Simply Connect Privacy & Data Protection Policy
Version 1.0. Updated 11th April 2017.
We process personal data in compliance with the Data Protection Act 1998 and we ensure that our staff are aware of their obligations when processing personal data on behalf of Simply Connect.
- The objective of this policy is to ensure that:
  - Personal Data is Processed by Simply Connect in compliance with the requirements of the Data Protection Act 1998 and other relevant information governance legislation; and
  - Simply Connect Personnel are aware of their obligations when Processing Personal Data on behalf of Simply Connect.
- Data Controller: the organisation (alone, jointly or in common with other organisations) which determines the manner and purposes for which Personal Data is to be processed.
- Data Processor: processes data on behalf of the Data Controller (other than an employee).
- Data Protection Legislation: the Data Protection Act 1998 (DPA), together with all secondary legislation made under it. The DPA governs the way in which Data Controllers can process an individual's Personal Data. It also gives individuals certain rights regarding the information that is held about them and obliges Simply Connect to respond to any requests from an individual to access their own Personal Data.
- Data Protection Principles: a set of statutory requirements, which all Data Controllers are obliged to adhere to. The Principles balance the legitimate need for organisations to process Personal Data against the need to protect the privacy rights of the Data Subject.
- Data Subject: an individual who is the subject of Personal Data.
- Information Commissioner: the regulator appointed by the Crown to promote public access to official information and protect personal information. Compliance with the Data Protection Legislation is enforced by the Information Commissioner.
- Internal Audit: a department within General Counsel.
- Personal Data: information which relates to a living individual who can be directly identified from either the information itself, or by combining the information with other data available to Simply Connect. Personal Data includes expressions of opinion and indications of intention, as well as factual information.
- Personal Data Breach: the loss, theft, inappropriate use or unauthorised disclosure of Personal Data.
- Personal Information Custodians: senior managers, who are responsible for the Processing of Personal Data within their assigned area of control.
- Privacy and Data Protection Team: a business unit within the Information Governance department of General Counsel.
- Privacy Risk: that part of Simply Connect's overall risk portfolio which relates to the integrity, availability and confidentiality of Personal Data.
- Processing/Processed: includes collecting, recording, storing, retrieving, transmitting, amending or altering, disclosing, deleting, archiving and destroying Personal Data.
- Simply Connect Personnel: includes all Simply Connect employees as well as all temporary staff, contractors, consultants and any third parties with whom special arrangements (such as Data Processor, confidentiality or non-disclosure agreements) have been made.
- This policy applies to all Simply Connect Personnel and to all Personal Data Processed by Simply Connect at any time, by any means and in any format.
- Simply Connect will:
  - Comply with Data Protection Legislation and adhere to the eight Data Protection Principles, as described in the Annex to this policy
  - Comply with the statutory requirement to maintain accurate entries on the Information Commissioner's public register of Data Controllers which describes the purposes for which Personal Data is processed
  - Comply with all other relevant legal requirements which apply to its processing of Personal Data, including:
    - The Human Rights Act 1998 and the requirement to act in a way which is compatible with the right to respect for private and family life in the European Convention of Human Rights and Fundamental Freedoms
    - The Privacy and Electronic Communications (EC Directive) Regulations 2003
    - The common law duty of confidence
  - Adhere to the requirements set out in the following standards, policies and guidance in order to support its compliance with Data Protection Legislation:
    - The Information Commissioner's guidance documents and Codes of Practice
    - The Payment Card Industry Data Security Standard (PCI DSS)
    - Simply Connect's Code of Conduct
  - Implement appropriate structures, systems and processes to manage all Personal Data fairly and lawfully and in a way that ensures its integrity, accuracy, relevance and security
  - Be open and transparent about how Personal Data is Processed, providing clear privacy notices at the point at which it is collected, with access to additional supporting information provided via the Simply Connect website
  - Ensure that its procurement processes and contractual arrangements with external service providers include adequate measures to ensure compliance with the Data Protection Principles and associated requirements outlined in this policy
  - Approach the identification, control, mitigation and elimination of Privacy Risk in the same way as financial and operational risk. This will be reflected in corporate and local risk registers
  - Give customers an opportunity to opt in to receiving future marketing communications at the point at which their Personal Data is first collected; and within any marketing communications, provide a simple and transparent process to unsubscribe
  - Ensure that requests from customers to change the use of their data for the purposes of marketing and/or the provision of service updates will be acted on promptly
  - Install and use Closed Circuit Television (CCTV) and similar equipment, in accordance with the requirements of the Information Commissioner's Surveillance Camera Code of Practice and the Home Office Surveillance Camera Code of Practice
  - Not disclose Personal Data to third parties except where disclosures are permitted by, or required by, law
  - Label Personal Data in accordance with its Information Security Classification Standard for protectively marking Information
  - Ensure that any complaint about Simply Connect's processing of Personal Data or non-compliance with this policy will be passed to the relevant internal team for investigation. The complaint will be dealt with promptly and in accordance with our Privacy and Data Protection Complaints Handling Procedure
  - Require all Simply Connect employees directly involved in the Processing of Personal Data to complete appropriate training
  - View serious or repeated breaches of this Policy by a Simply Connect employee as misconduct
Responsibility for privacy and data protection compliance
- All Simply Connect Personnel are responsible for actively supporting compliance with this policy and should only process Personal Data for legitimate business purposes directly related to the performance of their duties.
