Data Protection Policy
Last updated: November 21, 2024
Contents
Introduction and Scope
Roles and Responsibilities
Data Protection Principles
Lawful Bases
Data Subject Rights
Records of Processing
Privacy by Design and Risk Assessments
Information Sharing
Contract Management
Records Management
Training
Complaints
Appendix One – Subject Access Requests (SARs)
Appendix Two – AI policy
Introduction and Scope
This policy is to ensure that Behaviour Smart complies with the requirements of the UK General Data Protection Regulation and the Data Protection Act 2018 in addition to associated guidance and Codes of Practice issued under the legislation.
This policy, including its appendices, applies to our entire workforce. This includes employees, contractors, agents and representatives, volunteers and temporary staff working for, or on behalf of, Behaviour Smart. Individuals who are found to infringe this policy knowingly or recklessly may face disciplinary action.
This policy is the organisation’s main information governance policy and applies to all personal data, regardless of whether it is in paper or electronic format. It should be read alongside the Information Security Policy.
Roles and Responsibilities
In our processing of personal data, Behaviour Smart acts as both Data Controller and Data Processor depending on the nature and purpose of processing.
Data Controller
UK GDPR defines a Data Controller as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Where Behaviour Smart acts in the capacity of Data Controller we shall act in accordance with applicable data protection legislation and be able to demonstrate compliance.
Data Processor
UK GDPR defines a Data Processor as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.
Where we act in the capacity of Data Processor, Behaviour Smart will ensure a Data Processing Agreement (DPA) is in place with the Data Controller which contains the clauses required under Article 28 of the UK GDPR. Behaviour Smart will act in accordance with the DPA and any requirements of data protection legislation.
Processing of Personal Data
Personal data will be processed in accordance with the requirements of UK GDPR and in compliance with the data protection principles specified in the legislation. Overall responsibility for ensuring that the organisation meets the statutory requirements of any data protection legislation lies with the Director. The following roles have day-to-day responsibility for compliance and provide the necessary assurance to the Director.
Data Protection Officer (DPO)
The role of the DPO is to assist the organisation in monitoring compliance with the UK GDPR and the Data Protection Act 2018 and advise on data protection issues. Behaviour Smart have appointed Veritau as our DPO. Their contact details are:
West Offices, Station Rise, York, YO1 6GA
01904 554025
The DPO will operate in an advisory capacity. Duties will include:
Acting as the point of contact for the Information Commissioner’s Office (ICO) and data subjects;
Facilitating a periodic review of the corporate ROPA and information governance policies;
Assisting with the reporting and investigation of information security incidents;
Providing advice on all aspects of data protection as required, including information requests, information sharing and Data Protection Impact Assessments.
Senior Information Risk Owner (SIRO)
The SIRO is a senior member of staff who has ultimate responsibility for operational risk, ensuring that the organisation’s policies and procedures are effective and comply with legislation, and promoting good practice. In our organisation this role lies with the Director.
Single Point of Contact (SPOC)
The SPOC is someone at operational level who can take responsibility for data protection, including communicating with data subjects and the DPO. In our organisation this role lies with the Director.
All staff
All staff, including contractors, agents and representatives, volunteers and temporary staff working for, or on behalf of, the organisation are responsible for collecting, storing and processing any personal data in accordance with this policy.
Data Protection Principles
We will comply with the data protection principles, as defined in Article 5 of the UK GDPR. We will ensure that personal information is:
Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
Collected only for specified, explicit and legitimate purposes (Purpose Limitation).
Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation).
Accurate and where necessary kept up to date (Accuracy).
Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed (Storage Limitation).
Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
We recognise that not only must we comply with the above principles, we must also demonstrate our compliance (Accountability).
Lawful Bases
UK GDPR sets out several conditions under which we can process personal information lawfully. Where we rely on legitimate interests, we will only do so where we are using data in ways individuals would reasonably expect and will conduct an appropriate legitimate interest assessment (LIA) prior to starting the processing.
Where we act as a Data Processor, the Data Controller determines the lawful basis for processing.
Data Subject Rights
Under the UK GDPR, individuals have several rights in relation to the processing of their personal data:
Right to be informed
We provide individuals with privacy information at the time we collect their data, normally by means of a privacy notice, which is made easily accessible to the data subject. Privacy notices will be clear and transparent, regularly reviewed, and include all information required by data protection legislation.
Where we act as a Data Processor, the Data Controller is responsible for informing data subjects of the above information.
Right of access
Individuals have the right to access and receive a copy of the information we hold about them. This is commonly known as a Subject Access Request (SAR). We have in place a SAR procedure which details how we deal with these requests (Appendix One).
Other rights include the right to rectification, right to erasure, right to restrict processing, right to object, right to data portability and rights related to automated decision-making, including profiling.
