
Data protection policy

Working together to handle personal data safely, respectfully and lawfully.

Scope

The Data Protection Policy (the Policy) ensures the Royal College of Obstetricians and Gynaecologists (the College) complies with Data Protection Law, namely the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018. These set out the framework for how the UK processes personal data:

  • UK GDPR, enforceable in all EU member states from 01 January 2021, covers most of the legal obligations for processing personal data in the UK
  • DPA enacts UK GDPR and replaces the DPA 1998. It sets out:
    • how other information rights legislation (e.g. Freedom of Information Act 2000) interacts with the new DPA and UK GDPR
    • how personal data must be processed in the UK where it doesn't fall within UK GDPR, e.g. immigration or national security matters
    • local rules for the UK that complement UK GDPR, e.g. additional measures required for the processing of special category personal data
    • the Information Commissioner’s Office’s (ICO) role, functions and powers.

The Policy applies to:

  • all staff (employed and contracted), officers, trainees, members, College representatives and suppliers who handle and use our information (where we’re the 'Controller' for the personal data being processed), whether we hold it on our systems (manual and automated) or if others hold it on their systems for us
  • all personal data processing we carry out for others (where we’re the 'Processor' for the personal data being processed)
  • all formats, e.g. printed and digital information, text and images, documents and records, data and audio recordings.

Guiding values

In order to conduct its normal business, the College collects and uses certain types of personal information about living individuals. These include current, past and prospective trainees, members, staff, College representatives, suppliers, clients, customers, and others with whom it has business, or with whom it communicates.

The College considers the lawful and correct treatment of such personal information as essential to the efficient and successful conduct of its business. It also recognises that it is crucial to fostering and maintaining the confidence of its main stakeholders and the wider public in the College and its operations.

The College is committed to ensuring that it treats personal information lawfully and correctly, and recognises that there are safeguards to ensure this in data protection law.

Objectives

The Policy’s objectives are to:

  • comply with Data Protection Law, e.g. data protection impact assessments
  • meet our data protection standards, e.g. information sharing arrangements
  • protect the rights of our staff, officers, trainees, members, College representatives, suppliers, clients, customers and public users, e.g. procedures to govern Individual Rights’ request handling
  • protect the College from the risks of a data protection breach and related reputational, financial and legal damage, e.g. encrypt special category personal data.

Definitions

“Personal Data” is all information that relates to an identifiable living person (or “Data Subject”) and that can be used to identify the person directly, or indirectly when used with other information. It includes but is not limited to:

  • a person's name
  • job title
  • age
  • postal or email address
  • IP address, e.g. online identifier
  • vehicle registration number
  • bank details
  • plus, any other information that relates to them, e.g. a pseudonym such as a National Training, NHS or hospital number.

There are “Special Categories” of personal data, which include but are not limited to data revealing:

  • race or ethnicity
  • religious or philosophical beliefs
  • trade union membership
  • a person’s health
  • sex life or sexual orientation
  • genetic or biometric data.

“Processing” relates to all actions or handling of personal data by manual or automated means, e.g. data collection, erasure and destruction plus everything in between including recording, use, disclosure, sharing and storage.

Much of the information we process includes personal data about, e.g.:

  • trainees and members of the College
  • examination candidates
  • visitors to the College
  • users of College services, e.g. the website and library
  • staff and officers working for the College
  • contractors and suppliers of the College
  • partners with the College, e.g. specialist societies.

Please see Appendix 2 for a full glossary of data protection terms.

Roles and responsibilities 

The data protection laws have clearly defined roles and responsibilities.

A “Data Controller” is an individual or organisation who:

  • decides to collect or process personal data
  • decides what the purpose or outcome of processing is to be
  • decides what personal data should be collected
  • decides which individuals to collect personal data about
  • obtains a commercial gain or other benefit from the processing, except for any payment for services from another controller
  • processes personal data as a result of a contract between us and the data subject
  • whose data subjects are the employees
  • makes decisions about the individuals concerned as part of or as a result of the processing
  • exercises professional judgement in the processing of the personal data
  • has a direct relationship with the data subjects
  • has complete autonomy as to how the personal data is processed
  • has appointed processors to process the personal data on our behalf.

