Data Protection Policy
1. Introduction
1.1 This policy covers all activities of Secta Research Ltd ('Secta') where personal data is controlled or processed as defined by the Data Protection Act 2018, the United Kingdom General Data Protection Regulation ("UK GDPR"), and the EU General Data Protection Regulation 2016/679 ("EU GDPR") as amended by the UK General Data Protection Act 2021 and all associated laws and regulations.
1.2 Adherence to this policy and its intent is a mandatory obligation for Secta members, trustees, and directors as well as all staff, consultants, and contractors (hereafter, collectively referred to as "staff").
1.3 It applies to these individuals regardless of their geographical location, i.e., whether working from premises used by Secta or working from home (WFH).
2. Background
2.1 General: The UK GDPR and EU GDPR (together, 'GDPR') apply to the protection of natural persons (i.e., living individuals) in relation to the processing of personal data and the free movement of such data. The UK GDPR supersedes the EU GDPR in relation to the latter's application in the UK.
2.2 The purpose of the GDPR is to protect the "rights and freedoms" of natural persons by ensuring that data controllers are accountable for processing personal data in accordance with the six data processing principles.
2.3 Material scope: The GDPR applies to the processing of personal data wholly or partly by automated means (e.g., by computer) and to the processing other than by automated means of personal data (e.g., paper records), which form part of a filing system or are intended to form part of a filing system.
2.4 Territorial scope: The GDPR applies to all data controllers established in the UK and EU that process the personal data of data subjects, in the context of that establishment. It also applies to controllers outside of the UK and EU who process personal data to offer goods and services or monitor the behaviour of data subjects who are resident in the UK and EU.
2.5 Terminology: A comprehensive list of terms used is at Appendix 1.
3. Policy statement
3.1 Secta is committed to compliance with all relevant laws in respect of the processing of personal data, and to the protection of the "rights and freedoms" of individuals whose personal data is being collected and processed by Secta.
3.2 The compliance requirements of the GDPR are described by this policy, and in other relevant Secta policies, processes, and procedures.
3.3 The GDPR and this policy apply to all personal data processing functions, including those performed on staff's personal data, and any other personal data which Secta processes from any source.
3.4 The Data Protection Officer shall be responsible for drawing up a Record of Processing Activities (RoPA). The RoPA shall record:
- All categories of personal data processed by Secta;
- The legal basis for its processing;
- The review date for each category of personal data to determine the necessity of retention and/or disposal (see Section 10);
- Any sharing of the personal data with third parties, its lawful basis, the Data Protection Impact Assessment (DPIA) accompanying this sharing, and any Data Transfer, Non-Disclosure or other Agreements entered into by the third party (see Section 9);
- Any authorised non-notification of any data subjects, and the DPIA accompanying this non-notification (see Section 7).
3.5 The Data Protection Officer shall ensure that the RoPA is reviewed annually in light of any changes to Secta's processing activities, and for any additional requirements identified by means of any data protection impact assessments ("DPIA").
3.6 Partners and any third parties working with or for any part of Secta who have or may have access to personal data will have access to this policy. No third party may ordinarily access personal data held by Secta without having first entered into an agreement with Secta which imposes on the third party obligations no less onerous than those to which Secta is committed. Any divergence from this requirement must be approved by the Directors, and the reasons for this approval specifically recorded on the RoPA.
4. Roles and responsibilities
4.1 Secta is the data controller as defined in the GDPR.
4.2 The Directors and all those in managerial or supervisory roles throughout Secta are responsible for developing and encouraging good information handling practices within their respective areas of responsibility.
4.3 The Data Protection Officer is accountable to the Directors for the management of personal data within Secta and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes:
- The implementation of GDPR obligations as required by this policy; and,
- In cooperation with the Directors, the resolution of any issues raised by Secta's security and risk assessment process that may impact upon compliance with this policy.
4.4 The Data Protection Officer, whom the Directors consider to be suitably qualified and experienced as required by GDPR, has been designated to take responsibility for Secta's compliance with this policy on a day-to-day basis, and has direct responsibility for ensuring that Secta complies with GDPR, as do all staff in respect of data processing that takes place within their area of responsibility.
