General Data Protection Regulation

    1 Purpose, Scope & Users

    The Data Protection policy details arrangements to ensure the company fulfils its legal responsibilities to protect the rights and privacy of individuals when processing personal information.

    This policy applies to all individuals working for, or contracted to, Dolby Medical HRC Ltd. (Vivisol). This includes permanent staff, temporary / fixed term contract staff, vendor staff and any other persons who access the company’s information assets.

    Users of this document are all employees of Dolby Medical Home Respiratory Care Ltd (Vivisol), as well as relevant external parties.

     

    2 Reference Documents

    • ISO/IEC 27001 standard
    • ISO/IEC 27001 controls
    • DPA
    • GDPR

     

    3 Policy Statement

    • The purpose of this Policy is to set standards to ensure that data protection requirements are met
    • The Technology Management Group (TMG) has approved the Data Protection Policy and it has been endorsed by the Executive Management Team
    • It is the Policy of Vivisol to ensure that:
      • the company complies with the requirements of the Data Protection Act as stated in the eight principles
      • the company complies with the requirements of the GDPR
      • management demonstrates commitment to Data Protection by giving clear direction, explicit assignment and acknowledgement of data protection responsibilities
      • resources are available and roles and responsibilities are assigned for Data Protection across the organisation
      • all staff are aware of their responsibility for Data Protection
      • the movement of personally identifiable data within the organisation is safeguarded
      • regulatory and legislative requirements relating to Data Protection are met
    • Roles and Responsibilities:
      • the Data Protection Officer has direct responsibility for maintaining the policy and providing advice and guidance on its implementation
      • all Managers are responsible for implementing the policy within their business areas, and for ensuring adherence by their staff
      • it is the responsibility of each employee to adhere to this policy
    • Documents will be produced to support the policy. These will include:
      • Data Protection Register Entry Details
      • Information Security Policy – Asset Management
      • File & Records Management Policy

     

    4 Policy Details

    The General Data Protection Regulation updates the Data Protection Act 1998, which enhanced and broadened the scope of the Data Protection Act 1984. Its purpose is to protect the rights and privacy of living individuals and to ensure that personal data is not processed without their knowledge and, wherever possible, is processed with their consent.

    Vivisol is committed to a policy of protecting the rights and privacy of individuals, including staff, customers and others, in accordance with the Data Protection Act and the General Data Protection Regulation. The company needs to process certain information about its staff, customers and other individuals it has dealings with for administrative purposes (e.g. to recruit and pay staff, for order processing, to record progress, to collect payment and to comply with legal obligations to the NHS and government). To comply with the law, information about individuals must be collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully.

    Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

     

    4.1 Terms and Definitions

    For the purposes of this document the following terms apply:

    Personal Data: Data relating to a living individual who can be identified from that information, or from that data together with other information in the possession of the data controller. Includes name, address, telephone number and ID number. Also includes any expression of opinion about the individual, and of the intentions of the data controller in respect of that individual.
    Sensitive Data: Different from ordinary personal data (such as name, address, telephone) and relates to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life and criminal convictions. Sensitive data are subject to much stricter conditions of processing.
    Data Controller: Any person (or organisation) who makes decisions with regard to particular personal data, including decisions regarding the purposes for which personal data are processed and the way in which the personal data are processed.
    Data Subject: Any living individual who is the subject of personal data held by an organisation.
    Processing: Any operation related to the organisation, retrieval, disclosure and deletion of data, and includes:
      • obtaining and recording data
      • accessing, altering, adding to, merging or deleting data
      • retrieval, consultation or use of data
      • disclosure or otherwise making available of data
    Third Party: Any individual/organisation other than the data subject, the data controller or its agents.
    Relevant Filing System: Any paper filing system or other manual filing system which is structured so that information about an individual is readily accessible. Please note that this is the definition of "Relevant Filing System" in the Act. Personal data as defined, and covered, by the Act can be held in any format (electronic, including websites and emails; paper-based; photographic, etc.) from which the individual's information can be readily extracted.

