Policy Code: LH.POL.0007Date first issued: 26 May 2023Date last updated: 26 May 2023
Version no: 1.0Document owner: Andrew SatherleyDate of next review: 26 May 2024

 

THS IS AN UNCONTROLLED COPY. UNCONTROLLED COPIES ARE FOR REFERENCE ONLY AND NOT SUBJECT TO AUTOMATIC UPDATE WHEN A NEW VERSION IS RELEASED. CONTACT THE COMPLIANCE MANAGER FOR UPDATES.

 

Data Protection Policy

 

  1. PURPOSE

This policy sets out how we seek to protect personal data and ensure that our Workers understand the laws governing the use of Personal Data to which they have access during their work.

 

The Company is committed to protecting the rights and freedoms of individuals by ensuring the safe and secure processing of their data in accordance with Data Protection Legislation.

 

Data Protection Legislation means the General Data Protection Regulation (GDPR), United Kingdom General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA2018) the E Privacy Directive and the Privacy and Electronic Communications Regulations 2003(PECR) and any legislation implemented in connection with the legislation. This also includes any replacement legislation coming into effect from time to time. We hold personal data about our employees, workers, clients, prospective clients, research participants, suppliers and other individuals for a variety of business purposes.

 

The Company’s leadership is fully committed to ensuring continued and effective implementation of this policy and expects all Company Workers to share in this commitment. Any breach of this policy will be taken seriously and may result in disciplinary action.

 

This policy has been approved by the Company’s Joint Managing Directors: Andrew Satherley and James Whitehouse.

 

  1. SCOPE

This policy applies to all processing of personal data whether:

  • wholly or partly by automated means (i.e.by computer), or
  • by other means (i.e. paper records) that form part of filing system or are intended to form part of a filing system.

 

This policy applies to all Company Workers and anyone else working on our behalf including contractors, associates and research participants who must be familiar with this policy and comply with its terms.

 

This policy supplements our other policies such as those relating to Information Security & Acceptable Use and Remote Working. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to Workers before being implemented.

 

 

  1. DEFINITIONS & ABBREVIATIONS
CompanyLightning Health
Data controller ‘Data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law, the controller or the specific criteria for its nomination may be provided for by said law.
Data processor ‘Processor’ means a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller.
Personal data Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data we gather may include: individuals’ phone number, email address, educational background, professional qualifications and experience, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.

Processing ‘Processing’ means any operation or set of operations which is performed on personal data, or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Supervisory authority These are the national bodies responsible for data protection in each EU Member State and the UK.  For the processing of personal data of UK residents this will be the Information Commissioners Office (ICO). For EU residents it will be the relevant Member States supervisory authority Our Members | European Data Protection Board (europa.eu)
Special categories of personal data Special categories of data include information about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences or related proceedings, and genetic and biometric information —any use of special categories of personal data should be strictly controlled in accordance with this policy.

Special categories of personal data we may gather include: employee health data, inferred health data from patent advocacy groups.

Workers Means the individuals who this policy is applicable to and includes the Company; Employees, workers, contractors, associates, research participants, professional advisors

 

  1. RESPONSIBILITIES
All Workers·       Fully understand your data protection obligations

·       Undertake mandatory Data Protection Training

·       Check that any data processing activities you are dealing with comply with our policy and are justified

·       Not to use data in any unlawful way

·       Not to store data incorrectly, be careless with it or otherwise cause us to breach data protection laws and our policies through your actions

·       Comply with this policy at all times

·       Researching third-party services, such as cloud services, software and application providers, the company is considering using to store or process data

·       Raise any concerns, notify the DPO of any breaches or errors, and report anything suspicious or contradictory to this policy or our legal obligations without delay

Functional headsResponsible for understanding what personal data is held in their area of responsibility, specifically:

·       What the personal data is used for (the purpose)

·       The legal basis for processing

·       What personal data is added, what is removed, how information is moved

·       Who has access to personal data and why

·       Understand how long data should be kept for

·       Ensure that that the correct privacy information is communicated to individuals

·       Ensure any processing based on consent is fully recorded and traceable

·       Identify (with the help of the DPO) and manage risks privacy and data protection risks, which the processing of personal data within the information assets in their area of responsibility creates

·       Ensuring that this policy is communicated and implemented within their area of responsibility

