1. Purpose and scope

This policy:

Sets out NEOTECMAN SL’s commitment to the confidentiality of personal information and its responsibilities with regard to the disclosure of such information;

Aims to ensure that all staff, whether directly employed or contracted, are aware of their responsibilities towards the confidentiality of personal information; and

Applies to all NEOTECMAN SL staff including temporary and agency, contractors and volunteers and to personal information recorded in any format, including paper, electronic and any other medium.

2. Responsibilities

All employees, contractors and associates share the responsibility for ensuring that information assets are handled in accordance with this policy.

3. Definitions

Data: Information as defined by data protection law that is:

Processed electronically, i.e. in information systems, databases, microfiche, audio and video systems (CCTV) and telephone logging systems;

Recorded with the intention that it shall be processed by equipment; or

Recorded as part of a relevant filing system, i.e. structured either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information is readily accessible.

Data controller: The individual, company or organisation who determines the purpose and the manner in which personal data may be processed.

Data processor: Any person other than an employee of the data controller who processes data on behalf of the organisation.

Data subject: A living individual who is the subject of the processed personal data.

Disclosure: The divulging or provision of access to data.

Personal confidential data: Personal information about identified or identifiable individuals which should be kept private or secret. ‘Personal’ includes the General Data Protection Regulation (GDPR) definition of personal data, adapted to include deceased as well as living people; ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’, and is adapted to include ‘sensitive’ as defined in data protection law.

Personal information: Information that relates to a living individual who can be identified from that information or from that information and other information which is in the possession of, or likely to come into the possession of the data controller.

Processing: Using information in the following ways:

Obtaining

Recording

Retrieving

Altering

Disclosing

Destroying

Using

Transmitting

Erasing

Special category personal data (formerly known as sensitive personal data): any information about a person relating to their:

Race

Ethnic origin

Politics

Religion

Trade union membership

Genetics

Biometrics (where used for ID purposes)

Health

Sex life

Sexual orientation

Third party: Any person other than:

The data subject;

The data controller; and

Any data processor or other person authorised to process for the data controller.

4. Data protection

The principles of data protection

Data protection law sets out the following principles to support good practice and fairness in processing personal information. These principles stipulate that:

Personal data must be processed lawfully, fairly and transparently;

Personal data can only be collected for specific, explicit and legitimate purposes;

Personal data must be adequate, relevant and limited to what is necessary for processing;

Personal data must be accurate and kept up to date, with every reasonable step taken to erase or rectify inaccurate data without delay;

Personal data must be kept in a form that permits identification of the data subject for no longer than is necessary for processing;

Personal data must be processed in a manner that ensures the appropriate security; and

The controller must be able to demonstrate compliance with the other data protection principles (accountability).

Information security

In order to ensure the confidentiality of personal information, systems and procedures are required to control access to such information. Such controls are essential to ensure that only authorised persons have:

Physical access to computer hardware and equipment;

Access to computer system utilities capable of overriding system and access controls, e.g. administrator rights; and

Access to either electronic or paper records containing confidential information about individuals.

NEOTECMAN SL’s responsibilities for confidentiality and appropriate processing of personal data remain in place even if the processing is being undertaken by a third-party contractor.

Access to personal information

Individuals, or persons acting on their behalf with their consent, have a right of access to data held about them. This includes access to audit trails that indicate who has accessed their personal or confidential data. The subject access procedure is set out in the Subject access request procedure document.

5. Confidentiality

Duty of confidentiality

All staff and contractors must recognise that confidentiality is an obligation. Any breach of confidence, inappropriate use of records or abuse of computer systems may lead to disciplinary procedures and may result in legal proceedings.

Agency/temporary and voluntary staff are also subject to such obligations and must sign a confidentiality agreement as appropriate when working for or on behalf of NEOTECMAN SL.

Staff must satisfy themselves that there is a lawful basis before information is shared. Any queries on the legitimacy of sharing information should be directed to the Information Security Manager.

Any unlawful personal or confidential data sharing undertaken must be reported as an incident and investigated in line with the Security Incident Management Procedure.

Objections to handling confidential data

Any queries or objections on the handling of personal information will be referred immediately to the Information Security Manager. Where NEOTECMAN SL is acting as a data processor under contract, the query will be referred to the data controller.

6. Data protection impact assessments (DPIAs)

New initiatives that involve high-risk processing of personal data will be subject to a DPIA to ensure that the privacy and security of personal confidential data are maintained.

7. Information flow mapping

Flows of personal information into and out of NEOTECMAN SL will be mapped into DPIA reports.

8. Overseas data transfers

Personally identifiable information must not be transferred outside the EEA unless an appropriate assessment of risk has been undertaken and mitigating controls have been put in place.

NEOTECMAN SL should review the flows of personally identifiable information to understand whether information transferred to external organisations flows outside the UK and the EEA.

Decisions on whether to transfer personally identifiable information must only be taken by a senior manager that has been authorised to take that decision.

NEOTECMAN SL must obtain an assurance statement from third parties that process the personal data of its service users or staff overseas. This assurance may be within the contract between the two organisations or within other terms of processing.

9. Implementation

The Information Security Manager is responsible for ensuring that relevant staff within NEOTECMAN SL have read and understood this document.

Signature:

Certified by:

Norma Vela Massons

Practising lawyer, member of ICAG (Il·lustre Col·legi d’Advocats de Girona)

no. 3612

Certified in the official Data Protection Officer training