Introduction
1.1 The General Data Protection Regulations (GDPR) came into force on 25 May 2018, replacing the EU Data Protection Directive and superseding the Data Protection Act 1998. It was transposed into UK law through the Data Protection Act 2018. The purpose of the GDPR is to protect the rights and freedoms of individuals and ensure that personal data is not processed without their knowledge, and wherever possible, that it is processed with their consent.
1.2 This policy sets out how ARB will handle the personal data it handles in the course of its business, and will comply with the Data Protection principles set out in GDPR.
Data Protection Principles
2.1 ARB is committed to processing data in accordance with its responsibilities under data protection legislation.
2.2 Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Data Protection Officer (DPO)
3.1 ARB shall appoint a DPO to support the organisation in upholding the rights of Data Subjects as it relates to ARB’s processing activities.
3.2 The DPO shall be the Head of Professional Standards.
3.3 The DPO shall:
3.3.1 respond to enquiries from Data Subjects in a timely manner;
3.3.2 establish and maintain a programme to monitor compliance with this policy;
3.3.3 establish and maintain a General Data Protection training and awareness programme;
3.3.4 not be responsible for decisions on how ARB processes personal data on a day to day basis (so as to maintain independent scrutiny of those processes);
3.3.5 be responsible to responding to Data Subject Access requests and requests for information under FOIA;
3.3.6 report data breaches to the ICO as required under this policy;
3.3.7 be provided with information, resource and support by the SLG to assist in the discharge of these responsibilities.
3.4 The DPO shall create and maintain the following:
i) Register of Data Processing Activities;
ii) Register of Data Subject Enquiries and requests for information under FOIA;
iii) Register of Data Protection Impact Assessments;
iv) Register of data breaches;<
v) Retention and Destruction Policy.
3.5 The DPO shall be responsible for ensuring that ARB is appropriately registered with the ICO.
3.5 Contact details of the DPO shall be made publicly available.
Lawful, fair and transparent processing
4.1 It is the responsibility of all ARB staff, Board members and Service Providers to ensure that personal data is processed lawfully, and in line with the Data Protection Principles.
4.2 All data processed ARB must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public duty or legitimate interests.
4.3 As a statutory body, much of the data processed by ARB will be done so on the basis of legal obligation, public duty or contract.
4.4 Where consent is relied upon for processing, that consent must be kept in a format that can be connected to the data it relates to. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is actioned by ARB’s systems.
Register of Processing Activities
4.5 ARB shall maintain a Register of its data processing activities, which describes
i) the purposes of processing the data;
ii) the description of the data and data subjects it belongs to;
iii) details of third-party processors the data is shared with;
iv) the retention period for the data;
v) any technical or security measures that apply to that data.
4.6 Processing of data shall cease immediately where there are no longer lawful grounds for processing.
4.7 Data shall only be retained for the period as defined within the Retention & Destruction policy.
Special Category Data
4.8 Special category data is personal data which is more sensitive, and so needs more protection. The types of special category data identified by GDPR are information on:
- race;
- ethnic origin;
- politics;
- religion;
- trade union membership;
- genetics;
- biometrics (where used for ID purposes);
- health;
- sex life; or
- sexual orientation
4.9 Where special category data is being processed, ARB must satisfy one of the specific conditions under Article 9(2) GDPR. These conditions [1] include
- explicit consent
- required for compliance with employment, social security or social protection law;
- processing is vital for the interests of the data subject and they are incapable of giving consent;
- the personal data is already public;
- processing is necessary in relation to a legal claim;
- necessary for the public interest on the basis of law;
- necessary for archiving purposes in the public interest.
Retention & Destruction policy
4.10 ARB shall maintain a Retention & Destruction policy, detailing standard periods for holding different types of information to meet the operational and statutory obligations of the organisation and to comply with legal and other requirements.