“Joint Data Controllers” are two or more individuals or organisations who:

  • have a common objective with others regarding the processing
  • process the personal data for the same purpose as another controller
  • use the same set of personal data (e.g. one database) for this processing as another controller
  • design the processing with another controller
  • have common information management rules with another controller.

A “Data Processor” is an individual or organisation who:

  • follows instructions from someone else regarding the processing of personal data
  • is given the personal data by a customer or similar third party, or told what data to collect
  • does not decide whether to collect personal data from individuals
  • does not decide what personal data should be collected from individuals
  • does not decide the lawful basis for the use of that data
  • does not decide what purpose or purposes the data will be used for
  • does not decide whether to disclose the data, or to whom
  • does not decide how long to retain the data
  • makes some decisions on how data is processed, but implements these decisions under a contract with someone else
  • is not interested in the end result of the processing.

The College is predominantly a “data controller” when processing personal data, e.g. when we procure a service from a supplier under contract and the supplier is the “data processor”. Sometimes we are a “joint data controller”, e.g. many of our clinical quality projects and reviews involve sharing the “data controller” responsibilities with our NHS partners.

A “Data Subject” is a living individual who can be identified from the personal data or from additional information held, or obtained, by the RCOG.

The Policy defines the College’s data protection roles and responsibilities:

  • Staff must
    • understand, keep up-to-date with, and comply with the Policy
    • complete their mandatory Data Security Awareness training every year, and within four weeks of joining the College – completion of the training is monitored and reported to Executive Director and Directors
  • Line managers must
    • apply the Policy across their team(s)
    • cascade data protection awareness communications to their team(s)
    • make sure their staff comply with the Policy
    • make sure their staff complete the mandatory Data Security Awareness training within given timescales
    • monitor suppliers and partners' compliance with the Policy through routine procurement and contract management activities, e.g. use appropriate contractual clauses and supporting information sharing agreements.
  • Information Asset Ownership across the College has been delegated to Directors and some Information Governance Leads who must
    • understand what information assets their team(s) process(es)
    • understand its value to the College and the related approach, appetite and capacity for risks and opportunities in conjunction with the College’s risk management standards
    • make sure the information is managed according to the Policy. This includes making decisions about how information is processed, e.g. what’s collected, how it’s used, who it’s shared with, when it’s deleted, and whether information risks are mitigated further or accepted by us.
  • Information Governance (IG) Leads are staff who have been nominated by the Information Asset Owners and must
    • champion IG, including data protection, within their departments
    • be the first point of contact on all IG related matters, including data protection, within their departments
    • raise and monitor awareness of good IG practice within their departments, especially the processing of personal data
    • facilitate an annual assessment across their departments for the Data Security and Protection Toolkit.
  • The Information Governance Management Group is responsible for overseeing all aspects of Information Governance (IG) at the College, including data protection. They must
    • ensure College compliance with statutory and regulatory requirements, e.g. UK GDPR and DPA
    • report to the Audit and Risk Committee.
  • The Senior Information Risk Officer (SIRO) is responsible for implementing and leading on IG risk assessment and management processes with the College and must
    • advise the Executive Team and Chief Executive Officer on the effectiveness of information risk management
    • lead on the management of security incidents and data protection breaches
    • chair the IGMG.
  • The Caldicott Guardian is primarily responsible for the protection of confidential, personal information and for ensuring it is used in line with the Caldicott Principles.
  • The Information Governance Officer is part of the Research and Information Services Team and must
    • provide day to day management of IG and data protection compliance across the College
    • provide advice and support to the IG Leads, Information Asset Owners and the wider organisation
    • act as Administrator for the Toolkit
    • implement records management best practice
    • investigate security incidents and breaches
    • coordinate Individual Rights requests, e.g. Subject Access Requests (SARs).
  • The Head of Information and Governance is responsible for the delivery of IG best practice and must
    • report to the SIRO
    • lead on data protection matters, including this Policy
    • be the named contact for external authorities, e.g. the ICO and NHS Digital.
  • Officers and Committee Members must comply with the Policy when handling personal data on behalf of the College.
  • Trainees, members, College representatives and suppliers must follow all the data protection requirements in their respective role descriptions, contracts, terms and conditions and/or Code of Conduct.

