Data protection policy

Data protection legislation regulates the processing of information relating to individuals, including personal data, special categories of personal data and data relating to criminal convictions or offences.

Personal data is any information relating to a natural person (normally called the data subject) that can be used to identify the person directly or indirectly. This can include reference to identifiers such as a name, an identification number, location data or an online identifier such as an IP address.

Special categories of personal data include information about a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sex life or sexual orientation, genetic data and biometric data when used to uniquely identify an individual.

Data relating to alleged or actual criminal convictions or offences is another category of data that must be handled with care.

During our activities, we will process personal data about our stakeholders, clients, suppliers, staff, Commissioners, Committee Members and other third parties. We recognise that the correct and lawful processing of this data is important. This policy sets out how we will process all types of personal data to enable us to perform our functions in line with legal requirements.

This data protection policy is based on the requirements of data protection legislation.

Responsibilities

Our Audit and Risk Assurance Committee (ARAC) will provide oversight of data protection risk and assurance on behalf of the Board.

Our Leadership Team is the senior management team that will approve data protection documentation / processes and are accountable to the Board for data protection compliance and assurance.

The Senior Information Risk Owner (SIRO) is the Director accountable to the Leadership Team and the Board for information risk.

Our Information Governance Steering Group (IGSG) supports the SIRO to develop and improve the management of information governance and data protection related matters.

The Data Protection Officer (DPO) is responsible for advising us on data protection. More details about the DPO role can be found in the Accountability section of this policy. The DPO reports to the Leadership Team, ARAC and the Board.

Data Owners are responsible for protecting information in their business areas and will ensure that personal data is processed in line with our policies and procedures, and data protection legislation. The Information Governance Team will deal with requests from data subjects under data protection legislation in relation to their personal data.

All staff are responsible for ensuring that:

• they comply with this policy and all related policies and procedures for handling personal data
• any personal data held in either electronic or paper format is processed securely and in line with the requirements of data protection legislation
• personal information is not disclosed deliberately or accidentally, either verbally or in writing, to any unauthorised third party
• any incidents or breaches are reported immediately in line with internal reporting requirements
• they promptly forward any form of personal data related requests from data subjects to the Information Governance Team and, when asked to do so, they provide responses promptly to requests and reviews
• personal data is managed and retained in line with our Records Management and Retention Policy and Procedure, and associated retention schedule
• they only process personal data for the intended purposes
• the information provided in connection with their employment or engagement is accurate and as up to date as possible, and
• personal data they collect and use to perform their functions is as up to date as possible.

Summary of data protection principles

Data protection legislation covers both computerised and manual records containing personal data and sets out rights and principles that those who use personal data must follow. We must comply with the data protection principles of good practice which underpin the UK General Data Protection Regulation (UK GDPR). These state that personal data shall be:

• processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’)
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
• kept in a form which permits identification of data subjects for no longer
  than is necessary for the purposes for which the personal data are
  processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of the data subject (‘storage limitation’), and
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Lawful, fair and transparent processing

The UK GDPR does not intend to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.

For personal data to be processed lawfully, at least one of six lawful bases for processing under the UK GDPR must apply. These include where:

• the data subject consents to the processing
• the processing is necessary for the performance of a contract with the data subject, or to take steps at the request of the data subject prior to entering a contract
• the processing is necessary for compliance with a legal obligation to which the data controller is subject
• the processing is necessary to protect the vital interests of the data subject or of another natural person
• the processing is necessary for the performance of a task carried out in the public interest task or in the exercise of official authority vested in the data controller, or
• the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party.

When special categories of personal data or data relating to criminal convictions is being processed, additional conditions must be met. When processing this category of personal data as a data controller during our business, we will ensure that those conditions are met.

In the course of our work, we may collect and process personal data to enable us to:

• carry out our regulatory duties including, but not limited to, the consideration and investigation of complaints and policy issues, formal enforcement actions, providing advice and information
• maintain accounts and records
• support and manage staff, Commissioners and Committee Members
• send promotional communications about the services we provide
• undertake research
• maintain a public register
• carry out internal and external support functions
• carry out corporate administration, and
• use CCTV systems for staff and visitor safety and crime prevention.

