Privacy Policy

Who we are

Our website address is: https://www.bestpracticegroup.com/.

Best Practice Group is Registered in England: 03903926 | VAT: 732-457-338
Head Office: Office 16, Crows Nest Business Park, Ashton Road, Wigan WN5 7XX
Tel: 0845 345 0130
Email: advice@bestpracticegroup.com

1.0 Introduction

Best Practice Group (BPG) undertakes to comply with applicable data protection legislation as part of its everyday working responsibilities. BPG is committed to full compliance with the requirements of the General Data Protection Regulation (2016/679) and the Data Protection Act 2018.

BPG will ensure that all staff, associates, volunteers, contractors and agency staff who have access to personal data held by BPG are made fully aware of, and trained on, their responsibilities under data protection legislation.

2.0 Purpose

The purpose of this document is to define the Data Protection Policy for BPG and to ensure compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This Policy should be read in conjunction with BPG’s Information Security Policy.

BPG is committed to ensuring compliance with relevant data protection laws and will:

  •  have processes in place to ensure that the rights of data subjects, as defined under data protection legislation, are appropriately honoured;
  •  implement processes and policies to ensure that the data protection principles are adhered to when processing personal or special category information;
  •  ensure that BPG is sufficiently accountable for its information processing activities, as described within Articles 5 and 24 of the GDPR;
  •  ensure that records of all processing activities are maintained and regularly reviewed;
  •  ensure that all information processing activities have an appropriate legal basis.

3.0 Scope

This Policy is applicable to all staff at BPG, including temporary, casual, volunteers, associates, contractors and agency staff where acting on behalf of BPG. It also applies to third party organisations who may hold information, subject to the GDPR or the Data Protection Act 2018, on behalf of BPG.

4.0 Definitions
4.1 Personal information

Data which includes information relating to a living person who can be identified or who is identifiable, directly from the data in question, or who can be indirectly identified from that information in combination with other information.

4.2 Special Category information

Personal information which the GDPR states is more sensitive and requires more protection. A full list of special category data items is available from the Information Commissioner’s Office website.

4.3 Information Commissioner’s Office (ICO)

The ICO is the data protection supervisory authority for the UK. The ICO has specific responsibilities set out in both the General Data Protection Regulation and the Data Protection Act 2018. The ICO has a range of powers where it believes organisations are not meeting their statutory requirements, ranging from criminal prosecution and the imposition of monetary penalties on organisations to the power of audit.

4.4 Data Controller

A data controller is the organisation that determines the purposes and means of processing of personal information.

4.5 Data Processor

A data processor is anyone (other than an employee of the data controller) who processes data on behalf of the data controller.

4.6 Anonymisation

Anonymisation is the process of turning personal information into a form which does not identify individuals and where identification is not likely to take place. This allows for much wider use of the information.

4.7 Pseudonymisation

Pseudonymisation is a process where information is replaced with a pseudonym, e.g. names replaced with numbers. Pseudonymisation only provides limited protection of the identity of data subjects, and there is often a ‘key’ which will allow re-identification of individuals.

5.0 Responsibilities

5.1 Directors

The Directors have overall responsibility for the strategic and operational management of BPG and ensuring that BPG’s policies comply with all legal, statutory and good practice guidance requirements.

5.2 Data Protection Officer

The Data Protection Officer (DPO) has overall responsibility for professional services and the operation of effective implementation, governance and monitoring at BPG. The DPO will be the first point of escalation for any issues that require senior management input. The DPO will report to the Directors where appropriate, such as where a data security breach requires consideration for reporting to the Data Protection Regulator.

The DPO will be responsible for:

  •  day-to-day responsibility for monitoring compliance with this policy;
  •  maintaining the appropriate data protection registrations with the Information Commissioner’s Office;
  •  ensuring that Privacy Notice(s) are kept accurate and up to date;
  •  advising staff on any data protection issues which may arise;
  •  maintaining a suite of policies and standard operating procedures to ensure BPG is compliant with appropriate data protection legislation;
  •  logging and investigating any reported personal data security breaches;
  •  advising on the strategic direction of the data protection agenda;
  •  monitoring compliance and reviewing the success of Induction and Refresher Information Security training and awareness raising activities.

5.3 IT Security Manager

The IT Security Manager is responsible for the day-to-day monitoring of BPG’s computers, networks and data, to protect against threats such as security breaches, computer viruses and attacks by cyber criminals. It is the responsibility of individual systems owners to work to recommended standards, carrying out Data Protection Impact Assessments where appropriate, and to respond to concerns identified by the IT Security Manager.

The IT Security Manager will be responsible for assisting the DPO in investigating reported personal data security breaches, in line with BPG’s Data Security Breach Procedure as outlined in the Information Security Policy.

5.4 All Staff

All staff, including associates, temporary, casual, volunteer and agency staff have a responsibility for compliance with this policy. All staff are responsible for being aware of the information governance requirements, including the need to maintain the confidentiality and security of personal information and the requirement to report any breaches of this policy or any applicable data protection legislation.