Requests exercising these rights can be made to any member of staff, but we encourage requests to be made in writing, wherever possible, and forwarded to the SIRO who will acknowledge the request and respond within one calendar month. Advice regarding such requests will be sought from our DPO where necessary.
A record of decisions made in respect of the request will be retained; recording details of the request, whether any information has been changed, and the reasoning for the decision made.
Where we act as a Data Processor, we will pass any data subject rights requests to the Data Controller and provide assistance as necessary to allow the Controller to comply with their obligations.
Records of Processing
In accordance with Article 30 of UK GDPR, we must keep a record of our processing activities. We will do this by developing and maintaining a Record of Processing Activities (ROPA).
When processing personal data in our capacity as a Data Controller, our ROPA will include the following details (as a minimum):
The name and contact details of the Controller and, where applicable, the joint Controller, the Controller's representative and the DPO;
The purposes of the processing;
A description of the categories of data subjects and of the categories of personal data;
The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, where required, the documentation of suitable safeguards;
The envisaged retention period(s) for the different categories of data;
A general description of the technical and organisational security measures.
We will include links to relevant documentation, such as data processing contracts, information sharing agreements, and risk assessments, wherever possible.
When acting in our capacity as a Data Processor, our ROPA will include the following details (as required by UK GDPR):
The name and contact details of the Processor or Processors and of each Controller on behalf of which the Processor is acting, and, where applicable, of the Controller's or the Processor's representative, and the DPO;
The categories of personal data processed on behalf of each Data Controller;
A general description of the technical and organisational security measures.
We will review the above records at least annually to ensure they remain accurate and up to date, consulting with the DPO as necessary.
Privacy by Design and Risk Assessments
We will adopt a privacy by design approach and implement appropriate technical and organisational security measures to demonstrate how we integrate data protection into our processing activities.
We will conduct a Data Protection Impact Assessment (DPIA) when undertaking new, high-risk processing, or making significant changes to existing data processing. The purpose of the DPIA is to consider and document the risks associated with a project prior to its implementation, ensuring data protection is embedded by design and default.
All of the data protection principles will be assessed to identify specific risks. These risks will be evaluated and solutions to mitigate or eliminate these risks will be considered. Where a less privacy-intrusive alternative is available, or the project can go ahead without the use of special category data, we will opt to do this.
All DPIAs are signed by our SIRO and reviewed by our DPO.
Information Sharing
In order for Behaviour Smart to effectively fulfil our duties it is sometimes necessary for us to share information with third parties. Routine and regular information sharing arrangements will be documented in our privacy notices and in our ROPA.
Any further or ad-hoc sharing of information will only be done in compliance with legislative requirements, including the ICO’s data sharing code of practice. We will only share personal information where we have a lawful basis to do so, ensuring any disclosure is necessary and proportionate. All disclosures will be approved by the relevant staff member and recorded in a disclosure log.
Contract Management
All third-party contractors who process data on our behalf must be able to provide assurances that they have adequate data protection controls in place. Where personal data is being processed, we will ensure that there is a written contract in place which includes all the mandatory data processing clauses, as required by UK GDPR.
We will maintain a record of our Data Processors, and regularly review the data processing contracts, with support from the DPO, to ensure continued compliance.
International Transfers
Usually, personal information processed by us is not transferred outside of the European Economic Area (EEA), which is deemed to have adequate data protection standards by the UK government. If personal data is transferred outside the EEA, we will take reasonable steps to ensure appropriate safeguards are in place.
We will consult with the DPO for any processing which may take place outside of the EEA prior to any contracts being agreed.
Records Management
A programme is in place for managing our records throughout their lifecycle, including using methods such as version control and file plans to ensure that records can be easily searched and accessed in the event of an information request.
Email management
We have a process in place to ensure that emails are also managed in line with this policy and our retention schedule. Emails discussing organisational business or reflecting significant actions or decisions concerning organisational business will not be stored in personal email inboxes but will be removed and stored securely in the appropriate filing system.
Personal email inboxes are regularly reviewed by staff to ensure any unnecessary emails are deleted.
Storage and security
All records, especially where containing personal data, will be stored securely to maintain confidentiality, whilst also keeping information accessible to those authorised to see it. Electronic records will have appropriate security and access controls in place, and systems will have robust audit functions in place wherever possible.
Paper records will be stored in secure, lockable storage areas with restricted access.
When sharing or transferring records containing personal information, we will ensure appropriate transmission security controls are in place, in line with our Information Security Policy.
Retention and disposal
The retention period for particular types of records is determined by legal, regulatory or functional requirements.
We will ensure that any records containing personal or confidential information are disposed of appropriately and securely when they have reached the end of their retention period as per our Retention Schedule.
Databases or electronic records management systems with the functionality to automatically destroy records after a specified period of time will be used wherever possible. A review of the records will be conducted prior to destruction, where practical.