Joint Managing DirectorsHave overall responsibility for Data Protection legislation compliance and policy approval
Data Protection Officer (DPO)Responsible for championing Data Protection and:

·       Update the senior leadership team on a regular basis on personal data risk management

·       Provide data protection advice and assistance throughout the business

·       Organising the Company’s Data Protection registration renewal

·       Correspondence with the Information Commissioner on data protection matters

·       Data breach assessment and notification requirements

·       Assessing Data Protection Impact Assessments

·       Reviewing all data protection procedures and policies on a regular basis

·       Arranging data protection training for all workers

·       Responding to individuals’ rights requests

·       Monitoring compliance with data protection legislation across the organisation

 

  1. POLICY

 

The Data Protection Principles

 

The data protection principles set out the framework under which all Workers must adhere to when any personal data is collected, stored or transmitted.

 

The Data Protection principles set out the main responsibilities for how we process personal data, and the Company must be accountable for and be able to demonstrate compliance with all six principles. The principles regulate how we obtain and use personal data. The principles apply to all personal data we process. It is important that all those who access, use, handle store, collect personal data understand and comply with this policy, and comply with the Data Protection Principles, summarised below.

 

The principles are enforceable by the Information Commissioner, other European Supervisory Authorities and the courts. A number of offences are established by the DPA2018 for breaching the principles.

 

Principle 1 Lawfulness, Fairness and Transparency

Personal data must be processed lawfully, fairly and in a transparent manner in relation to individuals.

The Company must ensure that all personal data is processed lawfully and make individuals aware of how it uses their data. The processing of personal information is only lawful if one of the following applies;

  • The data subject has freely given, specific and informed consent to the processing
  • Processing is necessary for the performance of a contract
  • Processing is necessary for compliance with a legal obligation
  • To protect the vital interests of the data subject or another natural person
  • In order to carry out a public task
  • Processing is in the legitimate interest of the data controller

 

Workers must ensure that the one of the legal bases applies to the processing of the data before they are processed. The lawful basis must be detailed in the relevant privacy notice.

 

As special category data is more sensitive and the risks to the rights and freedoms of individuals are more profound, when processing special category data, you will need to ensure that in addition to the legal basis above your processing also satisfies one of the following conditions (most relevant to the Company):

  • The individual has given explicit consent to the processing of those personal data for one or more specified purposes
  • Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment
  • Processing is necessary in the public interest in connection with ensuring high standards of quality and safety of health care and medicinal products or medical devices
  • Processing is necessary for the purposes of preventive or occupational medicine for the assessment of the working capacity of the employee
  • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

 

Consent should only be relied upon if no other legal basis or purpose can be found. Consent must be affirmative, informed, specific and freely given. If you are relying on consent as your lawful basis you must keep records of consent and you must ensure that you have mechanisms to manage data subjects withdrawing consent.

 

Transparency & Privacy Notices

The Company is developing a comprehensive set of privacy notices which cover for the processing of the personal information of; employees, workers, research participants, clients, leads and prospective clients, advisers and professional experts. These will be stored in the Bolt. Privacy notices, will be written in an accessible way, using concise and easy to understand language.

 

When processing, collecting, using, storing personal data you should ensure that you are transparent with all individuals and that your processing is covered in one of the privacy notices which are on our website and on Bolt.

 

Privacy Notices must include the following:

  • Identification and contact information of the Company and the DPO
  • The purpose of processing the data
  • The lawful basis for the processing
  • The right to withdraw consent at any time, if applicable
  • Any recipient or categories of recipients of the personal data
  • Existence of any transfers to third countries and the safeguards in place
  • The retention period of the data
  • The right to lodge a complaint with the ICO, and internal complaint procedures
  • The source of the personal data, and whether it came from publicly available sources (only for data not obtained directly from the data subject)
  • Any existence of automated decision making, including profiling, and information about how those decisions are made, their significances and consequences to the data subject

Where appropriate, privacy information should be communicated at the point of collection of any personal data. Where this is not, possible it must be communicated as soon as possible or no later than when the data is used. If the data is being used to communicate with the individual, then the privacy notice must be supplied when the first communication takes place at the latest.

 

Principle 2 Purpose Limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

Personal data in most circumstances should only be used for the purpose for which it was originally collected or processed. The Company has a Data Protection Impact Assessment SOP – LHSOP0008 and screening tool for all activities and projects that may involve the processing of personal data.

