Privacy Policy
Scope
DOTS Training and Consultancy is committed to being fully compliant with all applicable UK and EU data protection legislation in respect of personal data, as well as safeguarding the rights and freedoms of persons whose information DOTS collects pursuant to the General Data Protection Regulation, GDPR, through the use of a Customer Record Management System, CRMS.
The CRMS is developed, implemented, maintained, periodically reviewed and amended by DOTS Director Odile Waddington Jones.
The CRMS shall take into consideration the following:
- Organisational structure
- Management responsibility
- Jurisdiction
- Geographical location
The CRMS may comprise a defined part of DOTS or DOTS as a whole.
Objectives
DOTS objectives for the CRMS are as follows:
- To enable DOTS to meet its personal data obligations in relation to how personal information is managed
- To support DOTS objectives
- To set appropriate systems and controls according to DOTS risk appetite
- To ensure that DOTS is compliant with all applicable obligations, whether statutory, regulatory, contractual or professional
- To safeguard personnel and stakeholder interests
Good Practice
DOTS shall ensure compliance with data protection legislation and good practice by:
- Processing personal information only when doing so is necessary for organisational purposes
- Ensuring that the least possible amount of personal data is collected, and that personal data is never processed unduly
- Informing individuals of how their personal data is or will be used and by whom
- Processing only pertinent and adequate personal data
- Processing personal data in a lawful and fair manner
- Keeping a record of the various categories of personal data processed
- Ensuring that all personal data that is kept is accurate and up to date
- Retaining personal data no longer than required by statute, regulatory body, or organisational purpose
- Giving individuals the right of subject access, as well as all other individual rights relating to their personal data
- Ensuring that all personal data is maintained securely
- Transferring personal data outside of the EU only in situations where it is appropriately secured
- Applying statutory exemptions where appropriate
- Implementing a CIMS pursuant to this policy
- Identifying stakeholders, both internal and external, and ascertaining their involvement within the operation of the CIMS
- Identifying personnel who are responsible and accountable for the CIMS
Notification
DOTS has registered with the Information Commissioner as a data controller that engages in processing personal information of data subjects. DOTS has identified all the personal data that it processes and recorded it in its Data Inventory Schedule 92017 B.
The Data Controller shall retain a copy of all notifications made by DOTS to the Information Commissioner’s Office, ICO. The ICO Notification Handbook shall be used as a record of all notifications made.
The ICO notification shall be reviewed on an annual basis. The Director shall be responsible for each annual review of the details of the notification, keeping in mind any changes to DOTS activities. These changes shall be ascertained by reviewing the Data Inventory Schedule and the management review. Data protection impact assessments shall be used to ascertain any additional relevant requirements.
This policy applies to all workers at DOTS, including contractors and subcontractors. Breaches of the GDPR policy, including this CIMS policy, shall be dealt with according to DOTS Disciplinary Policy. If there is a possibility that the breach could amount to a criminal offence, the matter shall be referred to the relevant authorities.
All third parties working with or for DOTS who have or may have access to personal data are required to read, understand and fully comply with this policy. All third parties are required to enter into a data confidentiality agreement prior to accessing any personal data. The data protection obligations imposed by the confidentiality agreement shall be as onerous as those with which DOTS has agreed to comply. DOTS shall always have the right to audit any personal data accessed by third parties pursuant to the confidentiality agreement.
GDPR Background
The purpose of the GDPR is to ensure the rights and freedoms of living individuals and to protect their personal data by ensuring that it is never processed without their knowledge and, where possible, their consent.
Definitions
Child
Child means anyone under the age of 16. It is only lawful to process the personal data of a child under the age of 13 upon receipt of consent from the child’s parent or legal custodian.
Data Controller
Data controller may be a natural or legal person, whether a public authority, agency or other body, which individually or jointly with others is in charge of ascertaining the purposes and means by which personal data shall be processed.
Where EU or Member State law predetermines the purposes and means of processing personal data, the data controller or the specific criteria for selecting the data controller may be provided for by EU or Member State law.
Data Subject
Data subject refers to any living person who is the subject of personal data held by an organisation. A data subject must be identifiable by name, ID, address, online identifier or other factors such as physical, physiological, genetic, mental, economic or social factors.
Data Subject Consent
Data subject consent refers to any specific indication by the data subject that signifies consent to the processing of personal data. Consent may take place by way of a written or oral statement or by clear, unambiguous action. Consent must be given freely at all times, without duress, and with the data subject being properly informed.