4.5 The Data Protection Officer has responsibilities in respect of procedures such as processing Data Subject Access Requests, and is the first point of contact for staff seeking clarification on any aspect of data protection compliance.
4.6 Compliance with data protection legislation is the responsibility of all staff who process personal data.
4.7 Secta's induction process sets out specific data protection requirements in relation to specific roles and staff generally.
4.8 Secta's staff are responsible for ensuring that any personal data about them and supplied by them to Secta is accurate and up to date.
5. Data protection principles
5.1 All processing of personal data must be conducted in accordance with the data protection principles as set out in Article 5 of the UK GDPR and equivalent EU legislation, as detailed below. Secta policies and procedures are designed to ensure compliance with the principles. Individual policies and procedures define the responsibilities of staff in respect of their accountabilities.
5.2 Principle 1: Personal data must be processed lawfully, fairly and transparently.
5.2.1 Lawful: A lawful basis must be identified before personal data can be processed. These are often referred to as the "conditions for processing", for example consent or legitimate interests.
5.2.2 Fairly: For processing to be fair, the data controller has to make certain information available to the data subjects as far as practicable. This applies whether the personal data was obtained directly from the data subjects or from other sources.
5.2.3 Transparency: GDPR includes rules on giving privacy information to data subjects in Articles 12, 13 and 14. These are detailed and specific, placing an emphasis on making privacy notices understandable and accessible. Information must be communicated to the data subject in an intelligible form using clear and plain language. The specific information that must be provided to the data subject must, as a minimum, include:
(i) the identity and the contact details of the controller and, if any, of the controller's representative;
(ii) the contact details of the data controller;
(iii) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(iv) the period for which the personal data will be stored;
(v) the existence of the rights to request access, rectification, erasure or to object to the processing, and the conditions (or lack of) relating to exercising these rights, such as whether the lawfulness of previous processing will be affected;
(vi) the categories of personal data concerned;
(vii) the recipients or categories of recipients of the personal data, where applicable;
(viii) where applicable, that the controller intends to transfer personal data to a recipient in a third country and the level of protection afforded to the data;
(ix) any further information necessary to guarantee fair processing.
5.3 Principle 2: Personal data can only be collected and processed for specific, explicit and legitimate purposes.
5.3.1 Personal data collected must not be processed in a manner which is incompatible with the purpose for which it originally was collected.
5.4 Principle 3: Personal data must be adequate, relevant and limited to what is necessary for processing.
5.4.1 The Data Protection Officer is responsible for ensuring Secta does not collect information which is not strictly necessary for the purpose for which it is obtained.
5.4.2 All data collection forms (electronic or paper-based), including data collection requirements in new information systems, must include a privacy notice or link to a privacy notice that is approved by the Directors.
5.4.3 On a regular basis, the Data Protection Officer will review all data collection methods to ensure that collected data continues to be adequate, relevant and not excessive.
5.5 Principle 4: Personal data must be reasonably accurate, kept up to date in the context of the purposes for which it was collected, and reviewed regularly for retention or disposal.
5.5.1 Data stored by Secta must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that it is accurate.
5.5.2 Secta is responsible for ensuring that all staff are trained appropriately in the importance of collecting accurate data and maintaining it.
5.5.3 Staff are responsible for ensuring that data held by Secta is accurate and up to date.
5.5.4 Staff are required to notify Secta of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of Secta to ensure that any notification regarding change of circumstances is recorded and acted upon.
5.5.5 Secta is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.
5.5.6 The Data Protection Officer will regularly — not less than every 12 months — review the retention dates of all the personal data processed by Secta and will identify any data that is no longer required in the context of the registered purpose. This data will be securely deleted/destroyed.
5.5.7 Secta is responsible for responding to requests for rectification from data subjects within one month.
5.5.8 If, for legitimate reasons, the request is denied, the Data Protection Officer must respond to the data subject to explain the reasoning and inform the data subject of their right to complain to the UK's Information Commissioner's Office and to seek judicial remedy. This activity does not preclude normal data quality improvement actions that are managed under business as usual.
