Data Protection Policy and Procedure

Note: This policy was last updated in November 2021 and is due for a full rewrite. The content below is carried over from the previous version for continuity; it will be replaced with a reviewed and updated version shortly.

Introduction

Careful Systems Limited (CAREFUL) is committed to protecting the rights and freedoms of data subjects and safely and securely processing their data in accordance with all of our legal obligations.

This document sets out how we seek to protect personal data and ensure that CAREFUL contractors and staff understand the rules governing their use of the personal data to which they have access in the course of their work.

Responsibilities

1. The Careful Systems Limited Board is overall responsible for ensuring the organisation's compliance with data protection legislation. The task of reviewing ongoing compliance and assurance is delegated to the Risk, Safety and Compliance Meeting.
2. The CEO is overall responsible for ensuring the policy and procedures meet the legal and professional standards required.
3. The Data Protection Officer (DPO) assists with the monitoring of internal compliance, informs and advises on data protection obligations, provides advice regarding Privacy Impact Assessments, and acts as a contact point for data subjects and the supervisory authority.
4. CAREFUL managers are responsible for ensuring this policy and procedure is implemented and followed by staff and contractors.
5. CAREFUL staff and contractors are responsible for following this policy and its procedures.
6. The Risk, Safety and Compliance Committee is responsible for reviewing and approving all Policy and Procedure documents.

Scope

This policy applies to the CAREFUL organisation and to all activities relating to the collection, storage, processing and sharing of personal data.

Lawful Basis for Processing

There are six lawful bases for processing data. CAREFUL processes different data using four of these:

1. Consent — the individual has given clear consent for a specific purpose.
2. Contract — processing is necessary for the performance of a contract with the data subject.
3. Legal obligation — processing is necessary for compliance with a legal obligation.
4. Legitimate interests — processing is necessary for the purposes of legitimate interests pursued by CAREFUL or a third party.

Data Subject Rights

All data subjects have the following rights, which CAREFUL is committed to upholding:

• Right of access — to request a copy of the personal data held about them.
• Right to rectification — to request correction of inaccurate personal data.
• Right to erasure — to request deletion of personal data ("the right to be forgotten"), subject to legal obligations.
• Right to restriction — to request that processing is restricted in certain circumstances.
• Right to data portability — to receive personal data in a structured, commonly used format.
• Right to object — to object to processing based on legitimate interests or for direct marketing.

Data Security

CAREFUL takes all reasonable technical and organisational measures to protect personal data against unauthorised access, loss or destruction. This includes:

• Encryption of data in transit and at rest.
• Role-based access controls.
• Regular security testing and review.
• Staff training on data protection obligations.

Data Retention

Personal data is retained only for as long as necessary for the purpose for which it was collected, or as required by law. Retention periods are defined in our Data Retention Schedule.

Data Breaches

In the event of a personal data breach, CAREFUL will notify the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms. Affected data subjects will be notified where the breach is likely to result in a high risk.

Contact

For any questions relating to this policy or the exercise of data subject rights, contact the Data Protection Officer at privacy@careful.online.