Data Protection & Security
8.1 Data Protection
We are committed to ensuring that all personal data handled by the company is done so in accordance with the Data Protection Laws, its principles and any additional regulations and/or guidance laid out by government or the ICO.
We are passionate about ensuring the safe, secure, ethical and fair use of all personal data and uphold the highest standards of data handling and processing. Through our strong commitment and robust controls, we ensure that all staff understand, have access to and can easily interpret the Data Protection laws and its defining Principles.
8.1.1 General Data Protection Regulation (GDPR) & DPA18
The General Data Protection Regulation (GDPR) (EU)2016/679) was approved by the European Commission in April 2016 and applied to all EU Member States from 25th May 2018. As a ‘Regulation‘ rather than a ‘Directive’, its rules apply directly to the Member States, replacing their existing local data protection laws and repealing and replacing Directive 95/46EC and its Member State implementing legislation.
Each Member State can also enforce the GDPR’s derogations and certain conditions through their own local legislation, which for the UK takes the form of the Data Protection Act 2018 (DPA18), which replaced the 1998 version. This legislation enacts the GDPR into UK law and covers extended data protection and privacy requirements specific to the UK.
As the company processes personal information regarding individuals (data subjects), we are obligated under the General Data Protection Regulation (GDPR) and DPA18 to protect such information, and to obtain, use, process, store and destroy it, only in compliance with the data protection laws.
Information protected under the GDPR/DPA18 is known as “personal data” and is defined as: –
“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The company ensures that even greater care and attention is given to personal data falling within the GDPR’s ‘special categories’ (previously referred to under the DPA as sensitive personal data), due to the assumption that this type of information could be used in a negative or discriminatory way and is of a sensitive, personal nature to the persons it relates to.
In relation to the ‘Special categories of Personal Data’ the GDPR advises that: –
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited – unless one of the Article 9 clauses applies.
The GDPR regulates the processing of personal data, which includes organisation, altering, adapting, retrieving, consulting on, storing, using, disclosing, transmitting, disseminating or destroying any such data. As the company uses personal data in one or more of the above capacities, we have put into place robust measures, policies, procedures and controls concerning all aspects of personal data handling.