This is Sanctum Recruitments Ltd’s (A&C) Data Protection Policy, which has been updated to take account of the new EU General Data Protection Regulation (GDPR). This policy applies to all staff working for Sanctum or contracted and working on behalf of the company.
During the course of its work, Sanctum collects a significant amount of personal information, through its recruitment process, through engaging with our public (NHS) and private healthcare providers, and through many other forms of interaction. It also collects and manages information through incidents and complaints received about our temporary workers on clinical assignment in hospital environments.
This policy sets out the principles under which A&C will manage this data in a responsible way that respects the rights of those whose information we capture and protects the reputation of the company. It is a high-level, principles-based policy and should be read together with the other related policies (e.g. FOI).
The GDPR is a new piece of progressive and impactful privacy legislation which provides a legal framework for the use of personal information by organisations established in the EU. It came into effect on 25 May 2018.
Sanctum considers the GDPR to be an overwhelming win for human rights. Data protection laws such as the GDPR are crucial to protect and empower people online, ensuring that they remain in control of their personal information.
“Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;
“Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Data;
“Data Breach” means a breach of security leading to the accidental or unlawful destruction or loss, alteration, unauthorised disclosure of, or access to, Personal Data;
“ICO” means the Information Commissioner’s Office, which is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals;
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
(Note: the definition of Personal Data has become broader under the GDPR, reflecting changes in technology and the way organisations collect information about people.)
“Processing” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Controller.
Sensitive Personal Data
“Sensitive Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; data concerning health, sex life or sexual orientation; and genetic data or biometric data.
This policy applies to the information and systems controlled by Sanctum Ltd.
This policy applies to all Personal Data, including Sensitive Personal Data, that is collected and processed by Sanctum Ltd in the course of its business, or collected on the company’s behalf by other parties and processed by Sanctum Ltd, whether in electronic format in any medium or within structured paper filing systems.
The policy applies to anyone working on behalf of Sanctum Ltd, whether permanent, temporary, a volunteer, contractor, consultant or apprentice (hereafter referred to as ‘staff’).
Data Processors and Controllers
Based on the definitions above, Sanctum is both a Processor and a Controller of data in relation to its core activities. For example, in relation to recruitment and complaint investigations we collect people’s personal details and determine candidates’ suitability for employment (as Controller); we then use the data in our recruitment and store it in our IT systems (as Processor).
Sanctum will maintain a Record of Processing which sets out our key processing activities and the legal grounds on which we process data.
Where Sanctum uses a third party to act as either the Controller or the Processor, we will put in place a data processing agreement that ensures the data will be handled in compliance with the GDPR principles.
Data Protection Principles
Sanctum’s approach is underpinned by the data protection principles, which are set out at Article 5 of the GDPR, as follows. Data must be:
a) “processed lawfully, fairly and in a transparent manner in relation to individuals”;
This means there have to be lawful grounds for collecting the data, and it must not have a negative effect on the person or be used in a way they wouldn’t expect.
b) “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, or statistical purposes shall not be considered to be incompatible with the initial purposes”;
Data should be collected for specified and explicit purposes and not used in a way someone wouldn’t expect.
c) “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”;
It must be clear why the data is being collected and what will be done with it. Unnecessary data or information without any purpose should not be collected.
d) “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”;
Reasonable steps must be taken to keep the information up to date and to change it if it is inaccurate.
e) “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals”;
Data should not be kept for longer than is needed, and it must be properly destroyed or deleted when it is no longer used or goes out of date.
f) “processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Data should be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful Processing, loss, damage or destruction, and kept safe and secure.
Article 5 says that the Controller shall be responsible for, and be able to demonstrate, compliance with the principles.
WE WILL COMPLY WITH THE GDPR PRINCIPLES IN THE FOLLOWING WAYS:
Principle a): LAWFUL BASIS FOR PROCESSING
Sanctum will document the legal basis for its key data processing activities in its Record of Processing.
Consent should be kept under review and refreshed if anything changes.
(ii) Other legal bases
The following alternative legal bases are available under the GDPR:
- Where it is necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract.
- Where it is necessary to collect the data to comply with a legal obligation.
- Where it is necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent.
- Where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Where it is necessary for the purposes of legitimate interests.
The GDPR also allows EU member states to provide various exemptions, derogations, conditions or rules in relation to specific processing activities. One relevant area is processing for archiving purposes and for scientific or historical research and statistical purposes.
Examples of where Sanctum Ltd processes Personal Data under these bases are as follows:
- Legitimate interest: our processing of staff data; contact information for target audiences in our media, advocacy and campaigning work;
- Vital interests: obtaining data on human rights abuses and, in some cases, for safeguarding purposes.
A reasonable expiry date should be set against Consent, after which Consent should be refreshed or the data should be deleted, anonymised or accessioned to the archive for research purposes. A reasonable expiry period should reflect the realistic expectation of the data subject at the time Consent was obtained.
Retention schedules will be implemented and reviewed regularly to ensure that data is kept for the appropriate length of time. Further details of relevant retention schedules can be found in the GDPR Suite SharePoint site.
Security and Integrity
Sanctum will ensure that Data Processing Agreements are applied to all contracts and management agreements where Sanctum is the Controller contracting out services and the Processing of Personal Data to third parties (data processors).
Staff will report any actual, near-miss or suspected Data Breaches to the relevant parties in line with this policy, and the compliance manager will ensure that all employees are aware of their responsibilities to report Data Breaches.
Sanctum will adopt a privacy by design approach when creating or adapting processes, policies and systems that are associated with Personal Data. Privacy Impact Assessments will be carried out where appropriate.
The GDPR states that a data controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.
At Sanctum the Compliance Team and the team manager will be responsible for monitoring the implementation of measures that meet the principles of data protection expressed in this policy.
The company will maintain a register of all systems under Sanctum Ltd’s control that contain personal information, and a register of all relevant Processing activities. It is the responsibility of the compliance manager to ensure that these registers are kept up to date.
A basic level of data protection training is mandatory for all Sanctum temporary workers and will be refreshed at regular intervals.
Everyone has the right to request a copy, free of charge, of the information held on them by Sanctum and to withdraw their Consent for the further Processing of that data. They may also request that it be amended or deleted if it is inaccurate, excessive or out of date.
All Sanctum employees, as well as temporary staff, have the right to request the deletion or removal of Personal Data where there is no compelling reason for its continued Processing. A Right to be Forgotten take-down process is maintained by the Compliance team.
It is the responsibility of Sanctum Ltd to provide and maintain the systems and frameworks for implementing and monitoring the use of Personal Data, to ensure that it complies with this data protection policy.
It is the responsibility of each Sanctum employee to process information in line with this data protection policy and the six principles of data protection.