- Personal Information Custodians are responsible for:
  - Ensuring that Simply Connect Personnel within their area of control are aware of this policy and are adequately trained in the handling of Personal Data
  - The assessment and reporting of Privacy Risk linked to the Processing of Personal Data within their area of control
  - Implementing appropriate procedures to ensure compliance with restrictions on the Processing of Personal Data within their area of control
- All Simply Connect Personnel are responsible for reporting actual or suspected Personal Data Breaches to relevant senior Simply Connect managers.
Approval and amendments
- This policy will be subject to periodic review as considered appropriate by Simply Connect's Management Board.
Annex: The Data Protection Principles (Data Protection Act 1998, Schedule 1)
Personal data should be processed fairly and lawfully.
Simply Connect will use Personal Data both fairly and lawfully. In any circumstance in which individuals provide Simply Connect with their Personal Data for the first time, or for a new purpose, they will be informed of the identity of the Data Controller, the use to which their data will be put and whether any disclosure may be made to third parties.
This is known as a Privacy Notice and any such wording must be approved by the Privacy and Data Protection Team.
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Simply Connect will only process Personal Data for the purpose(s) which the Data Subject was previously informed of and it will not be used for any other purpose that is incompatible with the original purpose(s).
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Simply Connect will ensure that only the minimum Personal Data necessary for the purpose is processed and will not collect or hold Personal Data solely on the basis that it might be useful in the future. There should always be a legitimate business reason for the Processing of Personal Data linked to a specific ongoing purpose.
Personal data shall be accurate and, where necessary, kept up to date.
This Principle covers the integrity of Personal Data. Data will be inaccurate where it is incorrect or misleading as to any matters of fact.
There must be processes in place to maintain the quality of data capture at the point data is first collected or obtained by Simply Connect, and to accurately amend, update or correct Personal Data.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Business areas must ensure that Personal Data is securely destroyed once the purpose(s) for processing the Personal Data has come to an end and there is no legal requirement or valid business/operational reason for its continued retention.
Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
These rights are to:
- Gain access to their data
- Seek compensation for substantial damage or distress caused by their data not being processed in accordance with the Act
- Prevent their data being processed in certain circumstances
- 'Opt out' of having their data used for direct marketing at any time
- Have automated decisions reconsidered
Requests from Data Subjects to access their Personal Data will be managed in accordance with the Information Commissioner's Subject Access Code of Practice.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Simply Connect's standard contractual clauses on data protection must be used in any circumstances where Processing of Personal Data on behalf of Simply Connect is carried out by a service provider or other third party.
The Privacy and Data Protection Team must be consulted in the early stages of any project or proposed change to a business process that has any significant implications for the Processing of Personal Data.
Simply Connect Personnel must report any actual or suspected incident which has resulted, or is likely to result, in the loss, theft, unauthorised disclosure, accidental destruction or other compromise of Personal Data directly to Simply Connect Senior Management.
Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Simply Connect will comply with the restrictions in the Data Protection Act 1998 on the transfer of Personal Data outside the European Economic Area (which consists of the 28 member states of the European Union plus Norway, Iceland and Liechtenstein). The Privacy and Data Protection Team must be consulted in advance of any such transfers being undertaken or agreed.