Introduction
The Dawn Sturgess Inquiry processes personal data in order to perform its public function. This policy sets out the framework to which all those engaged in supporting the Inquiry will adhere. It will ensure that personal data is protected so that it is seen only by those who need to see it, is stored securely, held only for as long as necessary and is deleted once it is no longer required. The policy will support compliance with the Data Protection Act 2018 (DPA) and meet the requirements for safeguarding personal data as set out in the Inquiry’s Management Statement.
Core Data Protection Principles
The Inquiry will process relevant personal data in accordance with the Data Protection principles. These principles (which are set out in Part 3, Chapter 2 of the Data Protection Act 2018) require that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
s34(3) of the Data Protection Act 2018 also requires that the controller shall be responsible for, and be able to demonstrate compliance with, the above (‘accountability’).
Definitions
Controller: the organisation (alone, jointly or in common with other organisations) which determines the manner and purposes for which personal data is to be processed.
Processor: processes data on behalf of the Controller (other than an employee), usually a third party contractor or service provider.
Data Protection Impact Assessment: a risk assessment methodology to identify the most effective way to comply with data protection legislation and meet individuals’ expectations of privacy. It allows organisations to identify and mitigate data protection risk.
Data Protection Law: The UK General Data Protection Regulation together with the Data Protection Act 2018 and all secondary legislation made under it. These laws govern the way in which controllers can process an individual’s personal data and provide individuals’ rights in relation to the processing of, and access to, their personal data.
Data Protection Principles: a set of overarching requirements defined in data protection legislation (see section 2 of the policy)
Data Protection Risk: that part of the Inquiry’s overall risk portfolio which relates to the integrity, availability and confidentiality of personal data.
Data Subject: an individual who is the subject of personal data.
All those engaged in supporting the Inquiry: includes Inquiry employees as well as all temporary staff, contractors and consultants.
Information Asset Owners: officials within the Inquiry, who are responsible for the processing of personal data within their assigned area of control.
Personal data: information that relates to a living individual who can be directly identified from either the information itself, or by combining the information with other data available to the Inquiry. Personal data includes expressions of opinion and indications of intention, as well as factual information. Where referenced in this document the term personal data includes special category data as defined below.
Personal data breach: the loss, theft, inappropriate use or unauthorised disclosure of personal data.
Process/Processed/Processing: includes collecting, recording, storing, retrieving, transmitting, amending or altering, disclosing, deleting, archiving and destroying personal data.
Restrictions: limitations which apply to the processing of personal data in specific circumstances, as expressed within legislation.
Special Category Data: personal data that is particularly sensitive because it could create more significant risks to a data subject’s fundamental rights and freedoms if compromised or processed inappropriately. It includes information about race; ethnic origin; political views; religion; trade union membership; genetics; biometrics (where used to verify identity); health; sex life; and sexual orientation. The Inquiry’s Appropriate Policy for the processing of special category data is here.
Data Protection Policy Statement
All those engaged in support of the Inquiry are expected to do whatever is necessary to ensure compliance with Data Protection Law and follow the Inquiry’s Data Protection policies and procedures
What is our Objective?
To ensure that:
- Personal data (including special category data) is processed fairly, lawfully and transparently by this Inquiry, in compliance with the requirements of data protection law and other relevant information governance obligations;
- All those engaged in supporting the Inquiry are aware of, and fulfil their responsibilities in following processes and policies, when processing personal data on behalf of the Inquiry including their responsibilities if a personal data breach occurs;
- All those involved in working on the Inquiry should establish and maintain a culture of data protection by design, ensuring that data protection obligations are taken into account whilst developing new business processes.
What is Data Protection Law?
Data Protection Law means the:
- Data Protection Act 2018 and regulations made under the Act
- UK General Data Protection Regulation (Regulation (EU) 2016/679) on the protection of natural persons regarding the processing of personal data and on the free movement of such data
- Data protection law applies to any processing of personal information that could identify living individuals. Processing is the term used for virtually anything that can be done with or to recorded information, including acquisition, storage and destruction as well as active use. The Inquiry must have a legal basis for any processing of personal data that it undertakes. DSI provides privacy information in the form of links to its Privacy Notice to individuals at the time we collect their personal data from them.
Individuals have the following rights:
The right, upon request and with proof of identity:
- to be informed whether information about them is being processed;
- to be given a description of the information;
- the legal basis for and the purpose of our processing;
- to whom it may be disclosed;
- how long it will be kept for and
- to be provided with the information electronically in intelligible form free of charge.
The requested information will be provided at the latest within one month of receipt of proof of identity and any necessary clarifications as to the information required (SARs);
Individuals also have the right:
- to request to have inaccurate personal data rectified, or completed if it is incomplete;
- to have their personal data erased in certain circumstances;
- to request the restriction or suppression of their personal data in certain circumstances;
- based on the individual’s particular situation, to object to certain kinds of processing.
