General Data Protection Regulation (GDPR) – Individuals and Service Users
The GDPR replaces the EU Data Protection Directive of 1995. Its purpose is to protect the “rights and freedoms” of living individuals and/or Service Users and to ensure that personal data is not processed without their knowledge. The new rules are intended to meet the needs of the digital age.
TESA needs to collect and use certain types of information about Individuals or Service Users who come into contact with TESA in order to carry out our work. This personal information must be collected and dealt with appropriately whether it is collected on paper, stored in a computer database, or recorded on other material, and TESA must ensure that safeguards are in place and adhered to.
Personal data is any information that can identify an individual, i.e. name, address, date of birth etc. It does not include data where the identity has been removed (anonymous data). Sensitive data is any information relating to an individual’s racial or ethnic origin, political opinions, sexual orientation, health or medical conditions, criminal records etc.
Data Controller – TESA is the Data Controller, which means that it determines the purposes for which the personal information is held and what it will be used for. Under the General Data Protection Regulation a controller should only appoint a processor which provides “sufficient guarantees” to implement appropriate technical and organisational measures in such a manner that the processing of personal data will meet the requirements of the GDPR and ensure the protection of the rights of data subjects.
Informed Consent – is when an Individual/Service User clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data and then gives their consent.
TESA regards the lawful and correct treatment of personal information as very important to successful working and to maintaining the confidence of those with whom we deal, and will only use personal information where it has a lawful basis to do so, as set out in this policy.
TESA may share data with other agencies involved in the specified project in which the Individual/Service User is involved. Under these circumstances the Individual/Service User will be made aware of how and with whom their information will be shared.
There are circumstances where the law allows TESA to disclose data (including sensitive data) without the data subject’s consent. These are:
a) Carrying out a legal duty or as authorised by the Secretary of State
b) Protecting the vital interests of an Individual/Service User or other person
c) The Individual/Service User has already made the information public
d) Conducting any legal proceedings, obtaining legal advice or defending any legal rights
e) Monitoring for equal opportunities purposes – i.e. race, disability or religion
Data Protection Principles
TESA can confirm that we comply with the principles set out within the Data Protection Act. For the purpose of this policy, personal information we hold on all Individuals/Service Users must be:
a) Used lawfully, fairly and in a transparent way
b) Used for limited, specifically stated purposes
c) Used in a way that is adequate, relevant and not excessive
d) Accurate and, where necessary, kept up to date
e) Kept for no longer than is necessary
f) Kept safe and secure
TESA will, through appropriate management and strict application of criteria and controls:
a) Fully observe the conditions regarding the fair collection and use of information
b) Meet its legal obligations to specify the purposes for which information is used
c) Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements
d) Ensure the quality of information used
e) Take appropriate technical and organisational security measures to safeguard personal information
f) Ensure that personal information is not transferred abroad without suitable safeguards
g) Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information
h) Set out clear procedures for responding to requests for information
Lawful Bases for Processing Data
The GDPR sets out the lawful bases on which personal data may be processed. The bases TESA relies on are detailed below; consent, where it is the basis relied on, is covered separately in this policy.
Legal Obligation – The processing of data is necessary for TESA to comply with the law (not including contractual obligations).
Contractual Obligation – The processing of data is necessary for TESA to perform the contract it has with you, the Individual/Service User.
Legitimate Interest – The processing is necessary for the legitimate interests of TESA or the legitimate interest of a third party, unless there is a good reason to protect the individual’s personal data, which overrides those legitimate interests.
TESA will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected verbally, via completion of a form or electronically.
When collecting data, TESA will ensure that the Individual/Service User:
a) Clearly understands why the information is needed
b) Understands what it will be used for and what the consequences are should the Individual/Service User decide not to give consent to processing
c) As far as reasonably possible, grants explicit consent, either written or verbal, for data to be processed
d) Is, as far as reasonably practicable, competent enough to give consent and has given it freely without any duress
e) Has received sufficient information on why their data is needed and how it will be used
Data Storage and Retention
Information and records relating to Individuals/Service Users will be stored securely in one of two formats: password-protected software and/or locked cabinets. They will only be accessible to authorised staff, and only for as long as necessary to fulfil the purposes for which they were collected, including (but not restricted to) for the purposes of complying with any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which the data is processed and whether TESA can achieve those purposes through other means, and the applicable legal requirements.
It is TESA’s responsibility to ensure that all personal and company data is securely erased and non-recoverable from any computer system previously used within the organisation before that system is passed on or sold to a third party.
Individuals’/Service Users’ Duty to Inform TESA of Changes
It is important that the personal information held by TESA is accurate and current. If any personal information changes during the working relationship, please inform TESA as soon as possible.
Rights of Access, Correction, Erasure and Restriction of Personal Data
Under certain circumstances, by law Individuals/Service Users have the right to:
a) Request access to personal information (commonly known as a “data subject access request”). This enables Individuals/Service Users to receive a copy of the personal information held by TESA.
b) Request correction of the personal information TESA hold. This enables Individuals/Service Users to have any incomplete or inaccurate information held by TESA to be corrected.
c) Request erasure of personal information. This enables Individuals/Service Users to ask TESA to delete or remove personal information where there is no good reason for TESA continuing to process it. Individuals/Service Users also have the right to ask TESA to delete or remove personal information where they have exercised the right to object to processing (see below).
d) Object to processing of personal information where TESA is relying on a legitimate interest (or those of a third party) and there is something about the Individual’s/Service User’s particular situation which makes them want to object to processing on this ground.
e) Request the restriction of processing of personal information. This enables Individuals/Service Users to ask TESA to suspend the processing of personal information, for example if the Individual/Service User wants TESA to establish its accuracy or the reason for processing it.
f) Request the transfer of personal information to another party.
Requests by Individuals/Service Users to review, verify, correct or erase personal information, to object to the processing of personal data, or to request a transfer of personal information to another party, must be made in writing to the Managing Director. In the event of a request being made, TESA may need to request specific information from the Individual/Service User in order to confirm their identity and their right to access the information. This also serves as a further security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
In addition, TESA will ensure that:
a) Everyone processing personal information understands that they are contractually responsible for following good data protection practice
b) Everyone processing personal information is appropriately trained to do so
c) Everyone processing personal information is appropriately supervised
d) Anybody wanting to make enquiries about handling personal information knows what to do
e) It deals promptly and courteously with any enquiries about handling personal information
f) It describes clearly how it handles personal information
g) It will regularly review and audit the ways it holds, manages and uses personal information
h) It regularly assesses and evaluates its methods and performance in relation to handling personal information
i) All TESA employees are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them
Right to Withdraw Consent
In the limited circumstances where Individuals/Service Users have provided consent to the collection, processing and transfer of personal information for a specific purpose, Individuals/Service Users have the right to withdraw consent for that specific processing at any time. In order to withdraw consent, a request must be made in writing to the Managing Director. Once TESA has received notification that consent has been withdrawn, TESA will no longer process information for the purpose or purposes originally agreed to, unless TESA has another lawful basis for doing so.
Changes to this GDPR Policy and Privacy Notice
TESA reserves the right to update this policy at any time and will inform Individuals/Service Users when doing so.
In case of any queries or questions in relation to this policy please contact Clare Leigh at: TESA (Western) Ltd, Unit 2, The Courtyard, Barns Ground, Kenn, Clevedon, BS21 6TB, 0844 811 7523, firstname.lastname@example.org
Service Users GDPR Policy May 2018 – Version 1