6.0 Data Protection Policy

6.1 Data Protection Principles

BPG is required to comply with the six principles of data protection contained within Article 5 of the GDPR. These principles share similarities with the eight principles contained within the Data Protection Act 1998. The six principles of the GDPR require that personal data be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (also known as ‘data minimisation’);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) of the GDPR also requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles”.

6.2 Lawful basis for processing

In order to process personal information, BPG must meet one of the legal bases contained within Article 6(1) of the GDPR. In order to process special category personal information, BPG must also meet one of the legal bases contained within Article 9(2).

The legal basis for processing must be determined before the processing commences and should be recorded within BPG’s Privacy Notice(s).

For the processing of personal data to be legal under the GDPR, BPG must determine which legal basis the data is being processed under. There are six legal bases listed in Article 6(1) of the GDPR:

  a)  Consent: the data subject has given clear consent for you to process their personal data for a specific purpose.
  b)  Contract: the processing is necessary for a contract you have with the data subject, or because they have asked you to take specific steps before entering into a contract.
  c)  Legal Obligation: the processing is necessary for you to comply with the law.
  d)  Vital Interests: the processing is necessary to protect someone’s life.
  e)  Public Task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  f)  Legitimate Interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is good reason to protect the data subject’s personal data which overrides those legitimate interests.

If it is decided that consent is the appropriate legal basis for the processing of personal information, this will affect data subjects’ rights. Generally, when relying on consent as a legal basis, the data subject has stronger rights than if one of the other legal bases were utilised, such as the right to erasure and the right to data portability.

6.2.1 Lawful basis for processing special category data

For the processing of special category data to be legal under GDPR, two lawful bases of the GDPR must be met. One of the lawful bases from the six listed in Article 6(1) must be met, and one of the ten lawful bases listed in Article 9(2) must also be met.

The choice of legal basis under Article 6(1) does not necessarily dictate which lawful basis under Article 9(2) is most appropriate. For example, using Consent under Article 6(1) does not mean that ‘Explicit Consent’ under Article 9(2) must be chosen.

The ten lawful bases for processing special category data listed in Article 9(2) are:

  a)  Explicit Consent: the data subject has given explicit consent to the processing of special category data for one or more specified purposes;
  b)  Obligations and Rights: processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  c)  Vital Interests of the data subject or another person: processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  d)  Legitimate Activities: processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  e)  Public Domain: processing relates to personal data which are manifestly made public by the data subject;
  f)  Legal Claims: processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  g)  Substantial Public Interest: processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  h)  Health & Social Care: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to above;
  i)  Public Health: processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  j)  Archiving / Research: processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

6.3 Privacy Notices / Fair Processing Notices

In order to comply with the GDPR and national data protection legislation, BPG is required to inform data subjects of how their data will be processed. Privacy Notices / Fair Processing Notices were previously required under the Data Protection Act 1998; under the GDPR, however, the Privacy Notice is required to be more detailed. The GDPR states that data controllers must create Privacy Notices that are:

  •  concise, transparent, intelligible and easily accessible;
  •  written in clear and plain language, particularly if addressed to a child; and
  •  free of charge.

BPG has developed a Privacy Notice which covers its processing activities.

6.4 Information Security

All staff are responsible for ensuring the security of information that they process as part of their role. Staff must ensure that personal information is not disclosed to any unauthorised third party. All staff must apprise themselves of BPG’s Information Security Policy.

All new staff are required to complete an ‘Information Security and Data Protection’ induction training on commencement of their employment.

6.5 Refresher Training

Staff who routinely have access to personal and/or special category data will be mandated to complete refresher training on data protection and information security annually. The DPO will monitor training compliance.

6.6 Retention of Information

The DPO is responsible for ensuring that data is only kept for the period required to fulfil the purpose for which it was processed. This is enshrined in GDPR principle 5(e).

6.7 Subject Access

Under the GDPR any individual can make a ‘subject access request’ (Recital 63). Subject access requests allow data subjects to access or view their personal data and to verify the lawfulness of processing.

6.8 Data Subject Rights

Under the GDPR and the Data Protection Act 2018, data subjects have certain rights in relation to how their own personal information is processed. Some of these rights existed previously, such as the right to rectification; some existed but have been amended, such as the right of subject access; and some new rights have been bestowed upon individuals, such as the right to data portability.

The rights bestowed upon data subjects are:

  •  Right to be informed
  •  Right of access
  •  Right to erasure
  •  Right to restrict processing
  •  Right to data portability
  •  Right to object
  •  Rights related to automated decision-making including profiling

Not all of these rights are absolute and some only apply in specific circumstances.

6.9 Personal Data Security Breaches

BPG is responsible for ensuring that any data that it holds is subject to appropriate technical and organisational security (Article 5(f)). This means protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage. BPG takes all possible steps to ensure the security of the data in its possession; however, it is still possible for a breach to occur.

Personal data security breaches can happen for a number of reasons, including:

  •  the disclosure of confidential data to unauthorised individuals;
  •  loss or theft of paper records;
  •  inappropriate access controls allowing unauthorised access and use of information;
  •  attempts to gain unauthorised access to computer systems, i.e. hacking;
  •  confidential information being left unlocked in accessible areas;
  •  leaving IT equipment unattended when logged-in to a user account without locking the screen;
  •  publication of confidential data on the internet in error and accidental disclosure of passwords. (This list is not exhaustive.)

