Data Protection Policy

1  Purpose

This policy explains how the Society complies with the requirements of the General Data Protection Regulation. The Society is committed to being transparent about how it collects and uses the personal data of its members and employees, and to meeting its data protection obligations. This policy sets out the Society's commitment to data protection and individuals' rights and obligations in relation to personal data.

2  Scope

This policy applies to all personal data handled by the Society, including data held in paper files and data held electronically.

This policy applies to all of the Society's staff, whether permanent, temporary, contractors, consultants, volunteers or trustees, and includes the Society's Council and working groups. It sets out the requirements to be compliant under the UK General Data Protection Regulation and the Data Protection Act 2018 and explains the requirements for collecting, storing, processing and deleting data.

3  Responsibilities

The Society has appointed Sarah Hall, Head of Finance and Internal Operations, as the person with responsibility for data protection compliance within the Society. They can be contacted at: info@ics.ac.uk. Questions about this policy, or requests for further information, should be directed to them.

4  Definitions

"Personal data" is defined in Article 4 of the General Provisions of the UK GDPR as:

“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

“Processing” is defined under UK GDPR as “Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

In other words, processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

"Special categories of personal data or sensitive personal data" means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetics and biometric data.

"Criminal records data" means information about an individual's criminal offences and convictions, and information relating to criminal allegations and proceedings.

5  Data protection principles

The Society processes personal data in accordance with the following data protection principles:

  • the Society processes personal data lawfully, fairly and in a transparent manner in relation to individuals
  • the Society collects personal data only for specified, explicit and legitimate purposes and does not further process it in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
  • the Society processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing
  • the Society keeps accurate and up to date personal data and takes all reasonable steps to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  • the Society keeps personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of individuals
  • the Society puts in place appropriate security measures to make sure that personal data is secure, and protected against unauthorised access or unlawful processing, and accidental loss, destruction or damage, using appropriate technical or organisational measures.

6  Legal basis for processing personal or sensitive data

The Society will only process personal data if it can satisfy at least one of the following conditions in relation to that data:

  1. consent – the data subject whom the personal data is about has consented to the processing
  2. contractual – processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract, e.g. an employment contract
  3. legal obligation – processing is necessary for compliance with a legal obligation
  4. protection of vital interests of a data subject – where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person
  5. public interest/official authority – processing is necessary for the performance of tasks carried out by a public authority or private organisation acting in the public interest
  6. legitimate interests – processing is necessary for purposes of legitimate interests pursued by the Society or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

The Society will only process special category data or criminal records where:

  • the data subject has given explicit consent to the processing of the personal data for one or more specified purposes. For the consent to be explicit, the data subject must signify their agreement and there must be some statement or a clear affirmative action that signifies agreement to the processing of personal data relating to them
  • the information is required by law to process the data for employment purposes
  • the information is needed to protect the vital interests of the data subject or another, and consent cannot be given or reasonably sought.

The Society has a Data Retention Policy to ensure that personal data processed for any purpose(s) shall only be kept for as long as a business process requires or as needed to fulfil legal record-keeping obligations, whichever is the longer.

The Society will ensure that its processing activities are registered with the Information Commissioner's Office (ICO).

The Society will make its Privacy Policy available on its website.

7  Individual Rights

Individuals have the right to access their personal data and supplementary information. This right also allows individuals to be aware of and to verify the lawfulness of the processing.

Subject Access Requests (SAR) - Individuals are entitled to access the information that the Society holds about them.

If an individual makes a subject access request, the Society will comply with the relevant legislation and will:

  • confirm whether any personal data is being processed
  • provide a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people
  • provide a copy of the information comprising the data; and details of the source of the data (where this is available).

This will normally be in electronic form if the individual has made a request electronically, unless they agree otherwise.

If a request is manifestly unfounded or excessive, particularly if it is repetitive, a reasonable fee can be charged. In extreme circumstances the request can be refused, and in these circumstances all guidelines from the Information Commissioner’s Office must be followed.

When a request is received, the identity of the individual must be verified using “reasonable means”. The most appropriate means will depend upon the nature of the records (for example whether a photo is held) and should be recorded with the data access request information.

If the individual wants additional copies, the Society may charge a fee that will be based on the administrative cost to the Society of providing the additional copies.

To make a subject access request, the individual should send the request to the Head of Finance & Internal Operations at info@ics.ac.uk. They will act in accordance with the Society’s Subject Access Request Procedure and ask the individual to complete a Subject Access Request Form before the request can be processed.  

8  Other Rights

The GDPR provides the following rights for individuals in relation to their personal data: 

The right to be informed - Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR. The Society will communicate this information using records of consent that include the purposes for processing, retention periods and details of anyone we may need to share the data with. Consent requests must be sent to all individuals at the time that data is first collected.

The right to rectification - This allows individuals to have inaccurate personal data rectified or made complete if it is incomplete. This can be requested verbally or in writing. The request must be responded to within one calendar month.

If the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature, it may be possible to refuse it or to charge a reasonable fee to deal with it.

The right to erasure - This right is also known as “the right to be forgotten”. It allows the individual to request that all the personal data held for them be deleted. This right is not absolute and only applies in certain circumstances, as detailed on the link below.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

If an individual makes a valid request, the action must be completed within one month and confirmation must be given to the individual. If the request does not meet the required circumstances the individual must be informed with an explanation and details of how to complain to the Information Commissioner’s Office.

