GDPR Guidance Document

Policy prepared by:	Penny Wosahlo
Approved by board / management on:	08.02.2024
Policy became operational:	08.02.2024
Next Review date:	08.02.2024
Signed:
Designation:	Penny Wosahlo, Managing Director
Last Review Date:	08.02.2024
Version:	1.0

 

Introduction

TT1st is committed to being compliant with regulations around data. This guidance document lays down rules relating to the protection of natural persons regarding the processing of personal data and rules relating to the free movement of personal data.

What is the GDPR?

The GDPR is a data privacy regulation from Europe that grants rights to individuals in the EU/EEA over how their personal information gets processed, whether online or offline.

It applies to natural persons, businesses, public authorities, or organisations involved in legal data processing.

The GDPR is technology-neutral and outlines the requirements for lawful data processing. Who does the GDPR protect?

It protects any individual physically located in the European Union (EU) or the European Economic Area (EEA), regardless of nationality or citizenship status.

Whether their information is processed online or offline, the GDPR ensures their rights are respected1. Who does the GDPR apply to?

• The GDPR applies to businesses within the EU/EEA that process personal data as part of their activities, regardless of where the data processing occurs.
• It also extends to businesses established outside the EU/EEA if they process personal information from individuals within the EU/EEA. This includes offering goods/services accessible in the region or monitoring behavior1.
• What rights does the GDPR grant to individuals?
• Data subjects have several rights, including:
• Accessing their data
• Correcting, amending, or restricting data
• Deleting personal information
• Data portability (copying and transferring data in a reusable format) What do we use your personal information for?
• To be able to contact you
• To customise documents with your personal details
• To enable you to be compensated financially How long do we keep your personal data for?

According to the GDPR, companies can only keep personal data for as long as they need it for the purpose. There is no specific time limit on how long companies can hold personal data, but they must follow the principle of storage limitation and delete data when it is no longer necessar3. The only exception is if the data is kept for archiving, research or statistical purposes, in which case it can be stored indefinitely.

 

The length of time a business should keep paperwork depends on the type of document. Below are some general guidelines:

• Most documents a business will create are covered by Section 5 of the Limitations Act 1980 and should be kept for six years after they expire.
• Records relevant to HMRC and Companies House should be kept for 3-10 years.
• Employee records must be kept for four years.
• Business formation records, deeds, patents and trademark registrations, property appraisals, bill of sale documents and other ownership records should be kept indefinitely

Medical Records:

• Medical records and clinical documentation is kept for 8 years (Adults)
• For children data is kept for 8 years from their 18th birthday

There will be occasions where care specialties will create digital records that have different retention periods. For example, a radiology scan might need to be kept for the minimum of 8 years, and then destroyed as the record is no longer required. Yet a different image for a similar case may need to be kept for longer due to the nature of that particular case. In these situations, organisations can apply different retention times and this should be picked up at the review stage once the 8 years has expired.

(NHS. August 2023. Records Management Code of Practice. Appendix 2. p49 NHSE Records Management CoP 2023 (england.nhs.uk)

Appendix –

The 6 principles of sharing personal data:

1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be incompatible with the initial purposes (‘purpose limitation’)
3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

GDPR Definitions for the purposes of this Regulation:

‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

‘Restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

‘Processor’ means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

‘Consent’ of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

‘Genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.

‘Data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.