Osmosis Training - Data Protection Policy - GDPR
Introduction to Osmosis Training
Osmosis Training provides training to healthcare workers.
1.1 The Data Protection Act 1998 (‘the Act’) has two principal purposes:
i) to regulate the use, by those who obtain, hold and process personal data on living individuals (known as data controllers), of those personal data; and
ii) to provide certain rights (for example, of accessing personal information) to those living individuals (known as data subjects) whose data is held.
1.2 The cornerstones of the Act are the eight data protection principles, which prescribe:
i) guidelines on the information life-cycle (creation/acquisition; holding; processing; querying, amending, editing; disclosure or transfer to third parties; and destruction) (‘the life-cycle’);
ii) the purpose for which data are gathered and held; and
iii) enshrine rights for data subjects.
The Act applies to Osmosis Training, the Data Controller for the purposes of the Act, and to anyone who holds personal information in a structured way so that retrieval is easy. Osmosis Training is fully committed to abiding, not only by the letter, but also by the spirit of the Act, and, in particular, is committed to the observation, wherever possible, of the highest standard of conduct mandated by the Act. This policy has been written to acquaint staff with their duties under the Act and to set out the standards expected by Osmosis Training in relation to processing of personal data and safeguarding individuals’ rights and freedoms.
1.3 The General Data Protection Regulations are to be read alongside The Data Protection Act 1998. The General Data Protection Regulations provide that individuals are to be informed of how Osmosis Training collects and processes their personal data.
The Data Protection Officer is Phil Addison at the date of the publication of the policy.
2. Staff duties
Employees of Osmosis Training are expected to:
i) acquaint themselves with, and abide by, the Data Protection Principles and the General Data Protection Regulations;
ii) read and understand this policy document;
iii) understand how to conform to the standard expected at any stage in the life-cycle;
iv) understand how to conform to the standard expected in relation to safeguarding data subjects’ rights (e.g. the right to inspect personal data) under the Act and the General Data Protection Regulations;
v) understand what is meant by ‘sensitive personal data’, and know how to handle such data; and
vi) contact the Data Protection Officer if in any doubt, and not to jeopardise individuals’ rights or risk a contravention of the Act or the General Data Protection Regulations.
3. The Data Protection Principles
The Data Protection Principles, in summary, are:
I Personal data shall be processed fairly and lawfully.
II Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
III Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
IV Personal data shall be accurate and, where necessary, kept up to date.
V Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
VI Personal data shall be processed in accordance with the rights of data subjects under this Act.
VII Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
VIII Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
4. Best-practice guidelines for the data life-cycle process
4.1 Acquisition of personal data (see Principles 1, 2, 3) Those wishing to obtain personal data must comply with guidelines issued from time to time by the Data Protection Officer and, in particular, should tell data subjects the purpose(s) for which they are gathering the data, obtain their explicit consent, and inform them that Osmosis Training will be the data controller for the purposes of the Act and the identities of any other persons to whom the data may be disclosed. If sensitive personal data are being collected, explicit consent is not only best practice, it is mandatory. No more data should be collected than is necessary for the purpose(s) declared.
4.2 Holding/safeguarding/disposal of personal data (see Principles 4, 5 and 7) Data should not be held for longer than is necessary. Osmosis Training’s records management policies should be consulted for guidance on what is necessary for each kind of data. Personal data should be reviewed periodically to check that they are accurate and up to date and to determine whether retention is still necessary. Adequate measures should be taken to safeguard data so as to prevent loss, destruction or unauthorised disclosure. The more sensitive the data, the greater the measures that need to be taken.
4.3 Processing of personal data (see Principles 1, 2) In this particular context, ‘processing’ is used in the narrow sense of editing, amending or querying data. In the context of the Act as a whole, ‘processing’ is very widely defined to include acquisition, passive holding, disclosure and deletion.
