INSTITUTE OF INTERNATIONAL MONETARY RESEARCH DATA PROTECTION POLICY
- In undertaking the business of the Institute of International Monetary Research (the IIMR, us, we), we create, gather, store and process data on our IIMR staff and suppliers as well as a variety of contacts who are or could potentially be interested in our research and events agenda. Our use of personal data mainly consists of processing our contacts’ details so we can keep them updated on our forthcoming events and the research we produce (mainly, our monthly newsletter and monetary note). In addition we keep records of our financial transactions with our suppliers.
- Most of the data on our contacts we collect is email addresses and/or business addresses, and to a lesser extent home addresses, only for those who have sent us theirs.
- As our recording and use of data continues to increase, it is more important than ever that every member of IIMR staff understands the law that exists in relation to data protection and staff responsibilities in ensuring that data is secured and protected in line with the law.
- Data protection is an important part of the IIMR’s overall information security arrangements. All information must be handled safely and securely according to agreed policy. In addition to good practice, some data sets are subject to external legislation and it is vital that staff recognise both categories in their handling of IIMR’s information and data.
- Data protection legislation has existed in the UK for many years, with the Data Protection Act (1998) being the current iteration. However, in May 2018 new legislation will come into force: the General Data Protection Regulation (GDPR).
- As the IIMR processes ‘personal data’ of staff, students and other individuals, it is defined as a Data Controller for the purposes of the GDPR. The IIMR processes personal data strictly in accordance with Data Protection legislation and this will continue to be the case in relation to the GDPR.
- The GDPR applies to all data relating to, and descriptive of, living individuals defined in the Regulations as ‘personal data’. Individuals are referred to as ‘data subjects’. For further definitions of terms used please see the guidance on the Information Commissioner’s website (ico.org.uk).
- The GDPR places obligations on the IIMR and the way it handles personal data. In turn the staff of the IIMR have responsibilities to ensure personal data is processed fairly, lawfully and securely. This means that personal data should only be processed if we have a valid condition of processing (e.g. consent obtained from the data subject, or a contract with them) and we have provided information to the individuals concerned about how and why we are processing their information (i.e. a privacy notice). There are restrictions on what we are allowed to do with personal data such as passing personal information on to third parties, transferring information outside the EU or using it for direct marketing.
- The IIMR is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.
Purpose of Policy
- This policy sets out the responsibilities of the IIMR and its staff to comply fully with the provisions of the GDPR. It is accompanied by a list and links to other, associated policies and a Data Protection Guidance Handbook, which provides information and guidance on different aspects of data protection and data security. This policy, its associated policies and the Guidance Handbook form the framework from which staff should operate to ensure compliance with data protection legislation.
- The policy applies to all staff, and all items of personal data that are created, collected, stored and/or processed through any activity of the IIMR, across all areas we cover.
Background Data Protection principles
- The IIMR is required to adhere to the six principles of data protection as laid down in the GDPR, which means that information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. The six principles are:
  a) Personal data shall be processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’).
  b) Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in any manner incompatible with those purposes. Further processing for archiving, scientific or historical research or statistical purposes is permissible (‘purpose limitation’).
  c) Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed (‘data minimisation’).
  d) Personal data shall be accurate and where necessary kept up to date (‘accuracy’).
  e) Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose (‘storage limitation’).
  f) Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
- Personal data is information about a living individual, who is identifiable from that information or who could be identified from that information when combined with other data which the IIMR either holds or is likely to obtain. GDPR also refers separately to ‘special categories’ of personal data which includes particularly sensitive personal information such as health details, racial or ethnic origin or religious beliefs. Further information and guidance on personal data, including a full list of ‘special categories’ of personal data, is provided in section 3 of the Data Protection Guidance Handbook.
- The definition of ‘processing data’ includes obtaining/collecting, recording, holding, storing, organising, adapting, aligning, copying, transferring, combining, blocking, erasing and destroying the information or data. It also includes carrying out any operation or set of operations on the information or data, including retrieval, consultation, use and disclosure.
