Data protection principles are governed by the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR) which came into effect on 25 May 2018.
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles.’ They must make sure the information is:
- Used fairly, lawfully and transparently
- Used for specified, explicit purposes
- Used in a way that is adequate, relevant and limited to only what is necessary
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary
- Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
There is stronger legal protection for more special categories of personal data including:
- Race
- Ethnic background
- Political opinions
- Religious beliefs
- Trade union membership
- Genetics
- Biometrics (where used for identification)
- Health
- Sex life or orientation
LOCSU has written guidance and templates on GDPR for LOCs to help them understand the changes and actions that they need to take.
General Data Protection Regulation (GDPR) guidance Part 1 (Mar 2018)
General Data Protection Regulation (GDPR) guidance Part 2 (Apr 2018)
GDPR Data Audit template (Apr 2018)
Practices should refer to the guidance from the Optical Confederation issued in July 2018:
Changes to Data Protection Law Information and Guidance
Registration with the Information Commissioner’s Office (ICO)
The Information Commissioner’s Office (ICO) is the independent supervisory authority set up to promote and oversee compliance with data protection legislation in the UK. Under the 2018 Regulations, organisations that determine the purpose for which personal data is processed (data controllers) must pay the ICO a data protection fee unless they are exempt.
LOCSU’s guidance is that LOCs should register as Data Controllers with the ICO. This is due to them not being not-for-profit organisation and, as such, not being exempt. In addition, personal data is shared between two data controllers, for instance, with the GOC when running CET courses.
LOCSU recommends that personal email addresses are not used for LOC work and that domain-based emails are obtained eg. chair@countyloc.co.uk. Role based emails are also useful in succession planning as change of email notifications do not need to be distributed. When a committee member steps down, the LOC should ensure that access to any shared LOC records is revoked and members delete any stored LOC contacts and data from their records.
Privacy and Electronic Communications Regulations (PECR)
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications.
There are specific rules on:
- Marketing calls, emails, texts and faxes
- Cookies (and similar technologies)
- Keeping communications services secure
- Customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings
Electronic and Telephone Marketing
PECR restrict unsolicited marketing by phone, fax, email, text, or other electronic message. There are different rules for different types of communication. The rules are generally stricter for marketing to individuals than for marketing to companies.
You will often need specific consent to send unsolicited direct marketing. The best way to obtain valid consent is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from you.
Cookies and Similar Technologies
You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent can be implied but must be knowingly given.
The same rules also apply if you use any other type of technology to store or gain access to information on someone’s device.
A template for Data protection and privacy policy can be found here.