Privacy Policy

GENERAL DATA PROTECTION REGULATION POLICY

This policy updates Fire Risk Solutions' current Data Protection Policy and procedures to include the additional requirements of GDPR, which apply in the UK from 25th May 2018. The Government has confirmed that, despite the UK leaving the EU, GDPR will still be a legal requirement, probably via the Great Repeal Bill.

This policy explains the duties and responsibilities of Fire Risk Solutions and identifies the means by which the company will meet its obligations.

MINIMISING RISK AND IDENTIFYING ROLES

GDPR requires that everyone within the company must understand the implications of GDPR and that roles and duties must be assigned. The Managing Director is the Data Controller and the Office Manager is the Data Protection Officer (DPO).

Personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes, be adequate, relevant and limited to what is necessary for processing; be accurate and kept up to date; be kept only for so long as is necessary for processing; and be processed in a manner that ensures its security.

Information handling is a high/medium risk to the company and will be included in the company’s Risk Assessment. Such risks can be minimised by undertaking an Information Audit; issuing privacy statements; minimising who holds information; the safe disposal of information; and training.

GDPR requires continued care by the Data Protection Officer and the company in the sharing of information about individuals, whether as a hard copy or electronically. A breach could result in a fine and a payment of compensation.

THE SIX DATA PROTECTION PRINCIPLES

1. LAWFULNESS, FAIRNESS & TRANSPARENCY

Lawfulness: Processing must meet the tests described in GDPR;

Fairness: What is processed must match up with how it has been described; and

Transparency: Tell the subject what data processing will be done.

2. PURPOSE LIMITATION

This will be contained in the company’s Privacy Notice, i.e. telling people why we need their data when we collect it from them, what we will do with it, who we will share it with and how long we will keep it.

3. DATA MINIMISATION

This must be adequate, relevant, and limited to what is necessary.

4. ACCURACY

This means that any information held will need to be up to date and accurate. If it is found to be inaccurate, correct or delete it without delay.

5. STORAGE LIMITATION

Data must not be kept longer than is necessary or legally required.

6. INTEGRITY & CONFIDENTIALITY

Data must be kept physically and electronically secure.

THE SIX LEGAL PURPOSES FOR THE LAWFUL PROCESSING OF DATA

1. CONSENT

This is the usual basis for processing data, with the burden of proof being higher under GDPR.

Consent means ‘freely given specific and informed indication of wishes by which data subject signifies agreement to their personal data being processed’.

Consent is not freely given if there is no real choice, or if refusing or withdrawing consent will cause detriment. Withdrawing consent should be as easy as giving consent. The burden of proof is on the Data Controller (the Managing Director) to prove that consent was given. Consents should be regularly reviewed and updated.

2. PERFORMANCE OF CONTRACT

This means the collection and processing of data to provide the service.

3. COMPLIANCE WITH LEGAL OBLIGATION

Processing is necessary for compliance with a legal obligation to which the controller is subject.

4. VITAL INTERESTS OF DATA SUBJECT

For example, monitoring epidemics, and humanitarian emergencies.

5. PUBLIC INTEREST

For example, the use of personal data for the collection of income tax.

6. LEGITIMATE INTERESTS OF DATA CONTROLLER

For example, for the prevention of fraud.

ENHANCED RIGHTS FOR ALL INDIVIDUALS

All individuals who have dealings with the company have these rights and the company needs to take account of these rights.

REQUESTS FOR INFORMATION (SUBJECT ACCESS REQUESTS)

Under the GDPR a data controller may not charge for dealing with a request for access to personal data (a subject access request). The company must reply promptly and, in any event, within one month (for complex or numerous requests this period can be extended by a further two months). There is discretion to charge a reasonable fee, or to refuse to comply, if the request is unfounded or excessive, but the data controller bears the burden of proving that the request was unfounded or excessive. Third parties can ask for information but must still prove they have consent, or justify why it is appropriate, as they do now.

TRANSPARENCY

People should know whether they are obliged to provide their personal data and what the potential consequences are. This needs to be clear at the point of collecting the data.

RECTIFICATION

The right to have inaccurate personal data corrected. If inaccurate data has been shared there is an obligation to inform any recipients of the correction unless this is impossible or would involve disproportionate effort.