- The IIMR, as data controller, remains responsible for the control of personal data it collects even if that data is later passed onto another organisation or is stored on systems or devices owned by other organisations or individuals (including devices personally owned by members of staff).
- Staff developing new projects or processes or revising existing processes need to take data protection into account as part of this process and may need to carry out a data protection impact assessment.
- In the event that there is a data protection breach this will usually have to be reported to the Information Commissioner’s Office (who is either the IIMR Office Administrator or the IIMR Director) no later than 72 hours after the breach is discovered.
- The following associated policies should be consulted in conjunction with the Data Protection Policy as appropriate:
Policy
- The Policy is set out in the following sections:
  i. General
  ii. Data Security
  iii. Data Retention
  iv. Conditions of Processing and Consent
  v. Privacy Notices
  vi. Record of Processing Activities
  vii. Children
  viii. Research
  ix. Subject Access Requests and Data Subject Rights
  x. Data Sharing
  xi. Transfers of Personal Data Outside the EU
  xii. Data Protection Impact Assessments and Data Protection by Design
  xiii. Direct Marketing
  xiv. Personal Data Breach
  xv. Impact of Non-compliance
i. General
- The IIMR is responsible for demonstrating compliance with the six data protection principles (see paragraph 12 above).
- Compliance with the GDPR, and adherence to these principles, is the responsibility of all members of the IIMR. Any deliberate breach of this policy may lead to disciplinary action being taken, access to IIMR facilities being withdrawn, or even criminal prosecution.
- The IIMR is required to keep a record of its data processing activities as a summary of the processing and sharing of personal information and the retention and security measures that are in place. For more information about these records see section vi Records of Processing Activities.
ii. Data Security
- All IIMR users of personal data must ensure that all personal data they hold is kept securely. They must ensure that it is not disclosed to any unauthorised third party in any form either accidentally or otherwise. Data Security should be undertaken in line with the University of Buckingham Data Protection Policy. Links to these policies are provided above and guidance on data security is included in section 4 of the Data Protection Guidance Handbook.
iii. Data Retention
- Individual areas within the IIMR are responsible for ensuring the appropriate retention periods for the information they hold and manage. Retention periods will be set based on legal and regulatory requirements, sector and good practice guidance. A useful source of guidance is available at the JISC Higher Education Business Classification Scheme and Records Retention Schedules (http://bcs.jiscinfonet.ac.uk/he/default.asp).
- Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. Once information is no longer needed it should be disposed of securely. Paper records should be shredded or disposed of in confidential waste, and electronic records should be permanently deleted.
- If data is fully anonymised then there are no time limits on storage from a data protection point of view (see paragraph 59).
iv. Conditions of Processing and Consent
- In order for it to be legal and appropriate for the IIMR to process personal data, at least one of the following conditions must be met:
  a) The data subject has given his or her consent.
  b) The processing is required due to a contract.
  c) It is necessary due to a legal obligation.
  d) It is necessary to protect someone’s vital interests (i.e. a life or death situation).
  e) It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  f) It is necessary for the legitimate interests of the controller or a third party and does not interfere with the rights and freedoms of the data subject (this condition cannot be used by public authorities in performance of their public tasks).
- All processing of personal data carried out by the IIMR must meet one or more of the conditions above. In addition, the processing of ‘special categories’ of personal data requires extra, more stringent conditions to be met in accordance with Article 9 of the GDPR. To process personal data about criminal convictions or offences, conditions must be met under Article 10 of the GDPR.
- Whenever collecting data from individuals that will be used for marketing purposes, the IIMR will state whether it will use the data for direct marketing purposes. Individuals must be provided with the opportunity to opt out of receiving these direct marketing communications at any time.