Policy

Statement

The College commits to processing all personal data in compliance with the data protection principles (unless a data protection law exemption applies).

Personal data must:

  (a) Be processed lawfully, fairly and in a transparent manner (Lawful, fair and transparent)
  (b) Be obtained only for specific, lawful purposes (Purpose limitation)
  (c) Be adequate, relevant and limited to what is necessary (Data minimisation)
  (d) Be accurate and, where necessary, kept up to date (Accuracy)
  (e) Not be held for any longer than necessary (Storage limitation)
  (f) Be protected in appropriate ways (Integrity and confidentiality/Security)

The College must demonstrate how we comply with the above principles (a) - (f) (Accountability), therefore the Policy governs or is integral to the following policies, procedures and ways of working:

  • Privacy Notice - principles (a) and (b)
  • Data Protection Impact Assessment and Guidance – principles (c) and (f)
  • Guidance Notes on Handling Personal Data – principles (a), (b) and (c)
  • Information Asset Register – all the principles plus all flows of information within and outside of the College
  • Records Management Policy and procedures, e.g. Retention Schedule – principles (c), (d) and (e)
  • Data Security and Protection Incident Handling Policy - principle (f)
  • IT Security Policy - principle (f)
  • Individual Rights Requests Guidance - all the principles
  • Information Governance Policy – the overarching Accountability principle.

All personal data processing must have a lawful basis for processing from the following:

  • the Data Subject consents to the processing of their personal data
  • the processing is necessary:
    • to enter into or carry out a contract with the Data Subject
    • to comply with our (or another Controller’s) legal obligations
    • to protect the vital interests of the Data Subject
    • to exercise our (or another Controller’s) official authority or perform a public interest task
    • to meet the legitimate interests of a Controller or another third party.

Of these lawful bases, the College most frequently uses the following three which then determine which of the College’s procedures and ways of working must be adopted:

  • contract – where this applies, the contracts must:
    • be written
    • include, or be based on, the College’s mandatory data protection clauses and schedules, whether we are the Client or the Contractor
    • be monitored for compliance
    • be up-to-date.
  • legitimate interests – where this applies, the Data Subject must be notified using the College’s Privacy Notice and/or a supplementary notification using the College’s Privacy Checklist
  • consent – where this applies, the Data Subject must provide explicit and informed consent which is then managed to enable them to withdraw consent at any time; all consent notices must follow the College’s Consent Checklist (available on request).

We must also meet additional conditions where we process special categories of personal data which are defined by UK GDPR with the DPA determining additional requirements:

  1. the data subject has given explicit consent
  2. processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
  3. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
  4. processing is carried out in the course of its legitimate activities with appropriate safeguards by specific organisations, on condition that the processing relates solely to the members or to former members of that organisation
  5. processing relates to personal data made public by the data subject
  6. processing is necessary for the establishment, exercise or defence of legal claims
  7. processing is necessary for reasons of substantial public interest
  8. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
  9. processing is necessary for reasons of public interest in the area of public health
  10. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

The College commits to the processing of all personal data in compliance with the Data Subjects’ Individual Rights (unless a data protection law exemption applies).

Data Subjects have:

  1. the right to be informed - e.g. Fair processing/privacy notices
  2. the right of access - e.g. subject access requests (SARs)
  3. the right to rectification - e.g. have their data corrected
  4. the right to erasure – e.g. have their data deleted/removed
  5. the right to restrict processing – e.g. stop their data being used
  6. the right to data portability – e.g. transfer their data easily
  7. the right to object – e.g. challenge what we’re doing with their data
  8. rights in relation to automated decision making and profiling – e.g. safeguards to make sure we don’t make potentially damaging decisions about them without human involvement.

As part of these rights, Data Subjects can:

  • make a verbal request against any of the rights listed above
  • complain to the ICO about data protection breaches and can bring court proceedings for compensation where a data protection breach has caused them damage (including distress).

