Introduction - our commitment
We are committed to ensuring that all personal data is collected, stored, processed and used (together "processed") responsibly, fairly and in compliance with all applicable personal data protection laws, including the UK GDPR and EU General Data Protection Regulation (together "GDPR") ("Data Protection Laws").
This policy sets out the processes, policies and procedures that we adhere to in order to meet our commitment. Together these measures enable us to:
- Comply with Data Protection Laws
- Ensure that personal data will only be processed in accordance with the Data Protection Laws
- Be reasonable and fair to all individuals
This policy applies to all of our personal data processing functions. It applies to our personnel (employees and in-house contractors), and to our subcontractors and suppliers.
Our Operations Management Team ("OMT") is responsible for developing and encouraging robust information handling practices within our organisation. The role of Data Protection Officer is undertaken by our CIO who is accountable to OMT for the management of personal data. We are responsible for compliance with Data Protection Laws. Any breach of this Policy by our personnel will be dealt with under our internal disciplinary policy.
We expect our subcontractors and suppliers to comply with all Data Protection Laws and, where applicable, to comply with this policy together with any other related policies, measures or instructions that we provide.
As our subcontractor or supplier, you must protect all personal data, and must ensure that it is only used for the purpose for which it was provided in accordance with our instructions. Your obligations to us will be set out in a contract between us, and will include:
- Implementing and maintaining appropriate technical and organisational measures so that the processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject.
- Obtaining our prior written authorisation if you intend to engage another processor, and to notify us of any changes relating to additional or replacement processors.
- Obtaining our prior written authorisation if you need to transfer the personal data to a third country or international organisation. Such written authorisation will be subject to either:
  - the third country/international organisation benefiting from an appropriate ‘adequacy decision’ or ‘adequacy regulation’ (EU/UK respectively), or
  - the presence of approved appropriate safeguards.
- Processing the personal data in accordance with the contractual terms between us. These will include:
  - Details such as: the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and our respective obligations and rights.
  - Obligations that you will: process the personal data only on our documented instructions; ensure that any person processing the personal data is subject to obligations of confidentiality; implement all appropriate technical and organisational measures; assist us in responding to requests relating to the exercise of data subjects’ rights; delete or return all the personal data to us after the end of the provision of services relating to the processing, and delete existing copies unless an overriding legal obligation requires storage of the personal data; and provide all information necessary to demonstrate your compliance with the contractual terms, including allowing for and contributing to audits or inspections conducted by us or our appointed auditor.
- Notifying us immediately of any suspected or actual data breaches or loss of personal data, and assisting us in investigating and resolving them.
The policy is based on the following principles:
- We will only process personal data for the purpose for which it was provided
- We will not pass personal data to third parties without the legal right to do so
- We will implement appropriate procedures, processes and controls to protect personal data
Our processing of personal data will be conducted in accordance with the data protection principles:
- Personal data must be processed lawfully, fairly and transparently
- Personal data can only be collected for specific, explicit and legitimate purposes
- Personal data must be accurate and kept up to date with every effort to erase or rectify without delay
- Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing
- Personal data must be processed in a manner that ensures the appropriate security
- The controller must be able to demonstrate compliance with the GDPR’s other principles (accountability)
We will demonstrate compliance with the data protection principles by implementing data protection policies, technical and organisational measures, as well as adopting techniques such as data protection by design, breach notification procedures and incident response plans. A list of some of our related relevant policies, procedures and work instructions is provided below.