce. This may require your data to be transferred outwith the EU; in such circumstances Midton will take all reasonable steps to ensure that your data is secure and is subject to appropriate safeguards.
Please see Appendix 1 for more details.
2.5 Special Category Data
Midton processes some special category personal data; this is clearly marked in Appendix 1. Special category data will only be processed where one or more of the enhanced legal tests is met; this will usually be one of the following:
- the purposes of performing or exercising obligations or rights of the employer or employee under employment law;
- establishing, exercising or defending legal claims;
- the assessment of an employee's working capacity;
- you have given explicit consent;
- to protect your vital interests;
- the personal data has been made public by you.
For example, processing your medical information by providing it to the emergency services when you suffer a severe illness whilst at work (this would be in your vital interest).
Midton may process your sickness absence record by including it in a referral to its occupational health advisors in order to gain advice and guidance regarding your capability to safely undertake your job.
When processing special category data, additional security measures will be put in place to maximise the security of this sensitive data. In some circumstances a Privacy Impact Assessment may be required where there is a high risk to that data. Please see the Section on Data Security below for more general information, and Section 3 of this policy for further details of the work standards that staff will be expected to adhere to when processing special category data.
2.6 Data Security
Midton takes the security of your data seriously. Midton has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. These policies and procedures include:
- IT Policy and Procedure
- All Staff Responsibilities & Work Standards When Processing Personal Data (Section 3 of this document)
- Data Breach Procedure (Section 5 of this document).
Midton will take steps to ensure the security of your personal data at all times.
Where Midton engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Special Category Data
Midton will ensure that adequate security measures are put in place when processing special category data to reduce the risk to your fundamental rights and freedoms. For example, hard copy special category data should be kept at all times in a locked cabinet that is only accessible to relevant staff.
2.7 How long do you retain my data for?
Generally, Midton will hold your personal data for the duration of your employment plus 6 years, and in some cases for longer. The retention periods for which your specific types of data are held are set out in Appendix 1.
2.8 Data Subject Rights
As a data subject, under GDPR you have a number of rights, as detailed in the GDPR summary in Section 1. This Section will give details of how Midton will manage your data subject rights in relation to staff personal data.
If you wish to access your personal data which Midton is processing, you should submit a written request to Craig Cameron, Managing Director. You will receive a written confirmation of receipt of your request. Midton will respond to your request within one month.
Where possible you will receive copies of the personal data that is being processed. However, in some circumstances you may be asked to come to the Midton site to view the data.
There is not normally a charge for this request; however, in some circumstances there may be an administrative fee, for example where the request is repetitive.
You have the right to have any inaccurate information that Midton is processing about you rectified without undue delay. Please advise your line manager of any rectification requests.
Erasure (right to be forgotten)
You have the right to request that your personal data be deleted in certain circumstances, for example:
- if you withdraw your consent for processing
- you believe the grounds for processing are no longer legitimate
- you believe that the processing of your data is no longer necessary for the purpose which Midton originally collected or processed it for.
If you would like to make such a request, this should be made to your line manager outlining:
- the data you wish to be erased
- the grounds for the erasure.
Your line manager will consider your request with relevant colleagues and confirm the outcome of your request within 1 month.
Restriction of processing
You have the right to request that Midton restricts the processing of your personal data in the circumstances outlined in Section 1.
If you wish to exercise this right you should advise your line manager.
You have the right to obtain a copy of your personal data in a commonly used format and have it transferred to another data controller. This is unlikely to be relevant to staff personal data. If you do have any queries about this right please speak to your line manager.
Object to Processing
You have the right to object to the processing of your personal data on grounds relating to your particular situation. Midton must comply with this unless:
- it can demonstrate compelling legitimate grounds for the processing, or
- the processing is for the establishment, exercise or defence of legal claims.
Should you wish to object to your data being processed you should inform your line manager.
Automated decision making, including profiling
You have the right to object to significant decisions, including profiling, solely made by automated means. Exemptions include the necessity for the performance of a contract or where you have given explicit consent.
