Impacting Business by Design Data Protection Policy
1. Purpose of the policy
- To set out Impacting Business by Design’s (IBBD’s) policy for the secure processing of personal data for which IBBD is the data controller.
- To ensure that IBBD complies with relevant privacy laws, most notably the Data Protection Act (DPA) 2018, the General Data Protection Regulation (GDPR) and the Privacy & Electronic Communications Regulations (PECR).
- To ensure that IBBD processes personal data fairly and lawfully, as set out by the seven key principles of the GDPR.
- To ensure that IBBD staff, including contractors and other third parties working for or on behalf of DMU, are aware of their responsibilities for the protection of personal data.
2. Scope and applicability
- Personal data
2.1 The GDPR defines personal data as information from which a natural (living) person can be identified, either directly or indirectly.
2.2 This policy covers personal data for which IBBD is the data controller. Under data protection law, the data controller is the body that legitimately determines the purpose of the processing.
- IBBD Staff
2.3 This policy is applicable to all IBBD employees, and all staff working for or on behalf of IBBD, including contractors and other third parties.
- There must be a lawful basis for the processing
3.1 One lawful basis under Article 6 of the GDPR (lawfulness of general processing) must be defined and, where applicable, one lawful basis under Article 9 (to process special categories of personal data) must also be defined.
3.2 To process criminal offence data, one lawful basis under Article 6 must be defined, and a condition for processing under the DPA 2018 must also be met. Under DPA 2018, criminal offence data is the equivalent of special category data.
3.3 The lawful basis must be clearly documented in the ‘Record of data processing activities’ and an explanation as to how the processing complies with the law included in the ‘Privacy Notice’.
- Appropriate documentation must be maintained
3.1 Record of data processing activities
Each department must maintain a ‘Record of data processing activities’. This must include:
- The purpose of the processing
- Categories of individuals whose personal information is processed, e.g. staff, partners
- Categories of personal data, i.e. whether it falls under general processing alone or includes special category or criminal offence data.
- The source(s) of the personal data
- The lawful basis/bases for the processing under the GDPR and, for criminal offence data, the condition relied upon under the DPA 2018
- Any transfers of personal data outside the European Economic Area and to countries not deemed adequate by the EU, and what safeguards are in place where such transfers occur
- How long personal data is retained for, or how retention is determined
- The location of the information (where it is stored)
- A description of the technical and organisational security measures (or hyperlink to relevant policies and procedures).
- Where consent is the lawful basis, how this is recorded
- Information required for (or link to) privacy notice(s)
3.2 Privacy Notice
IBBD will publish or make available a Privacy Notice (or Notices) that is understandable by all stakeholders. The privacy notice will be reviewed at least annually, taking into account feedback from interested parties. The privacy notice must include:
- The purpose(s) of the processing
- The lawful basis/bases for the processing
- The rights of individuals under the GDPR
- The source(s) of the personal data that are processed
- The existence of automated decision making or profiling
- Who the personal data may be shared with (third parties)
- How we keep personal data secure
- How to make a subject access request and exercise other rights
- That IBBD is the data controller
- Contact details of DMU’s Data Protection Officer (DPO) (DPO@dmu.ac.uk)
- Data Protection Officer (DPO)
IBBD has an appointed DPO. The DPO is responsible for providing advice to IBBD and monitoring its compliance with data protection laws. The DPO will be adequately resourced to carry out his or her duties and responsibilities.
The DPO is a statutory post. The DPO’s contact details are included in the Privacy Notice. The DPO can be contacted at DPO@dmu.ac.uk.
- Subject Access Requests (SARs)
SARs will be appropriately responded to. The GDPR requires SARs to be responded to within one calendar month.
- Data Protection Impact Assessment (DPIA)
3.1 DPIAs will be incorporated into the project management process.
3.2 A DPIA should be carried out at the earliest opportunity so that privacy is ‘by design and default’. A DPIA should be repeated whenever there is a change of processing activities which may impact on privacy.
3.3 A DPIA Screening Checklist and DPIA template are made available in the IBBD HEI members area.
3.4 Consideration will be given to the use of pseudonymisation and anonymisation where this security measure can be practically implemented without compromising the purpose of the processing.
- Incident reporting
3.1 Information security incidents involving personal data, including near misses, will be logged and investigated by information governance staff.
3.2 Serious incidents will be immediately reported to the DPO.
3.3 Incidents will be monitored by the IBBD management team and will be reported to the DMU Governing Body.
- Staff training
IBBD will provide adequate staff training to ensure that all staff are aware of their responsibilities for data protection and information security.
Data protection and information security will be included in induction training for new staff.
All staff are required to undertake information governance e-learning, which includes a test of comprehension, at least once every two years.
- Data processor contracts
3.1 All contracts with third party data processors will ensure that full instructions as to the permissible processing are included in the contract.
3.2 Contracts must stipulate that adequate organisational and technical measures must be in place to protect personal data and, where transfers occur to countries outside of the EEA and to countries not deemed adequate, must require that adequate safeguards are employed (NB: the European Commission provides standard clauses).