The right to restrict processing - This is where individuals have the right to request the restriction or suppression of their personal data. Again, this is not absolute and only applies in certain circumstances, as detailed in the link below.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/

The right to data portability - This right allows individuals to obtain and reuse their personal data for their own purposes across different services.

In order to be valid the request must meet the requirements detailed on the Information Commissioner’s website. The same response times apply as those for a data access request, one month that can be extended by two months in some instances.

The data must be supplied in a structured, commonly used and machine-readable form (for example as a CSV file).

The right to object - An individual has the right to object to the processing of their data and the objection should be assessed to check if it is valid.

Where an objection is found to be valid, processing must stop immediately.

Rights in relation to automated decision making and profiling:

The Society does not currently operate any automated decision-making or profiling activities.

To ask the Society to take any of these steps, the individual should send a request to info@ics.ac.uk.

9  Data security

The Society takes the security of personal data seriously. The Society has internal policies and controls in place to protect personal data at rest or in transit against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by staff in the proper performance of their duties.

Where the Society engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, i.e. a data sharing agreement and/or under contractual agreement. Third party suppliers are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

10  Impact assessments

Some of the processing that the Society carries out may result in risks to privacy. Where processing would result in a high risk to individuals' rights and freedoms, the Society will carry out a Data Privacy Impact Assessment (DPIA) to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks to individuals and the measures that can be put in place to mitigate those risks.

11  International data transfers

The Society will not transfer personal data to countries outside the EEA unless there are suitable safeguards, and the country or territory can ensure an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data. 

12  Roles and Responsibilities

Individual obligations - Members, employees and job applicants are responsible for helping the Society keep their personal data accurate and up to date.  

Staff may have access to the personal data of other individuals (in the course of their employment, contract, volunteer period, internship or apprenticeship). Where this is the case, the Society relies on individuals to help meet its data protection obligations to staff and to members, customers and clients.

Staff who are processing personal data on behalf of the Society are required:

  • to only access data that they have authority to access and only for authorised purposes
  • not to disclose data except to individuals (whether inside or outside the Society) who have appropriate authorisation
  • to keep data secure (for example by complying with rules on access to premises, computer access, password protection, and secure file storage and destruction)
  • not to remove personal data, or devices containing or that can be used to access personal data, from the Society's premises without adopting appropriate security measures (such as encryption and password protection) to secure the data and the device; and
  • not to use personal email addresses to conduct Society business

13  Provision of data to police and other third parties

Specific procedures apply to the provision of data to third parties.

Personal data requests will occasionally be received from the police or the GMC; requests must be made in writing and must be referred to the Head of Finance & Internal Operations (info@ics.ac.uk) for approval. The exemption given to the police and GMC to pursue their enforcement functions does not cover the disclosure of all personal information held on an individual. It only allows the Society to release personal information for the stated purpose(s) and only if not releasing it would be likely to prejudice legitimate investigations.

If a subject data request is received from an individual after a personal data request has been made by the police, the relevant police force must be consulted before any decision is made to release details of the personal data request to the individual.

In addition, staff must ensure the following in relation to sharing any personal data with a third party:

  • when bulk sharing personal data with another organisation, advice is routinely sought from the Data Protection Officer and a Data Sharing Agreement (or other such contractual arrangement) is in place
  • where personal or sensitive information is being collected for a new operational purpose, the Data Protection Officer should always be informed
  • ensure that all requests for disclosures for personal or sensitive information are sent to the Data Protection Officer in the first instance

14  Data incidents

Potential personal data incidents should be reported immediately to the Head of Finance & Internal Operations and include details on who reported the incident, a description of the breach (if there has been one), the data involved, and the number of people affected. The Society will keep a log of this information, including any remedial action taken.  

Personal data incidents are classified in the Society’s Data Incident Log according to the severity of risk.  Depending on the severity, an incident may be reported to the ICO. This should be done within 72 hours of the Society becoming aware of the breach, where feasible.

If the breach is likely to result in a high risk of adversely affecting the rights and freedoms of individuals, the Society will inform the affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures taken. For more information, please refer to the Personal Data Incident Policy and Management Procedures.

15  Patient Data

For research purposes, the Society has access to and/or is a Data Controller for NHS patient data. Separate Information Governance Procedures and policies are available for individual research programmes. For more information, please contact the Data Protection Officer at info@ics.ac.uk

16  Professional Codes of Conduct

All healthcare professionals employed by the NHS will be subject to standard NHS confidentiality agreements and be familiar with code of conduct documents

17  Freedom of Information Act 2000

The Freedom of Information Act 2000 makes provision for the disclosure to members of the public of information held by public authorities or by persons providing services for them.

The Act does not apply to the Society. However, the Society’s policy is to provide information to the public unless there is a compelling reason not to do so.  

Any requests for information should be passed to the Head of Finance & Internal Operations.

18  Training

The Society provides information and training to all staff about their data protection responsibilities as part of the induction process and at regular intervals thereafter.

Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.

19  Breach of Policy

Failing to observe these requirements may amount to a disciplinary offence that will be dealt with under the Society's disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or members’ data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.

20  Policy Owner

This policy is owned by the Head of Finance & Internal Operations for the Intensive Care Society.