GDPR Data Protection Policy
Document Reference: Centre for Health
Revision date: 10th April 2018
Revision Number: 001
The Centre for Health is committed to conducting its business in accordance with all applicable Data Protection laws and regulations in line with the highest standards of ethical conduct. This policy sets forth the expected behaviours of Centre for Health employees and third parties in relation to the collection, use, retention, transfer, disclosure and destruction of any Personal Data belonging to a Centre for Health contact (i.e. the Data Subject).
Personal Data is any information (including opinions and intentions) which relates to an identified or identifiable natural person. Personal Data is subject to certain legal safeguards and other regulations which impose restrictions on how organisations may process Personal Data. An organisation that handles Personal Data and makes decisions about its use is known as a Data Controller. Centre for Health, as a Data Controller, is responsible for ensuring compliance with Data Protection requirements outlined in this policy. Non-compliance may expose the Centre for Health to complaints, regulatory action, fines and/or reputational damage.
Centre for Health's leadership is fully committed to ensuring continued and effective implementation of this policy, and expects all Centre for Health's employees and third parties to share in this commitment.
Any breach of this policy will be taken seriously and may result in disciplinary action or a business sanction. This policy has been approved by Centre for Health's Practice Manager, Joanne Keyte.
This policy applies to all Centre for Health Entities where a Data Subject's Personal Data is Processed;
In the context of the business activities of the Centre for Health Entity.
For the provision or offer of goods or services to individuals (including those provided or offered free-of-charge) by a Centre for Health Entity
To actively monitor the behaviour of individuals.
Monitoring the behaviour of individuals includes using data processing techniques such as persistent web browser cookies or dynamic IP address tracking to profile an individual with a view to;
Taking a decision about them.
Analysing or predicting their personal preferences, behaviours and attitudes.
This policy applies to all processing of Personal Data in electronic form (including electronic mail and documents created with word processing software) or where it is held in manual files that are structured in a way that allows ready access to information about individuals.
This policy has been designed to establish a worldwide baseline standard for the processing and protection of Personal Data by all Centre for Health Entities. Where national law imposes a requirement which is stricter than that imposed by this policy, the relevant national law must be adhered to. If there are conflicting requirements in this policy and national law, please consult with the Officer for Data Protection for guidance.
The protection of Personal Data belonging to the Centre for Health employees is not within the scope of this policy.
Any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data.
Any form of automated processing of Personal Data where Personal Data is used to evaluate specific or general characteristics relating to an identifiable natural person. In particular to analyse or predict certain aspects concerning that natural person's performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement.
Binding Corporate Rules
The Personal Data protection policies used for the transfer of Personal Data to one or more Third Countries within a group of undertakings or group of enterprises engaged in a joint economic activity.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise processed.
The process of converting information or data into a code to prevent unauthorised access.
Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) without a 'key' that allows the data to be re-identified.
Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) by any means or by any person.
To demonstrate our commitment to Data Protection and to enhance the effectiveness of our compliance efforts the Centre for Health has established an Officer for Data Protection. The Officer operates with independence and has been granted all necessary authority. The Officer for Data Protection reports to the Centre for Health board of Directors and the role includes;
Informing and advising the Centre for Health and its employees who carry out processing pursuant to Data Protection regulations, national law or union based Data Protection provisions;
Ensuring the alignment of this policy with Data Protection regulations, national law or union based Data Protection provisions;
Providing guidance with regards to carrying out Data Protection Impact Assessments (DPIAs);
Acting as a point of contact for and cooperating with Data Protection Authorities (DPAs);
Determining the need for notifications to one or more DPAs as a result of the Centre for Health's current or intended Personal Data processing activities;
Making and keeping current notifications to one or more DPAs as a result of the Centre for Health's current or intended Personal Data processing activities;
The establishment and operation of a system providing prompt and appropriate responses to Data Subject requests;
The ongoing administration and management of customer services.