 

If you aren’t clear the purpose for which data was collected but wish to use it, or you wish to use it for another purpose, you must seek approval from the DPO who can confirm the purpose for which the data was collected and whether and proposed new purpose is compatible. Where the proposed use is significantly different, involves combining data from different sources, or otherwise might have a significant impact on data subjects, the DPO may require a Data Protection Impact Assessment is undertaken.

 

Any activity that involves the repurposing of personal Information collected for one purpose for an alternative use will go through a full Data Protection Impact Assessment. This assessment will objectively review the compatibility of the further processing with the original purpose.

 

The Company is registered with the ICO as a data controller. This registration summarises the purposes for which data is used by the Company and must be renewed every year. The DPO manages this process.

 

Principle 3 Data Minimisation

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Business area leads should ensure there are regular audits of data to examine quality and compliance with the data protection legislation.

 

Business area leads should ensure that the data collected from individuals and retained on the Company’s systems, applications and databases is limited only to what is required for current purposes and is sufficient to support appropriate and effective decisions. Personal data, which is not required for a specific lawful purpose, must not be processed, collected or stored.

 

Where excess data collection is identified, collection of the excess data should cease, and any existing data reviewed and deleted where such a deletion will not interfere with the accuracy or integrity of the data.

 

Principle 4 Accuracy

Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

It is vitally important, not only to comply with the data protection legislation, but also operationally, to ensure that all information is accurate.

 

You should take care when collecting and recording information to ensure it is entered accurately.

If you are in any doubt about the accuracy of information, clarify it with the source before you enter it on to the Company’s systems, applications and database. Should any inaccuracies come to light; correct them as soon as possible. Where appropriate it is a good idea to ask or prompt individuals to check the personal data we have on record is correct.

 

Principle 5 Storage Limitation

Personal data shall be kept in a form, which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data. The Company is developing procedures to ensure that personal information, is periodically reviewed and information that is no longer required is removed from our systems, applications and databases.

 

The Company is developing retention and disposal schedules and once agreed business area leads should ensure that they routinely review their information assets and ensure that information is retained or disposed of in line with our Retention and Disposal Schedule.

 

Principle 6 Integrity and Confidentiality

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

All personal information and confidential business information must be kept secure at all times. It is everyone’s responsibility to ensure that our office and remote working environments and working practices take account of the security necessary to prevent the loss, theft, damage or unauthorised access to personal data and other confidential client information.

 

The Company’s Information Security & Acceptable Use Policy and Remote Working Policy must be complied with at all times. Our policies are available on our HR software here.

 

Security measures include (but are not limited to) the following:

  • All surplus and redundant IT equipment including USB’s and other removable media must be forwarded to the James Whitehouse who will ensure that the equipment is disposed of
  • Paper records containing personal data must be disposed of in the confidential waste bins in the office.
  • Personal information and confidential client, prospect and lead data must not be held on removable media unless encrypted (e.g. memory sticks, laptops, etc.)
  • Privately owned removal media devices must never be placed into a Company computer system
  • Personal data, client and lead data must never be stored on personal computer hard drives
  • Access to both digital and paper records should be restricted only to those who need direct access to the data contained within them
  • Access controls like passwords and other security information must not be shared or written down or reused between applications/ systems
  • Workers should use the secure printing option at all times to avoid the risk of confidential information being left on printers
  • Offices must be kept secure, and adequate measures must be in place to prevent the loss, theft or unauthorised access to paper and digital records – measures include controlling access to premises and visitor access controls
  • Workers must lock paper records containing personal data in a suitable safe, cabinet, drawer or other storage furniture when not in use. Where lockable storage is not available, the room or office door must be locked when left unattended
  • Workers must lock their computer screen when not in use
  • Do not leave Company laptops and mobile phones insecure and unattended while working remotely (for example in an empty vehicle) and that any loss or theft of these devices is reported immediately to James Whitehouse and Andrew Satherley
  • Validate who you are speaking to on the telephone before discussing any personal information by asking some basic security questions
  • Do not extract or view personal information from any database or system for any unauthorised purpose
  • Data should be regularly backed up
  • Data should never be saved directly to mobile devices such as laptops, tablets or smartphones

 

Individuals Rights

Individuals have the following rights over their data:

