Data Protection Act 2018 and General Data Protection Regulation (GDPR)

Aims:

Cosmedic Skin Clinic aims to ensure that all personal data is collected, stored and processed in accordance with the General Data Protection Regulation (GDPR) and the provisions of the Data Protection Act 2018 (DPA 2018) as set out in the Data Protection Bill.

This policy applies to all personal data, regardless of whether it is in paper or electronic format.


Legislation and guidance

This policy meets the requirements of the GDPR and the provisions of the DPA 2018. It is based on guidance published by the Information Commissioner’s Office (ICO) on the GDPR and the ICO’s code of practice for subject access requests.

In addition, this policy complies with regulation 5 of the (England) Regulations 2005.


Data Protection Act 2018 and GDPR

The Act sets out the framework for data protection law in the UK. It sits alongside the GDPR, and tailors how the GDPR applies in the UK and sets out the Information Commissioner’s functions and powers. The GDPR is the General Data Protection Regulation (EU) 2016/679. It sets out the key principles, rights and obligations for most processing of personal data.


General Data Protection Regulation Principles

Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime. Article 5(1) requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Article 5(2) adds that:

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

Cosmedic Skin Clinic has a responsibility to ensure that its activities comply with the data protection principles. The Directors of Cosmedic Skin Clinic have responsibility for the type of personal data they collect and how they use it. Cosmedic Skin Clinic employees will not disclose personal data outside the organisation’s procedures, or use personal data held on others for their own purposes. Personal data is data that relates to an identified or identifiable individual and is:

  • processed electronically
  • kept in a filing system
  • part of an accessible record, for example an education record
  • held by a public authority.

This includes data that does not name an individual but could potentially identify them.


How long can information be kept

Information must not be kept for longer than is necessary. While the GDPR sets no fixed retention period, some records must be kept for a certain period of time in accordance with other legislation.


Disposal of records

Personal data that is no longer needed will be disposed of securely. Personal data that has become inaccurate or out of date will also be disposed of securely, where we cannot or do not need to rectify or update it.

For example, we will shred or incinerate paper-based records, and overwrite or delete electronic files.


The data protection principles of the Data Protection Act 2018

There are eight data protection principles that are central to the Act. Cosmedic Skin Clinic and all its employees must comply with these principles at all times in its information-handling practices. The Act’s Principles require that the controllers and processors of individuals’ personal data ensure the data is:

Principle 1 – Used fairly and lawfully – i.e. you must have legitimate grounds for the collection and use of personal data. The data must not be used in unlawful ways or to the detriment of the individual and it must be clear to the individual how you intend to use their personal data. At least one condition of Schedule 2 must be met and in the case of sensitive data, at least one of the conditions of Schedule 3 must also be met.

Principle 2 – Used for limited and specifically stated purposes – The data controller and processor must make it clear why the personal data is being requested and for what purpose it is intended to be used. It may not be used for any other purpose other than stated.

Principle 3 – Used in a way that is adequate, relevant and not excessive – only hold data about an individual that is sufficient for the purpose you have collected it for and do not hold more information than required.

Principle 4 – Accurate – this means that the controller or processor needs to take reasonable steps to ensure the accuracy of personal data collected and ensure it is clear and up to date. Consideration needs to be given to updating information when necessary.

Principle 5 – Kept for no longer than is absolutely necessary – personal data will need to be securely destroyed or archived once the purpose for its collection has been fulfilled, or the information is out of date.

Principle 6 – Handled according to people’s data protection rights – Individuals have the right to access their personal data collected and object to the way it is being used. They also have the right to have inaccurate data altered or destroyed.

Principle 7 – Kept safe and secure – this requires the data controller and data processor to install appropriate security measures to prevent the unlawful or accidental loss, damage or use of personal data. The security measures relate to electronic safety, such as encryption of data, as well as authorised personnel usage.

