Introduction
- We, www.dosegb.com, obtain, use and retain personal information (personal data) as part of our day-to-day activities. That personal data relates to current, former and prospective customers, directors, employees, contractors, suppliers and third parties (data subjects). In doing so, we are subject to various legislative provisions including those set out in the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA18). These address how we, as data controllers and data processors, should obtain, deal with and retain personal data. We are committed to complying with our legal and regulatory obligations to manage personal data in an appropriate manner and to being concise, clear and transparent about how we obtain and use personal information and how (and when) we delete that information once it is no longer required.
- This policy is intended to set out how this is to take place, how we comply with our data protection obligations and seek to protect personal data and what we will expect to be done by our directors in that regard. It is intended that this policy will help to ensure that personnel understand and are able to comply with the various data protection requirements to which they are subject in the course of their work. This policy supports the company in its role as a provider of online pharmaceutical services and is written for the purposes of ensuring and promoting the safe sharing of information.
- The provisions in this policy apply to all personal data whether it is on paper or stored electronically and whether it is in writing or stored as verbal or video files. It applies whether the personal data is stored on our network, on individual desktop or laptop computers, on mobile devices, phones or tablets, in paper files or in any other way.
- We are also required by the UK GDPR to map out where and how we hold personal data, to show that we comply with our obligations and to provide satisfactory responses to any subject access request that is made. In the event that any data subject requests details of the personal data we hold in relation to them, or requests that we deal with their personal data in a particular manner, all personnel must know what to do and who should be informed. It is essential therefore that personnel notify Cheung Hoe Leong of the details of any request as soon as possible so that a suitable response can be made within the timeframes allowed for such a response. All personnel should note that this applies however that request is made, whether verbally, electronically or in writing, and that the data subject making the request does not need to have used the term ‘subject access request’ or ‘data processing objection’ or any such similar term for that request to be valid.
Scope of this policy
- This policy applies to the personal data of all of those referred to in paragraph 1.1 above.
- This policy is intended to set out:
- how data is protected;
- how we comply with our data protection obligations;
- what we will expect to be done by our directors, employees, contractors, agency workers, volunteers, trainees and apprentices (personnel) in that regard.
- It is intended that this policy will help to ensure that personnel understand and are able to comply with the various data protection requirements to which they are subject in the course of their work.
- The provisions in this policy apply to all personal data whether it is on paper or stored electronically and whether it is in writing or stored as verbal messages. It applies whether the personal data is stored on our network, on individual desktop or laptop computers, on mobile devices, phones or tablets, in paper files or in any other way.
- This policy will be reviewed and updated regularly in order to ensure that we continue to act in accordance with our data protection obligations. Revised versions will be brought to the attention of all personnel as and when necessary.
Data protection policy statement
- We comply with all relevant legislative and regulatory provisions governing the management and storage of data in both electronic and paper formats. We are registered with the Information Commissioner under the UK GDPR and the DPA18. We comply with the data protection principles, i.e. that all data covered by the UK GDPR and the DPA18 (which includes not only electronic data, but also personal data held in any format) is:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate;
- not kept longer than necessary;
- processed in accordance with the data subject’s rights;
- secure; and
- not transferred to non-approved countries without adequate protection.
- In addition to the legislation highlighted above, we apply the Common Law Duty of Confidentiality which governs information given in confidence to a healthcare professional (about a person alive/deceased) with the expectation it will be kept confidential. We also apply the principles outlined in the Caldicott Report 2016. Finally, each healthcare professional has ethical duties of confidentiality as imposed by the relevant professional body (i.e. GPhC).
Processing personal information
- Article 5 of the UK GDPR requires that personal data is processed in accordance with the data protection principles. Therefore, when processing personal data, we must ensure that we:
- process personal information lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’);
- only collect personal data for specified, explicit and legitimate purposes and not process that data in a way that is incompatible with those legitimate purposes (‘purpose limitation’);
- only process the personal data that is adequate, relevant and necessary for the purpose (‘data minimisation’);
- keep the personal data accurate and up to date and take all reasonable steps to delete or correct inaccurate personal data without delay (‘accuracy’);
- keep personal data in a way that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed subject to certain exceptions (‘storage limitation’); and
- process the personal data in a manner that ensures appropriate security including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
- In addition to only processing data in accordance with the data protection principles, Article 6 of the UK GDPR requires that we must also ensure that personal data is processed lawfully and in such a way that at least one of the following bases applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes (‘consent’);
- the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (‘contract’);
- the processing is necessary for compliance with a legal obligation to which we are subject (‘legal obligation’);
- the processing is necessary for the protection of the vital interests of the data subject or another natural person (‘vital interest’);
- the processing is necessary for the performance of a task carried out in the public interest or exercise of official authority (‘public interest’);
- the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (‘legitimate interest’).
- Where processing is based on consent, we must be able to demonstrate that the data subject has consented to the processing of his or her personal data and that such consent has been given in such circumstances that it is able to be clearly distinguishable from the other matters and in an intelligible and easily accessible form, using clear and plain language. The data subject shall have the right to withdraw his or her consent at any time which shall not, however, affect the lawfulness of processing based on consent before its withdrawal. When assessing whether consent is freely given regard must be had to the fact that the performance of a contract or provision of a service must not be made to be conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
- Other than where the processing is based on consent, we must satisfy ourselves at all times that the processing is necessary for the purpose of the relevant lawful basis set out above and that there is no other reasonable way to achieve that purpose. In order to demonstrate compliance, we must document our decision as to which lawful basis applies and record information both concerning the purposes of the processing and the lawful basis relied upon. Where sensitive personal information or criminal offence information is to be processed, we must, in addition to the bases set out above, identify a lawful special condition for processing that information and document it.
- Where we are relying upon legitimate interest as the appropriate basis for lawful processing, we must conduct a legitimate interest assessment (LIA) and keep a record of it, to ensure that we can justify our decision. In the event that the LIA identifies a significant privacy impact we must consider whether we also need to conduct a data protection impact assessment (DPIA).
- If the personal data in question is special category personal data (sensitive personal data), then we can only process that data provided that we have a lawful basis for doing so as set out in paragraph 4.2 above, and at least one of the conditions set out below is met. Sensitive personal data is that which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The conditions are:
- the data subject has given their explicit consent to the processing of such data for one or more specified purposes (unless UK domestic law prohibits them from doing so);
- processing is necessary for the purposes of carrying out our obligations and exercising specific rights or those of the data subject in the field of employment and social security and social protection law in so far as it is authorised by UK domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
- the processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside that body without the consent of the data subjects;
- the processing relates to personal data which is manifestly made public by the data subject;
- the processing is necessary to establish, exercise or defend legal claims or whenever courts are acting in their judicial capacity;
- the processing is necessary for substantial public interest reasons, on the basis of UK domestic law and it is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
- the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of UK domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in Article 9(3) of the UK GDPR;
- the processing is necessary for public interest reasons in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of UK domestic law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject and in particular, professional secrecy;
- the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the UK GDPR based on UK domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
- If the personal data is sensitive personal data then the Data Protection Manager must be notified, before processing commences, of the proposed processing so that they may assess whether the processing complies with the criteria set out above. No processing will commence until that assessment has taken place and the data subject has been informed. No automated decision-making (including profiling) will be based on any data subject’s sensitive personal information.
Data protection impact assessments
- Article 25 of the UK GDPR requires that data protection by design and by default be applied to all new projects or uses of personal data. Article 35 of the UK GDPR additionally requires a data protection impact assessment where the processing, in particular where it involves the use of new technologies, is likely to result in a high risk to the rights and freedoms of data subjects.
- A data protection impact assessment (DPIA) shall in particular be required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1) of the UK GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
- a systematic monitoring of a publicly accessible area on a large scale.
- In such circumstances we will carry out a DPIA to assess:
- the purposes of the processing, including, where applicable, the legitimate interest we are pursuing;
- whether the processing is necessary and proportionate in relation to its purpose;
- the risks to data subjects; and
- the measures that can be put in place in order to address those risks and protect personal information.
- In doing so, regard will be had to:
- the nature, scope, context, and purpose or purposes of the collection, holding, and processing;
- the state of the art of all relevant technical and organisational measures to be taken;
- the cost of implementing such measures; and
- the risks posed to data subjects and this organisation, including their likelihood and severity.
- The DPIA will be overseen by the Data Protection Manager and shall address:
- the type of personal data collected, held and processed;
- why and how personal data is to be used;
- our objectives;
- who is to be consulted;
- the necessity and proportionality of the data processing;
- the risks to data subjects and to us; and
- the measures taken to minimise and deal with those risks identified.
Documentation and record keeping
- We will keep internal written records of those processing activities which we undertake in our role as data controller. In all cases those records will contain:
- the name and contact details of the Data Protection Manager;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data has been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
- We will keep internal written records of those processing activities which we undertake in the role of data processor and shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
- the name and contact details of the processor or processors and the data protection manager;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
- As part of our record of processing activities we will document:
- information required for privacy notices;
- records of consent;
- controller-processor contracts;
- the location of personal information;
- DPIAs; and
- records of data breaches.
- In the event that we process sensitive personal information, we will keep written records of:
- the purposes of the processing, including where relevant why it is necessary for that purpose;
- the lawful basis for our processing; and
- whether we retain and erase the personal information in accordance with our policy document and, if not, the reasons for not following our policy.
Information provided to, and the rights of, data subjects
- We will provide all data subjects with the information set out in paragraph 7.2 below. This will take place at the time of collecting the data where that data is obtained directly from the data subject or, where the data is obtained from a third party:
- when the first communication is made if the personal data is used to communicate with the data subject;
- before a transfer is made where the personal data is to be transferred to another party;
- in all other cases, as soon as reasonably possible and in any event not more than one month after the personal data is obtained.
- The following information shall be supplied:
- our details including contact details and the names and details of our Data Protection Manager;
- the purposes for which the personal data is being collected, how it will be processed and the lawful basis for that collection and processing;
- any legitimate interests justifying its collection and processing;
- where we have not obtained the personal data directly from the data subject, the categories of personal data collected and processed;
- where we plan to transfer the personal data to one or more third parties, details of those parties;
- where the transferee of the personal data is located outside the UK, details of that transfer, including any safeguards in place;
- any relevant data retention periods;
- the data subject’s rights under the UK GDPR;
- the data subject’s right to withdraw their consent to our processing their personal data;
- the data subject’s right to complain to the Information Commissioner’s Office;
- where we have not obtained the personal data directly from the data subject, details about the source of that personal data;
- where relevant, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it; and
- any automated decision-making or profiling that will take place using the personal data, including information on how decisions will be made, the significance of those decisions, and any consequences.
- We will issue privacy notices from time to time, informing data subjects as to the personal information collected about them, how it is held and how they can expect that personal information to be used and for what purposes. Any information provided in privacy notices will be in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
- We will ensure that data subjects are informed that they have the following rights in relation to their personal data:
- to be informed about how, why and on what basis their data is processed;
- to obtain confirmation that their data is being processed and to obtain access to it and certain other information, by making a subject access request;
- to have data corrected if it is inaccurate or incomplete;
- to have data erased if it is no longer necessary for the purpose for which it was originally collected/processed, or if there are no overriding legitimate grounds for the processing;
- to restrict the processing of personal information where the accuracy of the information is contested, or the processing is unlawful (but they do not want the data to be erased), or where the personal information is no longer needed but it is required to be retained to establish, exercise or defend a legal claim;
- to restrict the processing of personal information temporarily where they do not think it is accurate or where they have objected to the processing and we are considering whether our legitimate aims override their interests;
- to receive the personal data concerning him or her, which he or she has provided to us, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance from us, where the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b) and the processing is carried out by automated means.
- A data subject may make a subject access request (SAR) at any time in order to find out more about the personal data which we hold about them, the processing we are carrying out and the purpose of that processing. We must normally respond to a SAR within one month of receipt. This may, however, be extended by up to two months if the SAR is complex and/or numerous requests are made but the data subject must be informed if we are to rely on this. All SARs received must be dealt with by the Data Protection Manager. We do not charge a fee for dealing with a SAR in normal circumstances although we may charge a reasonable fee for further copies of information already provided or for requests that are manifestly unfounded or excessive, particularly where those requests are repetitive.
- A data subject has the right to require us to rectify any personal data that is inaccurate or incomplete. We must do so within one month of the data subject informing us and we must inform the data subject that we have done so. We can extend this period by up to two months where the requests are complex, but the data subject must be informed if we are to rely on this. If the personal data in question has been sent to third parties, those third parties should wherever possible be informed of the rectification.
- The data subject has the right to request that we erase the personal data we hold about them in the following circumstances:
- where it is no longer necessary for us to retain that personal data having regard to the purpose for which it was originally collected or processed;
- where the data subject wishes to withdraw consent to holding and processing personal data previously given to us;
- where the data subject objects to us holding and processing their personal data and no overriding legitimate interest permitting us to continue doing so exists;
- the personal data has been processed unlawfully;
- we need to erase the personal data in order to comply with a particular legal obligation or the personal data is being held and processed for the purpose of providing information society services to a child.
- Unless we have reasonable grounds for refusing to erase personal data, all erasure requests shall be complied with within one month from the receipt of the data subject’s request. The data subject must be informed. We can extend this period by up to two months where the requests are complex, but the data subject must be informed if we are to rely on this. In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties are to be informed of the erasure unless to do so is impossible or would require disproportionate effort.
- A data subject may request that we cease processing their personal data in which case we may retain only that personal data that is necessary to ensure that the data subject’s personal data in question is not processed further. In the event that this data has been disclosed to third parties, those parties are to be informed of the processing restriction unless to do so is impossible or would require disproportionate effort.
- A data subject has the right to object to the processing of their personal data by us when it is based on legitimate interests, for direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes. Where such an objection is received based on our legitimate interests, we must cease such processing immediately unless we can demonstrate that our legitimate grounds for such processing override the data subject’s interests, rights and freedoms, or that the processing is necessary for the conduct of legal claims. Where such an objection is received based on our use of the data for direct marketing purposes, we must cease such processing promptly. Where the objection is based on the processing of their personal data for scientific and/or historical research and statistics purposes, the data subject must demonstrate ‘grounds relating to his or her particular situation’. We will not be required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.
- A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her unless it is necessary for entering into, or the performance of, a contract between the data subject and a data controller; is authorised by UK domestic law to which we are subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or is based on the data subject’s explicit consent.
- Note that we are subject to certain rules concerning direct marketing which exist not just in the UK GDPR but which can also be found in other regulations such as the PECR. The prior consent of data subjects is required for electronic direct marketing including email, text messaging, and automated telephone calls subject to the exception that we may send marketing text messages or emails to a customer provided that their contact details have been obtained in the course of a contract, the marketing relates to similar products or services, and the customer has been given the chance to opt-out of any marketing not only when their details were first collected but also on each subsequent occasion that we contacted them.
Confidentiality and information security
- All personnel must keep confidential data about all data subjects for which they are responsible or to which they have access. Failure to do so would be a breach of our duties under the UK GDPR, DPA18 and any professional or similar regulations to which we are subject.
- Personnel who have access to personal data must:
- only access the personal data which they have authority to access, and only for authorised purposes;
- only allow other personnel to access personal data if they have appropriate authorisation;
- only allow individuals who are not members of our staff to access personal data if specific authority to do so exists;
- keep personal data secure, for example by complying with rules on access to premises, computer access, password protection and secure file storage and destruction and other precautions set out in our information security policy;
- change any password used to protect personal data regularly and not use common or easily guessed words or phrases;
- not remove personal data, or devices containing personal data (or which can be used to access it), from our premises unless appropriate security measures are in place (such as pseudonymisation, encryption or password protection) to secure the data and the device and they have authority to do so;
- ensure that if personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, that the computer and screen are locked before the user leaves it;
- not store their own personal information on local drives or on personal devices that are used for work purposes, and not store work-related information on local drives or on personal devices that are used for personal purposes.
- In the event that any personnel have any concerns or suspicions that any of the matters set out below are taking place, they should immediately inform the Data Protection Manager of those concerns or suspicions:
- personal data is being processed without a lawful basis or, in the case of sensitive personal information, without one of the conditions in paragraph 4.6 above being met;
- a data breach;
- personal data is being accessed without the proper authorisation;
- personal data is not being retained or deleted securely;
- personal data, or devices containing personal data, are being removed from our premises without appropriate security measures being in place;
- any other breach of this policy or of any of the data protection principles set out in paragraph 4.1 above.
- We will use all appropriate technical and organisational measures in order to keep personal data secure and to protect it from unauthorised or unlawful processing and accidental loss, destruction or damage. Those measures may include:
- ensuring that wherever possible personal data is pseudonymised or encrypted;
- ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- ensuring that, in the event of a physical or technical incident, availability and access to personal data can be restored in a timely manner; and
- the regular testing, assessing and evaluating of effectiveness of technical and organisational measures for ensuring the security of the processing.
- In the event that we use external organisations to process personal data on our behalf, we will ensure that additional security arrangements are implemented in contracts with those organisations in order to safeguard the security of personal data. In particular, contracts with external organisations will provide that:
- the external organisation may act only on our written instructions;
- those processing the data are subject to a duty of confidentiality similar to that set out above;
- appropriate measures are taken to ensure the security of processing;
- sub-contractors are only engaged with our prior consent and only under a written contract;
- the external organisation will assist us in providing subject access and allowing individuals to exercise their rights in relation to data protection;
- the external organisation will assist us in meeting our obligations in relation to the security of processing, the notification of data breaches and data protection impact assessments;
- the external organisation will delete or return all personal information to us as requested at the end of the contract;
- the external organisation will submit to audits and inspections and provide us with whatever information we need to ensure that it is meeting its data protection obligations; and
- the external organisation will inform us immediately if it is asked to do something infringing data protection law.
- No one may enter into an agreement with an external organisation to process personal data on our behalf without the consent of the Data Protection Manager.
-
Storage and retention of personal information
- We must not retain personal data (and in particular sensitive personal data) for any longer than necessary. The length of time over which data may be retained is dependent upon the circumstances including why the personal information was obtained in the first place.
- We will ensure that the following measures are taken as to the storage of personal data:
- All electronic copies of personal data will be stored securely using passwords and appropriate data encryption;
- We will store securely in a locked box, drawer, cabinet, or similar all hard copies of personal data. This will include electronic copies of data that are stored on physical or other removable media;
- Suitable backups will be made of all personal data that is stored electronically. We will adopt the 3-2-1 method for backups: keeping at least three (3) copies of our data, storing the two (2) backup copies on different storage media, and keeping one (1) of those backup copies offsite. All backups will be encrypted;
- Personal data must not be stored on mobile devices (including memory sticks, laptops, tablets, and smartphones) without the consent of the Data Protection Manager and, in the event that such approval is granted, for no longer than is absolutely necessary;
- Personal data will not be transferred to any device personally belonging to any member of personnel.
- We must delete permanently from our information systems any personal data (and sensitive personal data) that is no longer required and destroy any hard copies securely in accordance with our data retention policy.
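The 3-2-1 backup rule and the "all backups encrypted" requirement above can be checked mechanically against a backup inventory. The following is an added example, not code from the policy or from www.dosegb.com's own systems; the inventory format, the field names (media, primary, offsite, encrypted) and the two sample inventories are constructed assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    """One copy of the data. Field names are an assumption for this example."""
    label: str       # hypothetical name for the copy
    media: str       # storage media type, e.g. "ssd", "nas-disk", "object-storage"
    primary: bool    # True for the live working copy, False for a backup
    offsite: bool    # held away from our premises
    encrypted: bool  # encrypted at rest


def check_backups(inventory):
    """Return the list of 3-2-1 / encryption violations for an inventory.

    Rules applied, as stated in the storage section of the policy:
      - at least three copies in total, counting the live data;
      - at least two backup copies, held on at least two different media;
      - at least one backup copy held offsite;
      - every backup copy encrypted.
    An empty list means the inventory is compliant.
    """
    problems = []
    backups = [c for c in inventory if not c.primary]

    if len(inventory) < 3:
        problems.append(f"only {len(inventory)} copies in total; need at least 3")
    if len(backups) < 2:
        problems.append(f"only {len(backups)} backup copies; need at least 2")

    media_types = {c.media for c in backups}
    if len(media_types) < 2:
        problems.append(
            f"backups use {len(media_types)} media type(s); need at least 2")

    if not any(c.offsite for c in backups):
        problems.append("no backup copy is held offsite")

    for c in backups:
        if not c.encrypted:
            problems.append(f"backup '{c.label}' is not encrypted")

    return problems


# Constructed sample inventories; these do not describe any real system.
COMPLIANT = [
    Copy("live-db", media="ssd", primary=True, offsite=False, encrypted=True),
    Copy("nightly-nas", media="nas-disk", primary=False, offsite=False, encrypted=True),
    Copy("weekly-cloud", media="object-storage", primary=False, offsite=True, encrypted=True),
]

# Two backups on the same media, neither offsite, one unencrypted:
# three separate violations.
NON_COMPLIANT = [
    Copy("live-db", media="ssd", primary=True, offsite=False, encrypted=True),
    Copy("nas-a", media="nas-disk", primary=False, offsite=False, encrypted=True),
    Copy("nas-b", media="nas-disk", primary=False, offsite=False, encrypted=False),
]


if __name__ == "__main__":
    for name, inventory in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(name, check_backups(inventory) or "OK")
```

The check treats the live data as one of the three copies, which is the usual reading of 3-2-1; if the intended reading is three backup copies in addition to the live data, raise the thresholds in check_backups accordingly. A check like this only confirms that the inventory is arranged correctly; it does not replace the regular restore testing required under the "technical and organisational measures" section above.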
-
Data breaches
- A data breach is any loss of data or information in whatever form it is held and by whatever means the data was lost including data that is destroyed or rendered unusable. It may take many different forms, including:
- loss or theft of data or of equipment on which personal information is stored;
- unauthorised access to or use of personal information, whether by a member of staff or by a third party (for example through hacking);
- loss of data resulting from an equipment or systems (including hardware and software) failure;
- human error, such as accidental deletion or alteration of data;
- unforeseen circumstances, such as fire or flood;
- deliberate attacks on IT systems, such as hacking or malware (including viruses); and
- social engineering, such as phishing and vishing, where information is obtained by deception.
- All personal data breaches must be reported immediately to the Data Protection Manager.
- In the event that any personnel become aware of a data breach, or suspect that a data breach has occurred, they must not attempt to investigate it themselves as this can lead to further issues arising. They must instead report all evidence relating to the personal data breach to the Data Protection Manager.
- Where a personal data breach occurs that is likely to result in a risk to the rights and freedoms of data subjects, the Data Protection Manager must ensure that the Information Commissioner's Office (ICO) is informed of that breach without undue delay and, in any event, within 72 hours of our becoming aware of it. If the ICO is notified later than 72 hours after we become aware of the breach, the notification must be accompanied by the reasons for the delay. Every personal data breach, whether or not it is notified to the ICO, must be recorded together with its effects and the remedial action taken.
- Where a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Data Protection Manager must ensure that all data subjects affected by that breach are notified directly and without undue delay.
- A data breach notification shall at least:
- describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the Data Protection Manager or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach; and
- describe the measures taken or proposed to be taken by us to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
-
Training
- We will ensure that all personnel receive adequate training on their data protection responsibilities and on how to recognise and respond to requests such as subject access requests, objections, and requests for erasure and rectification. Those whose roles require regular access to personal information, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.
- Information will be provided to all new personnel as part of their induction training.
-
Failure to comply
- We regard compliance with this policy as an extremely serious matter. Failing to comply puts at risk those individuals whose personal information is being processed, carries the risk of significant civil, criminal and regulatory sanctions for us and our personnel and may, in some circumstances, amount to a criminal offence by the individual.
- Because of the importance of this policy, any failure by any personnel to comply with the provisions set out in this policy will be taken seriously and may lead to disciplinary action being taken against that person under our usual disciplinary processes. Breaches may result in dismissal for gross misconduct for employees and immediate contract termination for non-employees.