5.5.9 The Data Protection Officer is responsible for making appropriate arrangements, where third-party organisations may have been passed inaccurate or out-of-date personal data, to inform them that the information is inaccurate and/or out of date and is not to be used to inform decisions about the individuals concerned, and for passing any correction to the personal data to the third party where this is required.
5.6 Principle 5: Personal data processed must be kept for no longer than is necessary for the purpose for which it is processed.
5.6.1 Where personal data is retained beyond the period defined within the RoPA, it will be minimised, encrypted or pseudonymised where possible to protect the identity of the data subject in the event of a data breach. Prior to this happening a lawful basis to do so must be established and approved by the Data Protection Officer, see section 5.6.3.
5.6.2 Personal data will be retained in line with RoPA and, once its retention date is passed, it must be securely destroyed.
5.6.3 The Data Protection Officer must specifically approve any data retention that exceeds the retention period defined in the Data Protection Officer's last review (see 5.5.6), and must ensure that the justification is identified clearly and in line with the requirements of the data protection legislation. This approval must be in writing.
5.7 Principle 6: Personal data must be processed in a manner that ensures appropriate security.
5.7.1 Where necessary, the Data Protection Officer will ensure a risk assessment is completed taking into account the processing operations of Secta.
5.7.2 In determining the appropriateness of the processing, the Data Protection Officer should also consider the extent of possible damage or loss that might be caused to staff if a security breach occurs, the effect of any security breach on Secta and any likely reputational damage, including the possible loss of public trust.
5.8 Accountability. As a data controller, Secta must be able to demonstrate compliance with the six data processing Principles detailed above. To this end, the Data Protection Officer shall ensure that this policy is reviewed annually. This review shall determine the ongoing suitability of the policy, that the policy is deployed effectively throughout Secta, and that adequate resources are available to ensure its ongoing effectiveness.
6. Data subjects' rights
6.1 Data subjects have the following rights regarding data processing, and the data that is recorded about them:
- The right to be informed — Article 12.
- The right of access — Article 15.
- The right to rectification — Article 16.
- The right to erasure (right to be forgotten) — Article 17.
- The right to restrict processing — Article 18.
- The right to data portability — Article 20.
- The right to object — Article 21.
- Rights in relation to automated decision making and profiling — Article 22.
6.2 Secta is required to facilitate the rights of data subjects, for instance by responding to subject access requests.
7. Basis of processing
7.1 Secta will determine the appropriate lawful basis of processing for all personal data obtained directly or indirectly from data subjects, including staff.
7.2 Data subjects will be informed of the purpose for processing using a privacy notice published on Secta's website or by similar means.
7.3 Where personal data is obtained from third parties, the data subject will be sent a notice in compliance with Article 14 of the UK GDPR, unless non-notification is justified (see section 7.4).
7.4 Any instance where data subjects are not informed that their data is processed by Secta must have a lawful basis, must be subject to a DPIA conducted by the Data Protection Officer, and must be approved by the Directors.
7.5 Where a special category of personal data, as defined by Article 9 of the GDPR, is processed, this shall be on the basis of one of the 10 exceptions defined in Article 9.
8. Security of data
8.1 All staff are responsible for ensuring that any personal data which Secta holds and for which it is responsible is kept secure and is not, under any conditions, disclosed to any third party unless that third party has been specifically authorised to receive the personal data and, where required, has entered into a relevant agreement (see Section 9).
8.2 Staff at all levels, as part of their induction process, are given guidance on where this policy, model agreements and other relevant documents can be found within Secta's shared file storage.
9. Disclosure of data
9.1 Secta is under a lawful obligation to ensure that personal data is not disclosed to unauthorised third parties.
9.2 Notwithstanding 9.1 the disclosure of personal data is often relevant to, and necessary for, the conduct of Secta's lawful activities.
9.3 All staff should notify the Data Protection Officer in writing via email if asked to disclose personal data held on another individual to a third party.
