
Data protection, confidentiality and information security policy

Purpose

This policy sets out how Womanthology Limited complies with the GDPR and DPA 2018, and how it deals with confidentiality and information security.

Womanthology Limited is committed to ensuring personal data is dealt with in compliance with the GDPR and DPA 2018 and to protecting the rights of individuals (data subjects) about whom Womanthology Limited holds ‘personal data’. Womanthology Limited is registered with the Information Commissioner as a data controller. The person responsible for DP compliance is Fiona Tatton.

Application

This policy applies to all employees in Womanthology Limited including those undertaking work through a consultancy arrangement, in a volunteer capacity, on a temporary basis or through an agency. The term ‘employees’ is used to refer to all members, partners, directors, managers and employees.

All employees must familiarise themselves with, and comply with, this policy and related procedures.

Failure to comply with this policy and the related procedures may result in disciplinary action, because non-compliance exposes Womanthology Limited to significant risks of fines, enforcement action and reputational consequences.

Responsibilities

All employees are responsible for ensuring that all types of data are properly protected. Any issues or concerns about DPA 2018 must be raised with Fiona Tatton.

Relevant legislation

The following legislation must be complied with:

  • General Data Protection Regulation (GDPR).
  • Data Protection Act 2018 (DPA 2018).
  • Computer Misuse Act 1990.
  • Regulation of Investigatory Powers Act 2000.
  • Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699).
  • Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
  • SRA’s Standards and Regulations.

Definitions

Data means information in many diverse forms. Examples include but are not limited to paper documents (including printouts), electronic documents (databases, emails, presentations, spreadsheets, etc.) or information contained in spoken conversations.

Data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, or unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed.

Data controller means the natural or legal person who (alone or jointly with others) determines the purposes and the means of processing.

Data processing means the collection and manipulation of items of data to produce meaningful information.

Data subject means a living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data processor means, in relation to personal data, a natural or legal person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Personal data is personal information about a living individual who can be identified from that data or from that data and other information. Examples of personal data would include someone’s name, National Insurance number, date and place of birth, mother’s maiden name, biometric records, etc.

Processing means any operation or set of operations that is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Principles

The importance of keeping clients’ affairs confidential, protecting personal and special categories of personal data and keeping information secure is fundamental. This policy is designed to cover all these areas so that all employees are clear about their obligations, how to protect data and how to keep confidential information confidential.

The GDPR and DPA 2018 establish a framework of rights and duties designed to protect personal data. Personal data must be processed in compliance with the GDPR and DPA 2018 and the data protection principles. Individuals have a range of rights under the legislation including the right to access data held about them and the right to be forgotten.

All personal data must be processed in accordance with the data protection principles, which require data to be:

  • Processed fairly and lawfully and in a transparent manner.
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accurate and, where necessary, kept up to date (this includes erasing or rectifying inaccurate data).
  • Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
  • Processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures.

Data protection

Womanthology Limited must keep certain information on its clients, employees, third parties and suppliers to carry out its day-to-day operations, to meet its objectives and to comply with legal obligations. The data protection legislation applies to personal data and special categories of personal data but Womanthology Limited must keep all client (and employee) information confidential and all information secure.

The GDPR imposes duties on those who decide how and why such data is processed (data controllers).

Womanthology Limited and all employees must ensure there is a lawful basis for processing personal data and special categories of data.

Individuals are provided with the necessary information about how their data will be processed in the privacy notice and the client care letter/terms of business. If clients have any queries, employees must contact Fiona Tatton for advice.

Womanthology Limited and all employees must comply with the Womanthology Limited data subject rights policy.

Womanthology Limited will not transfer data outside the EEA unless the transfer is approved by the person responsible for DP compliance who will ensure that the data is appropriately protected. Employees must discuss any request to transfer outside the EEA with Fiona Tatton.

Special categories of personal data

Womanthology Limited processes data about clients and third parties that will include special categories of personal data. The privacy notice explains to individuals how their data will be processed and the lawful bases of processing. If an individual has a query about special categories of personal data, guidance should be sought from Fiona Tatton.

All employees must ensure that they recognise special categories of personal data. All employees must ensure that, wherever the data is held, it is properly protected and held securely.