- If data subjects tell us that they do not want to receive any further direct marketing from us, the IIMR will not contact them further for the purpose of direct marketing. However, the IIMR will not necessarily remove their personal data from its database(s) if it considers it necessary to retain the personal data for another legitimate purpose (e.g. because it is necessary to administer a contract or because it is a legal requirement).
- For some activities, the IIMR may need the specific consent of individuals in order to process their data.
- Consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or other clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The GDPR clarifies that silence, pre-ticked boxes or inactivity do not constitute consent.
- Anyone who has provided consent has the right to revoke their consent at any time and must be informed of that right. The process for revoking consent must be kept simple and should be no more onerous than the process for giving consent in the first place.
- Further information about obtaining consent can be found in section 5 of the Data Protection Guidance Handbook.
v. Privacy Notices
- Under the ‘fair and transparent’ requirements of the first data protection principle, the IIMR is required to provide data subjects with ‘privacy notices’ to let them know what it does with their personal data.
- Privacy notices are published on the IIMR website and are therefore available to individuals from their first point of contact with the IIMR. Any processing of personal data beyond the scope of the standard privacy notices will require a separate privacy notice.
- Further information on what information should be included in a privacy notice is provided in section 5 of the Data Protection Guidance Handbook.
vi. Records of Processing Activities
- As a data controller, the IIMR is required to maintain a record of processing activities which covers all the processing of personal data carried out by the IIMR. Amongst other things, this record contains details of why the personal data is being processed, the types of individuals about whom information is held, who the personal information is shared with and when personal information is transferred to countries outside the EU.
- Staff embarking on new activities involving the use of personal data that are not covered by one of the existing records of processing activities should inform the Data Protection Officer (firstname.lastname@example.org) before starting the new activity.
vii. Children
- Under GDPR the following restrictions apply to the processing of personal information relating to children. Although the IIMR does not generally process the data of children, there may be circumstances when it is necessary to do so. If it is deemed necessary to process the personal data of children, the Office Administrator or Director should be consulted prior to the processing activities, to ensure that the necessary steps are taken so that such processing is in accordance with the GDPR.
viii. Research
- Data collected for the purposes of research is covered by the GDPR. It is important that staff collecting data for the purpose of research or consultancy incorporate an appropriate form of consent on any data collection form.
- Further information and guidance on data protection and research is provided in section 6 of the Data Protection Guidance Handbook.
ix. Subject Access Requests and Data Subject Rights
- The GDPR gives data subjects the right to access personal information held about them by the IIMR. The purpose of a subject access request is to allow individuals to confirm the accuracy of personal data and check the lawfulness of processing, so that they can exercise rights of correction or objection if necessary. However, individuals can request to see any information that the IIMR holds about them, which includes copies of email correspondence referring to them or opinions expressed about them.
- The IIMR must respond to all requests for personal information and information will normally be provided free of charge and within 30 days of the date of request.
- References are disclosable to the person about whom they are written under the subject access provisions of the GDPR. This includes references received by the IIMR from external sources and confidential references given and received internally, e.g. as part of advancement and promotions procedures. In order to maintain confidentiality and to prevent the unauthorised disclosure of information, staff should not provide references unless satisfied that the person who is the subject of the reference has consented.
- Information and guidance about making and handling subject access requests can be found in section 7 of the Data Protection Guidance Handbook.
- Data subjects have a number of other rights under the GDPR. These include:
  Right to Object – Data subjects have the right to object to specific types of processing, which includes processing for direct marketing. The data subject needs to demonstrate grounds for objecting to the processing relating to their particular situation, except in the case of direct marketing where it is an absolute right (see section xiii on direct marketing). Online services must offer an automated method of objecting. In some cases there may be an exemption to this right for research or statistical purposes done in the public interest.
  Right to be forgotten (erasure) – Individuals have the right to have their data erased in certain situations, such as where the data is no longer required for the purpose for which it was collected, the individual withdraws consent or the information is being processed unlawfully. There is an exemption to this for scientific or historical research purposes or statistical purposes if the erasure would render impossible or seriously impair the achievement of the objectives of the research.
