Data Protection Policy

Date Created: 05/01/21
Date of Review: 23/06/23
Version: 1.4
Review Due: 23/06/24

1. General

This policy provides a framework for ensuring that ShinyMind meets its obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 18).

ShinyMind complies with data protection legislation guided by the six data protection principles. In summary, they require that personal data is: 

1.1. processed fairly, lawfully and in a transparent manner;
1.2. used only for limited, specified purposes and not used or disclosed in any way incompatible with those purposes;
1.3. adequate, relevant, and limited to what is necessary;
1.4. accurate and, where necessary, kept up to date;
1.5. not kept for longer than necessary; and
1.6. kept safe and secure.

In addition, the accountability principle requires us to be able to evidence our compliance with the above six principles and to make sure that we do not put individuals at risk through the processing of their personal data. Failure to do so can result in a breach of the legislation, reputational damage, or financial consequences in the form of fines.

2. Scope

2.1. This policy applies to all the processing of personal data carried out by ShinyMind including processing carried out by joint controllers, contractors, and processors. 
2.2. To meet our obligations, we put in place appropriate and effective measures to make sure we comply with data protection law. 
2.3. Our staff have access to a number of policies, operational procedures and guidance to give them appropriate direction on the application of the data protection legislation.

3. Information covered by Data Protection Legislation 

3.1. The UK GDPR definition of “personal data” includes any information relating to an identified or identifiable natural living person. 
3.2. Pseudonymised personal data is covered by the legislation; however, anonymised data is not regulated by the UK GDPR or DPA 18, provided the anonymisation has not been carried out in a reversible way. 
3.3. A higher level of security should be provided for ‘special category personal data’, such as data relating to ethnic or racial origin, religious beliefs, physical or mental health, sexual life, political opinions, trade union membership, or the commission or alleged commission of criminal offences.

4. Our Commitment

4.1. ShinyMind is committed to the transparent, lawful, fair and proportionate processing of personal data. This includes all personal data we process about customers, staff, or those who work or interact with us. 
4.2. We publish a privacy notice on our website and app and provide timely notices where this is required. We track and make available any changes in our privacy notice. We also publish a staff privacy notice and keep it up to date. 

5. Our responsibilities

5.1. We require all staff to undertake mandatory training on information governance and security which they re-take every year. In addition, all staff are required to attend a more detailed data protection training module as part of their induction. 
5.2. We assess personal data breach incidents and have a reporting mechanism that is communicated to all staff. We assess whether we need to report breaches to the ICO, the regulator under the DPA. We take appropriate action to make data subjects aware where this is needed. 
5.3. The DPO is responsible for handling subject access requests and other information rights requests. 
5.4. We have a procedure for assessing processing of personal data that is perceived to be high risk and therefore requires a Data Protection Impact Assessment (DPIA), and processes to help staff ensure that compliance and privacy by design are an integral part of any product, project or service we offer. 
5.5. We keep records of our processing activities (ROPA). 
5.6. We produce policies and guidance on information management and compliance that we communicate to staff and contractors including:

  • IT Security Policy 
  • Privacy Policy

6. Monitoring 

Compliance with this policy will be monitored by the DPO.

7. Glossary 

Personal data: any information relating to an identifiable living individual who can be identified from that data or from that data and other data. This includes not just being identified by name but also by any other identifier such as ID number, location data or online identifier, or being singled out by any factors specific to the physical, physiological, genetic, mental, cultural or social identity of the individual. 

Processing: anything that is done with personal data, including collection, storage, use, disclosure, and deletion. 

Special category personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation. 

Controller: the organisation (or individual) which, either alone or jointly with another organisation (or individual), decides why and how to process personal data. The Controller is responsible for compliance with the DPA and GDPR. 

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed. 

Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.