The College must apply additional controls when processing special categories personal data (SCPD) in order to retain compliance with the UK Data Protection Act 2018 – please see Definitions above. Where the College is the Data Controller for the processing of SCPD, we must consider application of the following controls using the SCPD Policy Template in Appendix 2:

  • Schedule 1: condition for processing
  • Procedures for ensuring compliance with the principles (see above)
  • Retention and erasure protocols.

The main Directorates and Departments affected by this are:

  • Education, Quality and Projects – Clinical Quality, Education and Exams
  • Finance and Resources – People and IM&T
  • Membership and Global – Membership Department.

These directorates and departments must have bespoke policies and procedures to govern their processing of SCPD.

The College commits to processing all personal data in compliance with all data protection obligations outlined above (unless a data protection law exemption applies) plus committing to:

  • maintaining a record of our processing activities (RoPA), e.g. the College’s Information Asset Register
  • appointing a 'Data Protection Officer' (DPO) or equivalent – the College has fewer than 250 employees so does not require a DPO; the function is therefore shared between the Head of Information and Governance and the SIRO
  • adopting a 'Privacy by Design and Default' approach to personal data processing, including completing data protection impact assessments (DPIA) on all high-risk data processing, e.g. the College’s data protection impact assessment
  • paying the ICO an annual data protection fee (DP Fee)
  • notifying the ICO within 72 hours of information security incidents (IS Incidents) involving personal data, unless they don’t risk data subjects’ rights and freedoms
  • processing personal data within the EU and only transferring it outside the EU if appropriate safeguards are in place
  • implementing sufficient technical controls to enforce this policy, e.g. to ensure all SCPD is encrypted when “at rest”, and to avoid the inappropriate copying, downloading or sharing of any personal data
  • compliance with the NHS Digital Data Security and Protection Toolkit
  • compliance with the National Data Opt Out Policy, e.g. only processing health/patient data where the Data Subjects have not opted out of their data to be used for secondary purposes such as research.

Data protection law exemptions are applied only once they’ve been considered with reference to the law, ICO issued guidance, the College’s other information management and information governance policies and, where appropriate, following guidance from the Research and Information Services Team.

Implementation

In summary:

  • All staff must receive training, appropriate to their role, to help them understand how to process personal data in line with the Policy - e.g. complete the annual, mandatory data security awareness training and other training as and when required, such as Privacy and Consent (includes marketing consent), Data Protection Impact Assessments and Information Sharing. Please see the current Learning and Development Programme for details of scheduled sessions
  • All staff processing special category personal data or with a dedicated IG role must attend the Advanced Data Protection training course and follow their departmental Special Category Personal Data Handling policy
  • All staff must assess and manage the risks around how they process personal data to make sure it’s classified and handled appropriately using the appropriate College tool - e.g. complete a DPIA for all projects/initiatives/procurements involving personal data and follow the relevant guidance notes to handling Personal Data
  • All Trainees, members, College representatives and suppliers must follow all the data protection requirements in their respective role descriptions, contracts, terms and conditions and/or Code of Conduct
  • All staff, officers, trainees, members and College representatives must inform the IG Officer of any Individual Rights Request received relating to the College
  • All staff, officers, trainees, members and College representatives must promptly report potential or actual breaches of the Policy or data protection law to the IG Officer in the Research and Information Services Team, in line with the Security Incident and Reporting Policy
  • All staff, officers, trainees, members, College representatives and suppliers must fully co-operate with any investigation, audit or enforcement activity undertaken by the ICO.

The College, or our suppliers, may log staff, officer, trainee, member or College representative activity to:

  • monitor compliance with our policies to provide assurance on adherence to the Policy
  • respond to incidents
  • prevent, detect, or investigate crime.

We will take appropriate action against staff, officers, trainees, members, College representatives or suppliers found breaching the Policy, as appropriate to their role. Such action may include but is not limited to disciplinary investigations, dismissal, civil or criminal proceedings and fines.

Data Protection Regulator: the ICO

The Information Commissioner’s Office (ICO) is the UK's independent body set up to uphold information rights. Find out more about their organisation and structure on their website: https://ico.org.uk/about-the-ico/

For further advice concerning any aspect of this policy, please contact the Information Governance (IG) Team by email or call +44 20 7772 6200.

