Our Blood Pressure UK Data Protection Policy
Blood Pressure UK controls and processes personal information about its customers, staff and board members. We comply with the Data Protection Act 2018 / GDPR.
The Data Protection Act 2018 (the ‘Act’) covers all personal information that relates to living individuals. These individuals are given rights by the Act. We will not share this information with other organisations without the consent of the individual concerned unless we are required by law to do so.
This Policy will set out what Blood Pressure UK will do to comply with the GDPR.
1. Personal data shall be processed fairly, lawfully and transparently.
2. Personal data shall only be obtained and further processed for specified and lawful purposes.
3. Personal data shall not be excessive in relation to the purpose that it is processed.
4. Personal date shall be accurate.
5. Personal data shall not be kept longer than necessary.
6. Personal data must be kept with assured integrity and confidentiality.
7. We are accountable for our storage of personal data.
This policy applies to all employees, board members and others who may be involved in the collection of and processing of personal information on behalf of Blood Pressure UK and extends to data whether it is help on paper or by electronic means.
Partnership arrangements – where Blood Pressure UK work in partnership with external service providers this policy is applicable.
1. Statement of commitment
Blood Pressure UK is committed to maintaining high standards of security and confidentiality for information in our custody and control. Safeguarding this information is critical to the successful operation of Blood Pressure UK. Blood Pressure UK will treat all information in its care and control with the same degree of security and confidentiality, and this Policy applies to all organisations within Blood Pressure UK and all of its employees.
The objectives of this Data Protection Policy are:
- To comply with the Data Protection Act 2018.
- To comply with the European General Data Protection Regulation, May 2018
- To outline, guide and monitor the coordination of the information, security and data handling procedures in force within Blood Pressure UK.
- To promote confidence in Blood Pressure UK’s information, security and data handling procedures.
- To provide assurances for third parties dealing with Blood Pressure UK - To provide a benchmark for employees on information, security, confidentiality and data protection issues.
GDPR provides the following rights for individuals (Article 5):
1. The right to be informed
2. The right of access
3. The right of rectification
4. The right to erase
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
In order to support these objectives, Blood Pressure UK will:
- Delegate the responsibility of gathering and disseminating and dealing with issues relating to information, security, the DPA, GDPR and other legislation.
- Ensure that all activities that relate to the processing of personal data have appropriate safeguards and controls in place to ensure information, security and compliance with GDPR and DPA.
- Ensure that all contracts and service level agreements between any part of Blood Pressure UK and external third parties (including contract staff), where personal data is processed, make reference to the Act where appropriate.
- Ensure that third parties acting on behalf of Blood Pressure UK are given access to personal information that is appropriate to the duties they are undertaking and no more.
Ensure that all staff (including contract staff) and board members understand their responsibilities regarding data protection and information security under the Act.
3. Data Sharing
There are a few occasions where it will be necessary for Blood Pressure UK to share personal data collected. All contacts are told the nature of the data sharing including what will be shared and the reason for sharing it.
This policy ensures our processes for sharing is legal, how the accuracy of the data will be maintained and what security measures are in place prior to any sharing of information. It also provides the correct parameters of when it is appropriate to share and/ or disclose data. Blood Pressure UK have appropriate data sharing agreements (DSA) or similar with all parties which are reviewed on a regular basis and recorded on a central DSA log. All decisions to share data are well founded, reflect the current needs of Blood Pressure UK and compliant under the requirements of the Regulations. The contract confirms that the third party organisation acts a Data Processor for personal data to perform the service or any other obligation. Blood Pressure UK remain the data controller throughout the contract to deliver the services and have overall control over the purpose for which, and the manner in which, personal data is processed and carry out data protection responsibility for it.
In some circumstances, it may be appropriate to disclose information held by Blood Pressure UK to specific third parties for example to prevent a criminal offence from being committed, or to prevent the continuation of a criminal offence.
