Caregallant

General Data Protection Regulation (GDPR) Policy (Data Protection Act 2018)

Updated July 2022

This chapter summarises our commitment to keeping information safe.

Confidentiality Policy

  1. Introduction

The General Data Protection Regulation (GDPR) was adopted by the EU in April 2016, applied from 25 May 2018 and replaced the previous EU Data Protection Directive 95/46/EC.  The GDPR introduced obligations on both data processors and data controllers, including those based outside the EU.

Since infringement can lead to fines, it is important that all staff are aware of how the GDPR affects them and prioritise the steps we must take to comply.

  2. Principles of Data Protection

The GDPR harmonises data privacy law across the EU.  Its scope extends to non-EU data controllers and processors that monitor the behaviour of, or offer goods or services to, individuals located within the EU.  The regulation affects many industries, particularly financial services, where firms tend to hold large volumes of personal data.

There are many aspects to be considered to ensure full compliance.  For example, where consent is relied on it must be freely given by the individual, and be specific to the purposes for which their data will be used; individuals also have the right to request details of the information held about them and to have data deleted.  Some organisations will need to carry out assessments, ensure effective procedures are in place and designate a Data Protection Officer to meet the accountability requirements.

Organisations are required to obtain unambiguous consent from their stakeholders for specific purposes and for specific periods of time.  Individuals have the right to request a copy of all data that is held on them, including an explanation of how such data is used and whether third parties have access to it.  Individuals also have the right to withdraw consent and to request that data which is no longer needed be deleted.

  3. Criteria and Controls

Employees of Caregallant must apply appropriate security measures, such as encryption, ensuring the ongoing confidentiality of data, and regularly evaluating the effectiveness of the measures in place.  Data breaches that are likely to result in a risk to the rights and freedoms of individuals must be reported to the Information Commissioner’s Office (ICO), the supervisory authority under the Data Protection Act 2018, without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach.  Because that clock starts when we become aware of a breach, staff must report any suspected breach internally immediately.

The international data transfer rules from the Data Protection Directive are maintained in the GDPR.  Personal data may be transferred outside the EU to recipients in countries that have been found to provide ‘adequate protection’.  Transfers to other countries are only permitted on the basis of appropriate safeguards, such as approved data transfer agreements (for example, standard contractual clauses).

Although the previous Data Protection Act 1998 is no longer in force, some of the guidance documents produced under it contain practical examples and advice which may still be of help in applying the new legislation.  These documents sit alongside this GDPR policy and focus on the additional considerations specific to the individuals whose data we hold.

The GDPR contains provisions intended to enhance the protection of individuals’ personal data and to ensure that individuals are addressed in plain clear language that they can understand.  Transparency and accountability are important where individuals’ data is concerned, and this is especially relevant when they are accessing online services.  However, in all circumstances you need to carefully consider the level of protection you are giving that data.

The guidance will help you understand the considerations specific to those individuals that you need to think about when deciding on your lawful basis for processing their personal details.

The GDPR does not represent a fundamental change to many of the rights that individuals have over their personal data.  The Data Protection Act 1998 did not single out the individuals we support as a distinct group; its provisions applied to them in the same way as to any other data subject.  For example, individuals have the right to request that you stop processing their data.

Unlike the GDPR, the 1998 Data Protection Act did not explicitly require specific protection for these individuals’ data, nor did it require that privacy notices be clear and accessible to them or tailored specifically for them.

Fairness and compliance with data protection principles remain the key concepts under the GDPR and should be central to all processing.

The concept of competence (the individual’s capacity to understand the implications of their decisions) remains as valid under the GDPR as under the 1998 Act.  If an individual is not competent to exercise their own data protection rights or to consent to processing themselves, it will usually be in their best interests to allow a person with parental responsibility to act on their behalf.  If an individual is competent, your overriding consideration should still be what is in their best interests; however, in most cases it will be appropriate to allow the individual to decide for themselves.

The GDPR specifically states that these individuals’ personal data merits specific protection, and it introduced new requirements for the online processing of an individual’s personal data.