Special categories of personal data are personal data about an individual’s:

  • race;
  • ethnic origin;
  • politics;
  • religion;
  • trade union membership;
  • genetics;
  • biometrics (when used for ID purposes);
  • health;
  • sex;
  • sexual orientation.

Criminal convictions or offences (previously sensitive data) must be treated in the same way as special category data.

Employees

Womanthology Limited also processes data about prospective and current employees in accordance with Womanthology Limited’s HR policies and the employment legislation, for example:

  • Information on applicants for posts, including references.
  • Employee information – contact details, bank account number, payroll information, supervision and appraisal notes.

All employee data must be protected in the same way as client data.

Data controllers/processors

Personal data must not be disclosed to another party unless they are a data controller or a data processor (as defined by this policy) and it is for the purposes of the matter. The client must always be advised to whom the data will be disclosed and why.

Before sending data to a data controller or a data processor, the employee must ensure that proper contractual arrangements are in place to protect the data. Alternatively, the employee must contact Fiona Tatton to determine whether there is already a contractual arrangement or what further steps need to be taken. Womanthology Limited must ensure that the data controller or data processor is clear as to the basis on which they will hold the data, when they will return it, what the security arrangements are and what will happen if there is any data loss.

Fiona Tatton is responsible for ensuring that appropriate due diligence is undertaken and that Womanthology Limited is registered with the ICO. Fiona Tatton will record the details of the data controller or data processor on the data controller/data processor log. If an employee has any queries about the way in which a data controller or data processor is dealing with data, he or she must contact Fiona Tatton.

Data subject access requests (DSARs) and other rights

The GDPR and DPA 2018 give individuals a range of rights including the right to access personal data held about them and the right to be forgotten. Any person wishing to exercise these rights should apply in writing to Fiona Tatton. The privacy notice/terms of business provide details of how to exercise those rights.

If a request is made referring to data protection or if an individual makes a data subject access request (DSAR) or other request, that must be referred to Fiona Tatton immediately. Individuals may also ask for details of information held about them without mentioning the word ‘data’ or the data protection legislation; all such requests must be forwarded immediately to Fiona Tatton as that request may still be a DSAR or other request.

There are strict timescales for compliance with an individual’s request and failure to comply can result in a significant fine from the ICO. Employees must comply with Womanthology Limited’s policy for dealing with data subject rights.

Accuracy of data

Employees must ensure that data is as accurate as possible. If data is or appears to be inaccurate, misleading or not up to date, employees must take every reasonable step to amend/update the information as soon as possible. Data only has to be kept up to date where necessary and employees should seek guidance if they are not sure whether the data should be updated. Individuals have the right to prevent processing of their personal data in some circumstances and the right to correct or rectify information regarded as wrong. Any concerns must be discussed with Fiona Tatton.

Retention and destruction of data

Personal data must be retained or disposed of securely in accordance with Womanthology Limited’s data retention and destruction policy.

Duty of confidentiality

Womanthology Limited has effective systems and controls that are set out in the conflicts and confidentiality policy and procedures to identify risks to client confidentiality and to mitigate those risks. Employees must comply with Womanthology Limited’s policies and procedures.

Employees must ensure that conversations about client matters which take place outside a secure environment (e.g. in the reception area, the lift and outside the office, especially mobile phone conversations in public places, including trains) cannot be overheard.

Employees cannot provide an address of a client or an employee to a third party (but can offer to pass on a letter to a client) and must refer all enquiries to Fiona Tatton.

All employees must be aware of their duties under this policy and keep clients’ affairs confidential except in the following situations:

  • The client consents or asks that confidential information be provided.
  • Confidential information has to be provided by law.

All employees must comply with this policy and related procedures, attend training provided, raise any queries with Fiona Tatton and report any breaches or allegations or suspicions of breaches of confidentiality to Fiona Tatton.

While the above provisions relate to clients, employees must ensure that they also keep information about other employees, third parties and suppliers confidential, as required by the law of confidence.

Information security

The sixth data protection principle requires Womanthology Limited to have appropriate security to prevent personal data from being accidentally or deliberately compromised.

All files, laptops, smartphones and mobile phones must be kept securely by the employee to minimise the risk of breaches of confidentiality and to ensure that information is kept secure.

All electronic devices issued by the company will be encrypted so that the risk of data loss is reduced. Employees must comply with Womanthology Limited’s policy in relation to any confidential information that may be held on their personal devices.