  • right of access – to receive a copy of their personal data
  • right to rectification – to ask for incorrect data to be rectified
  • right to erasure – to ask where data is processed under the consent or legitimate interest lawful basis that the data is erased
  • right to restriction – to ask for a temporary hold on processing their data
  • right to data portability – where they provided their data digitally to obtain a copy of their data in a machine-readable format
  • right to object – where processing is causing unwarranted alarm or distress to ask for the processing to stop
  • rights related to automated decision-making including profiling – to ask for a human intervention in automated decision making which has an impact in the individual

 

Individuals rights request can be made to any part of the business and individuals do not have to quote the legislation. Requests can be made verbally. It is important that Workers recognise a rights request and forward it to the DPO as soon as possible as in most cases we only have one calendar month to respond. Any of the above requests should be passed to the DPO at dpo@lightning.health individuals may be required to provide identification and proof of address. For further information please see LHSOP0007 – Individuals Rights and Complaints SOP.

 

International Transfers

Personal data shall not be transferred to a country or territory outside the European Economic Area[1] unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. This includes when using application or software provider based outside the UK or EEA. Transfers of data outside of the UK/ EEA is complicated and you should consult with the DPO for further advice and assistance. All personal data processing outside of the EEA must be referred to the DPO as the levels of protection for the information may not be as comprehensive as those in UK or the EEA. Special contractual arrangements, checks and records are required for any such transfers and individuals have a right to be informed.

 

For such transfers to be lawful one of the following safeguards must apply and be documented.

  • adequacy decision
  • binding corporate rules plus a transfer Impact assessment
  • standard contractual clauses plus a transfer impact assessment
  • code of conduct/ certification plus a transfer impact assessment

 

Third Party Data Processors

Workers must ensure we have written contracts in place with any third parties that we use to process store, collect record, access personal data for us. The contract must contain specific clauses which set out our and their liabilities, obligations and responsibilities.

 

Workers must only appoint processors who can provide sufficient guarantees that the rights of individuals will be respected and who can show they have implemented the appropriate technical measures to ensure the confidentiality and security of the data.

 

Our contracts must comply with the minimum contractual requirements set out in the GDPR. The contracts must set out the subject matter and duration of the processing, the nature and stated purpose of the processing activities, the types of personal data and categories of data subject, and the obligations and rights of the controller.

 

At a minimum, our contracts must include terms that specify:

  • The processor will act only on written instructions
  • Those involved in processing the data are subject to a duty of confidence
  • Appropriate measures will be taken to ensure the security of the processing
  • Sub-processors will only be engaged with the prior consent of the controller and under a written contract
  • The controller will assist the processor in dealing with subject access requests and allowing data subjects to exercise their rights under GDPR
  • The processor will assist the controller in meeting its GDPR obligations in relation to the security of processing, notification of data breaches and performance of Data Protection Impact Assessments
  • The processor(s) and sub-processor(s) will delete or return all personal data at the end of the contract
  • Both the processor and the controller will submit to regular audits and inspections, and provide whatever information necessary for the controller and processor to meet their legal obligations
  • Nothing will be done by either the controller or processor to infringe on GDPR

 

If you are going to share data with another organisation, you must contact the DPO who can provide or advise on suitable wording. The agreement must be approved by the DPO.

 

Data Breach Reporting

A data breach is breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data. This could include sending an email containing personal data to the wrong person, loss or theft of unencrypted laptops/ USB’s/ pen drives/ external hard drives, insecure disposal of paper records, cyber incidents or attacks.

 

It is important that any potential breach is reported to the DPO at dpo@lightning.health as quickly as possible. Following receipt of the report the breach will be investigated.

 

The data breach report should include the following:

  • date and time the data breach occurred
  • date and time you discovered the breach if different
  • type of data which has been compromised
  • the number of individuals that have been affected
  • the steps you have taken to retrieve the data

 

Data breaches, which pose a high risk to the rights and freedoms of individuals, must be reported to the Information Commissioner within 72 hours of the data controller becoming aware of the data breach. The DPO along with the senior leadership team will assess the breach and determine necessity to report the data breach. In some circumstances the individuals whose data has been compromised may need to be informed of the breach.

 

We have a learning approach to data breaches at the Company. We will keep a record of all breaches and undertake a root cause analysis so we can prevent a recurrence, where appropriate change our processes, policies or procedures implement additional technical controls or provide additional training to Workers.