We may process data received directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and data received from other sources (including, for example, in court proceedings, or from business partners, sub-contractors and others).

Special categories of personal data, or information relating to criminal convictions or offences, may be processed for several reasons, including but not limited to:

• equal opportunity monitoring
• meeting the needs of individuals with protected characteristics
• disciplinary or grievance proceedings
• fulfilling a legal obligation, and / or
• fulfilling our role and function including for purposes of litigation.

Any personal, special categories, or criminal conviction data will only be processed for the purposes in which it was gathered. All staff must be aware of and respect their obligations in relation to the confidential nature of the information that they handle, and in particular any duty of confidentiality that may exist.

We will process personal data in line with the individual’s reasonable expectations, ensuring fairness.

We will ensure that individuals are informed about how their personal data will be processed and will make this information available to them. We will be clear from the outset (at the point of collection) why personal data is collected and what we intend to do with it, and we will provide such notices to the relevant individuals.

Collected for specified and legitimate purpose(s)

We will identify a specific purpose or purposes for data that we process, and we will ensure that the data is not used for any other purpose(s) that is incompatible with the original purpose(s).

Adequate, relevant and limited data processing

We will only collect the minimum personal data required for the specific purpose notified to the data subject. We will anonymise and pseudonymise personal data whenever possible to ensure that data is further protected.

Accuracy

We will ensure that personal data is accurate and kept up to date and we will check the accuracy of personal data at regular intervals. Inaccurate or outdated personal data will be deleted or amended and all reasonable steps will be taken to maintain accurate records.

Retention

We hold different types of information for different lengths of time, depending on both legal and operational requirements, and we will keep some personal data longer than others in line with financial, legal or archival requirements.

We will not keep personal data longer than is necessary for the purpose or purposes for which it was processed. When personal data is no longer needed, it will be disposed of securely unless there are any legal or other grounds for retaining the data.

Security of personal data

We will ensure that appropriate security measures are in place so that personal data is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. Personal data will only be transferred to third parties with appropriate assurance of security and with appropriate security controls in place.

We will implement and maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

• Confidentiality: only people who are authorised and need to access the data can access it
• Integrity: personal data will be accurate and trustworthy for the purpose for which it is needed
• Availability: authorised users will be able to access the data when they need it for authorised purposes

The steps we will take to ensure the security of personal data include:

• managing access to personal data on a ‘need-to-know’ basis
• putting in place policies, procedures and processes to ensure the security of personal data
• ensuring ongoing training and awareness for staff
• obtaining security assurance from third parties and putting agreements in place to protect personal data
• where appropriate, using pseudonymisation and encryption of personal data
• maintaining ongoing review and testing of processing systems and services
• undertaking data quality checks to ensure data is accurate
• restoring access to personal data in a timely manner in the event of a physical or technical incident, and
• regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

We will maintain a comprehensive data protection framework across the organisation and an internal governance structure to foster a culture of data protection across the organisation. This will include:

• an information asset register (IAR) which incorporates our record of processing activities (ROPA)
• data protection by design and by default
• undertaking data protection impact assessments (DPIAs) where required
• policies and procedures including security incident management processes
• contracts with third parties, and
• appointment of a Data Protection Officer (DPO).

We will also ensure that we pay the required data protection fees to the Information Commissioner’s Office (ICO) under the Data Protection Act 2018.

Information asset register and record of processing activities

An IAR will be maintained containing details of what information assets we hold and how we comply with the data protection principles for any assets containing personal data.

The IAR incorporates the record of processing activities (ROPA) required under data protection legislation, which includes information relating to all  our data processing activities. The ROPA will be made available to the ICO upon request.

Data protection by design and by default

We will have measures in place to ensure that new or changed data processing activities consider the data protection principles as part of the activity design process. One of these measures is through the completion of DPIAs.

We will ensure that the default position of activities relating to data processing is to protect the privacy and data protection rights of individuals, for example, by restricting access.

Data protection impact assessments

We will conduct DPIAs as and when required.

