1.1 DATA PROTECTION POLICY
Everyone has rights with regard to how their personal information is handled. During the course of our activities, TRI will collect, store and process personal data (which may be held on paper, electronically, or otherwise) about our staff, donors, funding partners, patients, suppliers, customers and any other business contacts and we recognise the need to treat it in an appropriate and lawful manner, in accordance with the European Union (EU) General Data Protection Regulation (GDPR). The purpose of this notice is to make you aware of how we will handle your personal data.
1.1.1 Data protection principles
We will comply with the eight data protection principles of good practice, which say that personal data must be:
(a) Processed fairly, lawfully and in a transparent manner;
(b) Processed for limited purposes and in an appropriate way;
(c) Adequate, relevant and not excessive for the purpose;
(e) Not kept longer than necessary for the purpose;
(f) Processed in line with individuals’ rights;
(h) Not transferred to people or organisations situated in countries without adequate protection.
“Personal data” means recorded information we hold about you from which you can be identified. It may include contact details, other personal information, photographs, and expressions of opinion about you or indications as to our intentions about you. “Processing” means doing anything with the data, such as accessing, disclosing, destroying or using the data in any way.
1.1.2 Personal details
It is really important that the personal data we hold about you is correct. Thrombosis Research Institute is responsible for maintaining up-to-date details of current, past and prospective employees, suppliers, customers and others that we communicate with.
We will request this information when the contract starts, and you should advise us of any changes straight away. Information is held in confidence and used in accordance with our General Data Protection Policy.
1.1.3 Fair and lawful processing
GDPR allows the processing of data only where it is needed for one of the following specific purposes:
a) for the performance of a contract, such as an employment contract
b) to comply with a legal obligation
c) in order to pursue our legitimate interest (or those of a third party) and where the interests and fundamental rights of the data subject do not override those interests
d) to protect the data subject’s vital interests
e) in the public interest, or
f) in situations where the data subject has given explicit consent.
We will only process data on the basis of one or more of the above lawful bases.
We will usually only process your personal data where you have given your consent or where the processing is necessary to comply with our legal obligations. In other cases, processing may be necessary for the protection of your vital interests, for our legitimate interests or the legitimate interests of others.
We will only process “sensitive personal data” about ethnic origin, political opinions, religious or similar beliefs, trade union membership, health, sex life, criminal proceedings or convictions, where a further condition is also met. Usually this will mean that you have given your explicit consent, or that the processing is legally required for employment purposes.
You are able to withdraw consent easily at any time and any withdrawal will be promptly honoured.
1.1.4 How we are likely to use your personal data
We will process data for legal, personnel, administrative and management purposes and to enable us to meet our legal obligations as an organisation, in order to comply with the contract.
1.1.5 Adequate, relevant and non-excessive processing
Your personal data will only be processed to the extent that it is necessary for the specific purposes notified to you.
1.1.6 Accurate data
We will endeavour to keep the personal data we store about you accurate and up to date. Data that is inaccurate or out of date will be destroyed. Please notify us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you.
1.1.7 Data retention
We will not keep your personal data for longer than is necessary for the purpose. This means that data will usually be destroyed or erased from our systems when it is no longer required.
1.1.8 Processing in line with your rights
You have the right to:
• Request access to any personal data we hold about you.
• Prevent the processing of your data for direct-marketing purposes.
• Ask to have inaccurate data held about you amended.
• Withdraw consent when the only legal basis for processing data is consent.
• Object to any decision that significantly affects you being taken solely by a computer or other automated process.
• Be informed about processing of data.
• Have information deleted.
• Object to the inclusion of data.
• Be notified of a data breach which is likely to result in high risk to your rights and freedoms.
• Make a complaint to the Information Commissioner’s Office or other supervisory authority.
1.1.9 Data security
We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only usually transfer personal data to a third party if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves.
1.1.10 Providing information to third parties
We will not disclose your personal data to a third party without your consent unless we are satisfied that they are legally entitled to the data. Where we do disclose your personal data to a third party, we will have regard to the eight data protection principles.
1.1.11 Subject access requests
If you wish to know what personal data we hold about you, you must make the request in writing. All such written requests should be forwarded to the Institute Secretary.
1.1.12 Breaches of data protection principles
If you consider that the data protection principles have not been followed in respect of personal data about yourself or others, you should raise the matter with the Institute Secretary / Data Protection Officer. Any breach of the data protection policies will be taken seriously and may result in disciplinary action against the individual(s) concerned. Any person who is not an employee but who breaches this policy may have their contract terminated with immediate effect.
Where a data breach is likely to result in a risk to the rights and freedoms of the individual(s) concerned, we will report it to the Information Commissioner’s Office within 72 hours of us becoming aware of it.
We will keep full and accurate records of all our data processing activities.
1.1.14 Monitoring and Review of the policy
We will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives.
Last updated May 2018
© Copyright TRI 2018