Human’s data protection policy (GDPR compliant)
Aim and scope of policy
This policy applies to the processing of personal data in manual and electronic records kept by Human in connection with its human resources function as described below. It also covers Humans response to any data breach and other rights under the General Data Protection Regulation.
This policy applies to the personal data of personal clients, class attendee’s, online enquires and members of Human, these are referred to in this policy as relevant individuals.
“Personal data” is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data.
“Special categories of personal data” is data which relates to an individual’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).
“Criminal offence data” is data which relates to an individual’s criminal convictions and offences.
“Data processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Company makes a commitment to ensuring that personal data, including special categories of personal data and criminal offence data (where appropriate) is processed in line with GDPR and domestic laws and all its employees conduct themselves in line with this, and other related, policies. Where third parties process data on behalf of Human, Human will ensure that the third party takes such measures in order to maintain Humans commitment to protecting data. In line with GDPR, the Company understands that it will be accountable for the processing, management and regulation, and storage and retention of all personal data held in the form of manual records and on computers.
Types of data held
Personal data is kept in personnel files or within Human’s systems. The following types of data may be held by Human, as appropriate, on relevant individuals:
- name, address, phone numbers – for individual and next of kin
- job title, job descriptions
- medical or health information
- training details.
- Previous training details
Relevant individuals should refer to Human’s privacy notice for more information on the reasons for its processing activities, the lawful bases it relies on for the processing and data retention periods.
Data protection principles
All personal data obtained and held by Human will:
- be processed fairly, lawfully and in a transparent manner
- be collected for specific, explicit, and legitimate purposes
- be adequate, relevant and limited to what is necessary for the purposes of processing
- be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay
- not be kept for longer than is necessary for its given purpose
- be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
- comply with the relevant GDPR procedures for international transferring of personal data.
How we get the information and why we have it
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- To provide appropriate fitness and health programs.
- To market future programs that are relevant to yourself
- To see if you are suitable to work with Human
In addition, personal data will be processed in recognition of an individuals’ data protection rights, as follows:
- the right to be informed
- the right of access
- the right for any inaccuracies to be corrected (rectification)
- the right to have information deleted (erasure)
- the right to restrict the processing of the data
- the right to portability
- the right to object to the inclusion of any information
- the right to regulate any automated decision-making and profiling of personal data.
Human has taken the following steps to protect the personal data of relevant individuals, which it holds or to which it has access:
- it is responsible for:
- the processing and controlling of data
- the comprehensive reviewing and auditing of its data protection systems and procedures
- overviewing the effectiveness and integrity of all the data that must be protected.
- it provides information to its clients on their data protection rights, how it uses their personal data, and how it protects it. The information includes the actions relevant individuals can take if they think that their data has been compromised in any way
- it can account for all personal data it holds, where it comes from, who it is shared with and also who it might be shared with
- it carries out risk assessments as part of its reviewing activities to identify any vulnerabilities in its personal data handling and processing, and to take measures to reduce the risks of mishandling and potential breaches of data security.
- it recognises the importance of seeking individuals’ consent for obtaining, recording, using, sharing, storing and retaining their personal data, and regularly reviews its procedures for doing so. The Company understands that consent must be freely given, specific, informed and unambiguous. The Company will seek consent on a specific and individual basis where appropriate. Full information will be given regarding the activities about which consent is sought. Relevant individuals have the absolute and unimpeded right to withdraw that consent at any time
- it has the appropriate mechanisms for detecting, reporting and investigating suspected or actual personal data breaches, including security breaches. It is aware of its duty to report significant breaches that cause significant harm to the affected individuals to the Information Commissioner, and is aware of the possible consequences
Access to data
Relevant individuals have a right to be informed whether Human processes personal data relating to them and to access the data that Human holds about them. Requests for access to this data will be dealt with under the following summary guidelines:
- a form on which to make a subject access request is available from Human directly. The request should be made to Alec Warren – email@example.com
- Human will not charge for the supply of data unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the employee making the request
- Human will respond to a request without delay. Access to data will be provided, subject to legally permitted exemptions, within one month as a maximum. This may be extended by a further two months where requests are complex or numerous.
Relevant individuals must inform Human immediately if they believe that the data is inaccurate, either as a result of a subject access request or otherwise. Human will take immediate steps to rectify the information.
Human adopts procedures designed to maintain the security of data when it is stored and transported.
In addition, we ensure that:
- ensure that all files or written information of a confidential nature are stored in a secure manner and are only accessed by myself Alec Warren
- ensure that all files or written information of a confidential nature are not left where they can be read by unauthorised people
- All hard copies are stored in a secure filing cabinet.
Where personal data is recorded on any device such as USB and Laptop it should be protected by:
- ensuring that data is recorded on such devices only where absolutely necessary
- using an encrypted system — a folder should be created to store the files that need extra protection and all files created or moved to this folder should be automatically encrypted
- ensuring that laptops or USB drives are not left lying around where they can be stolen.
Failure to follow Human rules on data security may be dealt with via the Human disciplinary procedure. When appropriate.
Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner within 72 hours of Human becoming aware of it and may be reported in more than one instalment.
Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual.
If human is to employee in the future it will ensure that:
New employees must read and understand the policies on data protection as part of their induction.
All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.
The nominated data controller/auditors/protection officers for the Company are trained appropriately in their roles under the GDPR.
All employees who need to use the computer system are trained to protect individuals’ private data, to ensure data security, and to understand the consequences to them as individuals and the Company of any potential lapses and breaches of the Company’s policies and procedures.
Records will be kept as long as the client is receiving service from Human. It will be deleted a 1 month after the client has terminated their relationship with Human.
Data protection compliance
Alec Warren is the Company’s appointed compliance officer in respect of its data protection activities. He can be contacted at firstname.lastname@example.org or 219 501
Complaints can be made to the Isle of man information commissioner’s office.