This is unlikely to be relevant to staff personal data. However, where you would like to object please contact your line manager.
Section 3: All Staff Responsibilities & Work Standards When Processing Personal Data
This Section outlines the work standards that all staff are expected to uphold to ensure the safety and security of personal data processed at work.
3.2 Processing Data Electronically
All staff are expected to work within the guidance outlined in Midton's IT Policy and Procedure. Generally, staff should take the following steps to ensure the security of data whilst processing it electronically:
- ensure your device is locked when unattended
- NEVER give anyone your password
- only use company approved systems and services to process personal data
- When processing personal data, especially special category data, be aware of who is around you and ensure that security of the data is not compromised
- When sharing data internally or with an authorised third party, ensure that data is adequately protected, taking extra security measures with special category data (such as encryption, pseudonymisation)
- NEVER use pen drives to transport personal data
Please refer to Midton's IT Policy and Procedure for more detailed guidance on how to process personal data.
Each category of personal data should only be processed for the purposes it was collected for and only transferred to an authorised data processor or controller, as detailed in Appendix 1.
3.3 Processing Hard Copy Data
Where possible, data should be kept in electronic format. Where there is a necessity for a hard copy the following steps should be taken:
- NEVER leave hard copy personal data on your desk, or any other location, unattended
- ensure that personal data is kept secure on your desk, even when you are there (e.g. cover it up to ensure nobody accidentally sees the information)
- ensure special category data is only ever on your desk when you are actively working with it - it should be stored securely at all other times (e.g. in a locked cabinet with restricted access)
- ensure that personal data is stored securely when you have finished work for the day - NEVER leave it on your desk overnight
- when processing personal data be aware of who is around you and ensure that the security of the data is not compromised.
Each category of personal data should only be processed for the purposes it was collected for and only transferred to authorised data processors or controllers, as detailed in Appendix 1.
3.4 Processing Data Verbally
When it is necessary to process personal data verbally:
- consider the nature of the personal data you are processing and if it is appropriate to have the conversation in a closed room
- ensure that you have verified who the person is that you are processing the data with and checked that they are an authorised data controller or processor (e.g. when calling a representative of an authorised data controller).
- when processing personal data be aware of who is around you and ensure that the security of the data is not compromised.
Each category of personal data should only be processed for the purposes it was collected for and ONLY transferred to authorised data processors or controllers, as detailed in Appendix 1.
All staff are required to ensure the confidentiality and security of personal data at Midton. Any breach of this requirement may result in disciplinary action, up to dismissal.
3.6 Data Protection by Design and Default
The GDPR requires organisations to integrate privacy by design from the start of any new project or piece of work. Midton is committed to this requirement and will ensure that all projects, working practices, procedures and policies have data security and compliance integrated into them from the start.
To do this, Midton will ensure that appropriate staff have the relevant training to raise their knowledge and skills in this area and enable them to make informed decisions. In addition, a number of staff have had additional training on data protection and are able to offer more specific advice and guidance to staff; they make up the GDPR Working Group and they are:
Craig Cameron, Managing Director
Graham Ramsay, Design Director
Lewis Anderson, Production Director
Fiona McDougall, Financial Controller
Lauren Prentice, Administrator
If you are taking forward a new piece of work or project you must ensure that you consider the implications for data security and take steps to minimise the risk to that data. This should be done from the outset so that the design of your work / project takes this into account. Examples of relevant work / projects are:
- designing or implementing new IT systems or processes
- developing new policies or procedures that have privacy implications
- designing a new office layout
If you require further support or guidance in doing this, please refer to the Information Commissioner's website (www.ico.org.uk) or contact a member of the GDPR Working Group listed above.
Taking a privacy by design approach is an essential tool in minimising privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits which include:
- potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
- increased awareness of privacy and data protection across an organisation.
- organisations are more likely to meet their legal obligations and less likely to breach the GDPR.