Establishment
Establishment refers to the administrative head office of the data controller in the EU, where the main decisions regarding the purpose of its data processing activities are made.
Data controllers based outside of the EU are required to appoint a representative within the jurisdiction in which they operate to act on their behalf and liaise with the relevant regulatory and supervisory authorities.
Filing System
Filing system refers to any personal data set which is accessible on the basis of certain benchmarks or norms and can be centralised, decentralised or dispersed across various locations.
Personal Data
Personal data means any information relating to a data subject.
Personal Data Breach
Personal data breach refers to a security breach which results in the disclosure, alteration, destruction or loss of personal data, as well as unauthorised access to personal data that is stored, transmitted or processed by any other means, whether accidentally or unlawfully.
All personal data breaches must always be reported to the relevant regulatory authority by the data controller. The data subject need only be informed of a data breach when it is likely that the breach will have an adverse effect on their privacy or personal data.
Processing
Processing refers to any action taken in relation to personal data, including but not limited to:
- Collection
- Adaptation
- Alteration
- Recording
- Storage
- Retrieval
- Consultation
- Use
- Disclosure
- Dissemination
- Combination
- Deletion
This applies whether processing is by automated means or otherwise.
Profiling
Profiling refers to any form of personal data processing that is automated, with the intention of assessing personal aspects of a data subject or analysing a data subject’s employment performance, economic status, whereabouts, health, personal preferences or behaviour.
The data subject has a right to object to profiling and a right to be informed that profiling is taking place, as well as the intended outcomes of the profiling.
Special Categories of Personal Data
Special categories of personal data refer to personal data covering such matters as:
- Racial or ethnic origin
- Religious, political or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric identification
- Health
- Sexual orientation
- Sex life
Territorial Scope
The GDPR applies to all EU-based data controllers who engage in the processing of data subjects’ personal data, as well as to data controllers located outside of the EU that process data subjects’ personal data in order to provide goods and services, or to monitor the behaviour of EU-based data subjects.
Third Party
Third party is a natural or legal person, public authority, agency or other body, other than the data subject, the controller, the processor or any person who is authorised to process personal data under the direct authority of the controller or processor.
Responsibilities Under the GDPR
DOTS is a data controller pursuant to the GDPR.
The appointed Director of DOTS Disability, with managerial or supervisory responsibilities, is responsible for ensuring that good personal data handling practices are developed, reviewed and encouraged within DOTS as per their individual job description.
Data Controller
The position of Data Controller, which involves the management of personal data within DOTS as well as compliance with the requirements of the DPA and demonstration of good practice protocol, is to be taken up by an appropriately qualified and experienced member of the DOTS senior management team.
The Data Controller is the Director of DOTS and is accountable for the development and implementation of the CIMS and for day to day compliance with this policy, both in terms of security and risk management.
In addition, the Data Controller is directly responsible for ensuring that DOTS is GDPR compliant, and that workers for DOTS are compliant in respect of data processing that occurs within their field of responsibility or oversight.
The Data Controller shall always be the first point of contact for any workers for DOTS who require guidance in relation to any aspect of data protection compliance.
The Data Controller is also responsible for other procedures, such as the Subject Access Request Policy 92017 C.
It is not merely the Data Controller who is responsible for data protection. All members and associates of DOTS who process personal data are responsible for ensuring compliance with data protection laws.
The DOTS GDPR Training Policy 92017 D provides specific training for such associates.
Risk Assessment
It is vital that DOTS is aware of all risks associated with personal data processing. It is via its risk assessment process that DOTS is able to assess the level of risk.
DOTS is also required to carry out assessments of the personal data processing undertaken by other organisations on its behalf and to manage any identified risks, so as to mitigate the likelihood of potential non-compliance with this policy.
Where personal data processing is carried out using new technologies, or when a high risk is identified in relation to the rights and freedoms of natural persons, DOTS is required to engage in a risk assessment of the potential impact.
More than one risk may be addressed in a single assessment, also known as a Data Protection Impact Assessment, DPIA.
If the outcome of a DPIA points to a high risk that DOTS intended personal data processing could result in distress or may cause damage to data subjects, it is up to the Data Controller to decide whether DOTS ought to proceed. The matter should be escalated to them.
In turn, the Data Controller may escalate the matter to the regulatory authority if significant concerns have been identified.
It is the role of the Data Controller to ensure that appropriate controls are in place so that the risk level associated with personal data processing is kept to an acceptable level, as per the requirements of the GDPR and DOTS documented risk acceptance criteria.
