SEVEN, PSYCHOLOGY AT WORK – DATA PROTECTION POLICY
SEVEN, Psychology at Work understands that as a company which focuses on data to carry out our work, we have a responsibility to ensure all information that we may collect is appropriately and safely monitored, stored and destroyed according to data protection legislation.
The new data protection legislation, GDPR, provides EU citizens with strengthened data protection and increased control over their personal data. With these new regulations comes new responsibilities for companies like SEVEN. In order to meet GPDR compliancy standards, we will ensure that all practices carried out in SEVEN, Psychology at Work adhere to the new structure of the data protection regulations. This policy is a statement of SEVEN, Psychology at Work’s commitment to protect the rights and privacy of individuals in accordance with the data protection regulations.
If you have any queries about this Policy, you should contact our Data Protection Officer (DPO) Olivia Rourke firstname.lastname@example.org.
2. GENERAL OVERVIEW
WHO SHOULD READ THIS POLICY
This Data Protection Policy should be read by both staff and clients and strictly followed by members of staff at SEVEN, Psychology at Work. This Policy applies to all operations, functions, permanent and temporary staff and any third party personnel such as agents, contractors, coaches and consultants who have access to any form of personal data which is processed by SEVEN, Psychology at Work. Any staff who fail to comply with this Policy may be subject to disciplinary action, up to and including dismissal.
WHAT IS PERSONAL DATA?
Personal Data is defined as data that can be used to identify a particular individual. This can be related to SEVEN’s employees or its customer, suppliers and contractors. Personal data types include name, email, address, age as well as online identifiers such as IP address, Cookies or CCTV images and photograph IDs.
WHAT IS PROCESSING?
Within this policy, the term ‘processing’ when referring to personal data is often used. Processing personal data refers to the treatment of the data during its lifecycle. This includes collecting, storing, structuring, merging, sharing and destroying data. All personal data that is associated with SEVEN, Psychology at Work will be treated in accordance to this Policy.
WHAT PERSONAL DATA DO SEVEN PROCESS?
SEVEN, Psychology at Work ensures that all information collected is appropriate and necessary to complete our work. No special category data (data referring to race, ethnicity, religion, politics, genetics, health, sexual orientation) is collected or processed by SEVEN, Psychology at Work.
3. THE DATA PROTECTION PRINCIPLES
SEVEN, Psychology at Work undertakes to perform its responsibilities under the legislation in accordance with the eight stated Data Protection principles outlined in the Act as follows.
I. FAIR & LAWFUL PROCESSING
Processing of data must be fair, lawful and performed in a transparent manner for the specific individual.
Any personal data that is processed must adhere to the regulations of the data protection laws. Following this, personal data processing must be transparent to the appropriate individual to whom the data is concerned. SEVEN, Psychology at Work ensures that all individuals well informed regarding how their personal data is being used. Any personal data that we may pass to a third party must first have received consent from the relevant individual. Subsequent to this, if any personal data is received from a third party, SEVEN, Psychology at Work understands that consent from the individual needs to be confirmed before any action can be taken.
II. SPECIFIED LAWFUL PURPOSES
A lawful reason must exist in order to process people’s personal data when processing personal data, we must ensure to abide by all data protections laws. Personal data can only be processed when criteria listed within data protection law can be satisfied. Such criteria consists of
(i) receiving explicit consent from the involved individual to carry out any data processing operations,
(ii) performing data processing if it is a necessity under contract with the involved individual,
(iii) performing data processing if it is a necessity to comply with legal obligations and
(iv) performing data processing as necessary for our legitimate interests. Special Category Data is not processed by SEVEN, Psychology at Work and would only be processed in a exceptional circumstance where a lawful basis for doing so exists.
III. ADEQUATE & RELEVANT
Personal data must only be collected for a specific purpose and only permitted to be collected to the extent of which is necessary. A clear purpose, indicating a specific business need, must exist before any personal data is processed. To uphold this measure, SEVEN, Psychology at Work endeavours to collect as minimal data as possible to carry out operations. Only personal data is processed by SEVEN, Psychology at Work. No special category data is ever collected by SEVEN, Psychology at work unless an exceptional circumstance arises. To uphold the principles of data minimisation, any irrelevant data found to be held by SEVEN, Psychology at Work will be immediately destroyed alongside notifying the involved individual.