Appendices

Appendix 1: Glossary of Data Protection Terms

Data Controller: an individual or organisation who:

  • decides to collect or process personal data
  • decides what the purpose or outcome of processing is to be
  • decides what personal data should be collected
  • decides which individuals to collect personal data about
  • obtains a commercial gain or other benefit from the processing, except for any payment for services from another controller
  • processes personal data as a result of a contract between us and the data subject
  • whose data subjects are the employees
  • makes decisions about the individuals concerned as part of or as a result of the processing
  • exercises professional judgement in the processing of the personal data
  • has a direct relationship with the data subjects
  • has complete autonomy as to how the personal data is processed
  • has appointed processors to process the personal data on our behalf.

Joint Data Controllers: two or more individuals or organisations who:

  • have a common objective with others regarding the processing
  • process the personal data for the same purpose as another controller
  • use the same set of personal data (e.g. one database) for this processing as another controller
  • design the processing with another controller
  • have common information management rules with another controller.

Data Processor: an individual or organisation who:

  • follows instructions from someone else regarding the processing of personal data
  • is given the personal data by a customer or similar third party, or told what data to collect
  • does not decide whether to collect personal data from individuals
  • does not decide what personal data should be collected from individuals
  • does not decide the lawful basis for the use of that data
  • does not decide what purpose or purposes the data will be used for
  • does not decide whether to disclose the data, or to whom
  • does not decide how long to retain the data
  • makes some decisions on how data is processed, but implements these decisions under a contract with someone else
  • is not interested in the end result of the processing.

Data Protection Act 2018: is an Act of Parliament which enacted UK GDPR and established UK only derogations.

Data quality: is a recognition that the accuracy, coverage, timeliness and completeness of data can significantly impact on the value of its use.

Data subject: a living individual who can be identified from the personal data or from additional information held, or obtained, by the RCOG. For example, a CCTV image which can identify someone when linked to building access control codes.

Freedom of Information Act 2000: provides the public with a general right of access to all information held by, or on behalf of, public authorities. Any individual or organisation may request any information held by a public authority. The public authority must tell the applicant (normally within 20 working days) whether it holds the information. If it does, it must supply it, unless an exemption applies. The RCOG, as an independent charity, is not a public authority, and is not directly subject to the Act. However, the College may hold information ‘on behalf of’ a public authority since it performs work for them under contract. Information relating to these activities may be caught by the Act.

General Data Protection Regulation (UK) (UK GDPR): sets out data protection and privacy rights of all individuals within the United Kingdom. It also applies to transfer (export) of personal data outside the UK. UK GDPR comes into force on 01 January 2021.

Information Commissioner or ICO: is responsible for the regulation of the UK GDPR and DPA 2018 throughout the UK. The Information Commissioner is appointed by the Queen and is independent of the UK Government.

Information governance compliance: ensures compliance with all statutory requirements governing the management of information, including rights of access under Freedom of Information and Data Protection legislation.

Information Governance Framework: is a suite of policies, procedures, guidance and standards covering the following areas:

  • information asset and records management, including data quality
  • information rights compliance (such as UK GDPR, FOIA, and PECR)
  • information risk assurance and management, and
  • information security (IM&T).

Information Notice: can be issued by the Information Commissioner and requires a data controller to provide his office with information that he requires to carry out his functions. Failure to comply with an Information Notice is a criminal offence.

Information security: ensures that RCOG information is not compromised by unauthorised access, modification, disclosure or loss.

Information sharing: ensures that RCOG information is shared in a compliant, controlled and transparent manner.

Notification: the RCOG is required to notify the Information Commissioner annually about the categories of personal information it processes and the purposes the personal information is being processed for. Failure to notify is a criminal offence. The Information Commissioner maintains, and publishes, a Register of Data Controllers.

Personal data: is all information that relates to an identifiable living person who can be identified from that information or from additional information held, or obtained, by the RCOG. Examples of personal data are contained in paper files, electronic records and visual and audio recordings.

Processing: is all actions relating to personal data. Gathering, recording, analysing, amending, using, sharing, disclosing, storing and destroying personal data are all covered by this definition.