4.11 To meet the requirements of GDPR Article 5, the data must be held no longer than is necessary. Deeming how long it will be necessary to retain information will depend on a number of factors, including
- statutory requirements and limitation periods;
- known industry best-practice and regulatory requirements;
- the operational needs of ARB;
- the difficulty of ensuring that the information remains accurate;
- the costs, risks and liabilities of data retention
4.12 Where personal data is destroyed or deleted, it must be done securely, and in a way that ensures it is put ‘beyond use’ (see para 5.10).
Privacy Notices
4.13 ARB shall have in place a Privacy Notice, available at all appropriate occasions where data is being collected.
4.14 The Privacy Notice shall explain what data is being collected and for what purpose, and detail the data subject’s rights under GDPR.
Data Security
5.1 The Sixth principle of the data protection principles requires Data Controllers and Data Processors to processed data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
5.2 ARB shall ensure that all of its security measures are sufficiently robust and state of the art and that they are appropriate to protect the risks of the processing activity. Those risks will vary in relation to the different types of data being processed.
5.3 Those security measures shall be reviewed periodically to ensure they remain effective and commensurate with the risks of processing.
5.4 The greatest risk to data security at ARB comes not from technological factors, but from human error. All staff must receive training appropriate to their role in handling data on the requirements of data protection legislation, the importance of data security, and the risks involved in their own data processing.
5.5 Particular care must be taken if staff members are take personal data outside of ARB’s premises. Personal data shall not be taken out of the ARB office without informing the DPO.
5.6 Portable equipment (including but not limited to laptop computers and removable media such as USB drives and SD cards) shall not be used to store personal data for which ARB is responsible.
5.7 Where work is undertaken on laptops, personal data shall only be accessed via a remote, password-protected log-in to ARB servers.
5.8 Any transfers of data must only be made after seeking advice from the DPO and the IT Administrator as appropriate.
5.9 ARB shall have in place a Clear Desk Policy, which will reduce the risk of personal data being improperly disclosed or disposed of.
5.10 Where data is deleted it must be done so securely and in a way that puts the information ‘out of use’. In respect of online data, this means that it must be deleted from backups, recycle folders and from any computer history from where it may be restored. In respect of physical documents, this means it must be shredded or removed by an appropriately licensed or certified document destruction service.
Sharing of data
6.1 ARB will regularly outsource a variety of its functions to third-parties, and this will include the need to transfer personal data outside of the organisation.
6.2 Where ARB uses a third-party to process its data it shall have a written contract in place to evidence and govern the working relationship. The contract shall contain the following provisions:
6.2.1 the subject matter and duration of processing;
6.2.2 the nature and purpose of processing;
6.2.3 the type of personal data and categories of data subject;
6.2.4 the obligations and rights of ARB;
6.2.5 the obligations of the processor, including:
- Only to act on written instructions of ARB;
- A duty of confidence;
- Not to share the information without written consent of ARB;
- Appropriate measures to ensure the security of the data;
- To assist ARB in dealing with requests for information;
- To delete or return personal data at the end of the contract
- To assist ARB in complying with GDPR
6.3 ARB shall not transfer any data outside of the EU without first taking specialist advice on the procedures for doing so.
Data Requests
Subject Access Requests
7.1 Under Article 15 GDPR all individuals have a right to know whether ARB holds any of their personal data, and access to that personal data. Requests for access to that personal data are known as Subject Access Requests (SARs).
7.2 SARs can be recognised as requests from an individual about information held about them. The requests will pertain to information held both by ARB as Data Controller, and by any Data Processors ARB has shared their personal data with.
7.3 All SARs shall be passed to the DPO without delay.
7.4 SARs are generally free of charge, though a reasonable fee can be charged if the request is manifestly unfounded or excessive.
7.5 ARB shall respond to the request for information within one calendar month, and in conjunction with ARB’s procedure for dealing with requests for information and the ICO’s Subject Access Code of Practice
Freedom of Information Act (FOIA) Requests
7.6 FOIA gives a general right of access to all types of recorded information held by public authorities, sets out exemptions from that right, and places a number of obligations on those authorities. Subject to any exemptions, anyone who makes a request to ARB for information must be informed whether ARB holds that information. If it does, that information must be supplied, subject to certain conditions.
