IfM Engage – Data Protection Policy
1. Purpose and scope
1.1 The purpose of this policy is to ensure compliance with the UK General Data Protection Regulation, the Data Protection Act 2018 and related legislation (‘data protection law’). *1 Data protection law applies to the storing or handling (‘processing’) of information (‘personal data’) about living identifiable individuals (‘data subjects’).
1.2 This policy applies to IfM Engage Ltd (‘Engage’).
1.3 This policy applies to all staff except when acting in a private capacity. In this policy, the term ‘staff’ means anyone working in any context within Engage at whatever level or grade and whether permanent, fixed term or temporary, including but not limited to employees, workers, trainees, interns, seconded staff, agency staff and volunteers,
1.4 This policy is not, and should not be confused with, a privacy notice (a statement informing data subjects how their personal data is used by Engage).
1.5 This policy should be read in conjunction with the obligations in the following documents, which supplement this policy where applicable:
1.5.1 staff employment contracts and comparable documents (e.g. worker agreements), which impose confidentiality obligations in respect of information held by Engage;
1.5.2 information security policies, procedures and terms and conditions, which concern the confidentiality, integrity and availability of Engage information, and which include rules about acceptable use, breach reporting, IT monitoring, and the use of personal mobile devices;
1.5.3 records management policies and guidance, which govern the appropriate retention and destruction of Engage information; and
1.5.4 any other contractual obligations on Engage or individual staff which impose confidentiality or data management obligations in respect of information held by Engage, which may at times exceed the obligations of this and/or other policies in specific ways (e.g. in relation to storage or security requirements for government departments).
*1 – Links to full legislative texts are published at https://www.information-compliance.admin.cam.ac.uk/data-protection.
2. Policy statement
2.1 Engage is committed to complying with data protection law as part of everyday working practices.
2.2 Complying with data protection law may be summarised as but is not limited to:
2.2.1 understanding, and applying as necessary, the data protection principles when processing personal data;*2
2.2.2 understanding, and fulfilling as necessary, the rights given to data subjects under data protection law;*3 and
2.2.3 understanding, and implementing as necessary, Engage’s accountability obligations under data protection law.*4
*2 – The principles in relation to personal data are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.
*3 – The data subject rights are: to be informed; access; rectification; erasure; restriction; data portability; and objection (including in relation to automated decision-making).
*4 – The accountability obligations include: implementing appropriate data protection policies; implementing data protection by design and default in projects, procurement and systems; using appropriate contracts with third party data controllers and data processors; holding relevant records about personal data processing; implementing appropriate technical and organisational security measures to protect personal data; reporting certain personal data breaches to the Information Commissioner’s Office; conducting Data Protection Impact Assessments where required; and ensuring adequate levels of protection when transferring personal data outside the UK.
3. Roles and responsibilities
3.1 Engage has a corporate responsibility as a data controller (or when acting as a joint data controller or a data processor) for:
3.1.1 complying with data protection law and holding records demonstrating this;
3.1.2 cooperating with the Information Commissioner’s Office (ICO) as the UK regulator of data protection law; and
3.1.3 responding to regulatory/court action and paying administrative levies and fines issued by the ICO.
3.2 The Engage Executive Directors are responsible for:
3.2.1 reviewing (at least once every five years) and approving this policy; and
3.2.2 assessing the overall risk profile and ensuring appropriate resources and processes are in place and implemented to enable compliance with data protection law.
3.3 The Engage Data Protection Officer is responsible for:
3.3.1 monitoring and auditing Engage’s compliance with data protection law, especially its overall risk profile, and reporting annually to the Engage Board;
3.3.2 advising Engage on all aspects of its compliance with data protection law (including its use of Data Protection Impact Assessments);
3.3.3 acting as an available point of contact with the ICO with regard to data protection law; and
3.3.4 acting as an available point of contact for complaints from data subjects.
