Options-London is registered with the Information Commissioner’s Office as a Data Controller.
1.1 Options-London is committed to complying with the requirements of data protection legislation (Data Protection Act 2018 and General Data Protection Regulation 2018).
1.2 Options-London will ensure that its staff, and others directly commissioned or working on our behalf, who have access to any personal or sensitive personal data held by us are fully aware of and comply with their duties and responsibilities under the legislation.
1.3 Options-London is responsible for ensuring proper compliance and will source outside expertise/training if necessary.
2. The Use of Personal Data
2.1 As part of the effective provision of services, Options-London has to collect and process information about the individuals that we provide services to. These people may include, but are not limited to, members of the public, current, past and prospective employees, clients, other service users and suppliers.
2.2 Options-London will only process personal data when we are permitted to do so by law. There are circumstances where we are required by law to process personal information, for example to comply with government legislation or other requirements.
2.3 Options-London regards the lawful and appropriate treatment of personal information as key to its successful operations, promoting transparency and building trust.
2.4 When processing data, we will comply with all relevant data protection legislation as well as adhering to Information Commissioner’s Office (ICO) guidance.
2.5 We will apply appropriate safeguards and controls to ensure that all personal data is collected, recorded and used fairly and correctly in accordance with data protection legislation, whether it is held on paper (as part of a relevant filing system), in computer records or recorded by any other means.
3. Compliance with the requirements of data protection legislation
3.1 Through appropriate management and the enforcement of strict processes and controls, we will:
· observe conditions regarding the fair collection and use of personal information;
· meet legal obligations by specifying the purpose for which personal information is used;
· only collect and process appropriate personal information to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
· ensure the quality of information used;
· apply checks to determine the length of time information is held;
· apply suitable measures to safeguard personal information;
· ensure that personal information is not transferred abroad without suitable safeguards;
· ensure that the rights of people about whom the information is held can be fully exercised under the legislation;
· issue staff with requisite procedures to ensure compliance with this statement of policy and the legislation;
· maintain records regarding data processing.
3.2 Whilst Options-London has robust policies and procedures in place which explain how personal information must be processed, there may be instances where a failure leads to a breach of data security. The Options-London ‘Data Protection Breach Procedure’ outlines the approach that must be taken in such circumstances.
3.3 Data Protection Breaches are taken very seriously as failure to comply with legislation could result in any of the following:
· A monetary penalty issued by the Information Commissioner’s Office - up to €4 million or 4% of annual turnover (whichever is higher)
· Other regulatory action as administered by the Information Commissioner
  - Information notices
  - Enforcement notices
  - Consensual assessments (audits)
  - Assessment notices to conduct compulsory audits
· Damage to Options-London’s reputation and associated negative impact on the confidence of our clients and other stakeholders.
· Disciplinary action against employees concerned (as appropriate, dependent on circumstances)
· Individuals can be criminally liable if they knowingly or recklessly process personal data in breach of the legislation.
3.4 The objectives of this policy will be met by operating policies and procedures including (but not limited to):
· IT Systems Procedure document
· Statement of Service
· Data Protection Breach Procedure