DPIAs will set out the details of the data processing activity and include an assessment of the risks posed to individuals. Where risks arise, we will put measures and safeguards in place to minimise these risks.

Policies and procedures including security incident management

We will put policies and procedures in place to ensure compliance with data protection legislation. This will include a security incident management process.

In the event of a personal data breach, we will respond promptly, and we will notify the ICO within 72 hours of becoming aware of the breach unless it is unlikely to result in a high risk to the data subjects. Where notification of a breach is not made within 72 hours, we will provide a reasonable justification for the delay. We will also have due consideration as to whether it is appropriate or required to notify data subjects of the breach.

Where we process special categories of personal data or data relating to criminal convictions or offences, we will have an appropriate policy document in place as set out in the Data Protection Act 2018.

Contracts with third parties

There will be instances where we work with third parties in relation to the processing of personal data.                        

When we use data processors to process personal data, we will ensure an appropriate contract or data processing agreement is in place to direct third parties to only process the data according to our documented instructions, unless otherwise required by law. We will only work with data processors that can demonstrate security appropriate to the risk associated with the type of data they will be processing. We will ensure that our data processors provide information necessary to demonstrate compliance with their obligations under data protection legislation. We will also ensure that our Information Security Policy is followed.

Where we work collaboratively or jointly with other organisations, we will ensure that an appropriate agreement is in place to ensure data protection and security, for example, through a data sharing agreement.

Appointment of a Data Protection Officer (DPO)

As a non-departmental public body, we are required to appoint a DPO to advise on our obligations under data protection legislation. The DPO is responsible for advising the organisation; raising awareness and training staff; monitoring compliance with data protection legislation and internal data protection related policies, and related audits; the assignment of responsibilities; advising on the need for, completion of, and approach to DPIAs; and acting as the point of contact with the Information Commissioner’s Office (ICO).

When providing advice, the DPO will have due consideration to the risk associated with data processing activities, considering their nature, scope, context and purpose.

The DPO will also be available to data subjects with regards to our processing of their data.

We will provide the ICO with the name and contact details of the DPO.

We will process all personal data in line with data subjects’ rights. Data subjects include, but are not limited to, members of the public, staff (past and present), Board and Committee Members and others who have dealings with us.

The UK GDPR gives certain rights to individuals in respect of personal data that we hold about them. These rights are:

• the right to be informed
• the right of access (subject access requests)
• the right to rectification
• the right to erasure (the right to be forgotten)
• the right to restrict processing
• the right to data portability
• the right to object, and
• rights related to automated decision-making and profiling.

A request can be made verbally or in writing, including via social media. It does not have to cite ‘data protection’ or the name of the right that the person is using, and the request can be made to any person or business area. All staff will be reminded of the rights during annual mandatory training to assist them in recognising when a request is being made.

We will respond to individual rights requests submitted by data subjects within one month of receipt, but this can be extended by up to two months in the case of complex and / or numerous requests. In such cases, the data subject will be informed of the need for the extension.

Right to be informed

Data subjects have a right to be informed on how their data is being processed and this is normally referred to as a privacy notice.

We will publish, or make available, transparent and easily accessible privacy notices to data subjects in line with the right to be informed.

Right of access

A data subject may make a subject access request (SAR) at any time to find out what personal data we hold about them and to obtain a copy of that data.  

We will not charge a fee for the handling of SARs, but we reserve the right to charge reasonable fees for additional copies of data that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

There may be instances where we apply exemptions to the release of certain data, for example, data relating to a third party, or we may refuse to provide information if a request is manifestly unfounded or excessive.

Right to rectification

If a data subject informs us that the personal data we hold about them is inaccurate or incomplete, requesting that it be rectified, the personal data in question will be rectified, and the data subject informed of that rectification.

If any affected personal data has been disclosed to third parties, those parties will be informed of any rectification of that personal data.

This right will be complied with in so far as it applies in law to the circumstances of the case.

Right to erasure

In some circumstances data subjects may request that we erase the personal data we hold about them.

When such valid requests are made, requests for erasure will be complied with, and the data subject informed of the erasure. Data will be erased from live and back-up systems.