3.3 Legal services must formally approve all contract templates.
- Information Sharing Agreements (ISAs)
Where personal data is to be shared with other data controllers, this will be in accordance with an Information Sharing Agreement that will be agreed between all parties to the agreement.
Stand-alone ISAs provide a secure framework for the sharing of personal data. They are not binding agreements.
4. Roles and responsibilities
All staff are responsible for the protection of personal data. Staff should ensure that they follow IBBD’s policies and procedures that relate to the protection of personal data.
The Data Protection Officer (DPO) is responsible for monitoring IBBD’s compliance with data protection laws, IBBD data protection policies and procedures, awareness raising, training and audits.
The IBBD Principal Investigator/Project Manager is responsible for managing information security incidents, and for mitigating information security incidents and risks.
The IBBD Principal Investigator/Project Manager is responsible for reviewing and updating this policy and for managing SARs.
5. Other laws, regulations, and guidance
- Privacy and Electronic Communications Regulations 2003
- Human Rights Act 1998 (Article 8)
- Common law duty of confidence
- Computer Misuse Act 1990
- Regulation of Investigatory Powers Act 2000
- Limitations Act 1980
- ICO Code of Practice for Anonymisation
- Rehabilitation of Offenders Act 1974
Impacting Business by Design (IBBD) Privacy Notice
Data protection and privacy laws
The main laws are the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). We also adhere to the duty of confidence and the Human Rights Act (Article 8).
For electronic communications, including email and cookies, we comply with the Privacy and Electronic Communications Regulations (PECR).
The GDPR defines some types of information as special category data because it is more sensitive. We must have an additional lawful basis to process special category data.
The GDPR gives you rights over how your personal information is used:
- The right to be informed – we must tell you how we process your personal information.
- The right of access – you can ask to see what personal information we hold about you. This is called a Subject Access Request (SAR).
- The right of rectification – where information about you is inaccurate, you can ask us to correct it.
- The right to erasure – in some circumstances, or where IBBD has no compelling reason to retain your personal information, you can request deletion of that information.
- The right to restrict processing – in some circumstances, you can ask us to restrict the processing of your personal data. This right, where it applies, also allows you to ask us to retain your personal information but not to use it.
- The right to data portability – in some circumstances, you can request a copy of the personal data you have provided to us in a machine-readable form, so you can transfer it to another organisation for a similar purpose.
- Right to object – where there is no legal obligation for IBBD to process your data, you can object to us processing your personal information.
- Rights in relation to automated decisions and profiling – where computers make decisions about you, including automated profiling, you have a right to challenge the decision or ask for a human to check an automated decision.
To discuss any of these rights, please contact firstname.lastname@example.org and let us know how we can help.
Impacting Business by Design is the data controller
Impacting Business by Design is the data controller. This means that we determine the purpose of the processing and are responsible for the adequate protection of personal information.
All our staff are appropriately trained and understand their responsibilities for protecting personal data.
When we purchase services or support from a third party, or outsource a service or function to a third party, we remain the data controller, and our suppliers and service providers must adhere to our contract terms and conditions, which include data protection and information security requirements.
How to make a Subject Access Request (SAR)
You can make a Subject Access Request (SAR) to find out what information IBBD holds about you. We will respond to your request within one calendar month.
There is not normally a fee for a SAR, but if your request involves an excessive amount of information, we may charge an administration fee. We will let you know beforehand if we intend to apply an administration fee.
To help us locate your information, please include with your request your name (and any other names you have been known by, if relevant), the period to which the information relates (the calendar year(s)), your date of birth and your address at the time. We will send the information to you by email.
Before we can disclose any information to you, we will need to see evidence of your identity. We ask for photo ID if possible. Please include either a copy of your passport (showing your photo, name, date of birth and signature), or a copy of your driving licence (UK or EEA photo card driving licence).
If you do not have either of the above, please send us a copy of your original birth certificate.
If you don’t have any of the above documents, please send us two documents from the below list. These must be addressed to you and cannot both be bank statements or from the same utility company.
- Utility bill
- Council tax bill
- Bank statement
- Old style driving licence
- Official notification letter from either the DWP or HMRC
You can ask someone else to make a SAR on your behalf. We will need to see evidence that the person making the request is entitled to act on your behalf and they will also need to provide us with evidence of your identity.
How to complain
If you have any concerns or wish to complain about a data protection issue, please contact our Data Protection Officer at DPO@dmu.ac.uk
If you are dissatisfied with the way IBBD has handled your complaint, you have a right to complain to the Information Commissioner’s Office at ICO.org.uk
We use information posted publicly on social media so that we can make information available where it may be relevant or of interest. We never attempt to access private social media accounts.
If you raise a query or a complaint through IBBD’s social media, we’ll of course have a record of your user name. We will only use this to resolve your query or complaint and to improve your user experience with the university.
How to report a data protection incident
Please let us know about any data protection or information security incident as soon as possible, by writing to us at dataprotection@DMU.ac.uk and including:
- your contact details
- the nature of the incident
- the date and time of the incident
- how the incident was discovered
- the type of information (and number of records if known)
- the circumstances of the incident