Your rights may be subject to exemptions or limitations.
Data Sharing
The Inquiry shares data with core participants as part of the legal disclosure process for its investigations and public hearings. The Inquiry has its own obligations under data protection legislation and will review all documents prior to their disclosure to ensure compliance with this legislation and that a consistent approach to DPA redactions is applied.
Data Processors
Anyone working for the Inquiry is responsible for ensuring that any data processor such as a contractor or third party service provider only processes personal data in compliance with Inquiry’s policy and Data Protection Officer (DPO) instructions, including any deletions at the end of any contract, as appropriate.
Data Breaches
A personal data breach is:
- a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted stored or otherwise processed
- This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just losing personal data.
Examples of a personal data breach can include:
- Access by an unauthorised third party;
- Sending personal data to an incorrect recipient;
- Unencrypted computing devices containing personal data being lost or stolen;
- Alteration of personal data without permission;
- Loss of availability of personal data.
All those engaged on behalf of the Inquiry discovering or responsible for any security incidents that may or may not lead to a personal data breach MUST report this as soon as possible to the DPO in order to establish if a personal data breach has occurred. They should inform the DPO or use the data breach report form. If a data breach has occurred, the DPO will:
- Take prompt steps to advise on how to mitigate the impact of the breach;
- Establish the likelihood and severity of the resulting risk to people’s rights and freedoms;
- Consult with other Security teams or the sponsoring department, as appropriate.
- If deemed ‘high risk’, the DPO will promptly inform those affected and advise them of any immediate risk of damage and help them take steps to protect themselves from the effects of the breach. If there are any significant risks to rights and freedoms of individuals, they will notify the Information Commissioner’s Office as soon as possible, but within 72 hours of becoming aware of the breach.
Compliance activity
The Inquiry will comply with data protection law by:
- Enabling the relevant individuals working on the inquiry to handle personal data lawfully and correctly, adhering to the data protection principles. This will be done by providing appropriate and mandatory staff training (day 1 and annual refresher) and requiring staff to comply with policies and processes, which are mandated;
- Always requiring a legitimate and proportionate reason for the processing of personal data, ensuring that only the minimum necessary for a specified purpose(s) is processed;
- Being open and transparent about how the Inquiry processes personal data and for what purposes. This includes providing appropriate privacy information, through the Inquiry’s Privacy Notice when personal data is collected or obtained for the first time or is processed for a new purpose;
- Managing requests from data subjects to access their personal data and providing mechanisms which allow data subjects to exercise their other rights, including to amend, update, delete, or restrict the processing of personal data where appropriate;
- Implementing processes and procedures designed to ensure the accuracy and quality of personal data at the point it is collected or obtained and throughout its lifecycle;
- Undertaking a Data Protection Impact Assessment (DPIA) and consulting with the Data Protection Officer (DPO) before new personal data processing is deployed that is likely to significantly affect individuals;
- Managing the lifecycle of the personal data including securely destroying personal data once the purpose(s) for its processing have come to an end, provided that there is no other specified legal requirement or valid business/operational reason for its continued retention;
- Ensuring that the Inquiry procurement processes and contractual arrangements with external service providers (or any other third party) processing personal data on its behalf, include adequate measures for compliance with data protection law and any associated requirements outlined in this policy;
- Notifying the DPO of implementing or agreeing any proposed transfer arrangements of personal data to countries or territories outside the European Economic Area;
- Adhering to other relevant legal requirements, policies or guidance which apply to its processing of personal data;
- Ensuring that any complaint about the processing of personal data or non-compliance with this policy will be dealt with promptly, and in accordance with the relevant procedure. The DPO will be notified of any such complaints;
- Approaching the identification, control and mitigation of data protection risks in the same way as other risks and reflecting them in risk registers;
- Maintaining accurate records on personal data processing.
Roles and Responsibilities
All individuals engaged in supporting the Inquiry must:
- Actively comply with this policy;
- Only process personal data for lawful and legitimate purposes directly related to the performance of their duties;
- Report actual or suspected personal data breaches to the Data Protection Officer immediately and keep the DPO fully informed so that they can assess risk and assist in the Inquiry’s response and advise on any required remedial actions.
- Immediate notification allows for prompt action to mitigate the risk to the data subject, but also supports compliance with the requirement to notify the Information Commissioner’s Office (ICO) within 72 hours of the discovery of the breach.
