Data Protection Policy

Data Subject
The data subject is the living individual to whom the person data relates.

Personal Data
Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. IP addresses and cookie strings are now seen as personal data and there is no distinction between personal data about individuals in their private, public or work roles.  

The Data Protection regulations also have a separate category of "special" personal data, more commonly referred to as sensitive personal data. This is personal data that is afforded extra protection.  See below under Sensitive Personal data. Financial data, social security numbers and child data are not protected as sensitive under the UK General Data Protection Regulations.

Relevant Policies
There are a number of other policies and procedures integral to the governance framework for protecting data that employees must be aware of:
•    The Data Protection Policy and associated policies, and Guidelines
•    The Patient Identifiable Information Policy
•    The Acceptable Use Policy for ICT
•    The Use of Removable Media Policy
•    The Disaster Recovery Policy
•    The Information Protection Policy (IT)
•    The Information Security Policy
•    The IT Access Policy
•    The IT Infrastructure Policy
•    The Mobile Phone Security Policy
•    The Subject Access Requests Procedure
•    The Data Breaches Procedure
•    The Data Protection Training Procedure
•    The Privacy Impact Assessment Procedure
•    The Paper Records Handing Procedure
•    The Secure Office Procedure
•    Privacy Notice

Sensitive Data
Sensitive Personal Data – Or Special categories of personal data, are explained under ‘Personal Data’ above. However, the following categories of data are considered sensitive under the UK GDPR Regulations. Explicit consent of the data subject is required for processing sensitive data unless you can rely on some other EU or Member State law. Sensitive data includes: -

•    A persons racial or ethnic origin;
•    Their political opinions;
•    Details of their religious or philosophical beliefs;
•     trade union membership;
•    Data concerning a person’s mental or physical health
•    Any information concerning their sex life or sexual orientation;
•    Any genetic data about that person
•    Any biometric data which when processed can uniquely identify a person
    
Separately under UK law the recording of any information relating to any actual or alleged criminal records, convictions or activities including court proceedings is also considered sensitive information.

Third Parties - Any third party the Council legitimately shares, or that it intends to share data with, including, but not limited to contractors, service providers, partners and volunteers.

Data Controller – The term that describes those legal entities who collect and use Personal Data (in our scenario WHBC is the Data Controller)
A Data Controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.  Where an organisation is required by law to process personal data, it must retain data controller responsibility for the processing. It cannot negate its responsibility by ‘handing over’ responsibility for the processing to another data controller or data processor.   
NB. The term ‘person’ is a legal reference to an individual or a legal entity whichcan include companies, public authorities or partnerships.

Data Processor – An external party who performs any activity whatsoever that involves Personal Data, held either electronically or manually, which is undertaken on behalf of the Data Controller. Sub-Data Processors can be appointed by the Data Processor but only with the permission of the Data Controller.

Protectively Marked Documents - The purpose of protective markings is to indicate the value of a particular asset in terms of the damage that is likely to result should it be compromised.  The Protective Marking System ensures that sensitive information receives a uniform level of protection and treatment according to its degree of sensitivity.

Information Commissioner’s Office - The Information Commissioner's Office is an independent authority in the UK that promotes openness of official information and protection of private information.