3.4 The Engage Executive Directors are responsible for:
3.4.1 providing advice, guidance, training and tools/methods, in accordance with Engage’s overall risk profile and having taken into account the advice of the Engage Data Protection Officer, relevant case law and ICO/other regulatory guidance, to help staff comply with this policy;
3.4.2 publishing and maintaining core privacy notices and other Engage data protection documents (including this policy);
3.4.3 handling data subject rights requests; and
3.4.4 in collaboration with Engage Data Protection Officer, managing and/or handling Data Protection Impact Assessments, data subject complaints and personal data breaches, including liaising with the ICO on these and any other matters as necessary.
3.5 The Leadership Team are responsible for:
3.5.1 making all staff within their team aware of this policy as necessary;
3.5.2 ensuring that appropriate processes, training and assurance activities are implemented and/or carried out within their team to enable compliance with data protection law; and
3.5.3 ensuring that appropriate processes are implemented within their team, Records of Processing Activities are fully completed and current and compliance checklists are done thoroughly annually.
3.6 Individual staff, as appropriate for their role and in order to enable Engage to comply with data protection law, are responsible for:
3.6.1 completing relevant data protection training;
3.6.2 following relevant advice, guidance and tools/methods provided by the ICO website and Executive Directors depending on their role, regardless of whether access to and processing of personal data is through Engage-owned and managed systems, or through their own or a third party’s systems and devices;
3.6.3 when processing personal data on behalf of Engage, only accessing and using it as necessary for their contractual duties and not disclosing it unnecessarily or inappropriately;
3.6.4 recognising, reporting internally, and cooperating with any remedial work arising from personal data breaches;
3.6.5 recognising, reporting internally, and cooperating with the fulfilment of data subject rights requests; and
3.6.6 only deleting, copying or removing personal data when leaving Engage as agreed with the Head of their team and as necessary.
3.7 Non-observance of the responsibilities in paragraph 3.6 may result in disciplinary action.
3.8 The roles and responsibilities in paragraphs 3.1 to 3.7 do not waive any personal liability for individual criminal offences for the wilful misuse of personal data under data protection law.
4. Personal data breaches
4.1 The GDPR requires data controllers like Engage to notify any personal data breach to the applicable regulator and, in certain instances, the data subject.
4.2 Engage has put in place procedures to deal with any suspected breach of personal data and will notify data subjects or any applicable regulator where Engage is legally required to do so.
4.3 If staff know or suspect that a personal data breach has occurred, they should not attempt to investigate the matter themselves. Following the Personal Data Breach Policy, staff must immediately contact the COO/ CFO designated as the key point of contact for personal data breaches. Staff should preserve all evidence relating to the potential breach of personal data breach.
5. Data subjects’ rights and requests
5.1 Data subjects have rights when it comes to how Engage handles their personal data. These include rights to:
a) withdraw consent to processing at any time (provided that consent is the lawful basis on which processing is being carried out);
b) receive certain information about the data controller’s processing activities;
c) request access to their personal data that Engage holds;
d) prevent Engage’s use of their personal data for direct marketing purposes;
e) ask Engage to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
f) restrict processing in specific circumstances;
g) challenge processing which has been justified on the basis of Engage’s legitimate interests or in the public interest;
h) request a copy of an agreement under which personal data is transferred outside of the EEA;
i) object to decisions based solely on automated processing, including profiling;
j) prevent processing that is likely to cause damage or distress to the data subject or anyone else;
k) be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
l) make a complaint to the supervisory authority;
m) in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format.
5.2 All employees must immediately forward any Data Subject request received to the COO/ CFO designated as the key point of contact for data subject access requests and comply with the company’s Data Subject Access Request Policy.
Staff must verify the identity of an individual requesting data under any of the rights listed above (as Engage cannot allow third parties to persuade staff into disclosing personal data without proper authorisation)
6. Sharing personal data
6.1 Generally Engage does not share personal data with third parties unless certain safeguards and contractual arrangements have been put in place.
6.2 Engage should only share the personal data held with third parties, such as service providers, if:
– they have a need to know the information for the purposes of providing the contracted services;
– sharing the personal data complies with the privacy notice provided to the data subject and, if required, the data subject’s valid consent has been obtained;
– the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
– the transfer complies with any applicable cross-border transfer restrictions; and
– a fully executed written contract that contains GDPR-approved third party clauses has been obtained.