FAQ


Answer:

When processing personal data it is necessary for there to be a ‘lawful basis’ for the processing to take place. There are numerous forms of lawful basis under which an organisation can process data, including:

  • Consent – an individual has given you clear and informed consent to process their personal data.
  • Fulfilling a contract – for example, it would be necessary to hold and process the personal data of an employee in order to fulfil their contract of employment.
  • Legitimate interest – for example, information about the health of an employee or volunteer.
  • Legal obligation – for example, if the organisation becomes aware of a safeguarding concern or crime that they are required to disclose to the relevant authority.

Answer:

Special category data refers to personal data that is regarded as particularly sensitive. This kind of data is subject to stricter processing laws due to the increased levels of harm that a disclosure of special category data could do to the individual involved. Forms of special category data include information about health, racial or ethnic origin, political opinion, trade union membership, and gender and sexuality.

In addition to identifying a legal basis for processing special category data, organisations must also identify an additional ‘condition for processing’. The ICO sets out what these are here: Special category data | ICO. Organisations that are processing special category data need to ensure that they take extra care and document how they are ensuring the safety of the data.

Answer:

The Information Commissioner’s Office (ICO) is the independent regulator set up to support data protection and enforce data protection laws in the UK. In the case of a breach of security of personal data, it is the organisation’s legal responsibility to report the breach to the ICO.

Data controllers and data processors

The terms ‘data controller’ and ‘data processor’ are related to the organisation or individual who is processing data and the level of responsibility they are subject to.

  • Data Controller: A data controller is the decision maker around how and why data is collected and used. This will generally be an organisation.
  • Data Processor: A data processor acts upon instruction from a data controller. Generally individuals within organisations are data processors.

Answer:

A Data Protection Officer (DPO) is a named individual who is responsible for supporting an organisation to comply with data protection regulations. It is unlikely a small VCS organisation will be statutorily required to appoint a DPO, but it may be good practice, especially for organisations who process special category data.

Answer:

The first step is to carry out an information audit to find out what personal data your organisation holds and where it is. You should then know:

  • What kind of data do you process? For example do you process special category data that requires a high level of security?
  • Who processes that data? Who within your organisation processes and has access to data? Are they aware of their responsibilities? Do they need training?
  • How do you keep data safe? What systems do you use? If you keep information internally, is the information kept somewhere secure? If you use electronic systems, what are their security arrangements?
  • How do you process consent? Are people aware of what information you collect about them, and do they give their consent for you to do this?
  • Why are you collecting that data? What is the purpose for collection? If this is understood then it will be possible to identify the lawful basis for collecting data. This may require the consideration of a legitimate interests assessment.

Answer:

This is a process which helps organisations assess if their data processing meets the legitimate interests of their organisation whilst also balancing the rights of individuals. More information about legitimate interests assessments can be found here.

Answer:

A personal data breach refers to a breach of security that has led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Example: A list of client details is accidentally attached to an email.

An organisation needs to have processes in place that tell individuals what to do in the case of a personal data breach. This will depend on the severity of the breach and the kind of personal data that has been involved.

In the event of a data breach an organisation is required to assess the severity of the breach. The main concern is to assess the potential for any negative consequences that could happen for an individual as a result of the breach. This assessment should also take into consideration whether any special category data was involved in the breach. If a decision is made not to report the breach then this decision must be justifiable and documented.

If the organisation determines that the breach could cause potential negative consequences, then there are two actions they must take:

  • Report the breach to the ICO within 72 hours of its occurrence.
  • Inform individuals involved that their data has been compromised.

Failure to report a breach can result in a fine of up to £8.7 million or 2 per cent of the organisation’s global turnover.

Answer:

There are certain documents that every organisation which is processing personal data will need. These documents support good practice in data protection, enable organisations to meet their legal requirements, and enable organisations to demonstrate how they are complying with the law. A checklist is provided at the bottom of this resource.

Privacy notice: A privacy notice is a legal requirement. It is a publicly facing document which outlines the ways in which an organisation collects, uses, and protects personal data. It gives individuals the information they need in order to be confident that their data is secure and to be able to access and exercise control over their personal data.

Data protection policy: This is an internally facing document which outlines the processes the organisation employs to ensure data is safe and that they comply with the law. It will document the lawful basis for data processing.

Consent: An organisation needs to document how it obtains consent from individuals and keep a record of that consent.

Roles and responsibilities: An organisation needs to document that it knows who is processing data and levels of responsibility such as if they have appointed a DPO.

Processing activities: Organisations processing special category data or large volumes will need to have a record of processing activities including categories of data processed, purposes of processing, legal bases for processing, data sharing arrangements, data retention periods and security measures.

Answer:

Equality, equity, diversity and inclusion (often shortened to EEDI) is the term used for policies and practices to ensure fair treatment and opportunity. The terms around EEDI are used in slightly different ways depending on context, but when putting together a policy these definitions are helpful to consider:

Equality means ensuring that people have equal opportunities. Organisations should ensure that people are treated fairly and are not treated less favourably because of their protected characteristics.

Equity means ensuring people are not unfairly prevented from accessing resources or opportunities, and also that others do not benefit from unfair advantages. For example, an equitable approach to project planning would consider what changes might be needed to help people get equal outcomes from a project, service or process; this might mean providing different opening hours, facilities or support for key groups of clients.

Diversity is about recognising and respecting differences. This can mean working with and including people with different protected characteristics, but can cover other factors like class background, nationality and working style. A diverse environment is one with a wide range of backgrounds, life experiences and mindsets.

Inclusion means creating an environment where everyone feels welcome and valued. An inclusive environment can only be created once issues of bias, prejudice and inequality are identified and actively challenged.

Answer:

In the UK, the primary legal obligations around equality, diversity, and inclusion are set out in the Equality Act 2010. This Act brings together elements of equalities law that were previously addressed by separate legislation. It prohibits discrimination based on nine protected characteristics:

  • Age.
  • Disability.
  • Gender reassignment.
  • Marriage and civil partnership.
  • Pregnancy and maternity.
  • Race.
  • Religion or belief.
  • Sex.
  • Sexual orientation.

The Act requires organisations, in their role as both employers and service providers, to treat everyone equally and take steps to prevent discrimination on the basis of any of these characteristics. The Equality and Human Rights Commission (EHRC) is responsible for upholding the Equality Act and investigating complaints of discrimination.
