Obtaining of Data
- This policy will be reviewed annually.
- Manoj Rupasinghe has overall responsibility for this policy.
- Personal data is any information about any individual.
- Personal data shall only be obtained in accordance with the GDPR.
- Personal data shall only be obtained where there are one or more lawful bases on which to do so.
- Personal data shall not be obtained unless it is necessary to do so for the purpose for which it is being obtained and it is not excessive to do so.
- Where personal data is obtained the lawful basis on which it is obtained shall be recorded.
- Where the lawful basis is consent, only explicit consent will be relied upon.
Disclosure of Data
- Data will only be disclosed to a third party where the subject has consented, it is necessary for the performance of a contract with the subject or in performance of a legal obligation.
- Where the basis for disclosure is consent this shall be recorded.
- A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
- As soon as a staff member has become aware of an actual or potential personal data breach they will bring it to the attention of Manoj Rupasinghe.
- As soon as Manoj Rupasinghe becomes aware of an actual or potential personal data breach he will decide whether to inform the subjects affected in accordance with the requirements of the GDPR.
- As soon as Manoj Rupasinghe becomes aware of an actual or potential personal data breach he will decide whether to inform the Information Commissioner’s Office in accordance with the requirements of the GDPR.
- Subject to paragraph 16, client files will be retained for the period of six years, after which they will be destroyed if they have not been retrieved for further work. If they have been retrieved for further work then they will be destroyed six years after they were last retrieved.
- Subject to paragraph 16, employee files will be retained for the period of 2 years after the employee’s employment is terminated.
- Subject to paragraph 16, personal data relating to unsuccessful job applicants will be retained for the period of 2 years after the applicant is informed of the outcome of their application.
- Before personal data is obtained the subject shall be informed of the purpose for which the data is obtained, the lawful basis of the processing, the recipients or categories of recipients of the data, the details of any transfers to non-EU countries and their rights set out below.
- A subject may request a copy of their personal data. This copy will be provided within one month of the request being received. There will be no charge unless a charge is allowed by law (i.e. manifestly unfounded and excessive requests).
- A subject may request that their personal data be corrected or completed where that data is inaccurate or incomplete. The data will be corrected/completed unless the inaccurate/incomplete data needs to be retained in accordance with the law, e.g. to preserve evidence.
- A subject may request that their personal data be erased. Any decision on a request for erasure will be made in accordance with the law and without undue delay. The subject will be informed of the decision and outcome without undue delay. Where data is erased it must be erased in such a manner that it becomes irrecoverable.
Staff Access to Data
- Staff members must not access personal data unless it is necessary to do so for the effective performance of their role.
- Staff members must not use personal data for purposes which are not necessary for the effective performance of their role.
Transfer of Data
- Personal data will only be stored or sent outside the European Union in accordance with the GDPR.
- Any transfer of data to a non-EU country will be documented.