     

    4.2 Responsibilities

    The Data Protection policy is endorsed by the Senior Management Team and the Board of Dolby Medical HRC Ltd. This ensures the correct management commitment and signals to the organisation the importance of good data protection.

    The Technology Management Group (TMG) has overall responsibility for Data Protection. TMG is composed of senior representatives from across the organisation and reports to the senior management team.

    The Finance Director is the TMG member responsible for Data Protection. The role and responsibility for managing Data protection, referred to as the Data Protection Officer, will be performed by the Caldicott Guardian as part of their governance remit. The Data Protection Officer has responsibility for creating and maintaining the policy and supporting procedure documents.

    Directors/Managers are responsible for implementing the policy within their business areas, and for ensuring adherence by their staff.

     

    4.3 Data Protection Tasks

    The Data Protection Officer is responsible for ensuring the following DP issues are addressed:

    • ensure the appropriate details relating to company data processing activity are entered and maintained in the ICO Data Protection Register
    • coordinate the efforts of staff to ensure all information is correctly classified and protected
    • process subject access requests

     

    4.4 Data Protection Principles

    All processing of personal data must be done in accordance with the eight data protection principles.

    1. Personal data shall be processed fairly and lawfully.
      Those responsible for processing personal data must make reasonable efforts to ensure that data subjects are informed of the identity of the data controller, the purpose(s) of the processing, any disclosures to third parties that are envisaged and an indication of the period for which the data will be kept.
    2. Personal data shall be obtained for specific and lawful purposes and not processed in a manner incompatible with those purposes.
      Data obtained for specified purposes must only be used for that purpose and no other.
    3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is held.
      Information, which is not strictly necessary for the purpose for which it is obtained, should not be collected. If information is given or obtained which is excessive for the purpose, it should be immediately deleted or destroyed.
    4. Personal data shall be accurate and, where necessary, kept up to date.
      Data, which are kept for a long time, must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that they are accurate. It is the responsibility of individuals to ensure that data held by the organisation is accurate and up-to-date. Completion of an appropriate registration or application form will be taken as an indication that the data contained therein is accurate. Individuals should notify the organisation of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of the organisation to ensure that any notification regarding change of circumstances is noted and acted upon.
    5. Personal data shall be kept only for as long as necessary. (see Section 4.10 on Retention and Disposal of Data)
    6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act. (see Section 4.5 on Data Subject Rights)
    7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data. (see Section 4.7 on Security of Data)
    8. Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

     

    4.5 Data Subject Rights

    Data Subjects have the following rights regarding data processing, and the data that is recorded about them:

    • To make subject access requests regarding the nature of information held and to whom it has been disclosed.
    • To prevent processing likely to cause damage or distress.
    • To prevent processing for purposes of direct marketing.
    • To be informed about the mechanics of any automated decision-making process that will significantly affect them.
    • Not to have significant decisions that will affect them taken solely by automated process.
    • To sue for compensation if they suffer damage by any contravention of the Act.
    • To take action to rectify, block, erase or destroy inaccurate data.
    • To request the Commissioner to assess whether any provision of the Act has been contravened.

     

    4.6 Consent

    Wherever possible, personal data or sensitive data should not be obtained, held, used or disclosed unless the individual has given consent. Dolby Medical understands "consent" to mean that the data subject has been fully informed of the intended processing and has signified their agreement, whilst being in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing. There must be some active communication between the parties such as signing a form and the individual must sign the form freely of their own accord. Consent cannot be inferred from non-response to a communication. For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.

    In most instances consent to process personal and sensitive data is obtained routinely (e.g. a new member of staff signs a contract of employment, or a customer places an order). Any company forms or websites that gather data on an individual should contain a statement explaining what the information is to be used for and to whom it may be disclosed.

    If an individual does not consent to certain types of processing (e.g. direct marketing), appropriate action must be taken to ensure that the processing does not take place.

    If any member of staff is in any doubt about these matters, they should consult the Data Protection Officer.