7.7 ARB is required to adopt and maintain a publication scheme, setting out how it will publish the different classes of information it holds. ARB’s publication scheme is posted on the website.
7.8 General ‘course of business’ requests for information do not need to be considered under FOIA, where the information can be supplied. For example, where the information is already publicly accessible, the requestor can be directed to that information.
7.9 Where the information requested is not publicly available, then the request shall be passed to the DPO, who will provide a response in line with ARB’s procedure for dealing with requests for information and the ICO’s FOI requests Code of Practice
Data Breaches
8.1 Article 4(1) of GDPR defines a data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
8.2 Anyone aware of a Data Breach shall immediately inform the DPO of the circumstances surrounding the breach. In the event that the DPO is not immediately available, the breach should be reported a member of the SLG.
8.3 Upon notification of the breach the DPO shall take appropriate steps to assess the extent and details of the breach, to mitigate any loss or damage, and to contain any further breaches.
8.4 DPO shall assess the risk to people’s rights and freedoms, and if appropriate report this breach to the ICO within 72 hours of it being detected. That report shall include
i) the nature of the personal data breach;
ii) the extent of the breach and the number of data subjects likely to be affected;
iii) the contact details of the DPO;
iv) the likely consequences of the breach;
v) the measures taken to address and mitigate the possible adverse effect of the breach.
8.5 The DPO shall also complete the data breach register, which will contain the same information as in 8.4, even if the breach is not reported to the ICO.
Data Protection Impact Assessments (DPIA)
9.1 A DPIA is a process to help ARB identify and minimise any data protection risks on a project.
9.2 A DPIA must be carried out where the processing is likely to result in a high risk to individuals’ interests. ARB shall, for example, carry out a DPIA if we plan to:
- Use extensive profiling to make automated decisions;
- Process data without a privacy notice;
- Change processing of sensitive or special category data;
- Adopt an innovative technological solution;
- Process personal data which could result in physical harm in the event of a data breach;
- Process personal data in a way which will track individuals’ online or offline location.
9.3 ARB shall always consider carrying out a DPIA when there is any significant change to the nature, scope, context or purpose of data processing planned. Where no DPIA is carried out, the reasons shall be documented.
9.4 A DPIA will include:
i) a description of the data processing;
ii) a check that the processing is proportionate and minimum as required;
iii) that we have consulted with Data Processors and any affected stakeholders (as appropriate)
iv) that we have in place measures to mitigate risk;
v) identification of any additional contractual agreements required with Data Processors;
vi) what steps can be taken to measure ongoing compliance;
vii) evidence that advice has been sought from the DPO.
9.5 All competed DPIAs will be provided to the DPO and added to the Register of DPIAs.
Glossary of Terms
“ARB” – Architects Registration Board
“Data Breach” – the intentional or unintentional release of secure or private/confidential information to an untrusted environment
“Data Controller” – any person or entity which determines the purposes and manner in which any personal data is processed
“Data Processor” – any person who processes data on behalf of the data controller
“Data Protection Impact Assessment” – an assessment to identify and minimise data protection risks where processing is likely to result in high risk to individuals’ interests
“DPO” – The Data Protection Officer appointed under GDPR to monitor internal compliance with data protection obligations, and act as a contact point for data subjects and the supervisory authority
“Data Subject” – the individual who is the subject of personal data
“GDPR” – General Data Protection Regulation
“FOIA” – Freedom of Information Act 2000
“ICO” – Information Commissioner’s Office
“SLG” – ARB’s Senior Leadership Group
“Personal Data” – Any information relating to an identified or identifiable person
“Service Provider” – any person or company employed by ARB to carry out a function on its behalf
[1] Only conditions relevant to ARB are included