 

Data Protection by Design

GDPR and UK GDPR places an emphasis on accountability and data protection by design. This means that privacy considerations and data subject’s rights should be at the forefront of an organisations planning, thinking, decision-making and design.

 

Data Protection Impact Assessments (DPIA) are mandatory before you begin any processing which will have a widespread and serious impact on the privacy rights of individuals. They are intended to help you identify and minimise the data protection risks in a project or processing activity. Specifically, the Regulation state that you will need to carry out a DPIA where you plan to:

  • use systematic and extensive profiling with significant effects
  • process special category or criminal offence data on a large scale
  • or systematically monitor publicly accessible places on a large scale

 

The Company also requires you to do a DPIA if you plan to do any of the following:

  • use new technologies
  • use profiling or special category data to decide on access to services
  • profile individuals on a large scale
  • process biometric or genetic data
  • match data or combine datasets from different sources
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’)
  • track individuals’ location or behaviour
  • profile children or target services at them
  • process data that might endanger the individual’s physical health or safety in the event of a security breach

The Company is developing a DPIA Standard Operating Procedure. There will be more information on when and how to complete a DPIA in the DPIA Standard Operating Procedure.

 

All projects, decisions, contracts, information sharing and any new processing activities involving the use of personal data undertaken by the Company must go through the Data Protection Impact Assessment screening tool.

 

Training

The Company will train Workers who deal with personal data on a regular basis via face to face and e-learning. Workers undertaking marketing or accessing special category data on a regular basis will receive Refresher training will be disseminated from time to time to all Workers, Data Protection and Information Security training is mandatory for all Workers.

 

Failure to undertake the mandatory training will lead to performance management processes being invoked in line with the Company Handbook.

 

Accountability

The Company and all those working for it are required to take responsibility for how personal data is processed and ensure processing complies with the data protection legislation. We must have measures and records in place in order to demonstrate compliance. Our measures in place include:

  • Appointing a Data Protection Officer (DPO)
  • Conducting audits of compliance
  • Our Data Protection and Information Security policies
  • Carrying out data protection impact assessments and screening
  • Data Breach Reporting
  • Data Protection and Information Security Risk Register
  • Training
  • Appropriate contracts and checks on data processors

 

Advice or assistance regarding this Policy or Data Protection Legislation in general is available from the DPO. Any Workers with privacy, data protection or retention and disposal concerns or queries should contact the DPO on dpo@lightning.health. The DPO will investigate and or provide objective and independent advice and guidance on any matters raised.

 

Audits & Monitoring

Regular data audits to manage and mitigate risks will be carried out. This includes information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant. You must conduct a regular data audit as required by the DPO and normal procedures.

 

Everyone must observe this policy. The DPO has overall responsibility for this policy. The Company will keep this policy under review and amend or change it as required. You must notify the DPO of any breaches of this policy. You must comply with this policy fully and at all times.

 

Disciplinary issues

Workers at the Company have access to confidential client data and the personal data of research participants, employees, workers, clients, leads and prospective clients. All Workers have a key role in protecting the confidentiality and security of all the information we hold.

 

The damage to the reputation of our business as a consequence of a Worker accidentally or unlawfully accessing, disclosing, holding or processing personal data will harm our future growth and undermine client retention. The unlawful access and disclosure of information and the unauthorised processing of personal data held by the Company may be considered to be serious disciplinary or even a criminal matter.

 

A deliberate or reckless breach of the Data Protection Legislation could result in Workers facing disciplinary action in line with the Company Handbook. All personal data recorded in any format must be handled securely and appropriately, and Workers must not disclose information for any purpose outside their normal work role without proper authorisation. Workers should be aware that it could be a criminal offence to deliberately or recklessly disclose personal data without the authority of the Company.

 

 

  1. RELATED DOCUMENTS
Policies·       Information Security and Acceptable Use (LHPOL0008)

·       Remote Working (LHPOL0009)

SOPs·       Data Protection Impact Assessments (LHSOP0008)

·       Data Breaches (LHSOP0006)

·       Individuals Rights and Complaints (LHSOP0007)

 

  1. REFERENCES

 

  1. APPENDICES
 

 

  1. DOCUMENT HISTORY
VersionEffective date (superseded versions)Summary of changes