Principles of Data Protection
The principles of personal data processing are as follows:
- All personal data must always be processed lawfully and fairly, as per DOTS Fair Processing Policy 92017 E
- Policies must also be transparent, meaning that DOTS must ensure that its personal data processing policies, as well as any specific information provided to a data subject, are readily available, easily accessible and clear
- Policies must be drafted using clear and plain language
The data subject must be provided with the following information:
- Controller: the identity and contact details of the Data Controller and any representatives
- Purpose: the purpose or purposes and legal basis of processing
- Storage period: the length of time for which the data shall be stored
- Rights: confirmation of the existence of relevant data rights
- Categories: the categories of personal data
- Recipients: the recipients and categories of recipients of personal data, if applicable
- Location: whether the controller intends to transfer personal data to a third country and the levels of data protection provided for by the laws of that country, if applicable
- Further information: any further information required by the data subject in order to ensure that the processing is fair and lawful
The rights include:
- Right to request access
- Right of rectification
- Right of erasure
- Right to raise an objection to the processing of personal data
Personal data may only be collected for specified, explicit and legitimate reasons. When personal data is obtained for specific purposes, it must only be used in relation to that purpose and cannot be different from the reasons formally notified to the Information Commissioner as part of DOTS GDPR ICO registration.
Personal data must be adequate, relevant and restricted to only what is required for processing.
In relation to this, the Data Controller shall at all times:
- Ensure that personal data which is superfluous and not required for the purpose for which it is obtained is not collected
- Approve all data collection forms, whether in hard copy or electronic format
- Carry out an annual review of all methods of data collection, checking that they are still appropriate, relevant and not excessive
- Securely delete or destroy any personal data that is collected in a manner that is excessive or unnecessary according to DOTS GDPR policies
Personal data must be accurate and up to date.
Data should not be kept unless it is reasonable to assume its accuracy. Data that is kept for long periods of time must be examined and amended if necessary.
All associates must receive training from DOTS to ensure they fully understand the importance of collecting and maintaining accurate personal data.
Individuals are personally responsible for ensuring that the personal data held by DOTS is accurate and up to date. DOTS will assume that information submitted by individuals via data collection forms is accurate at the date of submission.
All employees of DOTS are required to inform the HR department as soon as reasonably possible of any changes to their personal information, to ensure records are up to date at all times.
The Data Controller must ensure that relevant and suitable additional steps are taken to ensure that personal data is accurate and up to date.
The Data Controller shall, on an annual basis, carry out a review of all personal data controlled by DOTS, referring to the Data Inventory Register, and ascertain whether any data is no longer required to be held for the purpose notified to the ICO. The Data Controller shall arrange for that data to be deleted or destroyed in a safe manner.
The Data Controller shall also ensure that where inaccurate or out of date personal data has been passed on to third parties, those third parties are duly informed and instructed not to use the incorrect or out of date information as a means for making decisions about the data subject involved. The Data Controller shall also provide an update to the third party, correcting any inaccuracies in the personal data.
The form in which the personal data is stored must be such that the data subject can only be identified when it is necessary to do so for processing purposes.
The following principles apply:
- Personal data that is kept beyond the processing date must be either encrypted or pseudonymised and kept to an absolute minimum, to ensure the protection of the data subject’s identity should a data breach incident occur
- Personal data must be retained according to the Retention Requirements Policy 2017 F and must be destroyed or deleted in a secure manner as soon as the retention date has passed
- Should any personal data be required to be retained beyond the retention period set out in the Records Retention Procedure, this may only be done with the express written approval of the Data Controller, which must be in line with data protection requirements
The processing of personal data must always be carried out in a secure manner.
Personal data should not be processed in an unauthorised or unlawful manner, nor should it be accidentally lost or destroyed at any time. DOTS shall implement robust technical and organisational measures to ensure the safeguarding of personal data.
Security Controls
Security controls are necessary to ensure that risks to personal data identified by DOTS are mitigated as far as possible. This is to reduce the potential for damage or distress to data subjects whose personal data is being processed.
Security controls are subject to regular audit and review. Please refer to DOTS Information Security Management System Policy, ISMS.
Personal data shall not be transferred to a country outside of the EU unless the country provides appropriate protection of the data subject’s rights and freedoms in relation to the processing of personal data.
Adequacy of Transfer
Personal data shall not be transferred to a country outside of the EU unless one or more of the safeguards or exceptions listed below apply.