9.4 No personal data will be disclosed to third parties without the authorisation of the Data Protection Officer.
9.5 Before giving such authorisation, the Data Protection Officer will conduct a DPIA regarding the disclosure, and shall only authorise the disclosure if (i) the disclosure has a lawful basis, and (ii) impacts can be lowered to 'medium' or lower through mitigation measures.
10. Retention and disposal of data
10.1 The retention period for each category of personal data will be set out in the RoPA along with the criteria used to determine this period including any statutory obligations to retain personal data.
10.2 Personal data must be disposed of securely in accordance with the sixth data processing principle — processed in an appropriate manner to maintain security, thereby protecting the "rights and freedoms" of data subjects.
10.3 Such disposal shall be made as soon as is reasonably practical, and in any case no later than 20 working days after retention of the data was identified as no longer justified.
10.4 Secta is not responsible for the disposal or retention of data of any third party with whom it shares personal data.
11. Data transfers
11.1 All transfers of personal data to non-European Economic Area (EEA) countries are unlawful unless there is an appropriate "level of protection for the fundamental rights of the data subjects".
11.2 The transfer of personal data to non-European Economic Area (EEA) countries is prohibited unless one or more of the following safeguards or exceptions apply:
- Adequacy decision
- EU Standard Contractual Clauses (with the UK Addendum) or an International Data Transfer Agreement issued by the Information Commissioner
- Binding corporate rules ("BCRs")
- International Agreements
- Derogation e.g. transfers made with the consent of the data subject
11.3 In the absence of an adequacy decision, binding corporate rules and/or model contract clauses, a transfer of personal data to a third country or international organisation shall only take place on one of the following conditions:
- the data subject has consented explicitly to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise, or defence of legal claims; and/or
- the transfer is necessary to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
11.4 Secta will only undertake any such non-EEA transfer following the Data Protection Officer's assessment of the lawfulness of the transfer under these conditions, and with a Data Protection Impact Assessment.
12. Information Technology
12.1 Data Protection by Design/Default: Inasmuch as:
(i) none of Secta's Directors are data protection professionals;
(ii) it would be a disproportionate use of funds to employ a data protection professional, given the scale and nature of the personal data held by Secta;
the Directors will seek appropriate professional advice commensurate with Secta's data protection requirements whenever significant changes are planned to the ways in which Secta processes personal data, or any material changes to the UK GDPR are made.
12.2 Data Processing Equipment: Personal data held by Secta will only be processed on devices authorised by the Data Protection Officer and Directors.
12.3 Data storage: All personal data will be stored only in Secta's shared file storage, and not locally on devices. Staff are responsible for deleting all interim working data transferred to such devices for processing, once processing has been completed.
12.4 The Data Protection Officer will include in the RoPA a list of all devices used for the storage and processing of personal data, their location, and their authorised user(s).
12.5 Devices issued by Secta to staff, trustees, consultants or other personnel must not be used for the storage of any personal data which is unrelated to Secta's processing of personal data.
13. Disciplinary Action
13.1 All staff are to adhere to this policy and its intent. Failure to do so may result in disciplinary action being taken. Such action might include written or verbal warnings or dismissal in circumstances that amount to gross misconduct.
13.2 Secta reserves the right to take appropriate action against contractors and self-employed service providers who fail to comply with this policy. Such actions include, but are not limited to, the termination of any contract with Secta.
14. Data Breach
14.1 In the event of any data breach coming to the attention of Secta's staff or Directors, the Data Protection Officer will immediately notify all Directors and the UK Information Commissioner's Office (ICO).
14.2 In the event that full details of the nature and consequences of the data breach are not immediately accessible, the Data Protection Officer will bring that to the attention of ICO and undertake to forward the relevant information as soon as it becomes available.
Appendix 1 — Definitions
Data controller — the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data subject — any living individual who is the subject of personal data held by an organisation.
Data subject consent — means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Filing system — any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
Personal data — any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority and, where the breach is likely to adversely affect the personal data or privacy of the data subject, to the data subject.
Processing — any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means or not, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Profiling — any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person's performance at work, economic situation, location, health, personal preferences, reliability, or behaviour. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.
Special categories of personal data — personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Third party — a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.