  Right to restriction – Individuals can ask the controller to ‘restrict’ processing of the data whilst complaints (for example, about accuracy) are resolved or where the processing is unlawful.
  Rights in relation to automated decision making and profiling – This right relates to automated decisions or profiling that could result in significant effects on an individual. Profiling is the processing of data to evaluate, analyse or predict behaviour, or any feature of a person’s behaviour, preferences or identity. Individuals have the right not to be subject to decisions based solely on automated processing. When profiling is used, measures must be put in place to ensure the security and reliability of services. Automated decision-taking based on sensitive data can only be done with explicit consent.
  Right to Rectification – The right to require a controller to rectify inaccuracies in personal data held about them. In some circumstances, if personal data are incomplete, an individual can require the controller to complete the data, or to record a supplementary statement.
  Right to Portability – The data subject has the right to request that information about them is provided in a structured, commonly used and machine-readable form so it can be sent to another data controller. This only applies to personal data that is processed by automated means (not paper records), to personal data which the data subject has provided to the controller, and only when it is being processed on the basis of consent or a contract.
- The availability of rights largely depends on the legal justification for processing. The table below summarises when rights are available.

  Legal Justification    | Right to Object                | Erasure | Automated Decision Making      | Rectification | Portability
  Consent                | No (but can withdraw consent)  | Yes     | No (but can withdraw consent)  | Yes           | Yes
  Contract               | No                             | Yes     | No                             | Yes           | Yes
  Legal Obligation       | No                             | No      | No                             | Yes           | No
  Vital Interest         | No                             | Yes     | No                             | Yes           | No
  Public Task            | Yes                            | No      | Yes                            | Yes           | No
  Legitimate Interests   | Yes                            | Yes     | Yes                            | Yes           | No
- Any requests made to invoke any of the rights above must be dealt with promptly, and in any case within one month of receiving the request. Members of staff should consult the Office Administrator or Director for advice if they encounter any difficulty in complying with a request. It is possible to extend the time for compliance by a further two months where requests are complex or numerous, in which event it is necessary to inform the individual within one month of receipt of the request and explain why the extension is necessary.
x. Data Sharing
- Certain conditions need to be met before personal data can be shared with a third party or before an external data processor is used to process data on behalf of the IIMR.
- As a general rule, personal data should not be passed on to third parties, particularly if it involves special categories of personal data. It is however permissible or necessary in certain circumstances. Any transfer of personal data must meet the data processing principles; in particular it must be lawful and fair to the data subjects concerned (see paragraph 12). More particularly:
  It must meet one of the conditions of processing (see section iv);
  There must be a legitimate reason for transferring the data (e.g. a legal requirement);
  The IIMR must be satisfied that the third party will meet all the requirements of the GDPR, particularly in terms of holding the information securely;
  Where a third party is to process personal data on behalf of the IIMR, a written contract must be in place containing appropriate Data Protection safeguards.
- Staff should consult with the Office Administrator or Director if they are entering into a new contract that involves the sharing or processing of personal data or if they have any concerns about the Data Protection safeguards in existing contracts.
- Staff who receive requests for personal information from third parties such as relatives, police, local councils etc. should consult section 9 of the Data Protection Guidance Handbook on Requests for Personal Information from Third Parties.
xi. Transfers of Personal Data Outside the EU
- Personal data can only be transferred out of the European Union under certain circumstances. The GDPR lists the factors that should be considered to ensure an adequate level of protection for the data and some exemptions under which the data can be exported. In many cases, the IIMR will require consent of the data subjects before personal information can be transferred out of the EU.
- Information published on the internet must be considered to be an export of data outside the EU. This also covers data stored in the cloud, unless the service provider explicitly guarantees that data storage only takes place within the EU.
- The IIMR’s Office Manager should be consulted on the use of Cloud Computing before any use of external computing resources or services via a network which may involve personal data.