If any personal data that is to be erased in response to a data subject request has been disclosed to third parties, those parties will be informed of the erasure unless it is impossible or would require disproportionate effort to do so.

The right to erasure may not apply in situations where we are legally obliged to retain the data, where we obtained the data under a legal basis other than consent or legitimate interests, or where there is another overriding reason to retain it. The right to erasure has particular weight when it applies to data collected from children.

Right to restrict processing

In certain circumstances, data subjects may request that we cease to process personal data that we hold about them.

If a data subject makes a valid request, we will retain only the amount of personal data pertaining to that data subject that is necessary to ensure that no further processing of their personal data takes place.

If any affected personal data has been disclosed to third parties, those parties will be informed of the applicable restrictions on processing it unless it is impossible or would require disproportionate effort to do so.

This right primarily applies when a data subject has contested the accuracy or legitimacy of the processing activity, and while the accuracy or consideration is in question.

Right to data portability

If a data subject has directly provided information to us, they may have a right to data portability. This allows individuals to obtain and reuse their personal data for their own purposes across different services. This right will only apply:

• to personal data an individual has provided to a controller
• where the processing is based on the individual’s consent or for the performance of a contract, and
• when the processing is carried out by automated means.

Right to object

Data subjects have the right to object to the processing of their personal data. This right applies where data is processed for:

• direct marketing purposes
• a task carried out in the public interest
• the exercise of any official (statutory) authority, or
• the legitimate interests of the Equalities and Human Rights Commission.

The right to object also applies to processing for scientific or historical research, or statistical purposes, however it is more limited.

Where a data subject objects to the processing of their personal data, and it meets the conditions of the UK GDPR, we will cease such processing.

Rights related to automated decision-making and profiling

If we use personal data for the purposes of automated decision-making or profiling and those decisions have a legal (or similarly significant) effect on a data subject, the data subject has the right to challenge such decisions under the UK GDPR, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from the organisation. We will respect these rights in so far as they apply in the circumstances of the case.

How to make a request relating to personal data

Requests relating to personal data held by the Equalities and Human Rights Commission can be made by:

Email: dp@equalityhumanrights.com

or

Letter sent to the following address:

Data Protection Officer
Equality and Human Rights Commission
3rd floor Arndale House
The Arndale Centre
Manchester
M4 3AQ

or

By calling 0161 829 8100.

Once we receive a request, we will send an acknowledgement letter to the data subject, or their representative. Once full details of a request have been confirmed and any necessary identification provided, we will provide a full response within one month, but this can be extended by up to two months in the case of complex and / or numerous requests. In such cases, the data subject will be informed of the need for the extension.

We do not need to comply with a request where we have received an identical or similar request from the same individual unless a reasonable interval has elapsed between compliance with the original request and the current request.

Identity

We must take steps to confirm the identity of the data subject before responding to a request. The checks made will be reasonable and proportionate.

Reviews

If the data subject is not satisfied with the outcome of their request, they can ask for a review. Review requests should be made in writing using the contact details provided above.

Where an individual is unable to contact us in writing and requires a reasonable adjustment because they are disabled, they may contact us on 0161 829 8100.

Review requests will be acknowledged within five working days and a response will be provided within 20 working days of receipt. If following the review, the data subject remains dissatisfied with the outcome of their request, they may complain to the Information Commissioner at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

The Information Commissioner will not normally deal with a complaint unless our internal review process has been exhausted.

In most cases, your data remains within the UK or within the European Economic Area (EEA), which is recognised in UK law as having adequate safeguards in place to protect your data protection rights.

We may transfer (‘transfer’ includes making available remotely) your personal data to countries outside the UK, EEA and / or to an international organisation, but only where:

• the transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation) that the UK has determined as having adequate levels of protection for personal data, or
• an approved appropriate safeguard is in place.

