Data Protection Policy

Working together to handle personal data safely, respectfully and lawfully

Scope

The Data Protection Policy (the Policy) ensures the Innovative College of Professional Studies (Pvt) Ltd, aka ICPS (Pvt) Ltd, complies with Data Protection Law.

The Policy applies to:

  • All staff (employed and contracted), officers, trainees, members, College representatives and suppliers who handle and use our information (where we’re the ‘Controller’ for the personal data being processed), whether we hold it on our systems (manual and automated) or if others hold it on their systems for us
  • All personal data processing we carry out for others (where we’re the ‘Processor’ for the personal data being processed)
  • All formats, e.g. printed and digital information, text and images, documents and records, data and audio recordings.

Guiding values

In order to conduct its normal business, the College collects and uses certain types of personal information about living individuals. These include current, past and prospective trainees, members, staff, College representatives, suppliers, clients, customers, and others with whom it has business, or with whom it communicates.

The College considers the lawful and correct treatment of such personal information as essential to the efficient and successful conduct of its business. It also recognises that it is crucial to fostering and maintaining the confidence of its main stakeholders and the wider public in the College and its operations.

The College is committed to ensuring that it treats personal information lawfully and correctly, and recognises that there are safeguards to ensure this in data protection law.

Objectives

The Policy’s objectives are to:

  • Comply with Data Protection Law, e.g. data protection impact assessments
  • Meet our data protection standards, e.g. information sharing arrangements
  • Protect the rights of our staff, officers, trainees, members, College representatives, suppliers, clients, customers and public users, e.g. procedures to govern Individual Rights’ request handling
  • Protect the College from the risks of a data protection breach and related reputational, financial and legal damage, e.g. encrypt special category personal data.

Definitions

“Personal Data” is all information that relates to an identifiable living person (or “Data Subject”) and that can be used to identify the person directly, or indirectly when used with other information. It includes but is not limited to:

  • A person’s name
  • Job title
  • Age
  • Postal or email address
  • IP address, e.g. online identifier
  • Vehicle registration number
  • Bank details
  • Plus, any other information that relates to them, e.g. a pseudonym such as a national training or hospital number.

There are “Special Categories” of personal data and these include but are not limited to data revealing:

  • Race or ethnicity
  • Religious or philosophical beliefs
  • Trade union membership
  • A person’s health
  • Sex life or sexual orientation
  • Genetic or biometric data.

“Processing” relates to all actions or handling of personal data by manual or automated means, e.g. data collection, erasure and destruction plus everything in between including recording, use, disclosure, sharing and storage.

Much of the information we process includes personal data about, e.g.:

  • Trainees and members of the College
  • Examination candidates
  • Visitors to the College
  • Users of College services, e.g. the website and library
  • Staff and officers working for the College
  • Contractors and suppliers of the College
  • Partners with the College, e.g. specialist societies.

Roles and responsibilities

The data protection laws have clearly defined roles and responsibilities.

A “Data Controller” is an individual or organisation who:

  • Decides to collect or process personal data
  • Decides what the purpose or outcome of processing is to be
  • Decides what personal data should be collected
  • Decides which individuals to collect personal data about
  • Obtains a commercial gain or other benefit from the processing, except for any payment for services from another controller
  • Processes personal data as a result of a contract between us and the data subject
  • Whose data subjects are the employees
  • Makes decisions about the individuals concerned as part of or as a result of the processing
  • Exercises professional judgement in the processing of the personal data
  • Has a direct relationship with the data subjects
  • Has complete autonomy as to how the personal data is processed
  • Has appointed processors to process the personal data on our behalf.

“Joint Data Controllers” are two or more individuals or organisations who:

  • Have a common objective with others regarding the processing
  • Process the personal data for the same purpose as another controller
  • Use the same set of personal data (e.g. one database) for this processing as another controller
  • Design the processing with another controller
  • Have common information management rules with another controller.

A “Data Processor” is an individual or organisation who:

  • Follows instructions from someone else regarding the processing of personal data
  • Is given the personal data by a customer or similar third party, or told what data to collect
  • Does not decide whether to collect personal data from individuals
  • Does not decide what personal data should be collected from individuals
  • Does not decide the lawful basis for the use of that data
  • Does not decide what purpose or purposes the data will be used for
  • Does not decide whether to disclose the data, or to whom
  • Does not decide how long to retain the data
  • Makes some decisions on how data is processed, but implements these decisions under a contract with someone else
  • Is not interested in the end result of the processing.

The College is predominantly a “data controller” when processing personal data, e.g. when we procure a service from a supplier under contract and the supplier is the “data processor”. Sometimes we are a “joint data controller”, e.g. many of our clinical quality projects and reviews involve sharing the “data controller” responsibilities with our partners.

The Policy defines the College’s data protection roles and responsibilities:

Staff must

  • Understand, keep up-to-date with, and comply with the Policy
  • Complete their mandatory Data Security Awareness training every year, and within four weeks of joining the College – completion of the training is monitored and reported to the Executive Director and Directors.

Line managers must

  • Apply the Policy across their team(s)
  • Cascade data protection awareness communications to their team(s)
  • Make sure their staff comply with the Policy
  • Make sure their staff complete the mandatory Data Security Awareness training within given timescales
  • Monitor suppliers and partners’ compliance with the Policy through routine procurement and contract management activities, e.g. use appropriate contractual clauses and supporting information sharing agreements.

Information Asset Ownership across the College has been delegated to Directors and some Information Governance Leads who must

  • Understand what information assets their team(s) process(es)
  • Understand its value to the College and the related approach, appetite and capacity for risks and opportunities in conjunction with the College’s risk management standards
  • Make sure the information is managed according to the Policy.