Principle 8 – Not transferred outside of the European Economic Area without adequate protection – first, it is important to ensure the individual whose data has been collected is aware of the intention to transfer their data outside of the EU. There is a checklist of rules to adhere to regarding the transfer of data outside of the EEA, which a legal advisor will be able to help you with. It is often necessary to use data encryption or anonymisation when transferring data to avoid any misuse of the individual’s personal data.

Personal data is about living people and could be: their name, address, medical details or banking details.

Sensitive personal data is also about living people but there is stronger legal protection for more sensitive information, such as:

  • racial or ethnic origin
  • political opinion
  • religious beliefs
  • membership of a trade union
  • health
  • sex life or sexual orientation
  • criminal records

Processing of special categories of personal data

For entering into and managing contracts with the individuals concerned, for example our employees, the legal basis is:

Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:

Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Where we process special categories data, for example data concerning health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR. Where we are processing special categories personal data for purposes related to the commissioning and provision of health services, the condition is:

  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…

Where we process special categories data for employment or safeguarding purposes the condition is:

  • Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…

We may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.

Where we process special categories of personal data for these purposes, the legal basis for doing so is:

  • Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or
  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest.


Article 9 of the GDPR, paragraphs 1 to 4

  1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

  2. Paragraph 1 shall not apply if one of the following applies:

a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

e) processing relates to personal data which are manifestly made public by the data subject;

f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

  3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

  4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.


Who do the Data Protection Act Principles apply to

Rights and duties under the Act are designed to be applied generally. However, there are a few exemptions depending on the purpose for processing the personal data in question.

For example, if the criminal justice service or taxation office require information held on an individual, then we may be granted the right to disclose that information. However, any exemptions from the Act’s Principles are judged on a case-by-case basis, so it is highly recommended that legal advice is sought prior to departing from the Act’s general requirements.


Common Data Protection Act risks for data controllers

The Act’s Principles are concerned with fairness to the individual from whom we are collecting the data. As a vast area, it can be difficult without advice to establish what is considered under the Act as ‘fair’. In general, we will be required to state who we are, the purpose for gathering the data, and any other information we will need to provide to the individual to ensure fair processing of the information gathered.

Using personal data already collected for a new purpose is also strictly controlled. Unless the customer has agreed, Cosmedic Skin Clinic may not share a customer’s information with another company. Cosmedic Skin Clinic will ensure that customers have full clarity of any data we intend to share, and that we will obtain their permission prior to any alternative use of their data.

Secure, technical and organisational measures will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, data. Personnel files are confidential and are stored in locked filing cabinets where required. Only authorised staff have access to these files. Files will not be removed from their normal place of storage without good reason. Data stored on diskettes or other removable media will be kept in locked filing cabinets. Data held on computer will be stored confidentially by means of password protection, encryption or coding, and again only authorised employees have access to that data. Cosmedic Skin Clinic has network backup procedures to ensure that data on computer cannot be accidentally lost or destroyed.


Your consent to personal information being held

Cosmedic Skin Clinic will hold personal data about you and, by signing the consent form for a procedure with Cosmedic Skin Clinic, you have consented to that data being processed by us in compliance with any legal requirements we must uphold.


Your right to access personal information

You have a right to access information that we may hold on you. This could include information regarding any grievances or disciplinary action, or information obtained through monitoring processes or your personnel file, and to demand that any inaccurate data be corrected or removed. You have the right on request:

  • to be told by Cosmedic Skin Clinic whether and for what purpose personal data about you is being processed
  • to be given a description of the data and the recipients to whom it may be disclosed
  • to have communicated in an intelligible form the personal data concerned, and any information available as to the source of the data

Upon request, Cosmedic Skin Clinic will provide you with a statement regarding the personal data held about you. This will state all the types of personal data we hold and process about you and the reasons for which they are processed. If you wish to access a copy of any personal data being held about you, you must make a written request for this and the Company reserves the right to charge you a fee of up to £10.