IV. ACCURATE & CURRENT
All personal data that is held by SEVEN, Psychology at Work must be entirely accurate and kept up-to- date.
All individuals must have the ability to alter or correct their personal data that is held by an organisation. All clients of SEVEN, Psychology at Work have the option to view the personal data that is relevant to them. If any inaccuracies or out-of-date data is present, the individual has the right to amend this. Once we are made aware of any inaccurate data, the appropriate steps will be taken to either rectify or destroy said data without delay.
Personal data is kept in a form, which permits data subject identification only for as long as is permitted while following fair and lawful processing.
No personal data will be kept for a period longer than necessary. As SEVEN, Psychology at Work builds profiles of clients over time to ensure a clear path of progression is visible, personal data may be stored for long periods. This personal data will only be kept as long as it falls under a legitimate interest of the company. Due to potential data being stored for long periods, appropriate security measures are undertaken to safeguard the rights and freedoms of individuals.
Appropriate security measures are implemented in order to protect our clients personal data.
Security measures refer to physical security in the office (e.g. securely locked filing cabinets etc.) as well as implementing appropriate cyber security measures. Such measures must be strictly adhered to in order to prevent any accidental or unauthorised access, interference, damage, loss or disclosure. No employee of SEVEN, Psychology at Work may access any form of data unless provided with explicit authorisation. Physical security measures are implemented within all offices while cyber security software has been put in place to protect all data processed by SEVEN, Psychology at Work. All computer equipment has installed up-to-date security software to ensure all data being transferred is encrypted and/or password protected and aims to prevent access from any malicious threat. This principle extends to any service provider handling personal data on our behalf. Only service providers who implement appropriate security measures are used by SEVEN, Psychology at Work.
Pseudonymisation is actively upheld in our filing system to ensure no data subject may be identified in the unlikely event of a security breach.
VII. INDIVIDUAL RIGHTS
Individuals have access to the personal data held by SEVEN, Psychology at Work that is directly related to them.
All individuals have the right to access and modify or erase any relevant information. Individuals also have the right to object to any personal data relating to them being used for certain purposes. Complete transparency is granted to all clients of SEVEN, Psychology at Work, enabling them to understand how their personal data is being used. SEVEN, Psychology at Work does not share any personal data of clients to external organisations from commercial use. All requests made regarding personal data are responded to in accordance with our legal obligations.
Processors and Controllers of personal data are responsible for compliance with the above principles.
All steps necessary to become GDPR compliant will be taken by SEVEN, Psychology at Work. SEVEN, Psychology at Work understand that it is solely our responsibility to ensure that our processing of personal data follows the laws set out under Data Protection legislation. This Data Protection Policy sets the standard for which SEVEN, Psychology at Work will follow. All employees will be briefed in GDPR compliancy to ensure all responsibilities are understood and upheld. Training in cyber security will be provided to all employees where it is deemed necessary.
4. DATA TRANSFER
SEVEN, Psychology at Work does not transfer any personal data outside of the European Economic Area (“EEA”). Personal data held by SEVEN, Psychology at Work is transferred to an external data storage location with a verified and established organisation. Apart from transferring personal data for secure storage reasons, no other form of data transfer takes place. Prior to any data transfer, all external organisations in question are appropriately investigated to ensure an adequate level of security exists within their system.
5. DATA SECURITY BREACH
SEVEN, Psychology at Work ensures to consistently uphold any and all activities, which focus on preventing or reducing the risk of data security breaches. However, in the circumstance that a security breach does occur, whether it be a physical break in or a cyber attack, SEVEN, Psychology at Work will follow the necessary steps as outlined by GDPR. Such actions include, but are not limited to:
(i) identifying the severity of the data breach and the repercussions, if any, that will exist as a result of this breach;
(ii) notifying the appropriate and relevant parties if the resulting risk is thought to harm people’s rights and freedoms;
(iii) reporting the breach regardless if the resulting risk is damaging to people’s rights and freedoms no later than 72 hours after said breach;
(iv) establishing an investigation into the breach to gather details such as the exact starting location and all parties involved.