- actions are less likely to be privacy intrusive and have a negative impact on individuals*.
In many circumstances, it may be necessary for you to carry out a Data Protection Impact Assessment (DPIA) to analyse the risk involved and to consider options to minimise that risk (please see part 3.7 below).
3.7 Data Protection Impact Assessments
If you are undertaking a new piece of work or project that includes a ‘high risk’ processing activity, a Data Protection Impact Assessment (DPIA) should be carried out. High risk processing could include processing of special category data on a large scale. DPIAs are an integral part of Data Protection by Design and Default.
What is a Data Protection Impact Assessment?
A Data Protection Impact Assessment (DPIA) is a process to systematically analyse a data controller’s processing and help them identify and minimise data protection risks. It must:
- describe the processing and the data controller’s purposes;
- assess necessity and proportionality;
- identify and assess risks to individuals; and
- identify any measures to mitigate those risks and protect the data.
It does not have to eradicate the risk, but should help to minimise risks and consider whether or not they are justified*.
A DPIA should consider the likelihood and the severity of any negative impact the data processing may have on the data subject/s. A DPIA MUST be completed BEFORE you begin processing any high risk data.
How do I know if I need to complete a DPIA?
The ICO and GDPR require a DPIA to be completed in some circumstances. The circumstances most likely to impact on job roles at Midton are where you:
- use systematic and extensive profiling with significant effects
- process special category data on a large scale
- use new technologies
- profile individuals on a large scale
- process biometric data
- match data or combine datasets from different sources
- collect personal data from a source other than the individual without providing them with a privacy notice ('invisible processing')
- track individuals' location or behaviour.
If you require further advice or guidance in establishing whether a DPIA is required, please refer to the Information Commissioner's website (www.ico.org.uk) or contact a member of the GDPR Working Group listed above. In general terms, where there is a need to process personal data for a new project, it is good practice to complete a DPIA. If you decide that a DPIA is not required, you should document the reasons for this decision to ensure there is a record of the rationale for your decision.
How do I complete a DPIA?
A DPIA, where required, should be conducted at the start of any new project. The below steps should be included:
(Source: ICO website)
- Identify the need for a DPIA
You should establish if there is a need for a DPIA. Usually, if you are unable to answer this with a high degree of certainty, it would be advisable to conduct a DPIA. As stated above, if you decide not to complete a DPIA you should record your rationale to enable you to justify your decision at a later date.
- Describe the processing
Describe and record the nature, purpose, legal basis and context of the processing
- Consider Consultation
Consider the most appropriate way to consult with affected individuals and stakeholders, if required.
- Assess necessity and proportionality
Check that the processing is entirely necessary and that it is proportionate to the purposes of the processing.
- Identify and assess risk
Identify the likelihood and severity of risks to individuals’ rights and freedoms. Seek advice of GDPR Working Group representatives.
- Identify measures to mitigate risk/s
Identify any actions / measures that can be put in place to reduce / mitigate risk/s.
- Sign off and record outcomes
Sign off the completed DPIA and confirm the outcomes of your assessment, justifying the outcome.
- Integrate outcomes into plan
Implement the recommended actions from the DPIA into the project plan. If high risk processing cannot be mitigated, consult the Information Commissioner's Office (this is a legal requirement).
- Keep under review
Diarise a review of the DPIA and data processing, as required.
When undertaking a DPIA you should use the DPIA template in Appendix 2.
What do I do once I have completed the DPIA?
Once you have completed a DPIA, you will need to ensure that you integrate the recommendations and actions into your project / work before progressing. This may include consulting the Information Commissioner's Office (although this is unlikely to be the case at Midton).
You may also have to review the DPIA at appropriate times to ensure that the risk remains reduced and that further remedial action is taken, if required.
It is your responsibility to document the DPIA for your own work and projects. You may be required to refer to them at a later date to evidence your consideration of data protection in your work / project and to justify your actions.
