Data Protection & Confidentiality Policy

Contents

  1. Purpose
  2. Scope
  3. Definitions
  4. Associated Law, Regulations and Policies
  5. Management Roles and Responsibilities
  6. Data Classification
  7. General Responsibilities under the GDPR
  8. Mandatory Requirements for the Protection of Data
  9. Data Protection and Privacy Awareness Training
  10. Auditing and Monitoring
  11. Breach Reporting and Escalation
  12. Policy Compliance
  13. Exceptions
  14. Non-Compliance
  15. Risks

1. Purpose

The purpose of this document is to help TRUTH GYM to ensure compliance with the GDPR, and provide guidelines for the lawful processing and protection of TRUTH GYM digital or non-digital data.

2.  Scope

This policy applies to all TRUTH GYM employees, contractors and third-party users. Anyone with access to TRUTH GYM’s equipment and information (in any format) is responsible for ensuring that they adhere to the directions for general data protection set out in this policy.

3. Definitions

“Information Asset Owner” or “Information Owner” means a senior member of the Management Team within a TRUTH GYM Business Unit who is responsible for the protection and use of a specific subset of information or data.

“Information Asset Administrator” means the individual responsible for maintaining and ensuring adequate protection of a specific subset of information or data.

“System” means any internally or externally facing TRUTH GYM owned (or managed) system that may store or process data owned by more than one data owner.

“System Owner” means the individual responsible for one or more internally or externally facing TRUTH GYM owned (or managed) systems.

“Data Classification” means the act of classifying data according to its value and sensitivity to the organisation. TRUTH GYM uses the following classifications for the protection of digital and non-digital data:

  • Special Category: (e.g. all data that may reveal information about a gym member’s health)
  • Personal: (e.g. all contract information and demographic data about gym members)

“Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or any other body processing personal data on behalf of the controller.

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.

“Special Categories of Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

“Data Breach” means a breach in security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

4.  Associated Law, Regulations and Policies

  • Common law duty of confidentiality;
  • Data Protection Act 2018;
  • The General Data Protection Regulation;
  • Privacy and Electronic Communications Regulation;
  • Information Security Policy; and
  • Acceptable Use of Information Policy

5. Management Roles and Responsibilities

The Information Asset Owner has responsibility to:

  • Ensure that data within their area of the business are collected, processed, stored and destroyed in accordance with the General Data Protection Regulation, this policy and associated policies.
  • Determine what classification label should be assigned to an information asset or data under their ownership.
  • Ensure compliance with all regulatory requirements as they relate to the information asset or data.
  • Determine the criteria for accessing an information asset or data.

The Information Asset Administrator has responsibility to:

  • Ensure that adequate controls are in place to protect the confidentiality, integrity and availability of an information asset or data.
  • Assign or revoke access to an information asset or data as directed by the Information Asset Owner.
  • Ensure all access to an information asset and data is adequately logged in the Information Asset Register.
  • Ensure that all flows of personal data and special categories of personal data are mapped.

The Data Protection Officer has responsibility to: 

  • Inform and advise the controller and the processor (including their employees) who process personal data of their obligations pursuant to the Regulation.
  • Monitor compliance with the Regulation, with other Union or Member State data protection provisions, and with the policies of the controller and processor in relation to the protection of personal data, including the assignment of responsibilities and the privacy awareness training of staff processing personal and special categories of personal data.
  • Provide advice with respect to Data Privacy Impact Assessments (DPIAs) and monitor their performance.
  • Respond to Subject Access Requests (SARs) within the timeframe set out in the Regulation.
  • Co-operate with, and act as a single point of contact for, the Supervisory Authority.

6.  Data Classification 

It is imperative that TRUTH GYM data is classified appropriately with the correct classification label according to its value.  Correctly classifying information allows the appropriate controls to be implemented for the protection of personal or sensitive information.

7.  General Responsibilities under the GDPR

7.1       The Principles of Data Protection

TRUTH GYM employees processing personal data must comply with the existing eight enforceable data protection principles. These principles stipulate that personal data is:

  1. Processed fairly and lawfully;
  2. Processed only for a specified and lawful purpose;
  3. Adequate, relevant and not excessive for the purpose;
  4. Accurate and up to date;
  5. Not kept longer than necessary for the purpose;
  6. Processed in accordance with the Data Subject’s rights;
  7. Kept secure; and
  8. Not transferred to people or organisations situated in countries without adequate protection.

Additionally, all TRUTH GYM employees, third party suppliers and contractors are required to ensure that:

  • Any information or data they hold that has been identified as being ‘Restricted’ or ‘Sensitive’ is kept securely.
  • Personal data is not disclosed, either orally, in writing, accidentally or otherwise, to any third party without explicit authorisation.
  • They follow the prescribed guidelines (contained in the associated legislation, regulations and policies referred to in Section 4 of this document) for the protection of personal data and special categories of personal data.

7.2       Fair and Lawful Processing

To meet its Fair and Lawful Processing obligations under the GDPR, TRUTH GYM employees processing personal data or special categories of personal data, by automated or partially automated means, must ensure that:

  • The data subject has been provided with the Fair Processing Notice (FPN). The FPN advises the data subject that TRUTH GYM will take all reasonable measures to provide data subjects with clear, concise and up to date information, written in plain English, about the way their data will be processed.
  • If personal data about a data subject is received from other sources, the data subject is provided with the FPN as soon as possible thereafter.

Additionally, the FPN must inform the data subject about:

  • The data controller’s identity and contact details;
  • The Data Protection Officer’s contact details;
  • The lawful basis relied upon for processing and storing personal data;
  • The period for which data will be stored;
  • The existence of the data subject’s right to request access, rectification or erasure, or to object to processing;
  • The right to lodge a complaint with the Information Commissioner’s Office (“ICO”), together with the ICO’s contact details;
  • The recipients or categories of recipients of the personal data;
  • Any intention to transfer data to another country and the level of protection afforded in the destination country;
  • Whether the provision of personal data is voluntary or mandatory, and the consequences of failing to provide it;
  • The existence of any profiling; and
  • The existence of processing activities deemed to be high risk.

To further emphasise the importance of ensuring that personal data and special categories of personal data are processed lawfully in accordance with GDPR, TRUTH GYM employees must ensure that personal data and special categories of personal data is only processed on the basis of one of the legal grounds set out in the Regulation, namely:

  • The data subject has given consent to the processing;
  • The processing is necessary for the performance of a contract with the data subject;
  • The processing is necessary for compliance with a legal obligation to which the data controller is subject; or
  • The processing is necessary for the legitimate interests of the data controller or of the party to whom the data is disclosed.

7.3       Specified and Lawful Processing

Additionally, the processing of personal data or special categories of personal data can only be considered lawful where TRUTH GYM employees ensure that:

  • Personal data is processed for the specific purpose(s), or in a manner compatible with the purpose or purposes notified to the data subject when personal data is first collected, or as soon as possible thereafter (i.e. in accordance with the FPN provided to the data subject).
  • Personal data is processed only in a manner compatible with the purpose or purposes for which it was obtained.

7.4       Adequate, Relevant and Not Excessive

To ensure that any personal data collected for processing is adequate, relevant and not excessive, TRUTH GYM employees must ensure that:

  • The processing of personal data or special categories of personal data is adequate, relevant and not excessive in that adequate personal data is collected to satisfy the purpose or purposes notified to the data subject, especially where the purpose or purposes have an impact upon the data subject.

7.5       Accuracy of Personal Data

To ensure that TRUTH GYM meets its obligations under the GDPR to maintain accurate and up to date information, all TRUTH GYM employees must ensure that:

  • They check the accuracy of any personal data at the point of collection and at regular intervals afterwards. TRUTH GYM employees must take all reasonable steps to destroy or amend inaccurate or out-of-date
  • They verify that mechanisms are in place to provide data subjects with the means to correct any inaccuracies in their personal data.

7.6       Timeliness of Processing

Staff must ensure that they securely destroy, or erase from our systems, all data that are no longer required.

TRUTH GYM employees must ensure that:

  • Personal data is not kept for longer than is necessary for the purpose or purposes for which it was collected. Reasonable steps must be taken to protect the confidentiality of personal data and special categories of personal data.

7.7       Data Subjects’ Rights

It is imperative that the rights and freedom of the data subject are protected at all times when processing personal data and special categories of personal data.  As such, TRUTH GYM employees must ensure that data subjects are informed of their right to:

  • Access to a copy of the information comprising their personal data – wherever reasonably practicable (unless otherwise requested) copies must be provided in a structured and machine-readable format;
  • Object to processing that is likely to cause or is causing damage or distress;
  • Prevent processing for the purpose of direct marketing;
  • Object to decisions being taken by automated means; and
  • Have inaccurate personal data rectified, blocked, erased or destroyed.

TRUTH GYM will put procedures and processes in place to enable data subjects to exercise their rights without excessive delay or expense.  All TRUTH GYM employees must follow the guidance outlined in the said procedures and processes.

7.8       External Transfers

TRUTH GYM may process personal data outside of the European Economic Area (EEA) (including Special Category data).  Where the transfer of personal data or special categories of personal data outside the EEA is deemed necessary, TRUTH GYM employees must ensure that one or more of the following conditions has been met:

  • The country or region to which personal data is being transferred to ensures an adequate level of protection for the data subjects’ rights and freedom.
  • The data subject has given consent to the transfer.
  • The transfer is necessary for one of the reasons set out in the Data Protection Act, 2018, including the performance of a contract with the data subject, or to protect the vital interests of the data subject.
  • The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
  • Adequate safeguards have been put in place to protect the rights and freedom of data subjects.

7.9       Disclosure and Sharing

We may disclose personal data we hold to third parties, namely:

  • In the event that TRUTH GYM buys or sells any business assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets.
  • If we, or substantially all of our assets, are acquired by a third party, in which case personal data we hold will be one of the transferred assets.
  • In order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject; or to protect our rights, property, or the safety of our employees and customers.
  • For the purposes of fraud protection and credit risk reduction.
  • In accordance with the Fair Processing Notice.

7.10    Direct Marketing

Where a data subject or subjects have given consent to the processing of personal data or special categories of personal data:

  • Only direct marketing materials consistent with the recipient’s consent must be sent;
  • Marketing lists should only be made available to third parties for direct marketing purposes within the scope of the recipient’s consent.
  • All direct marketing materials must include relevant particulars of the business and any promotional offer, be clearly identifiable as a commercial communication, and must provide the recipient with the ability to withdraw or modify their consent.

7.11    Data Subject Access Requests (SARs)

Under existing legislation data subjects must make a formal request for the information we hold about them. This must be made in writing. As such:

  • TRUTH GYM employees who receive a written request should forward it to the Data Protection Officer immediately.
  • Where such requests are received by telephone, personal data should only be disclosed where the identity of the data subject or their representative has been confirmed.
  • Where the identity of the caller cannot be verified, the data subject should be directed to submit their request in writing, providing proof of identification (in the form of a copy of a passport or driving licence and two utility bills).
  • Copies of the information requested must, subject to any applicable exemptions, be provided within one calendar month.

8. Mandatory Requirements for the Protection of Data

8.1       Pseudonymisation

The primary aim of pseudonymisation is to decouple ‘personal’ attributes from within a dataset. Pseudonymisation is achieved where a process, similar to encryption, is used to translate personal identifiers into unique artificial identifiers, i.e. pseudonyms. It should be noted that pseudonymisation does not render data completely anonymous: whoever holds the mapping between pseudonyms and the original identifiers can still identify the data subjects. Pseudonymised data is therefore still classed as personal data and must be treated accordingly.

8.2       Anonymisation

Data anonymisation provides a greater degree of data protection than afforded with pseudonymisation alone.  Data anonymisation involves the removal of all personal identifiers to the extent that the data subject can no longer be identified.  The data owner must consider the use of pseudonymisation and anonymisation as a means of data protection for the following reasons:

  • As part of a wider ‘Privacy by Design’ strategy;
  • As part of a risk minimisation strategy;
  • To reduce the likelihood of an inadvertent data breach whilst personal data is being accessed;
  • As part of a data minimisation strategy where the aim is to reduce the risk of a data breach on data subjects. 

8.3       Data Masking

Data masking can be performed to protect the confidentiality of sensitive information in situations where encryption is not appropriate or cost-effective, for example during authentication or for analytical use cases. Where masking is chosen as an option for the protection of sensitive data, the masked data should be realistic and should satisfy the same business rules as the real data.
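The following is an added example, not part of the TRUTH GYM policy, that shows the three techniques of sections 8.1 to 8.3 applied to a constructed gym-member dataset. The member records, the key and the helper names (pseudonymise, reidentify, mask, anonymise) are all assumptions made for the example. The point it makes is the one section 8.1 stresses: the pseudonymised output is still personal data because the controller keeps the key and lookup table that re-link it, whereas the anonymised output discards both.

```python
"""Added example: keyed pseudonymisation, data masking and anonymisation
of a constructed gym-member dataset (not the policy's own code)."""
import hashlib
import hmac
import secrets

# Constructed sample records; names, contact details and notes are invented.
MEMBERS = [
    {"member_id": "M-1001", "name": "Alice Example", "email": "alice@example.com",
     "phone": "07700900123", "dob": "1990-05-14", "health_note": "asthma"},
    {"member_id": "M-1002", "name": "Bob Sample", "email": "bob@example.org",
     "phone": "07700900456", "dob": "1985-11-02", "health_note": "knee injury"},
]
DIRECT_IDENTIFIERS = ("member_id", "name", "email", "phone")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 truncated to 16 hex chars.
    The key is the 'additional information' that must be kept separately from
    the dataset; without it the pseudonym cannot be reversed by enumerating the
    small member-ID space, which a plain unkeyed hash would allow."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Replace the direct identifiers with one pseudonym per member, keeping
    the special-category field. Returns (pseudonymised records, lookup table).
    The lookup table is what makes the output re-identifiable, so the output
    remains personal data under the policy."""
    out, lookup = [], {}
    for rec in records:
        pid = pseudonym(rec["member_id"], key)
        lookup[pid] = rec["member_id"]
        out.append({"pseudo_id": pid,
                    **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


def reidentify(pseudo_rec, lookup):
    """Controller-side reversal using the separately held lookup table."""
    return lookup.get(pseudo_rec["pseudo_id"])


def mask_email(email: str) -> str:
    # Keeps the '@domain' shape so the value still passes an email format rule.
    local, _, domain = email.partition("@")
    return local[0] + "***@" + domain


def mask_phone(phone: str) -> str:
    # Same length as the original, last three digits visible for call-centre
    # identity checks; the rest is replaced.
    return "*" * (len(phone) - 3) + phone[-3:]


def mask(record):
    """Masked copy that is realistic and satisfies the same business rules."""
    out = dict(record)
    out["email"] = mask_email(record["email"])
    out["phone"] = mask_phone(record["phone"])
    return out


def age_band(dob: str, reference_year: int = 2024) -> str:
    """Generalise a date of birth to a ten-year age band (e.g. '30-39')."""
    age = reference_year - int(dob[:4])
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def anonymise(records):
    """Drop every direct identifier and generalise the date of birth. No key
    or lookup table is produced, so nothing in the output links back."""
    return [{"age_band": age_band(r["dob"]), "health_note": r["health_note"]}
            for r in records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stored apart from the data in practice
    pseudo, table = pseudonymise(MEMBERS, key)
    print("pseudonymised:", pseudo)
    print("re-identified first record:", reidentify(pseudo[0], table))
    print("masked:", mask(MEMBERS[0]))
    print("anonymised:", anonymise(MEMBERS))
```

Running the module prints one record in each form. In practice the key would live in a secrets store rather than be generated at run time, and the lookup table (if kept at all) would sit in a separately access-controlled system owned by the Information Asset Owner.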

8.4       Encryption 

Encryption should be used to protect the confidentiality of personal data where applicable.

9. Data Protection and Privacy Awareness Training

TRUTH GYM employees must undertake annual privacy and data protection awareness training as a means of reinforcing their obligations with regard to the correct handling and protection of personal and sensitive personal data.  Annual privacy and data protection awareness training will seek to provide employees with up to date training in relevant areas according to employee roles and responsibilities.  The outcome of any privacy awareness training that an employee receives must be documented and/or recorded appropriately.

10. Auditing and Monitoring

The DPO and Information Asset Owner have the responsibility of auditing and monitoring the guidance outlined in this Policy to ensure that TRUTH GYM is meeting its obligations with respect to the correct handling of personal data and special categories of personal data. Compliance audits must be conducted, at least on an annual basis, or sooner if there are risks or incidents which give rise to a need to conduct an audit.

11. Breach Reporting and Escalation

Any TRUTH GYM employee who suspects that a breach has occurred which is likely to result in a risk to the rights and freedoms of individuals must inform the Data Protection Officer as a matter of urgency (and in any event no later than 12 hours after the breach is identified).

12. Policy Compliance

All TRUTH GYM employees, third parties and contractors should adhere to relevant local, regional, national and global privacy requirements in conjunction with this policy. TRUTH GYM will verify and monitor compliance with this policy through various methods including, but not limited to, technical tools, software, business reports and internal audits.

13. Exceptions  

The TRUTH GYM Data Protection Officer (DPO), in conjunction with the Information Asset Owner and System Owner, must approve exceptions to this policy.

14.  Non-Compliance

Non-compliance with this policy or with relevant local, regional, national and global privacy requirements should be notified to the Information Asset Owner and the Data Protection Officer. TRUTH GYM employees, third parties and contractors who violate this policy could be subject to disciplinary or legal action.

15. Risks

Any risks which are identified must be reported to the Information Asset Owner (IAO) of the relevant business area, who in turn must report any significant risks to the Data Protection Officer. The IAO must ensure that all risks are recorded in the Information Risk Register and that adequate controls are implemented to mitigate risks in proportion to the threat they pose.