Data Security & Protection Guidance

Here we have guidance and links to help you navigate the complicated topics of Data Security and Data Protection (Information Governance).

QUICK START

New starters at Age UK East London are expected to do many things as part of their induction.

Two important early tasks are:

  1. Reading the Data Protection Briefing
  2. Taking the Data Security & Protection – Foundation training course and passing its Assessment.

Briefing

An introductory briefing on Data Security & Protection for new starters

GOING DEEPER

Everyone needs to have a basic grasp of Data Protection, but beyond that, what you need to know as an individual will depend on your job.

Training

The Data Security & Protection Foundation Course and Assessment

GLOSSARY

Anonymous data This is data that is not personally identifiable in any way and that could not be re-identified by combining it with any other data. Aggregated/statistical data is usually anonymous. There are no legal implications connected with processing anonymous data.

Anonymisation A form of processing that creates or extracts anonymous data from personal data. This is a one-way process such that it is impossible to recreate personal data from the output. Whilst the anonymous data created can be transferred to and processed by anyone free of any data protection or legal issues, the process of anonymisation itself is a form of personal data processing, requiring a lawful purpose.

Breach A deliberate or accidental disclosure of personal data.

BYOD, or Bring Your Own Device, is about using personal devices to connect to the Company’s IT and communications systems or to do work for an employer.

Consent is one of the six lawful bases needed to process personal data legally.

Consent is appropriate when you can offer people real choice and control over how you use their information.

If you’re relying on consent, it must be:

  • freely given (and usually not as a precondition of a service);
  • specific and informed;
  • indicated by a positive action to opt-in (which means you can’t use pre-ticked boxes or other types of default consent);
  • separate from your other terms and conditions wherever possible;
  • easy for the person to withdraw at any time; and
  • kept under review and refreshed if anything changes.

Contractual Obligation is one of the six lawful bases needed to process personal data legally.

This is appropriate when using a person’s information to deliver a contractual service to them, or because they’ve asked you for something e.g. a quote, before entering into a contract.

Controller A person or organisation deciding the purposes and means of the processing of personal data.

Data Breach (See Breach)

Data Protection Act, 2018 This is the main law controlling the use of personal data in the UK. It incorporates the UK GDPR (General Data Protection Regulation).

Data Protection Impact Assessment A DPIA is a process designed to help a controller analyse, identify and minimise the data protection risks of a project or plan. It is a key part of the accountability obligations under the UK GDPR, and when done properly demonstrates compliance with data protection obligations.

Data Subjects are living, identified or identifiable natural persons about whom a controller holds personal data.

Data Subject Access Requests or DSARs are the most common Subject Rights Request. Subjects can request details of their personal data and its processing from a controller at any time and in any form. They can’t normally be charged for this and the controller has a month to respond.

GDPR (UK) (General Data Protection Regulation) is an important piece of EU legislation that was retained after the UK’s withdrawal from the European Union as the UK GDPR.

Information Commissioner is the statutory body regulating privacy in the United Kingdom.

Lawful Basis Controllers must have (at least) one lawful basis for each use of or processing of personal data they undertake.

The six lawful bases are:

  • Consent
  • Contractual obligation
  • Legal Obligation
  • Legitimate Interest
  • Public Task
  • Vital Interest

Legal Obligation is one of the six lawful bases needed to process personal data legally.

This applies where it is necessary to collect or use personal data in order to comply with the law. For example, there may be specific legislation in place that directs the processing of personal information, such as a requirement to report a serious accident at work under health and safety legislation.

Legitimate Interest is one of the six lawful bases needed to process personal data legally.

It applies where using personal data is in the legitimate interests of yourself, an individual or a third party, and can include commercial interests or wider benefits for society. You must be able to justify this.

To rely on this lawful basis you must:

  • identify a legitimate interest;
  • show the collection and use of personal information is necessary to achieve this; and
  • balance your own or someone else’s interests against the person’s interests, rights and freedoms.

This lawful basis is likely to be most appropriate when you use personal data in ways that people would reasonably expect, and the privacy impact is minimal. For example, you hold contact details for an employee’s next of kin because it’s in your employee’s legitimate interest for you to let someone know if they are taken ill whilst at work.

There may also be times when you have a compelling justification for your use of someone’s information even though there’s a higher impact on that person. You can rely on legitimate interests here, but you must make sure you can demonstrate that any impact is justified.


PECR (Privacy in Electronic Communications Regulations)

These regulations sit alongside the Data Protection Act and the UK GDPR and give people specific privacy rights in relation to electronic communications.

There are specific rules on:

  • marketing calls, emails, texts and faxes;
  • cookies (and similar technologies);
  • keeping communications services secure; and
  • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

As with the Data Protection Act and the UK GDPR, the PECR are regulated in the UK by the ICO.

Personal Data means any information relating to a data subject who can be identified, directly or indirectly.

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Processors are any parties that process personal data on behalf of another party (a controller). The law requires that the processing should be subject to a contract or other legally binding agreement between the controller and the processor.

Processing means any operation or set of operations performed on personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction…

Pseudonymisation means the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately to ensure that the personal data is not made identifiable again.
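The following Python is an added illustration, not part of this guidance and not drawn from any Age UK East London system, of the difference between the Pseudonymisation entry above and the Anonymisation entry earlier in the glossary. The pseudonymised dataset replaces each identifier with a keyed token; the lookup table that maps tokens back to identifiers is the "additional information" and is returned separately so it can be stored apart from the data. The anonymised output is aggregate counts with small cells suppressed, a one-way step from which no individual record can be recovered. The sample records, the key, the age bands, the suppression threshold and all function names are constructed assumptions for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records for the example; these are not real people.
RECORDS = [
    {"nhs_number": "1111111111", "age": 72, "borough": "Hackney", "condition": "diabetes"},
    {"nhs_number": "2222222222", "age": 68, "borough": "Tower Hamlets", "condition": "asthma"},
    {"nhs_number": "3333333333", "age": 81, "borough": "Hackney", "condition": "diabetes"},
    {"nhs_number": "4444444444", "age": 59, "borough": "Newham", "condition": "asthma"},
]

# Hypothetical secret held by the controller. In practice it lives in a key store,
# never alongside the pseudonymised dataset it protects.
PSEUDONYM_KEY = b"example-key-kept-separately"


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed one-way token. Without the key a token can be neither reversed nor
    recomputed from a guessed identifier, which a plain hash would allow."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (pseudonymised dataset, lookup table).

    The dataset keeps the useful attributes but no direct identifier. The lookup
    table is the 'additional information' from the definition: it must be kept
    separately, because anyone holding both can re-identify every record.
    """
    dataset, lookup = [], {}
    for record in records:
        token = pseudonym(record["nhs_number"], key)
        lookup[token] = record["nhs_number"]
        dataset.append({"id": token, **{k: v for k, v in record.items() if k != "nhs_number"}})
    return dataset, lookup


def reidentify(pseudo_record, lookup):
    """Re-link a pseudonymised record to its identifier; only possible with the lookup table."""
    return lookup.get(pseudo_record["id"])


def age_band(age: int) -> str:
    """Coarsen exact age into a band so that ages no longer single people out."""
    if age < 65:
        return "under 65"
    if age < 80:
        return "65-79"
    return "80+"


def anonymise(records, min_count: int = 2):
    """Aggregate counts per (borough, condition), suppressing cells below min_count.

    This is a simplified illustration of anonymisation as statistical output:
    nothing individual survives, so the result cannot be turned back into records.
    A real anonymisation assessment also considers what other data a recipient
    could combine with the output.
    """
    counts = Counter((r["borough"], r["condition"]) for r in records)
    return {cell: n for cell, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    dataset, lookup = pseudonymise(RECORDS, PSEUDONYM_KEY)
    print("pseudonymised:", dataset)
    print("re-identified first record:", reidentify(dataset[0], lookup))
    print("anonymised:", anonymise(RECORDS))
```

The pseudonymised dataset is still personal data, because the controller can re-link it using the lookup table; only the aggregate output of `anonymise` falls outside the definition of personal data, and only once the small-cell suppression has removed anything that could single out one person.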

Public Task is one of the six lawful bases needed to process personal data legally.

This lawful basis is used by public authorities or organisations carrying out specific tasks in the public interest.

Special Category Personal Data is Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric, or genetic data.

Subject Access Request (also known as a DSAR) This is the most common Subject Rights Request. Subjects can request details of their personal data and its processing from a controller at any time and in any form. They can’t normally be charged for this and the controller has a month to respond.

Vital Interest is one of the six lawful bases needed to process personal data legally.

Vital interest applies where there is a need to use or share personal data to protect someone’s life. For example, giving relevant information to the ambulance crew who are helping someone who is unconscious.