     

    4.7 Security of Data

    All staff are responsible for ensuring that any personal data (on others) which they hold is kept securely and that it is not disclosed to any unauthorised third party (see Disclosure of Data for more detail).

    All personal data should be accessible only to those who need to use it. You should form a judgement based upon the sensitivity and value of the information in question, but always consider keeping personal data:

    • in a lockable room with controlled access, or
    • in a locked drawer or filing cabinet, or
    • if computerised, password protected, or
    • kept on disks which are themselves kept securely.

    Care should be taken to ensure that PCs and terminals are not visible except to authorised staff and that computer passwords are kept confidential. PC screens should not be left unattended without password protected screen-savers and manual records should not be left where they can be accessed by unauthorised personnel.

    Care must be taken to ensure that appropriate security measures are in place for the deletion or disposal of personal data. Manual records should be shredded or disposed of as "confidential waste". Hard drives of redundant PCs should be wiped clean before disposal.

     

    4.8 Rights of Access to Data

    Members of staff have the right to access any personal data which are held by the company in electronic format and manual records which form part of a relevant filing system. This includes the right to inspect confidential personal references received by the company about that person.

    Any individual who wishes to exercise this right should apply in writing to the Data Protection Officer. The company reserves the right to charge a fee for data subject access requests (currently £10). Any such request will normally be complied with within 40 days of receipt of the written request and, where appropriate, the fee.

    In order to respond efficiently to subject access requests the company needs to have in place appropriate records management practices. See File & Records Management policy for details.

     

    4.9 Disclosure of Data

    Dolby Medical must ensure that personal data is not disclosed to unauthorised third parties, which includes family members, friends and colleagues. All staff should exercise caution when asked to disclose personal data held on another individual to a third party. For instance, it would usually be deemed appropriate to disclose a colleague's work contact details in response to an enquiry regarding a particular function for which they are responsible. However, it would not usually be appropriate to disclose a colleague's work details to someone who wished to contact them regarding a non-work-related matter. The important thing to bear in mind is whether or not disclosure of the information is relevant to, and necessary for, the conduct of the company's business. Best practice, however, would be to take the contact details of the person making the enquiry and pass them on to the person concerned.

    This policy determines that personal data may be legitimately disclosed where one of the following conditions applies:

    1. the individual has given their consent (e.g. a member of staff has consented to the company corresponding with a named third party)
    2. where the disclosure is in the legitimate interests of the company (e.g. disclosure to staff - personal information can be disclosed to other employees if it is clear that those members of staff require the information to enable them to perform their jobs)
    3. where the institution is legally obliged to disclose the data (e.g. to comply with legislation relating to Health & Safety, Disability, Diversity etc.)
    4. where disclosure of data is required for the performance of a contract

    The Act permits certain disclosures without consent so long as the information is requested for one or more of the following purposes and the request includes appropriate authorisation:

    • to safeguard national security
    • prevention or detection of crime, including the apprehension or prosecution of offenders
    • assessment or collection of tax or duty
    • discharge of regulatory functions (includes health, safety and welfare of persons at work)
    • to prevent serious harm to a third party
    • to protect the vital interests of the individual (this refers to life-and-death situations)

    Unless consent has been obtained from the data subject, information should not be disclosed over the telephone. Instead, the enquirer should be asked to provide documentary evidence to support their request. Ideally a statement from the data subject consenting to disclosure to the third party should accompany the request.

    4.10 Retention and Disposal of Data

    Dolby Medical discourages the retention of personal data for longer than it is required. Considerable amounts of data are collected on current staff and customers. However, once someone leaves the organisation, or is no longer a customer, it will not be necessary to retain all the information held on them. Some data will be kept for longer periods than others. See the Files & Records policy for details.

    Personal data must be disposed of in a way that protects the rights and privacy of data subjects (e.g. shredding, disposal as confidential waste, or secure electronic deletion). See the Files & Records policy for details.

    © Copyright 2024 Dolby Vivisol. All Rights Reserved.