Safeguards
The adequacy of the transfer is assessed by reference to the following:
- The nature of the personal data intended to be transferred
- The country of origin and country of intended destination
- The nature and duration of the personal data use
- The legislative framework, codes of practice and international obligations of the data subject’s country of residence
- The security measures to be implemented in the country of intended destination in relation to the personal data
Binding Corporate Rules
DOTS is free to implement approved binding corporate rules in relation to personal data transfer outside of the EU, but only with prior permission from the relevant regulatory body.
Model Contract Clauses
DOTS is free to implement model contract clauses in relation to personal data transfer outside of the EU. There will be an automatic recognition of adequacy of transfer should the model contract clauses receive approval from the relevant regulatory body.
Exceptions
In the absence of an adequacy decision, including binding corporate rules and model contract clauses, no transfer of personal data to a third country may take place unless one of the following preconditions is satisfied:
- Explicit consent has been provided by a fully informed data subject, who has been made aware of all possible risks involved in light of appropriate safeguards and an adequacy decision
- The personal data transfer is a prerequisite to the performance of a pre-existing contract between the data controller and the data subject, or when the data subject requests that pre-contractual measures are implemented
- The personal data transfer is a prerequisite to the conclusion or performance of a pre-existing contract between the data controller and another person, whether natural or legal, if it is in the interest of the data subject
- The personal data transfer is in the public interest
- The personal data transfer is required for the creation, exercise or defence of legal claims
- The data subject is not capable of giving consent, whether due to physical or legal limitations or restrictions, and the personal data transfer is necessary for the protection of the key interests of the data subject or of other persons
- The personal data transfer is made from an approved register, confirmed by EU or Member State law as having the intention of providing public information, and which is open to consultation by the public or by an individual demonstrating a legitimate interest, but only so far as the legal requirements for consultation are fulfilled
Accountability
According to the GDPR accountability principle, the data controller is responsible both for ensuring overall compliance with the GDPR and for demonstrating that each of its processes is compliant with GDPR requirements.
To this extent, data controllers are required to:
- Maintain all relevant documentation regarding processes and operations
- Implement proportionate security measures
- Carry out Data Protection Impact Assessments, DPIAs
- Comply with prior notification requirements
- Seek the approval of relevant regulatory bodies
- Appoint a DPO where required
The Rights of Data Subjects
Data subjects enjoy the following rights in relation to personal data that is processed and recorded:
- The right to make access requests in respect of personal data that is held and disclosed
- The right to refuse personal data processing when to do so is likely to result in damage or distress
- The right to refuse personal data processing when it is for direct marketing purposes
- The right to be informed about the functioning of any automated decision-making processes which are likely to have a significant effect on the data subject
- The right not to be subject to a decision based solely on automated processing
- The right to claim damages should they suffer any loss because of a breach of the provisions of the GDPR
- The right to take appropriate action in respect of the rectification, blocking and erasure of personal data, as well as the destruction of any inaccurate personal data
- The right to request that the ICO carry out an assessment as to whether any of the provisions of the GDPR have been breached
- The right to be provided with personal data in a format that is structured, commonly used and machine readable
- The right to request that their personal data is sent to another data controller
- The right to refuse automated profiling without prior approval
Data Access Requests
Subject Access Request Policy 92017 C sets out the procedure by which data subjects may make data access requests and outlines how DOTS Disability will comply with the requirements of the GDPR regarding this.
Complaints
All complaints about the DOTS processing of personal data may be lodged by a data subject directly with the Data Controller by filling in the appropriate form and providing details of the complaint.
The data subject must be provided with Fair Processing Policy 92017 E at this stage.
Complaints may also be made by a data subject directly to the relevant regulatory body.
All complaints in relation to how a complaint has been handled, and any appeals following the submission of a complaint, shall be dealt with by the Data Controller, to whom the data subject is required to submit a further complaint.
Consent
Consent to the processing of personal data by the data subject must be:
- Freely given and never given under duress
- Given when the data subject is in a fit state of mind
- Not based on misleading or false information
- Explicit
- Specific
- A clear and unambiguous indication of the wishes of the data subject
- Informed
- Provided either in a statement or by unambiguous affirmative action
- Demonstrated by active communication between the data controller and the data subject
- Never inferred or implied by omission or lack of response to communication
In relation to sensitive data, consent may only be provided in writing, unless there is an alternative legitimate basis for the processing of personal data.
Employees
Usually, DOTS will obtain consent to process personal and sensitive data when a new associate is brought on board or during induction programmes.
Data subjects have the right to withdraw consent at any time.
Other Data Subjects, Customers, Supporters or Members
If using consent as a condition to process data, DOTS will obtain consent in accordance with the procedures outlined in the policy framework.