Employees are not permitted to use USB sticks, or other mechanisms of transferring data, on electronic devices owned by Womanthology Limited unless approval has been received from Fiona Tatton.

When out of the office, files/papers must not be carried in a way which shows information that can identify the client (e.g. Mrs McGregor, 43 Acacia Avenue, interview). Files/papers must not be left in unlocked cars, and in no circumstances in cars overnight. If it is unavoidable, e.g. due to another appointment during the day, files/papers [may/must] be kept in the boot of a locked car.

All waste/unwanted letters and documents (including drafts and unwanted photocopies) must be disposed of securely [in the confidential waste/other].

Employees must not:

  • Install any software without authorisation.
  • Disclose their password to anyone else.
  • Use other people’s login details.
  • Take equipment, data, information sources or software offsite unless they have written authority to do so.
  • Copy files from the network server into a personal directory without authority.

Employees must:

  • Log off when leaving their PC or workstation unattended.
  • Change their password if it appears to have been discovered, and otherwise in accordance with Womanthology Limited’s policy.
  • Ensure that no-one other than an employee has access to the computer system.
  • Always ensure laptops and mobile devices are secured in unattended offices.
  • Ensure data is transferred between laptops/mobile devices and the main system as soon as possible to preserve its integrity and in accordance with Womanthology Limited’s policy.
  • Keep master copies of important data on the network server and not on a PC’s local drive or USB sticks. Data that is not on the network server will not be backed up and is therefore at risk.
  • Ask for advice from Fiona Tatton if it is necessary to store, transmit or handle large quantities of data, e.g. DVDs or images.

If there is any loss of data or risk of loss, employees must immediately contact Fiona Tatton, who will advise what to do next. Employees must comply with Womanthology Limited’s data incident/breaches policy.

Employees are reminded that under the Computer Misuse Act 1990, there are three criminal offences:

  • s.1: Unauthorised access to computer material.
  • s.2: Unauthorised access with intent to commit or facilitate the commission of further offences.
  • s.3: Unauthorised modification of computer material.

Employees who are unsure as to whether they are able to access or modify material must contact Fiona Tatton for guidance. Any commission of or attempt to commit a criminal offence by an employee will be dealt with in accordance with Womanthology Limited’s disciplinary policy.

All employees must keep information about the clients and Womanthology Limited secure at all times. If an employee is concerned that data or confidential information is at risk, he or she must immediately contact Fiona Tatton.

Communications and training

All new employees are given training on the GDPR and DPA 2018 and their obligations in relation to personal data. The training is mandatory so that they understand what is meant by personal data and special categories of personal data and what their obligations are.

The department heads are responsible for ensuring appropriate ongoing awareness of all employees in respect of the GDPR obligations and the data subject rights requests procedure.

Monitoring and review

The policy will be reviewed by Fiona Tatton if there are changes to the law, and she will annually monitor the suitability and effectiveness of the processes, systems and controls through the firm’s audit programme. The results will feed into the annual report prepared by Fiona Tatton. Where applicable, additional monitoring will be carried out to comply with any additional client requirements.

Record keeping

Records must be kept of all data breaches and incidents (and follow-up action), data subject rights requests and training.

All records must be maintained for at least five years and will be maintained by Fiona Tatton, who will identify common errors and trends and follow up with the relevant teams.

Breaches of policy

Breaches of this policy may require a report to be made to the ICO under Womanthology Limited’s policy on reporting to the ICO.

Further advice

If there are concerns regarding a client and potential breaches of confidentiality, employees must contact Fiona Tatton immediately for advice.

Related policies and procedures

The following policies and procedures must be considered when complying with this policy:

  • Disciplinary policy.
  • Data subject rights policy and procedure.
  • Responding to requests from third parties policy.
  • Reporting to the ICO policy.
  • Data retention and destruction procedure.
  • Ongoing monitoring procedure.
  • Data loss policy.
  • Data protection complaints policy.
  • Training procedure.

Glossary

DP – data protection

DPA 2018 – Data Protection Act 2018

DSAR – data subject access request

EEA – European Economic Area

GDPR – General Data Protection Regulation

ICO – Information Commissioner’s Office

Date of effect/date of review

This policy shall come into effect on 15th July 2020 and will be reviewed annually.