The Data Protection Act (DPA18).
Privacy Notice – Processing of Personal Data
- The Data Protection Act 2018 (DPA18) received Royal Assent on 23 May 2018 and brought the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) into UK law. The GDPR itself came into operation across the EU on 25 May 2018. DPA18 was necessary as Brexit would lead to the EU Regulations not having legal effect in the UK.
2) Under DPA18 individuals have the right to be informed about how their Personal Data is being processed. The Act clearly stipulates that this must be done in a concise, transparent, intelligible and easily accessible form, using clear and plain language, for any information addressed specifically to a child.
3) The aim of the GDPR is to harmonise data protection legislation across EU member states, enhancing the privacy rights for individuals. It applies to organisations processing Personal Data which have an establishment within the EU and also those organisations which operate outside the EU but offer goods or services to, or monitor the behaviour of, individuals in the EU. This includes the UK after Brexit and it is necessary that we offer the same protections.
4) Overall DPA 18 references GDPR and provides the following rights for individuals, many of which apply whatever the basis of processing, although there are some exceptions:
a. The right to be informed how Personal Data is processed
b. The right of access to their Personal Data
c. The right to rectification
d. The right to erasure
e. The right to restrict processing
f. The right to data portability
g. The right to object
h. Rights in relation to automated decision making and profiling
5) There are six lawful grounds for processing, as follows:
a. CONSENT – the individual has given their Consent to the processing of their Personal
Data.
b. CONTRACTUAL – processing of Personal Data is necessary for the performance of a contract to which the individual is a party or for the Controller to take
pre-contractual steps at the request of the individual.
c. LEGAL OBLIGATION – processing of Personal Data is necessary for compliance with a legal obligation to which the Controller is subject.
d. VITAL INTERERSTS – processing of Personal Data is necessary to protect the vital
interest of the individual or of another individual.
e. PUBLIC TASK – processing of Personal Data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
f. LEGITIMATE INTERESTS – processing is necessary under the Legitimate Interests of the Controller or Third Party, unless these interests are overridden by the
individual’s interests or fundamental rights.
6) In addition to ‘Consent’ the options under which SVGC can operate as a business allows the application of either (or both) of ‘Contractual’ and ‘Legitimate Interests’. Of these SVGC has decided that the lawful ground of ‘Legitimate Interest’ best fits the business model.
7) SVGC take the issue of data protection very seriously and have undertaken a ‘Legitimate Interests’ assessment. This assessment comprises 3 stages.
a. Stage 1 – Identify a Legitimate Interest:
For SVGC the Legitimate Interest in holding personal data is in order to successfully attract employment tasks for the company, its associates and its partner companies. To discharge this task SVGC hold Curriculum Vitae for employees, associates and partner company personnel. Bank details are also held to enable payment for work completed. In addition, for a large subset of these, SVGC also hold and maintain security clearances.
b. Stage 2 –The Necessity Test:
For SVGC the holding of personal data is a requirement for security clearances and the CV store allows the rapid identification of SQEP and a timely response to opportunities as they arise. Requesting CV data from the data subject each time an opportunity is identified would require disproportionate effort and the subsequent delay would risk losing bids. Holding the data on a secure SVGC server is considered necessary to deliver the business model.
c.Stage 3 – The Balancing Test:
Personal data on employees, associates and partner company personnel is held for the financial benefit of all parties. The assessment template requires answers to 19 questions to ensure that the rights of individuals are protected by assessing any impact on individuals and identifying any safeguards necessary.
Types of Personal Data which may be held by SVGC
8) This may include name, address, title, preferred salutation, telephone number, email address, social media username or alias and other contact information; date of birth, place of birth, gender, citizenship, country of residence, occupation, employer, employment status, income, social security or national insurance number, photographs, copies of passports or other national or government identity documents, bills or correspondence showing address, identity, occupation or income related data; marital status, financial dependants, languages spoken, lifestyle, hobbies and interests, and other background data and relationship management information; bank account details; employee numbers or other internal identifiers and names, job titles and email addresses; instant message or live chat logs; meeting, telephone or attendance notes, emails, letters or other data relating to communications, calls and meetings; data relating to regulatory checks and disclosures, and to any status, flag and other result of such checks and disclosures; account transaction details; on-going monitoring data in connection with compliance, fraud prevention and security, including : system and building login and access records, data caught by IT security programmes and filters; IP address, browser generated information, device information, geo-location markers and other digital identifiers used for tracking, profiling or location purposes; and other metadata relating to the use of SVGC Systems and applications.
How do we use your personal information?
9) We may process your personal information for our legitimate business interests as described above and are accountable in accordance with DPA18:
“Legitimate Interests” means the interests of our company in conducting and managing our business to enable us to give you the best service/products and the best and most secure experience. When we process your personal information for our legitimate interests, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. Our legitimate business interests do not automatically override your interests – we will not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your explicit consent or are otherwise required or permitted to by law).
10) We store your personal data on a secure SVGC server with 2 factor authentication required to gain access to the network and further user privileges used to maintain a secure data boundary. We will retain your CV until such time as you request its deletion.
11) We use your personal data to identify your suitability for opportunities which we acquire through a number of frameworks and internet sites. Should we consider you a suitable fit then we will always contact you to determine your interest and availability at which point you will be able to tailor or update your details as you think.
12) If any submission requires the transfer of your personal data outside the European Union we will request your explicit permission by way of an e-mail from you.
13) You always have the right to request that we delete any of your personal data that we hold.
14) To avoid the possibility of an unauthorised release of your personal data all documents containing such data will be transferred to third parties (ie frameworks and Prime contractors) in an encrypted form.
15) All communication concerning your personal data will be archived on our secure server.
16)The integrity of our processes will be tested at least yearly by way of penetration testing of our network.
17) Should you enter into a contract for employment then the lawful, basis for processing will alter, for the period of that contract (from ‘Legitimate Interest’ to ‘Contractual’) in order to protect your bank details to enable payment.