Personal data must not be processed except for the purpose(s) for which they were obtained or for a similar, analogous purpose. If the new purpose is very different, the data subject’s consent must be obtained.
4.4 Disclosures and transfers of personal data (see Principles 1, 2, 7, 8)
4.4.1 Sharing and Disclosures
i) Employees of Osmosis Training may not disclose any information about agencies, candidates or other employees, including information as to whether or not any person is or has been an agency, candidate or employee of Osmosis Training unless they are clear that they have been given authority by Osmosis Training to do so. Particular care should be taken in relation to any posting of personal information on the internet.
ii) Osmosis Training shares and discloses personal data where there is a ‘legal basis’ to do so. Please note the criteria by which Osmosis Training will share an individual’s data:
Lawful Basis 1 - The processing and sharing of data is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
This means that Osmosis Training will communicate and share your data with an organisation seeking to arrange your training and update them on progress towards the completion of your training.
Lawful Basis 2 and 3 - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
This means Osmosis Training will share information in relation to external compliance audits.
This means Osmosis Training will share information in relation to any professional or criminal investigation.
This means we will confirm the training an individual has undertaken with employing organisations.
Lawful Basis 4 - You, the data subject, give consent to the processing of your personal data for one or more specific purposes.
This means Osmosis Training will ask for an individual’s consent in relation to sharing their data with organisations in circumstances other than grounds 1 - 3 above.
Where circumstances change, Osmosis Training will seek fresh consent in relation to the sharing and processing of data.
iii) No employee of Osmosis Training may provide references to prospective employers or others without the consent of the individual concerned. It is therefore essential that where Osmosis Training is given as a referee, the subject of the reference should provide Osmosis Training with the necessary notification and consent.
iv) No employee may disclose personal data to the police or any other public authority unless that disclosure has been authorised by Osmosis Training’s Data Protection Officer.
v) It is recognised that Osmosis Training operates within the health regulation field therefore disclosure for the public benefit may be necessary to recognised bodies to protect the public.
4.4.2 Transfers
Personal data should not be transferred outside Osmosis Training, and in particular not to a country outside the EEA:
i) except with the data subject’s consent; or
ii) unless that country’s data protection laws provide an adequate level of protection; or
iii) adequate safeguards have been put in place in consultation with the Data Protection officer; or
iv) in consultation with the Data Protection Officer, it is established that other derogations apply.
5. Destruction of personal data
(see Principles 5 and 7) Personal data must not be held for longer than necessary; and when such data have been earmarked for destruction, appropriate measures must be taken to ensure that the data cannot be reconstructed and processed by third parties. Osmosis Training will delete data five years after the last interaction with the individual.
6. Data subjects’ rights of access
Osmosis Training is committed to facilitating access by data subjects (‘applicants’) to their personal data.
The data controller, Phil Addison, will respond to any subject access request within a month.
Osmosis Training can withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others’.
Additionally, certain training information falls within a broad definition of ‘intellectual property rights and trade secrets.’ Therefore certificates and other confirmation of training may not be provided via a subject access request where an organisation has facilitated your training.
This policy will be reviewed periodically to take account of changes in the law and guidance issued by the Information Commissioner. This document will be reviewed June 2019.
8. Data protection contacts
For general enquiries about Osmosis Training’s Data Protection Policy and for formal subject access requests under the Act:
Data Protection Officer at Osmosis Training Ltd
Devonshire House, 164-168 Westminster Bridge Rd,
London, SE1 7RW, Telephone: 0207 928 1160, E-mail: firstname.lastname@example.org
9. Disciplinary consequences of this policy
Unlawful obtaining or disclosure of personal data (including the transfer of personal data outside the EEA in contravention of paragraph 4.4.2 above) or any other breach of section 55 of the Data Protection Act 1998 by staff will be treated seriously by Osmosis Training and may lead to disciplinary action up to and including dismissal or may raise professional concerns that warrant discussion or action.
Dated: June 2018