Information Asset Owners
The Information Asset Owners (IAOs) are the Inquiry’s Deputy Secretary, who is responsible for the information generated or acquired by the Inquiry Secretariat, and the Solicitor to the Inquiry, who is responsible for the information generated or acquired by the Inquiry Legal Team (ILT). The Solicitor to the Inquiry is also the joint data controller for personal data held in ILT documents. The IAOs must:
- Ensure that staff within their business areas are aware of this policy and are adequately trained in the handling of personal data;
- Assess and report data protection risks linked to the processing of personal data within their business area;
- Ensure that Data Protection Impact Assessments are carried out as part of the development and implementation of any new business process, including new IT systems that are to be used to process personal data;
- Implement appropriate procedures to ensure compliance with data protection law and relevant restrictions to the processing of personal data within their business area;
- Manage and resolve actual or suspected personal data breaches.
Data Protection Officer (DPO)
The Inquiry has appointed a DPO, whose duty it is under the GDPR, to assist in monitoring internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner. The DPO must be consulted at all stages of processing personal data.
The DPO must:
- Provide advice and guidance to Inquiry staff about their obligations under data protection legislation, ensuring service delivery is balanced with compliance;
- Provide advice and guidance to colleagues on the implementation and interpretation of this policy;
- Monitor compliance with data protection legislation, including the assignment of responsibilities;
- Conduct a programme of risk-based audits to test compliance;
- Provide advice on the mitigation of data protection risks, including those risks identified as a result of DPIAs;
- Provide advice and recommendations following both data processing audits and data breaches;
- Devise, manage and maintain the strategy, policies, processes and procedures for meeting the requirements of data protection legislation;
- Advise the Inquiry Chair and Secretary on Data Protection Act related matters. Ensure they are able to make fully informed decisions on Inquiry data policies;
- Manage the notification of registration with the Information Commissioner’s Office (ICO) and, where necessary, report data protection breaches within the statutory timeframe (72 hours) and any communication with the ICO;
- Ensure that the rights of data subjects are upheld and that subject access and other data subject requests are dealt with correctly and to deadline;
- Deliver mandatory Data Protection training and ensure awareness procedures are in place and monitor that all relevant individuals involved with working on the Inquiry are appropriately trained and updated as necessary.
Information Management Team
These staff support compliance with data protection legislation by:
- Auditing the business processes, operating procedures and working practices of the Inquiry and its service providers including where appropriate, assessment of compliance with this policy, consulting cybersecurity expertise as required;
- Sharing audit findings which identify instances of non-compliance with this policy and or data protection law with the Data Protection Officer.
Information Governance
Information Governance will be a regular agenda item for the Senior Management Team meeting and where appropriate the Executive Management Team, which oversees effective information management and compliance with data protection by:
- Setting the policies that govern the Inquiry’s overall adherence to the data protection law and its processing of personal data;
- Agreeing information management and security policies and procedures;
- Agreeing organisational measures and controls required to protect the security and integrity of personal data processed by the Inquiry;
- Monitoring, through regular reporting, the effectiveness of technical and organisational measures put in place by the IM Team.
Application of this policy
This policy applies to all those involved with working on the Inquiry and to all processing activities. This includes consultants, contractors, partnership organisations, third party suppliers and service providers who must adhere to this policy.
There are sanctions to ensure compliance with data protection law. The Information Commissioner has powers to enter premises where an offence under the Act is suspected of having been committed and to inspect or seize material. The Information Commissioner also has the right to prosecute offenders, including any third-party processors of personal data, and compensation or fines may be payable.
Audit Logging and Monitoring
Management reserves the right to monitor and audit, any and all, use of our information resources, whether that use is business or personal. The outcomes of monitoring and audit activities is used to identify suspicious activity which could lead to the confidentiality, integrity and the availability of our information resources coming under threat. Therefore:
- User activity shall be monitored, logged and log files kept until no longer required in line with data protection laws;
- Where unacceptable activity, unlawful or illegal activity is detected, the individual issued with the account and / or computer equipment assigned to them shall be held culpable unless they can prove otherwise;
- logs shall only be made available to authorised personnel;
- logs shall be used internally to pursue disciplinary action;
- logs shall be handed to external entities if requested by law to pursue legal proceedings.
Policy Information
About this policy:
- any deviation or exceptions to the clauses within this policy, will be documented, reviewed and authorised by all relevant parties before exceptions are permitted;
- It will be supplemented with other policies to further mandate information security controls;
- It will be reviewed annually or when there are changes to the organisation to determine whether all aspects of the policy are up to date and applicable in the current business environments and revised as necessary;
- Will be referred to when investigating any suspected violations reported by an individual. During the investigation it may be recommended to enforce disciplinary action in accordance with the organisation’s conduct policies, or applicable laws;
Sanctions may include one or more of the following:
- suspension or termination of access;
- disciplinary action up to and including termination of employment;
- civil or criminal penalties;
- or any combination of the above