3.8 Data Subject Rights Request
Data subjects, be they job applicants, employees, workers, ex-employees or customers, have a number of rights with regards to their personal data (please see Section 1 for a summary). If you receive a request from any data subject regarding their rights, as detailed in Section 1, you MUST advise your line manager immediately. Their request may require immediate action, therefore it is imperative that you advise your line manager as soon as you receive the request. Additionally, any responses are usually time bound, therefore Midton must ensure the request is processed as quickly as possible so that the timescales are adhered to.
3.9 Privacy Notices
Midton must ensure that where it collects personal data, either directly or indirectly, it is transparent about what it will do with this information. Information is usually provided to data subjects in a Privacy Notice.
If you are required to collect personal data as part of your role, you must ensure that you provide data subjects with information about how you process their data; this must be:
- concise, transparent, intelligible and easily accessible
- written in clear and plain language
- free of charge.
Privacy notices should be written in line with the Information Commissioner's Office Privacy Notice Guidance (ICO).
If you require any support or guidance in doing this you can either contact the ICO’s helpline (0303 123 1113) or a member of the internal GDPR Working Group.
3.10 Data Transfers outwith the EU
You may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.
Adequate safeguards may be provided for by:
- a legally binding agreement between public authorities or bodies;
- binding corporate rules (agreements governing transfers made between organisations within a corporate group);
- standard data protection clauses in the form of template transfer clauses adopted by the Commission;
- standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission;
- compliance with an approved code of conduct approved by a supervisory authority;
- certification under an approved certification mechanism as provided for in the GDPR;
- contractual clauses authorised by the competent supervisory authority; or
- provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority.
An example of an adequate safeguard is the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks which treat certified companies as compliant.
If you are looking to use a processor or controller which requires data to be transferred outside the EEA, then one of the safeguards listed above must be in place.
Section 4: Data Breach Procedure
4.1 At a glance
- The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
- You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
- You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
Preparing for a Data Breach
- Study the guide to recognising a data breach
- Understand that a personal data breach isn't only about loss or theft of personal data
- Study the response plan for addressing any personal data breaches that occur
- Report all breaches to your immediate superior using the following form
- If a member of your team detects a data breach, liaise with a member of the GDPR working group
- If you are unsure whether a data breach has occurred but have any concerns, please consult a member of the GDPR working group.
4.2 What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
Recital 87 of the GDPR makes clear that when a security incident takes place, you should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.
4.3 What breaches do we need to notify the ICO about?
When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.
In assessing risk to rights and freedoms, it’s important to focus on the potential negative consequences for individuals. Recital 85 of the GDPR explains that:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
This means that a breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. You need to assess this case by case, looking at all relevant factors.
The theft of a customer database, the data of which may be used to commit identity fraud, would need to be notified, given the impact this is likely to have on those individuals who could suffer financial loss or other consequences. On the other hand, you would not normally need to notify the ICO, for example, about the loss or inappropriate alteration of a staff telephone list.
So, on becoming aware of a breach, you should try to contain it and assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen.
For more details about assessing risk, please see section IV of the Article 29 Working Party guidelines on personal data breach notification.
4.4 What role do processors have?
If your organisation uses a data processor, and this processor suffers a breach, then under Article 33(2) it must inform you without undue delay as soon as it becomes aware.
For example: your organisation (the controller) contracts an IT services firm (the processor) to archive and store customer records. The IT firm detects an attack on its network that results in personal data about its clients being unlawfully accessed. As this is a personal data breach, the IT firm promptly notifies you that the breach has taken place. You in turn notify the ICO.
This requirement allows you to take steps to address the breach and meet your breach-reporting obligations under the GDPR.
If you use a processor, the requirements on breach reporting should be detailed in the contract between you and your processor, as required under Article 28.
4.5 How much time do we have to report a breach?
You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.
Section II of the Article 29 Working Party Guidelines on personal data breach notification gives more details of when a controller can be considered to have “become aware” of a breach.