The GDPR places a requirement on BPG to notify the Information Commissioner’s Office (ICO) of a security breach within 72 hours of BPG being made aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.

More information on how BPG will manage, investigate and report these types of breaches can be found in the Information Security Policy.

6.10 Data Minimisation

BPG’s collection and processing of personal data will be limited to only what is necessary to achieve the purpose and aims of the processing.

6.11 Use of email to share personal data

The use of email is a ubiquitous method of communication for almost all modern businesses and organisations. However, it is accepted that email is inherently unsafe for the transfer of large volumes of personal or special category data. In order to mitigate any risks associated with sending personal or special category data via email, staff are expected to follow these principles:

  •  Limit the amount of personal data shared via email – only include what is absolutely necessary. If personal data is included in the email, then this should be marked as Confidential in the ‘Subject’ line.
  •  Multiple recipients should be added into the ‘BCC’ field rather than the ‘To’ or ‘CC’ fields, to limit the chances of personal data being disclosed inappropriately.
  •  Consider alternatives to sharing personal or special category data via email.

6.12 Storing and sharing personal /special category data in the Cloud

BPG holds its data in the Cloud with Microsoft (Azure/Office 365); Microsoft has strict protocols governing data security.

6.13 Direct marketing

BPG is subject to GDPR rules when marketing to prospects and customers. BPG’s marketing is business to business and ensures any material is of ‘legitimate interest’ to the data subject’s business activities. All email correspondence provides opportunity for data subjects to opt out. Opt outs are actioned in a timely manner and contact details are suppressed as soon as possible, retaining just enough information to ensure that marketing preferences are respected in the future.

6.14 Privacy by design and data protection impact assessments (DPIA)

BPG is required to implement privacy by design measures when processing personal data by implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the data protection legislation.

Where a type of data processing (e.g. the launch of a new product or the adoption of a new process or IT system) is likely to result in a high risk to the rights and freedoms of data subjects, a DPIA will be undertaken by the DPO. This includes (but is not limited to):

  •  Systematic and extensive automated processing and automated decision-making activities, including profiling, on which decisions are based that have legal effects, or similar significant effects, on data subjects;
  •  Large-scale processing of special categories of personal data or criminal records personal data.

A DPIA will comprise a review of the new technology, process or system. It must contain a description of the processing operations and their purposes, an assessment of the necessity and proportionality of the processing in relation to those purposes, an assessment of the risks to individuals, and the measures in place to address or mitigate those risks and demonstrate compliance.

6.15 Automated processing and automated decision-making

Automated processing is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, and automated decision-making occurs when an electronic system uses an individual’s personal data to make a decision without human intervention.

BPG does not carry out any automated processing and does not take any decisions based solely on automated decision-making, including profiling.

6.16 Transferring personal data outside the European Economic Area

The data protection legislation restricts transfers of personal data to countries outside the European Economic Area (EEA) in order to ensure that the level of data protection afforded to data subjects is maintained.

BPG may transfer personal data to countries outside the EEA, provided one of the following applies:

  •  There is an adequacy decision by the European Commission in respect of the particular country, i.e. that country is deemed to provide an adequate level of protection for personal data.
  •  Appropriate safeguards are in place, such as binding corporate rules or standard data protection clauses approved by the European Commission.
  •  The data subject has provided their explicit consent to the proposed transfer after being informed of any potential risk.

7.0 Cookie Policy

Our website uses cookies. A cookie is a small file of letters and numbers that we put on your computer. These cookies allow us to distinguish you from other users of the website which helps us to provide you with a good experience when you browse our website and also allows us to improve our site.

Some cookies on this site are essential, and the site will not work as expected without them. These cookies are set when you submit a form or interact with the site by doing something that goes beyond clicking on simple links.

Some cookies we use are ‘analytical’ cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the site when they’re using it. This helps us to improve the way our website works, for example by making sure users are finding what they need easily.

Google Analytics tracking

Google Analytics tracking (and most web tracking software) uses cookies in order to provide meaningful reports about site visitors. However, Google Analytics cookies do not collect personal data about website visitors.

More information

For more information about cookies please visit www.allaboutcookies.org.

Preventing Cookies

If you decide that you would like to prevent cookies from our site, then you will need to adjust your web browser settings. Click on the link for your browser below to get information on how to prevent cookies from being created on your particular browser.

  •  Netscape Navigator 3.0
  •  Netscape 4.0+
  •  Netscape 6.0+
  •  Firefox 2.0+ / 3.0+ / 4.0+ / 8.0+
  •  Internet Explorer 3.0
  •  Internet Explorer 4.0
  •  Internet Explorer 5.0+
  •  Internet Explorer (IE) 7.0+
  •  Internet Explorer (IE) 8.0+
  •  Internet Explorer (IE) 9.0+
  •  Google Chrome
  •  Safari
  •  Opera