ERASURE (THE RIGHT TO BE FORGOTTEN)

This is not an absolute right and it does not apply if there is a lawful reason for continued processing. This might be a factor, for example where the company has employment records and someone requests that details of a grievance, or a disciplinary matter, be removed.

RESTRICTION OF PROCESSING

Where there is a dispute about the processing of the data then affected personal data may only be processed with the data subject’s consent, for establishing or defending legal claims, for the protection of another natural or legal person’s rights or for reasons of important public interest. This restriction continues until the dispute is resolved.

DATA PORTABILITY

This allows a data subject to instruct a data controller to transmit their personal data to another controller where it is technically feasible to do so. There is no obligation to maintain, or adopt, technically incompatible systems.

OBJECTION TO PROCESSING

A data subject can object to the processing of their data and a data controller must respond within one month (with a potential two-month extension for complex or numerous requests). Processing includes profiling for the public interest, for direct marketing and for historical research or statistical purposes. Other than for direct marketing, the request is subject to the application of the public interest test.

DATA PROTECTION PRINCIPLE SIX

INTEGRITY & CONFIDENTIALITY – KEEPING PERSONAL DATA SECURE

Keeping personal data secure means keeping IT systems secure. This includes, for example, strong passwords, regular back-ups, keeping software updated and applying patches as soon as possible; it also covers encryption, protecting data, having guidance for the storage of the company’s business tablets or phones, and having a company email address.

IMMEDIATE IMPACT OF GDPR ON Fire Risk Solutions

1. Notification is abolished. The company needs to continue to maintain the record of processing it already has and keep it updated.

2. Appoint a Data Protection Officer, who must:

· Have appropriate expertise;

· Be able to report to the company;

· Be able to operate independently;

· Not be dismissed for carrying out their role properly.

The tasks will be:

· Dealing with subject access requests and ‘right to be forgotten’ requests;

· Reporting data breaches to ICO and affected data subjects;

· Implementing and updating policies and procedures;

· Dealing with enquiries and complaints from data subjects.

3. Review the policies on data security, retention and responding to requests for information, because they all need to work together. This includes a clear process (that everyone is aware of) for identifying a breach of data security and deciding whether it needs to be reported to the ICO.

4. Put in place a Privacy Notice and ensure the company has appropriate privacy wording whenever personal data is collected.

5. Check IT security: regular back-ups must be undertaken, and updates need to be applied as soon as they are available. Patches issued to deal with holes in security need to be applied as appropriate.

6. Check explicit consent is being obtained to use personal data and do not rely on implied consent, pre-ticked boxes or inactivity.

7. When considering using cloud services, look for providers adhering to the Cloud Infrastructure Service Providers in Europe Code of Conduct.

An Information Audit will need to be reviewed annually, or when services or projects change.

This policy will be reviewed annually or when further advice is issued by the ICO.

All employees are expected to comply with this policy at all times to protect privacy, confidentiality and the interests of Fire Risk Solutions.

See the following eleven steps that Fire Risk Solutions has implemented.

1. AWARENESS

Everyone in the company is aware of what is happening.

2. INFORMATION THE COMPANY HOLDS (INFORMATION AUDIT)

The company has checked what information it holds (and why) and has decided whether it needs to keep it.

3. COMMUNICATING PRIVACY INFORMATION

The company needs to tell people why it is collecting their data, what it will be used for, who it will share it with and how long it will be kept for, and this needs to be done every time data is collected.

4. INDIVIDUAL’S RIGHTS

The company needs to ensure its policy makes clear the rights individuals have to see their information, correct it, delete it or transfer it.

5. SUBJECT ACCESS REQUESTS

The company has ensured this policy is easily available and easy to understand.

6. LAWFUL BASIS FOR PROCESSING INFORMATION

The company needs to ensure it is processing data with consent.

7. CONSENT

The company needs to receive informed consent.

8. DATA BREACHES

The company has a process for identifying breaches and reporting them.

9. DATA PROTECTION BY DESIGN & DATA IMPACT ASSESSMENTS

Systems and policies have safeguards for personal data built in.

10. DATA PROTECTION OFFICER

The company has appointed a Data Protection Officer. The company has ensured that all employees understand the duties and responsibilities.

11. INTERNATIONAL TRANSFER

If the company uses ‘cloud services’ this could result in an international transfer.

Fire Risk Solutions April 2018