- Staff involved in transferring personal data to other countries should consult section 10 of the Data Protection Guidance Handbook.
xii. Data Protection Impact Assessments and Data Protection by Design
- Under the GDPR the IIMR has an obligation to consider the impact on data privacy during all processing activities. This includes implementing appropriate technical and organisational measures to minimise the risk to personal data.
- It is particularly important to consider privacy issues when considering new processing activities or setting up new procedures or systems that involve personal data. GDPR imposes a specific ‘privacy by design’ requirement, emphasising the need to implement appropriate technical and organisational measures during the design stages of a process and throughout the lifecycle of the relevant data processing to ensure that privacy and protection of data is not an after-thought.
- For further information about techniques that can be used to reduce the risks associated with handling personal data, including Anonymisation and Pseudonymisation, see section 12 of the Data Protection Guidance Handbook on Data Protection by Design and Default.
- For some projects the GDPR requires that a Data Protection Impact Assessment (DPIA) is carried out. The types of circumstances when this is required include: those involving processing of large amounts of personal data, where there is automatic processing/profiling, processing of special categories of personal data, or monitoring of publicly accessible areas (e.g. CCTV). The DPIA is a mechanism for identifying and examining the impact of new initiatives and putting in place measures to minimise or reduce risks. Information about when and how to carry out a DPIA can be found in section 11 of the Data Protection Guidance Handbook on Data Protection Impact Assessments.
xiii. Direct Marketing
- Direct marketing relates to communication (regardless of media) with respect to advertising or marketing material that is directed to individuals, e.g. mail shots for fund raising, advertising courses etc. Individuals must be given the opportunity to remove themselves from lists or databases used for direct marketing purposes. The IIMR must cease direct marketing activity if an individual requests the marketing to stop.
- Direct marketing must also comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which cover marketing via telephone, text and email. For more information about direct marketing and PECR please see section 13 of the Data Protection Guidance Handbook.
xiv. Personal Data Breach
- The IIMR is responsible for ensuring appropriate and proportionate security for the personal data that we hold. This includes protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage of the data. The IIMR makes every effort to avoid personal data breaches; however, it is possible that mistakes will occur on occasions. Examples of common personal data breaches include:
  Loss or theft of data, or of equipment on which data is stored or accessible;
  Inappropriate access controls allowing unauthorised use;
  Equipment failure;
  Unauthorised disclosure (e.g. an email sent to the incorrect recipient);
  Human error; and
  Failure to maintain effective firewalls, resulting in successful hacking attacks.
- If a data protection breach occurs, the IIMR is required in most circumstances to report this as soon as possible to the IIMR’s Office Manager (email@example.com), and not later than 72 hours after becoming aware of it.
- If staff become aware of a data protection breach they must report it immediately to the Data Protection Officer (either the IIMR Office Manager or Director). Details of how to report a breach and the information that will be required are included in section 14 of the Data Protection Guidance Handbook on Personal Data Breaches.
xv. Impact of Non-compliance
- All staff of the IIMR are required to comply with this Data Protection Policy, its supporting guidance and the requirements specified in the GDPR. Any member of staff who is found to have made an unauthorised disclosure of personal information or breached the terms of this Policy may be subject to disciplinary action. Staff may also incur criminal liability if they knowingly or recklessly obtain and/or disclose personal information without the consent of the IIMR, i.e. for their own purposes, which are outside the legitimate purposes of the IIMR.
- The IIMR could be fined for non-compliance with the GDPR. There are two tiers of fines depending on the type of infringement. Further information about the fines is in section 15 of the Data Protection Guidance Handbook.
University Contacts
- The IIMR’s named Data Protection Officer is Gail Grimston, whose contact details are as follows: Email: firstname.lastname@example.org; Telephone: 01280 827524; Address: IIMR, Prebend House, University of Buckingham, Buckingham MK18 1EG.
- In the first instance all enquiries or requests for further information or guidance relating to data protection should be addressed to the Data Protection Officer.