Records management: processes and practices that ensure RCOG records are systematically controlled and maintained, covering the creation, storage, management, access, and disposal of records, in compliance with best practice, legal obligations and policy requirements.

Special Categories of personal data: include data revealing:

  • race or ethnicity
  • religious or philosophical beliefs
  • trade union membership
  • a person’s health
  • sex life or sexual orientation
  • genetic or biometric data.

Subject Access Request (or Data Subject Access Request): the right given by Data Protection legislation, to an individual to ask for a copy of personal data being processed by the College. The information must be supplied in an intelligible and permanent form unless this involves a disproportionate effort or the individual agrees otherwise. The RCOG may have to consider the Disability Discrimination Act requirements when providing personal data to an individual who may require the information to be provided in a certain format to take a special need into account. Individuals have a right to access information we hold on them and to correct inaccuracies in that information. This includes information in searchable electronic format (shared drives, Integra, Exchequer, Exchange server etc.) AND information held on paper in a structured format that can be searched. Individuals also have the right to ask for the information we hold about them to be deleted.

Following a request, the College must search and collate this information and return it within 40 days. This deadline decreases to 29 days from 25 May 2018. The IG Manager currently deals with Subject Access Requests.

Appendix 2: Special Category Personal Data Policy Template

Scope

The Policy applies to:

  • all staff (employed and contracted), officers, College representatives and suppliers who handle and use RCOG special categories personal data (SCPD) within the directorate or department concerned (where the College is the 'Controller' for the personal data being processed), whether we hold it on our systems (manual and automated) or if others hold it on their systems for us
  • all special categories personal data processing we carry out for others (where we’re the 'Processor' for the personal data being processed)
  • all formats, e.g. printed and digital information, text and images, documents and records, data and audio recordings.

Where we process SCPD for a number of different purposes, you do not need a separate policy document for each condition or processing activity – one document can cover them all – and you may reference policies and procedures which are relevant.

Objectives

The objective of this policy is to demonstrate that the College’s processing of special categories personal data (SCPD) is based on specific Schedule 1 conditions within the DPA and on the requirements of UK GDPR. In particular, it outlines our retention policies with respect to this data as per Schedule 1, Part 4 of the DPA.

Definitions

See Data Protection Policy – Appendix 1: Glossary of Data Protection Terms.

Roles and responsibilities

See Data Protection Policy plus:

  • Information Asset Owner – [insert job title here]
  • Information Asset Administrator – [insert job title here]
  • IG Lead – [insert job title here].

Policy

Description of data processed

Provide a brief description of each category of SCPD being processed. You may wish to refer to the College Information Asset Register and/or Retention Schedule for that particular data. This will assist you in ensuring any supplementary Privacy Notices provided to your Data Subjects contain sufficient detail for them to understand how you are processing their SCPD and how long you will retain it for.

This policy therefore complements your section on the Information Asset Register.

Schedule 1: condition for processing

Provide one of the following to demonstrate compliance with the “condition for processing”:

  • the name and paragraph number of your relevant Schedule 1 condition(s) for processing
  • a link to the College Privacy Policy
  • a link to the relevant information assets in your Information Asset Register.

Procedures for ensuring compliance with the principles

You need to explain, in brief and with reference to the conditions outlined above, how your procedures ensure your compliance with the principles below.

In explaining your compliance with the principles you must consider the specifics of your processing with respect to the SCPD you identified above.

There is no requirement for you to reproduce information that is recorded elsewhere – questions may be answered with a link or reference to other documentation, to your policies and procedures, Data Protection Impact Assessments (DPIAs) or to your privacy notices.

Accountability principle

  1. Do we maintain appropriate documentation of our processing activities?
  2. Do we have appropriate data protection policies?
  3. Do we carry out data protection impact assessments (DPIA) for uses of personal data that are likely to result in high risk to individuals’ interests?

See general checklist for Accountability and Governance.

Principle (a): lawfulness, fairness and transparency

  1. Have we identified an appropriate lawful basis for processing and a further Schedule 1 condition for processing SC/CO data?
  2. Do we make appropriate privacy information available with respect to the SC/CO data?
  3. Are we open and honest when we collect the SC/CO data and do we ensure we do not deceive or mislead people about its use?

