Policy statement
Introduction
The Data Protection Act 2018 requires us (Essex Cares Limited, trading as ECL) as a Data Controller to have an appropriate policy document in place relating to the processing of special category personal information and information about criminal offenses.
Personal data is any information by which a living individual can be identified. Individual identification can be by information alone or in conjunction with other information. Certain categories of personal data have additional legal protections when being processed. These categories are referred to in the legislation as “special category data” and are data concerning:
- Health
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Sex life or sexual orientation
The processing of criminal offence data also has additional legal safeguards. Criminal offence data includes information about criminal allegations, criminal offences, criminal proceedings and criminal convictions.
The principles
The below information sets out our procedures for ensuring our compliance with the principles as detailed in Article 5 of the General Data Protection Regulation.
Principle 1: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
We will:
- ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful
- only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing
- ensure that data subjects receive full privacy information so that any processing of personal data is transparent
Principle 2: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
We will:
- only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in a privacy notice
- not use personal data for purposes that are incompatible with the purposes for which it was collected. If we do use personal data for a new purpose that is compatible, we will inform the data subject first
Principle 3: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
We will:
- only collect the minimum personal data that we need for the purpose for which it is collected.
- ensure that the data we collect is adequate and relevant.
Principle 4: Personal data shall be accurate and, where necessary, kept up to date.
We will:
- ensure that personal data is accurate, and kept up to date where necessary.
- take particular care to do this where our use of the personal data has a significant impact on individuals.
Principle 5: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
We will:
- only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data it shall be deleted or rendered permanently anonymous.
Principle 6: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We will:
- ensure that there appropriate organisational and technical measures in place to protect personal data.
Accountability principle: The controller shall be responsible for, and be able to demonstrate compliance with these principles. Our Accounting Officer is responsible for ensuring that the department is compliant with these principles.
We will:
- ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request
- carry out a Data Protection Impact Assessment for any high risk personal data processing, and consult the Information Commissioner if appropriate
- ensure that a Data Protection Officer is appointed to provide independent advice and monitoring of personal data handling, and that this person has access to report to the highest management level of the department
- have in place internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law
Our policies in regards retention and erasure of personal data
We will ensure, where special category or criminal convictions personal data is processed, that:
- there is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data
- where we no longer require special category or criminal convictions personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous
- data subjects receive full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
If you have any concerns or questions about how we use your personal information, you can speak with our Data Protection Officer
You can contact them by:
- Email: information.governance@essexcares.org
- Post: Data Protection Officer, c/o Head of Quality and Corporate Governance, Seax House, Victoria Road South, Chelmsford, Essex CM1 1QH
- Phone: 03330 135 438
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF / Tel: 03031 231 113 (local rate). Alternatively, visit ico.org.uk or email casework@ico.org.uk.