Where automatic disposal is not in place, for example for paper records, we will conduct a manual review, at least annually, to ensure they are deleted in line with retention guidelines.
The disposal of all information is documented to ensure that we maintain a record of when it has been deleted and by whom. This allows us to evidence that a record no longer exists in the event of a subject access request being received.
Where we act as a Data Processor, the Data Controller determines the retention periods of their information and our systems allow them to delete information as necessary.
Training
We will ensure that appropriate guidance and training are given to our workforce and other authorised users on data protection, records management and access to information. Training will be delivered as part of the induction process and as refresher training at appropriate intervals.
Specialised roles or functions with key data protection responsibilities, such as the SIRO and SPOC, will also receive additional training specific to their role.
We will keep a record of all training that has been completed and ensure that data protection awareness is raised in staff briefings and as standard agenda items in meetings, where appropriate.
We will ensure that any third-party contractors have adequately trained their staff in information governance by conducting the appropriate due diligence.
Complaints
We take complaints seriously. Any concerns about the way we have handled personal data, or requests for further information in relation to data protection, should be raised with the SPOC. We will then consult with the DPO, where necessary, for advice and guidance.
If an individual remains dissatisfied after we have concluded our investigation, they may complain to the Information Commissioner’s Office. Their contact details are below:
Phone: 0303 123 1113 or via their live chat
Their normal opening hours are Monday to Friday between 9am and 5pm (excluding bank holidays). You can also report, enquire, register and raise complaints with the ICO using their web form on Contact us | ICO
Appendix One – Subject Access Requests (SARs)
Under the UK GDPR, individuals have the right to make a Subject Access Request (SAR) to any member of our workforce, contractor or agent working on behalf of Behaviour Smart. Requests need not be made in writing, but we encourage applicants to do so where possible. Requests should be forwarded to the SIRO who will log the request and acknowledge it within five working days.
We must be satisfied of the requestor’s identity and may have to ask for additional information to verify this, such as:
valid photo ID, such as driver’s licence or passport,
proof of address, such as a utility bill or council tax letter,
confirmation of email address, or
further information for Behaviour Smart to be satisfied of the applicant’s identity.
Only once we are confident of the requestor’s identity and have sufficient information to understand the request will it be considered valid. We will then respond to the request within the statutory timescale of one calendar month.
We can apply a discretionary extension of up to a further two calendar months to comply if responding to the request would take a considerable amount of time, due to either the complexity or volume of the records. If we wish to apply an extension, we will firstly seek guidance from our DPO, then inform the applicant of the extension within the first calendar month of receiving the request.
If we think it necessary to apply any exemptions, we will seek guidance from our DPO. In limited circumstances, we may also refuse a request on the basis that it is manifestly unreasonable or excessive.
Internal Review
Complaints in relation to SARs and other data subject rights will be processed as an internal review request.
An internal review will be dealt with by an appropriate member of staff who was not involved in the original request. They will examine the original request and response and decide whether it was dealt with appropriately under the legislation. The reviewing officer will decide whether to uphold or overturn any exemptions. A full response will be provided within one calendar month where possible.
If an individual remains dissatisfied after we have concluded our investigation, they may appeal to the Information Commissioner’s Office. Their contact details are below:
Phone: 0303 123 1113 or via their live chat
Their normal opening hours are Monday to Friday between 9am and 5pm (excluding bank holidays). You can also report, enquire, register and raise complaints with the ICO using their web form on Contact us | ICO
Appendix Two – AI policy
Introduction
This document outlines the procedures for using AI at Behaviour Smart Ltd to ensure that staff members utilise AI responsibly and effectively while maintaining the integrity of our systems.
General Use of AI
Staff are encouraged to use AI tools to support their work processes, enhance productivity, and improve service delivery.
AI should be used as a supplementary resource, assisting in tasks but not generating final documentation or decision-making outputs independently.
Authorisation for Changes
Any changes to the AI prompts, system messages, or underlying configurations must be authorised by Dean Cotton, the Director of Behaviour Smart Ltd.
Behaviour Smart staff should document any suggested changes and submit them for review to Dean Cotton for consideration.
Guidelines for AI Interaction
When using AI, staff should ensure that inputs are clear and specific to achieve the best possible output.
Staff must critically assess any information provided by AI, verifying its accuracy and relevance before incorporating it into their work.
Confidentiality and Data Protection
Staff must not input any confidential or sensitive information into AI systems.
All interactions with AI should comply with Behaviour Smart Ltd’s Data Protection and Information Security Policies.
Training and Support
Training sessions on the effective use of AI will be provided regularly.
Staff should reach out to their supervisor or the designated AI support team for assistance or clarification regarding AI usage.
© Copyright Behaviour Smart Ltd. All Rights Reserved.