How we protect and make use of data across this site
1. Purpose and objectives
This policy forms part of SLSuperheroes Ltd's commitment to the safeguarding of personal data processed by its staff. Processing has a very broad definition, and includes activities such as creating, storing, consulting, amending, disclosing and destroying data.
Its objectives are:
To ensure officers recognise personal data.
To ensure officers understand the rights of customers in respect of their personal data and the obligations all staff have with respect to personal data.
To ensure officers comply with data protection laws.
SLSuperheroes Ltd processes the personal data of living individuals such as its staff, customers and contractors. This processing is regulated by the General Data Protection Regulation (GDPR) 2016. It is the duty of SLSuperheroes Ltd as a data controller to comply with the data protection principles (see section 4 of this policy) with respect to personal data. This policy describes how the company will discharge its duties in order to ensure continuing compliance with the GDPR in general and the data protection principles and rights of data subjects in particular.
3. Legislation, guidance and standards
The company has an obligation to make sure that all information systems and processes meet the terms of all relevant legislation and contractual requirements, including the:
The General Data Protection Regulation (GDPR) 2016
The Protection of Freedoms Act 2012
The Human Rights Act 1998
Privacy and Electronic Communications Regulations 2000
E-Privacy Regulation 2018
Regulation of Investigatory Powers Act 2000
Indecent Displays (Control) Act 1981
Obscene Publications Act 1984
Copyright, Designs and Patents Act 1988
Theft Act 1978
Common Law Duty of Confidentiality
Equality Act 2010
Terrorism Act 2006
Limitation Act 1980
The Caldicott Principles
Computer Misuse Act 1990
OFFICIAL 4 Data Protection Policy – May 2018
Freedom of Information Act 2000
Government Security Classification Scheme
If you are not sure of your responsibilities under any of these laws, contact the school office for further information.
4. The principles relating to the processing of personal data
The School/Organisation shall comply with the principles as stated in Article 5 of the GDPR. All staff must adhere to and comply with these principles at all times when processing any personal data as part of their work.
The principles are as follows:
Lawful, fair and transparent: Data collection must be fair and for a legal purpose, and we must be open and transparent as to how the data will be used.
Limited for its purpose: Data can only be collected for a specific purpose.
Adequate, relevant and not excessive: Any data collected must be necessary and not excessive for its purpose.
Accurate: The data we hold must be accurate and kept up to date.
Retention: We cannot store data longer than necessary for the purpose for which it is held.
Security: The data we hold must be kept safe and secure and protected against unauthorised or unlawful processing.
5. Special Categories of Data
Special categories of data create more significant risks to a person's fundamental rights and freedoms, and as such the GDPR imposes stricter conditions on the processing of such data.
Special categories of data include:
trade union membership
In cases where you will be processing such data there is a higher threshold under the Regulations. There is a separate set of conditions, one of which must be satisfied before any of the data above is processed. These conditions can be found on the ICO's website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/
6. Criminal Offence Data
Under the GDPR there are specific rules regarding the processing of personal data relating to criminal convictions and offences. Such processing shall be carried out only under the control of official authority or when the processing is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects. The principles in section 4 of this policy will also apply to this data. Even if you have a condition for processing offence data, you can only keep a comprehensive register of criminal convictions if you are doing so in an official capacity.
7. Accountability and transparency
As an employee of SLSuperheroes Ltd you must ensure accountability and transparency in all use of personal data. You must show how we comply with each Principle. You are responsible for keeping a written record of how all the data processing activities you are responsible for comply with each of the Principles. This must be kept up to date and must be approved by the DPO.
To comply with data protection laws and the accountability and transparency Principle of GDPR, we must demonstrate compliance. You are responsible for understanding your particular responsibilities to ensure we meet the following data protection obligations:
- Fully implement all appropriate technical and organisational measures.
- Maintain up to date and relevant documentation on all processing activities through the completion of the information inventory.
- Conduct Privacy Impact Assessments where required.
- Ensure data sharing agreements are in place when sharing personal data with third parties.
- Implement measures to ensure privacy by design and default, including:
  - Data minimisation
  - Ensuring data is accurate and up to date
  - Ensuring your service area's corporate privacy notice covers any sharing you do, to provide transparency.
8. Processing data fairly and lawfully
When processing any personal data you must ensure that there is a sufficient legal basis to do so. This is a requirement under the GDPR; it is your responsibility to ensure that you check the lawful basis for processing or sharing any personal data you process and make sure this is clearly recorded. You must meet at least one of the six conditions before processing any personal data; the conditions can be found on the ICO's website along with guidance as to when they might apply. When deciding which condition to rely on, you must first establish that the processing is necessary. This means the processing must be a targeted, appropriate way of achieving the stated purpose. You cannot rely on a lawful basis if you can reasonably achieve the same purpose by some other means. Our commitment to the first principle requires us to document this process, show that we have considered which lawful basis best applies to each processing purpose, and fully justify these decisions.
Consent should not be a default legal basis; you should only request consent where you do not have an alternative legal basis such as a legal obligation or public interest reason. Under the GDPR, stricter regulations will affect how we ask for and obtain consent to use an individual's personal data. Under the GDPR consent must be clear, informed and unambiguous and, most importantly, must be opt-in and provided by way of a clear and affirmative action.