Data Protection Policy V2.3

1. Introduction

1.1. This policy provides a framework for ensuring that Clearglass Insights meets its obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 18). 

1.2. Clearglass Insights complies with data protection legislation guided by the six data protection principles. In summary, they require that personal data is: 

  • processed fairly, lawfully and in a transparent manner. 
  • used only for limited, specified stated purposes and not used or disclosed in any way incompatible with those purposes.
  • adequate, relevant, and limited to what is necessary. 
  • accurate and, where necessary, up to date. 
  • not kept for longer than necessary; and 
  • kept safe and secure. 

1.3. In addition, the accountability principle requires us to be able to evidence our compliance with the above six principles and to make sure that we do not put individuals at risk through the processing of their personal data. Failure to do so can result in a breach of legislation, reputational damage, or financial consequences due to fines. To meet our obligations, we put in place appropriate and effective measures to make sure we comply with data protection law. 

1.4. Our staff have access to a number of policies, operational procedures and guidance to give them appropriate direction on the application of the data protection legislation. This includes an overarching: 

  • Information Management Policy 
  • Retention and Disposal Schedule 
  • Appropriate Policy Document - Our Processing of Special Categories of Personal Data and Criminal Offence Data 
  • Appropriate Policy Document - Law Enforcement Processing 

2. Information Covered by Data Protection Legislation 

2.1. The UK GDPR definition of "personal data" includes any information relating to an identified or identifiable natural living person. 

2.2. Pseudonymised personal data is covered by the legislation. Anonymised data, however, is not regulated by the UK GDPR or DPA 18, provided the anonymisation has not been done in a reversible way. 

2.3. Some personal data is more sensitive and is afforded more protection; this is information relating to: 

  • Race or ethnic origin; 
  • Political opinions; 
  • Religious or philosophical beliefs; 
  • Trade union membership; 
  • Genetic data; 
  • Biometric ID data; 
  • Health data; 
  • Sexual life and/or sexual orientation; and 
  • Criminal data (convictions and offences).

3. Our Commitment 

3.1. Clearglass Insights is committed to transparent, lawful, fair and proportionate processing of personal data. This includes all personal data we process about customers, staff or those who work or interact with us.

3.2. Privacy Notices - we publish a privacy notice on our website and provide timely notices where this is required. We track and make available any changes in our privacy notice. 

3.3. Training - we require all staff to undertake mandatory training on information governance and security. 

3.4. Breaches - we consider personal data breach incidents and have a reporting mechanism that is communicated to all staff. We assess whether we need to report breaches to the ICO as the regulator under the DPA. We take appropriate action to make data subjects aware where needed. 

3.5. Information Rights - we have clear processes to handle subject access requests and other information rights requests. 

3.6. Data Protection by Design and Default - we have a procedure to assess processing of personal data perceived to be high risk, which requires a Data Protection Impact Assessment (DPIA) to be carried out, and processes to assist staff in ensuring that compliance and privacy by design are an integral part of any product, project or service we offer. 

3.7. Policies and Procedures - we produce policies and guidance on information management and compliance that we communicate to staff. 

3.8. Communications - We foster clear communication which seeks to embed a culture of privacy and risk orientation. 

4. Roles and Responsibilities 

4.1. Clearglass Insights roles and responsibilities comprise the following. 

Data Protection Officer (DPO): The DPO is primarily responsible for advising on and assessing our compliance with the DPA and UK GDPR and making recommendations to improve compliance. 

4.2. Other roles. Specific roles are assigned throughout our corporate hierarchy to manage personal data we process and the associated risks in terms of responsibilities, decision making and monitoring compliance. 

4.2.1. Information Asset Owners (IAOs): IAOs have local responsibility for data protection compliance in their area/directorate. 

5. Monitoring 

5.1. Compliance with this policy will be monitored via the DPO and alterations made as necessary to ensure compliance. 

This policy was last updated on 2nd October 2024.

©Copyright. All rights reserved.