This includes making decisions about how information is processed, e.g. what’s collected, how it’s used, who it’s shared with, when it’s deleted, and whether information risks are mitigated further or accepted by us.

Information Governance (IG) Leads are staff who have been nominated by the Information Asset Owners and must

  • Champion IG, including data protection, within their departments
  • Be the first point of contact on all IG related matters, including data protection, within their departments
  • Raise and monitor awareness of good IG practice within their departments, especially the processing of personal data
  • Facilitate an annual assessment across their departments for the Data Security and Protection Toolkit.

The Information Governance Management Group is responsible for overseeing all aspects of Information Governance (IG) at the College, including data protection. They must

  • Ensure College compliance with statutory and regulatory requirements
  • Report to the Audit and Risk Committee.

Policy

Statement

The College commits to processing all personal data in compliance with the data protection principles (unless a data protection law exemption applies).

Personal data must:

  (a) Be processed lawfully, fairly and in a transparent manner (Lawful, fair and transparent)
  (b) Be obtained only for specific, lawful purposes (Purpose limitation)
  (c) Be adequate, relevant and limited to what is necessary (Data minimisation)
  (d) Be accurate and, where necessary, kept up to date (Accuracy)
  (e) Not be held for any longer than necessary (Storage limitation)
  (f) Be protected in appropriate ways (Integrity and confidentiality/Security)

The College must demonstrate how we comply with the above principles (a) – (f) (Accountability), therefore the Policy governs or is integral to the following policies, procedures and ways of working:

Privacy Notice – principles (a) and (b)

Data Protection Impact Assessment and Guidance – principles (c) and (f)

Guidance Notes on Handling Personal Data – principles (a), (b) and (c)

Information Asset Register – all the principles plus all flows of information within and outside of the College

Records Management Policy and procedures, e.g. Retention Schedule – principles (c), (d) and (e)

Data Security and Protection Incident Handling Policy – principle (f)

IT Security Policy – principle (f)

Individual Rights Requests Guidance – all the principles

Information Governance Policy – the overarching Accountability principle.

All personal data processing must have a lawful basis for processing from the following:

  • The Data Subject consents to the processing of their personal data
  • The processing is necessary:
      • To enter into or carry out a contract with the Data Subject
      • To comply with our (or another Controller’s) legal obligations
      • To protect the vital interests of the Data Subject
      • To exercise our (or another Controller’s) official authority or perform a public interest task
      • To meet the legitimate interests of a Controller or another third party.

Of these lawful bases, the College most frequently uses the following three which then determine which of the College’s procedures and ways of working must be adopted:

  • Contract – where this applies, the contracts must:
      • Be written
      • Include or be based on the College’s mandatory data protection clauses and schedules, whether we are the client or the contractor
      • Be monitored for compliance
      • Be up-to-date.
  • Legitimate interests – where this applies, the data subject must be notified using the College’s privacy notice and/or a supplementary notification using the College’s privacy checklist
  • Consent – where this applies, the data subject must provide explicit and informed consent which is then managed to enable them to withdraw consent at any time; all consent notices must follow the College’s consent checklist (available on request).

The College commits to the processing of all personal data in compliance with the Data Subjects’ Individual Rights (unless a data protection law exemption applies).

Data Subjects have:

  • The right to be informed – e.g. fair processing/privacy notices
  • The right of access – e.g. subject access requests (SARs)
  • The right to rectification – e.g. have their data corrected
  • The right to erasure – e.g. have their data deleted/removed
  • The right to restrict processing – e.g. stop their data being used
  • The right to data portability – e.g. transfer their data easily
  • The right to object – e.g. challenge what we’re doing with their data
  • Rights in relation to automated decision making and profiling – e.g. safeguards to make sure we don’t make potentially damaging decisions about them without human involvement.

As part of these rights, Data Subjects can:

  • Make a verbal request against any of the rights listed above
  • Complain about data protection breaches and can bring court proceedings for compensation where a data protection breach has caused them damage (including distress).

Implementation

In summary:

All staff must receive training, appropriate to their role, to help them understand how to process personal data in line with the Policy – e.g. complete the annual, mandatory data security awareness training and other training as and when required, such as Privacy and Consent (includes marketing consent), Data Protection Impact Assessments and Information Sharing. Please see the current Learning and Development Programme for details of scheduled sessions

All staff processing special category personal data or with a dedicated IG role to attend the Advanced Data Protection training course and follow their departmental Special Category Personal Data Handling policy

All staff must assess and manage the risks around how they process personal data to make sure it’s classified and handled appropriately using the appropriate College tool – e.g. complete a DPIA for all projects/initiatives/procurements involving personal data and follow the relevant guidance notes to handling Personal Data

All Trainees, members, College representatives and suppliers must follow all the data protection requirements in their respective role descriptions, contracts, terms and conditions and/or Code of Conduct

All staff, officers, trainees, members and College representatives to inform the IG Officer of any Individual Rights Request received relating to the College

All staff, officers, trainees, members and College representatives must promptly report potential or actual breaches of the Policy or data protection law to the IG Officer in the Research and Information Services Team, in line with the Security Incident and Reporting Policy

All staff, officers, trainees, members, College representatives and suppliers must fully co-operate with any investigation, audit or enforcement activity undertaken by the ICO.

The College, or our suppliers, may log staff, officer, trainee, member or College representative activity to:

  • Monitor compliance with our policies to provide assurance on adherence to the Policy
  • Respond to incidents
  • Prevent, detect, or investigate crime.

We will take appropriate action against any staff member, officer, trainee, member, College representative or supplier found breaching the Policy, where appropriate to them. Such action may include but not be limited to disciplinary investigations, dismissal, civil or criminal proceedings and fines.