Consent is a positive action on behalf of the data subject, having read a clear, transparent and unambiguous privacy notice. It does not necessarily have to be a box that is ticked. It could be the completion of a form or the supply of contact information.
We understand that according to PECR, consent does not have to be explicit. We will use our judgement to decide how to obtain consent in different circumstances.
However, we will always uphold the rights and freedoms of data subjects by making it as easy to opt out as it was to opt in.
We mostly use consent when promoting the aims and objectives of our organisation, DOTS. We reserve the right to use it wherever we believe a data subject has indicated their wishes and where we have collected the data for that particular purpose.
We only use data for the purpose for which it was collected.
Parental Consent
Parental or custodial consent is required if or when DOTS is a provider of online services to children, defined as being under the age of 16.
Data Security
All employees of DOTS are personally responsible for keeping secure any personal data held by DOTS for which they are responsible.
Under no circumstances may any personal data be disclosed to any third party unless DOTS has provided express authorisation and has entered into a confidentiality agreement with the third party.
Accessing and Storing Personal Data
Access to personal data shall only be granted to those who need it and only according to the principles of DOTS Access Policy 92017 G.
All personal data must be stored:
- In a locked room, the access to which is controlled
- In a locked cabinet, drawer or locker
- If in electronic format and stored on a computer, encrypted according to the corporate requirements set out in the Access Control Policy
- If in electronic format and stored on removable media, encrypted as per Disposal of Removable Storage Media 92017 H
Before being granted access to any organisational data, all staff of DOTS must understand and have a copy of Access Policy 92017 G.
Computer screens and terminals must not be visible to anyone other than staff of DOTS with the requisite authorisation.
Manual records may not be accessed by unauthorised employees of DOTS and may not be removed from the business premises without explicit written authorisation.
Manual records must be removed from secured archiving when access is no longer needed on a day to day basis.
All deletion of personal data must be carried out in accordance with DOTS Retention Requirements 92017 F.
Manual records which have passed their retention date must be shredded and disposed of as confidential waste. Any removable or portable computer media, such as hard drives and USB sticks, must be destroyed as per Disposal of Removable Storage Media 92017 H Policy prior to disposal.
Personal data that is processed off-site must be processed by authorised DOTS staff, due to the increased risk of its loss, damage or theft.
Data Access Rights
Data subjects have the right to access all personal data in relation to them held by DOTS, whether as manual records or in electronic format.
Data subjects may therefore at any time request to have sight of confidential personal references held by DOTS, as well as any personal data received by DOTS from third parties.
To do so, a data subject must submit a Subject Access Request as per Subject Access Request Policy 92017 C.
Disclosure of Data
DOTS must take appropriate steps to ensure that no personal data is disclosed to unauthorised third parties.
This includes friends and family members of the data subject, governmental bodies and, in special circumstances, even the Police.
All employees of DOTS are required to attend specific training in order to learn how to exercise due caution when requested to disclose personal data to a third party.
Disclosure is permitted by the GDPR without the consent of the data subject under certain circumstances, namely:
- In the interests of safeguarding national security
- In the interests of crime prevention and detection, which includes the apprehension and prosecution of offenders
- In the interests of assessing or collecting a tax or duty
- In the interests of discharging various regulatory functions, including health and safety
- In the interests of preventing serious harm occurring to a third party
- In the interests of protecting the vital interests of the data subject, in a life and death situation only
The Data Controller is responsible for handling all requests for the provision of data for these reasons. Authorisation by the Data Controller shall only be granted with the support of appropriate documentation.
Data Retention and Disposal
DOTS must not retain personal data for longer than is necessary.
Once an employee has left DOTS, it may no longer be necessary for DOTS to retain all the personal data held in relation to that individual. Some data will be kept for longer than other data, in line with DOTS data retention and disposal procedures in Disposal of Removable Storage Media 92017 H Policy.
Personal data must be disposed of according to DOTS secure disposal procedure, Disposal of Removable Storage Media 92017 H, to ensure that the rights and freedoms of data subjects are always protected.
Document Owner
The Data Controller is the owner of this policy document and must ensure that it is periodically reviewed according to the review requirements contained herein.
The latest version of this policy document is available to all employees of DOTS from the admin files.
This policy document was approved by DOTS Director Odile Waddington Jones and is issued by Odile Waddington Jones on a version controlled basis.
Contact
DOTS Training and Consultancy
Email: odile@dotstrainingandconsultancy.co.uk