See general checklist for Lawfulness, fairness and transparency.

Principle (b): purpose limitation

  1. Have we clearly identified our purpose(s) for processing the SC/CO data?
  2. Have we included appropriate details of these purposes in our privacy information for individuals?
  3. If we plan to use personal data for a new purpose (other than a legal obligation or function set out in law), do we check that this is compatible with our original purpose or get specific consent for the new purpose?

See general checklist for purpose limitation.

Principle (c): data minimisation

  1. Are we satisfied that we only collect SC/CO personal data we actually need for our specified purposes?
  2. Are we satisfied that we have sufficient SC/CO data to properly fulfil those purposes?
  3. Do we periodically review this particular SC/CO data, and delete anything we don’t need?

See general checklist for Data minimisation.

Principle (d): accuracy

  1. Do we have appropriate processes in place to check the accuracy of the SC/CO data we collect, and do we record the source of that data?
  2. Do we have a process in place to identify when we need to keep the SC/CO data updated to properly fulfil our purpose, and do we update it as necessary?
  3. Do we have a policy or set of procedures which outline how we keep records of mistakes and opinions, how we deal with challenges to the accuracy of data and how we ensure compliance with the individual’s right to rectification?

See general checklist for Accuracy.

Principle (e): storage limitation

  1. Do we carefully consider how long we keep the SC/CO data and can we justify this amount of time?
  2. Do we regularly review our information and erase or anonymise this SC/CO data when we no longer need it?
  3. Have we clearly identified any SC/CO data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes?

See general checklist for Storage limitation.

Principle (f): integrity and confidentiality (security)

  1. Have we analysed the risks presented by our processing and used this to assess the appropriate level of security we need for this data?
  2. Do we have an information security policy (or equivalent) regarding this SC/CO data and do we take steps to make sure the policy is implemented? Is it regularly reviewed?
  3. Have we put other technical measures or controls in place because of the circumstances and the type of SC/CO data we are processing?

See general checklist for Security.

Retention and erasure protocols

Please explain your retention and erasure policies with respect to each category of SCPD or link to the relevant sections in the College Retention Schedule.

Appendix 3: Data Protection – Policy on a Page

What is personal data?

“Data which relates to a living, identifiable individual, that is biographical in nature and has them as its focus” – an ‘identifier’

What does data protection mean: busting the jargon?

In plain English, you should only use personal data you are allowed to, be transparent (a), and use it for a specific purpose (b) then…

  • only collect what you need (c)
  • keep it accurate and up to date (d)
  • get rid of it when you no longer need it (e)
  • keep it safe and protect it from wrongful use (f)
  • be accountable and document how we use it (g).

What are the reasons for processing information?

There are 6 lawful bases for processing personal data; the College uses the following 3:

  • Consent
  • Contract
  • Legitimate interests.

What rights do individuals have?

  1. the right to be informed
  2. the right of access
  3. the right to rectification
  4. the right to erasure
  5. the right to restrict processing
  6. the right to data portability
  7. the right to object
  8. rights in relation to automated decision making and profiling.

What does it mean for me?

  • All staff must receive training, appropriate to their role - e.g. complete the annual, mandatory data security awareness training and other training as and when required
  • All staff processing special category personal data must attend the Advanced Data Protection training course and follow the departmental Special Category Personal Data Handling policy
  • All staff must assess and manage the risks around how they process personal data - e.g. complete a DPIA when planning to process “high risk” personal data
  • All trainees, members, College representatives and suppliers must follow all the data protection requirements in their respective role descriptions, contracts, terms and conditions and/or Code of Conduct
  • All staff, officers, trainees, members and College representatives must inform the IG Team of any Individual Rights Request received relating to the College
  • All staff, officers, trainees, members and College representatives must promptly report potential or actual breaches of the Policy or data protection law to the IG Team
  • All staff, officers, trainees, members, College representatives and suppliers must fully co-operate with any investigation, audit or enforcement activity undertaken by the ICO.

The College will take appropriate action against staff, officers, trainees, members, College representatives or suppliers found to be in breach of the Policy, as appropriate to their role. Such action may include but is not limited to disciplinary investigations, dismissal, civil or criminal proceedings and fines.