4. Data Retention
Personal data must only be kept for the length of time necessary to perform the process for which it was collected. This applies to both electronic and non-electronic data
Under GDPR a new requirement is the right to be forgotten. Individuals can request deletion of certain types of information about them deleted where one of a number of circumstances apply:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
Where personal and confidential information is no longer required, it will be destroyed.
5. Individuals’ rights of access to data (Subject Access Requests (SARs))
Individuals have a right of access to personal information held by Blood Pressure UK if they are the “data subject” of that information. Requests must be made in writing, signed by the data subject and addressed to Blood Pressure UK. The person requesting the data must complete the Access Request Form providing details of the information required as well as their current address and some form of identification. There is no charge for responding to the request (other than a reasonable administrative fee for providing additional copies of information, unless the request can be said to be “manifestly unfounded or excessive”, for example where repetitive requests are made. In those rare cases a data controller may choose to refuse the request entirely, or comply subject to reasonable administrative fee being paid. Timescales for responding to a SAR should be without undue delay or within one month.
If a SAR is received directly or indirectly the responsibility for responding will be assigned to Blood Pressure UK’s data Protection Officer (DPO). The DPO will ensure the SARs are processed efficiently and in accordance with GDPR; and ensure the documented process has been approved by senior management and made readily available to personnel.
Blood Pressure UK has appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively. Blood Pressure UK has mechanisms in place to assess and then report relevant breaches to the ICO where the individual is likely to suffer some form of damage e.g. through identity theft or confidentiality breach. There are also appropriate mechanisms in place to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
Any wilful disregard or intentional breach of the Data Protection Policy by employees shall be regarded as a disciplinary offence and handled within Blood Pressure UK Disciplinary Procedures. Any wilful disregard or intentional breach of the Data Protection Policy by data processors (and identified data controllers in their own right) acting on Blood Pressure UK’s behalf under contract shall be regarded as a breach of contract and treated as such.
7. Policy promotion and training
The Policy will be made available within Blood Pressure UK as part of the induction process to all new and temporary employees, board members.
The Policy will be promoted to current employees by requiring acknowledgement and acceptance of its aims and objectives. There will be a continuing series of awareness raising initiatives relating to security and privacy issues by the Data Protection Champions nominated around Blood Pressure UK in order to ensure that all staff understand their responsibilities under GDPR.
All employees will be provided with education and training where appropriate and will be expected to comply with data protection legislation and adhere to the policies and procedures used to meet the objectives of the Blood Pressure UK’s Data Protection Policy.
8. Monitoring and feedback
This policy will be monitored by the Data Protection Officer It will be reviewed periodically as set out above capturing best practice, customer feedback and any legislative changes.
The Data Protection Officer is responsible for all data compliance and monitors Blood Pressure UK’s approach to Data Protection.
9. Internal Personal Data
Blood Pressure UK maintain appropriate technical and organisational processes and procedures to safeguard against any unauthorised or unlawful processing of personal data. Data audits are carried out annually to monitor the information we hold on employees, including former employees. For the purposes of HMRC compliance, financial information is held for 3 years and then destroyed. All HR files relating to former employees are kept up to a year after leaving the employment of Blood Pressure UK.
10. Contact Us About Your Data
If you would like to have your data removed from our system, or you have another enquiry about the data we hold, please contact us at firstname.lastname@example.org.
Changes to this Data Protection Policy
The Data Protection Officer reserves the right to make changes to this Data Protection Policy at any time by giving notice to its Users on this page. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom. If a User objects to any of the changes to the Policy, the User must cease using this Application and can request that the Data Protection Officer remove the Personal Data. Unless stated otherwise, the then-current Data Protection Policy applies to all Personal Data the Data Protection Officer has about Users.
Effective date: Aug 2020
Review date: April 2021
Approved: Professor Graham MacGregor CBE
Data Protection Officer: Katharine Jenner
Version Control: V1