We will not transfer data outside the UK without an adequacy decision or an approved appropriate safeguard unless:

• the transfer is made with the explicit consent of the relevant data subject(s)
• the transfer is necessary for the performance or conclusion of a contract with the data subject, or for pre-contractual steps taken at the request of the data subject
• the transfer is necessary for important reasons of public interest
• the transfer is necessary for the establishment, exercise or defence of legal claims
• the transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally incapable of giving their consent
• the transfer is made from a register that, under UK law, is intended to provide information to the public and which is open for access by the public, in general or otherwise, to those who can show a legitimate interest in accessing the register, or
• the transfer is a one-off restricted transfer, and it can be clearly demonstrated to be in the compelling legitimate interests of the Equality and Human Rights Commission.

We sometimes need to share information with other organisations, for example, if we are under a duty to disclose or share a data subject's personal data to comply with any legal or regulatory requirements to protect rights, property or the safety of staff, Commissioners, Committee Members, stakeholders, suppliers or others (including those that we work with, advise or support).

Where necessary or required, we may also share data with:

• family, associates and representatives of the data subject
• professional advisers and consultants
• service providers / suppliers
• police forces and other law enforcement agencies
• examining bodies
• central and devolved governments
• financial organisations
• persons making an enquiry or complaint
• organisations subject to a complaint or assessment
• prosecuting authorities
• local authorities
• courts, and
• ombudsman or other regulators.

Restrictions on disclosing certain information

Some legislation restricts disclosure of information, for example, the Gender Recognition Act 2004 and the Equality Act 2006.

Gender Recognition Act 2004

The Gender Recognition Act makes it an offence for a person who has acquired protected information in an official capacity to disclose that information to any other person. The legislation does permit disclosure in limited circumstances.

The Equality Act 2006

The Equality Act limits information that can be shared externally where we have obtained it by undertaking our functions, particularly where information has been gathered in the course of an inquiry under section 16, an investigation under section 20, an assessment under section 31, a notice under section 32 or an agreement under section 23. The legislation does permit disclosure in limited circumstances.

The following definitions are used in this policy and mean the following:

Anonymisation: the process of irreversibly de-identifying personal data so that an individual cannot be identified from the data.

Consent: freely given, specific, informed and unambiguous indication of wishes by a statement or clear affirmative action signifying agreement.

Data: information which is stored electronically, on a computer or in certain paper-based filing systems.

Data controller: the legal entity (organisation) that determines the purposes, conditions and means of the processing of personal data.

Data processor: the legal entity (or organisation) that processes data on behalf of the data controller.

Data protection by design: a principle that calls for data protection to be considered at the start of, and throughout, any new project including systems, services, products or processes.

Data protection by default: a principle that calls for the default position to restrict or limit processing, for example, access is set to the minimum necessary.

Data protection impact assessments: a tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data.

Data protection legislation: (i) Data Protection Act 2018 (DPA 18) (ii) the UK General Data Protection Regulation (UK GDPR) (created by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended)) and (iii) all applicable Law relating to the processing of personal data and privacy. 

Data protection officer: an expert on data protection who works independently to advise an organisation on their compliance with data protection laws.

Data subject: a living individual whose personal data is processed by a controller or processor.

Personal data: any information related to a natural person (normally called data subjects) that can be used to identify the person directly or indirectly.

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Processing: any operation or set of operations performed on personal data, whether or not by automated means, including, for example, the collection, use, recording, storing, altering, disclosing and erasing of personal data.

Pseudonymisation: the processing of personal data so that it can no longer be attributed to a single data subject without the use of additional data, so long as the additional data stays separate to ensure non-attribution.

We reserve the right to change this policy at any time. Where appropriate, we will notify the data subject.

This publication and related equality and human rights resources are available from our website.

Questions and comments regarding this publication may be addressed to: correspondence@equalityhumanrights.com. We welcome your feedback.

For information on accessing one of our publications in an alternative format, contact: correspondence@equalityhumanrights.com.

Keep up to date with our latest news, events and publications by signing up to our e-newsletter.

EASS

For advice, information or guidance on equality, discrimination or human rights issues, contact the Equality Advisory and Support Service, a free and independent service.

Telephone    0808 800 0082

Hours           09:00 to 19:00 (Monday to Friday)

                     10:00 to 14:00 (Saturday)

Post              FREEPOST EASS HELPLINE FPN6521

© 2024 Equality and Human Rights Commission

Published January 2024