02.07 – Data Protection Principles

All personal data collection, processing, retention, transfer, disclosure and destruction are conducted in accordance with the GDPR/GDPR data protection principles. <<organisation name>>’s policies and procedures are also designed to ensure compliance with the following principles:

Lawful, Fair, and Transparent Processing of Personal Data

Processing of personal data may only be carried out on a legitimate basis and in a fair and transparent manner. In order to process the data of individuals lawfully, fairly and transparently, <<organisation name>> shall seek consent from data subjects as the primary condition for processing.

<<organisation name>> processes personal data to ensure the safety and security of persons of concern or other individuals.

Whether the data is obtained from the data subjects directly or indirectly, <<organisation name>> ensures that the required information is made available to the data subjects as far as practicable, in accordance with <<organisation name>>’s Transparency Requirement. Data subjects are also given an easily understandable and accessible privacy information notice, which includes the following specific information:

  • the contact details of the Data Protection Officer;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • the period for which the personal data will be stored;
  • the existence of the rights to request access, rectification, erasure or to object to the processing, and the conditions (or lack of) relating to exercising these rights;
  • the categories of personal data concerned;
  • the recipients or categories of recipients of the personal data, where applicable;
  • where applicable, that the controller intends to transfer personal data to a recipient in a foreign country and the level of protection afforded to the data;
  • any further information necessary to guarantee fair processing.

Collection of Personal Data Only for Specific, Explicit, and Legitimate Purposes

Data is obtained only for specified purposes and will not be used for any purpose that differs from those formally notified to the data subject and the supervisory authority, as set out in <<organisation name>>’s GDPR register of processing and privacy procedure.

Necessity & Data Minimization

Personal data collected by <<organisation name>> shall be adequate, relevant and limited to what is necessary for processing. This means that <<organisation name>>’s Data Protection Officer is responsible for ensuring that only information that is strictly necessary is obtained. All forms of data collection (electronic or paper-based), including data collection requirements in new information systems, will include a fair processing statement or a link to the privacy statement, and must be approved by the Data Protection Officer.

The Data Protection Officer will ensure that all data collection methods are reviewed annually to ensure that collected data continues to be adequate, relevant and not excessive.

Accurate, Easy Rectification, and Deletion

Personal Data shall be accurate and kept up to date. All personal data stored by <<organisation name>> must be reviewed and updated as necessary to ensure that data is accurate and up-to-date. No personal data shall be kept unless it is reasonable to assume that it is accurate, and the Data Protection Officer is responsible for ensuring that all <<organisation name>> staff are trained in the importance of collecting accurate personal data and maintaining it.

The data subject must ensure that any data held by <<organisation name>> is accurate and up-to-date. Completion of electronic or hard copy forms by a data subject will include a statement that the data contained therein is accurate at the date of submission.

Employee/Staff/Customers/Clients and other data subjects are required to notify <<organisation name>> of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of <<organisation name>> to ensure that any notification regarding change of circumstances is recorded and acted upon.

The Data Protection Officer is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.

On at least an annual basis, the Data Protection Officer reviews the retention dates of all the personal data processed by <<organisation name>> and will identify any data that is no longer required in the context of the registered purpose. This data will be securely deleted/destroyed in line with the Secure Disposal of Storage Media Procedure.

The Data Protection Officer is responsible for responding to requests for rectification from data subjects within one month (Subject Access Request Procedure). This can be extended to a further two months for complex requests. If <<organisation name>> decides not to comply with the request, the Data Protection Officer must respond to the data subject to explain its reason and inform them of their right to complain to the supervisory authority and seek judicial remedy.

The Data Protection Officer is responsible for making appropriate arrangements so that, where third-party organisations may have been passed inaccurate or out-of-date personal data, they are informed that the information is inaccurate and/or out of date and is not to be used to inform decisions about the individuals concerned; and for passing any correction to the personal data on to the third party where this is required.

Storage Limitation

Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing. Where personal data is to be retained beyond the processing date, it will be [minimised/encrypted/pseudonymised] in order to protect the identity of the data subject in the event of a data breach.

Personal data will be retained in line with the Retention of Records Procedure. Once this retention date is passed, it must be securely destroyed as set out in this procedure.

The Data Protection Officer must, in written form, specifically approve any data retention that exceeds the retention periods defined in Retention of Records Procedure, and must ensure that the justification is clearly identified and in line with the requirements of the data protection legislation.

Integrity and Confidentiality

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. <<organisation name>> must use appropriate technical and organisational measures to ensure that the integrity and confidentiality of personal data is maintained at all times.

In determining appropriateness, the Data Protection Officer should also consider the extent of possible damage or loss that might be caused to individuals (staff/customers) if a security breach occurs, the effect of any security breach on <<organisation name>> itself, and any likely reputational damage including the possible loss of customer trust.

When assessing appropriate technical measures, the Data Protection Officer will consider the following:

  • Password protection;
  • Automatic locking of idle terminals;
  • Removal of access rights for USB and other memory media;
  • Virus checking software and firewalls;
  • Role-based access rights including those assigned to temporary staff;
  • Encryption of devices that leave the organisation’s premises, such as laptops;
  • Security of local and wide area networks;
  • Privacy enhancing technologies such as pseudonymisation and anonymisation;
  • Identifying appropriate international security standards relevant to <<organisation name>>.

When assessing appropriate organisational measures, the Data Protection Officer will consider the following:

  • The appropriate training levels throughout <<organisation name>>;
  • Measures that consider the reliability of employees (such as references etc.);
  • The inclusion of data protection in employment contracts;
  • Identification of disciplinary action measures for data breaches;
  • Monitoring of staff for compliance with relevant security standards;
  • Physical access controls to electronic and paper-based records;
  • Adoption of a clear desk policy;
  • Storing of paper-based data in lockable fire-proof cabinets;
  • Restricting the use of portable electronic devices outside of the workplace;
  • Restricting the use of employees’ own personal devices in the workplace;
  • Adopting clear rules about passwords;
  • Making regular backups of personal data and storing the media off-site;
  • The imposition of contractual obligations on the organisation to take appropriate security measures when transferring data to foreign countries.

These controls have been selected on the basis of identified risks to personal data, and the potential for damage or distress to individuals whose data is being processed.

Accountability

<<organisation name>> must be able to explicitly demonstrate compliance with accountability and governance, as well as all other GDPR/GDPR data protection principles, by implementing data protection policies, adhering to codes of conduct, implementing technical and organisational measures, and adopting techniques such as Data Protection by Design, Data Protection Impact Assessments (DPIAs), breach notification procedures and an incident response plan.