If you wish to make a complaint that these rules are not being followed in respect of personal data that Cosmedic Skin Clinic holds about you, you should raise the matter with Dr Martyn King, the Data Protection Officer. If the matter is not resolved to your satisfaction, it should be raised as a formal grievance under the Company’s grievance procedure. We must inform you within one month if we are refusing this request and state:

  • why we have refused the request
  • that you have the right to complain to the supervisory authority and to a judicial remedy

Personal data breach procedure

The GDPR imposes strict regulations for organisations that are found to be in breach of the Data Protection Principles. These regulations include obtaining the consent of subjects for data processing, anonymising collected data to protect privacy, notifying the ICO and the individuals concerned of any breach of data and for larger companies the need to appoint a data protection officer to oversee the GDPR compliance.

All data collected will be secured as per the Act’s requirements. This may involve digital encryption to avoid any breaches of stored data, depending on the sensitivity of the information held.

If a request is made for a copy of the data Cosmedic Skin Clinic holds on the data subject, we are required by law to provide it; a small fee of £10.00 may be applied for this service. There are certain exemptions to this. We may withhold information, for example if the information is about:

  • the prevention, detection or investigation of a crime
  • national security or the armed forces
  • the assessment or collection of tax
  • judicial or ministerial appointments

We are not obliged to inform the data subject of our reasons for refusal, but they must be lawful.

Where the ICO must be notified, the DPO will do this via the ‘report a breach’ page of the ICO website within 72 hours. As required, the DPO will set out:

  • A description of the nature of the personal data breach including, where possible:
      • The categories and approximate number of individuals concerned
      • The categories and approximate number of personal data records concerned
  • The name and contact details of the DPO
  • A description of the likely consequences of the personal data breach
  • A description of the measures that have been, or will be, taken to deal with the breach and mitigate any possible adverse effects on the individual(s) concerned

If all the above details are not yet known, the DPO will report as much as they can within 72 hours. The report will explain that there is a delay, the reasons why, and when the DPO expects to have further information. The DPO will submit the remaining information as soon as possible.

The DPO will also assess the risk to individuals, again based on the severity and likelihood of potential or actual impact. If the risk is high, the DPO will promptly inform, in writing, all individuals whose personal data has been breached. This notification will set out:

  • The name and contact details of the DPO
  • A description of the likely consequences of the personal data breach
  • A description of the measures that have been, or will be, taken to deal with the data breach and mitigate any possible adverse effects on the individual(s) concerned

The DPO will notify any relevant third parties who can help mitigate the loss to individuals – for example, the police, insurers, banks or credit card companies.

The DPO will document each breach, irrespective of whether it is reported to the ICO. For each breach, this record will include the:

  • Facts and cause
  • Effects
  • Action taken to contain it and ensure it does not happen again (such as establishing more robust processes or providing further training for individuals)

Cosmedic Skin Clinic’s data protection officer is Dr Martyn King, and this procedure is based on guidance on personal data breaches produced by the ICO.


Processing credit cards

Payment security – We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. We will never store your credit/debit card information on our website. All electronic transactions you make to or receive from us will be encrypted using SSL technology via GEOTrust and will be transferred and processed by SagePay. Of course, data transmission over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet. If you have a password, you are responsible for keeping your password and user details confidential. We will not ask you for your password.

We are obliged to comply with the Payment Card Industry Data Security Standard (PCI-DSS). We comply with the specific technical and organisational measures that the payment card industry considers applicable whenever such data is being processed, in line with the PCI-DSS requirements.

Compliance with the PCI-DSS is not necessarily equivalent to compliance with the GDPR’s security principle, but if we process card data and suffer a personal data breach, the ICO will consider the extent to which we have put in place the measures that PCI-DSS requires, particularly if the breach related to a lack of a particular control or process mandated by the standard.


Links

  • Information Commissioner’s Office
  • Thomson Reuters Practical Law
  • Privacy and Cookies Policy
  • Data Protection Act 2018
  • General Data Protection Regulation (GDPR)
  • Terms and Conditions

Policy reviewed and last updated 30th June 2020