The GDPR also specifically states that specific protection is required where individuals’ personal data is used for marketing purposes or for creating personality or user profiles.  The GDPR states that you should not subject individuals to decisions based solely on automated processing (including profiling) if these have a legal or similarly significant effect on them.  Although there are exceptions to this prohibition, they only apply if suitable measures are in place to protect the rights, freedoms and legitimate interests of the individuals.

The GDPR requires the provision of age-appropriate privacy notices for individuals, and states that the right to have personal data erased is particularly relevant when processing is based upon the individual’s consent.

The GDPR requires all organisations to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individuals’ rights.  This is data protection by design and by default.  It means all employees must integrate data protection into processing activities and business practices from the design stage right through their life cycle.

If you process individuals’ personal data, you should think about the need to provide the specific protection required from the outset, and design the processing, products and systems with this in mind.

Transparency is the key.  You can raise individuals’ awareness of data protection risks, consequences, safeguards and rights by:

  • Telling them what you are doing with their personal data;
  • Being open about the risks and safeguards involved; and
  • Letting them know what to do if they are unhappy.

This will also help them make informed decisions about what personal data they wish to share.

Your approach should be privacy by design, considering the age of the individuals as far as you can, and the personal data you will be processing.  For example, to protect individuals from sharing data inappropriately you could set the privacy settings on apps to ‘do not share’ by default and, when ‘sharing mode’ is activated, include a clear, friendly explanation of the increased functionality and its risks.

As with any other processing, fairness and compliance with the data protection principles should be at the heart of all your processing of individuals’ personal data.  The purpose of these principles is to protect the interests of data subjects, and this is particularly important for the individuals we support.  They apply to everything that you do with personal data (except where you are entitled to rely upon an exemption) and are key to complying with the GDPR.

If you are not sure what age range your data subjects fall into, you usually need to adopt a cautious and risk-based approach.  This may mean:

  • Designing your processing so that it provides sufficient protection for the individuals concerned;
  • Putting in place proportionate measures to prevent or deter individuals outside your target age range from providing their personal data;
  • Taking appropriate action to enforce any age restrictions you have set; or
  • Implementing up-front age verification systems.

The choice of solution may vary depending upon the risks inherent in the processing, the rights and freedoms of the individuals, and the provisions of the GDPR that apply to your processing.  You should always think about both the target age range for your processing and the potential for individuals outside this age range to provide their personal data.

It is good practice to invite the views of the individuals themselves when you are designing your processing, including diverse groups who can provide a range of feedback.  This will help you to identify risks, design safeguards and assess understanding, as well as giving you an opportunity to test your system.

It is also consistent with the UN Convention on the Rights of the Child, which provides that every child has the right to express their views, feelings and wishes in all matters affecting them, and to have those views considered and taken seriously.

The GDPR allows you to process personal data based on consent.

There may be circumstances in which you will process an individual’s personal data using consent as your lawful basis.  This may be appropriate if you are genuinely able to give individuals (or their parents) an informed choice and control over how you use their personal data.

However, consent should not be used as a way of avoiding your own responsibility for assessing the risk inherent in the processing.  Although consent is a lawful basis for processing individuals’ personal data, using it does not guarantee that the processing is fair, and it is not always the most appropriate basis.

You should also consider any imbalance of power in your relationship with the individuals, to ensure that any consent you accept is freely given.

Where the individual is not competent in data protection terms, their consent is not ‘informed’ and is therefore not valid.  If you wish to rely upon consent in this situation, you need the consent of a person with parental authority over the individual, unless it is evident that seeking such parental consent would be against the individual’s best interests.

If you accept consent from a holder of parental responsibility over an individual, you also need to think about how you let the individual know that they have the right to withdraw that consent once they are competent to make such a decision.  You should provide this information in any case as part of any privacy information directed at the individual.

If you are processing ‘special categories’ of personal data, such as health data, then as well as needing a lawful basis for processing you also need to identify a separate condition for processing.  This is because processing of this kind of personal data is prohibited unless one of the specific conditions is met.