- Purpose and scope
This policy:
Sets out NEOTECMAN SL’s commitment to the confidentiality of personal information and its responsibilities with regard to the disclosure of such information;
Aims to ensure that all staff, whether directly employed or contracted, are aware of their responsibilities towards the confidentiality of personal information; and
Applies to all NEOTECMAN SL staff, including temporary and agency staff, contractors and volunteers, and to personal information recorded in any format, including paper, electronic and any other medium.
All employees, contractors and associates share the responsibility for ensuring that information assets are handled in accordance with this policy.
Data: Information as defined by data protection law that is:
Processed electronically i.e. information systems, databases, microfiche, audio and video systems (CCTV) and telephone logging systems;
Recorded with the intention that it shall be processed by equipment; or
Recorded as part of a relevant filing system, i.e. structured, either by reference to individuals or by reference to criteria relating to individuals which is readily accessible.
Data controller: The individual, company or organisation who determines the purpose and the manner in which personal data may be processed.
Data processor: Any person other than an employee of the data controller who processes data on behalf of the organisation.
Data subject: A living individual who is the subject of the processed personal data.
Disclosure: The divulging or provision of access to data.
Personal confidential data: Personal information about identified or identifiable individuals, which should be kept private or secret. ‘Personal’ includes the General Data Protection Regulation (GDPR)’s definition of personal data, but is adapted to include dead as well as living people; ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’, and is adapted to include ‘sensitive’ as defined in data protection law.
Personal information: Information that relates to a living individual who can be identified from that information or from that information and other information which is in the possession of, or likely to come into the possession of the data controller.
Processing: Using information in the following ways:
Special category personal data (formerly known as sensitive personal data): Any information about a person relating to their:
Trade union membership
Biometrics (where used for ID purposes)
Third party: Any person other than:
The data subject;
The data controller; and
Any data processor or other person authorised to process for the data controller.
- Data protection
The principles of data protection
Data protection law sets out the following principles to support good practice and fairness in processing personal information. These principles stipulate that:
Personal data must be processed lawfully, fairly and transparently;
Personal data can only be collected for specific, explicit and legitimate purposes;
Personal data must be adequate, relevant and limited to what is necessary for processing;
Personal data must be accurate and kept up to date, with every effort made to erase or rectify inaccurate data without delay;
Personal data must be kept in a form such that the data subject can be identified only for as long as is necessary for processing;
Personal data must be processed in a manner that ensures the appropriate security; and
The controller must be able to demonstrate compliance with the other data protection principles (accountability).
In order to ensure the confidentiality of personal information, systems and procedures are required to control access to such information. Such controls are essential to ensure that only authorised persons have:
Physical access to computer hardware and equipment;
Access to computer system utilities capable of overriding system and access controls, e.g. administrator rights; and
Access to either electronic or paper records containing confidential information about individuals.
NEOTECMAN SL’s responsibilities for confidentiality and appropriate processing of personal data remain in place even if the processing is being undertaken by a third-party contractor.
Access to personal information
Individuals, or persons acting on their behalf with their consent, have a right of access to data held about them. This includes access to audit trails that indicate who has accessed their personal or confidential data. The subject access procedure is set out in the Subject Access Request Procedure document.
Duty of confidentiality
All staff and contractors must recognise that confidentiality is an obligation. Any breach of confidence, inappropriate use of records or abuse of computer systems may lead to disciplinary procedures and may result in legal proceedings.
Agency/temporary and voluntary staff are also subject to such obligations and must sign a confidentiality agreement as appropriate when working for or on behalf of NEOTECMAN SL.
Staff must ensure that there is a lawful basis before information is shared. Any queries on the legitimacy of sharing information should be directed to the Information Security Manager.
Any unlawful personal or confidential data sharing undertaken must be reported as an incident and investigated in line with the Security Incident Management Procedure.
Objections to handling confidential data
Any queries or objections on the handling of personal information will be referred immediately to the Information Security Manager. Where NEOTECMAN SL is acting as a data processor under contract, the query will be referred to the data controller.
- Data protection impact assessments (DPIAs)
New initiatives that involve high-risk processing of personal data will be subject to a DPIA to ensure the privacy and security of personal confidential data is maintained.
- Information flow mapping
Flows of personal information into and out of NEOTECMAN SL will be mapped into DPIA reports.
- Overseas data transfers
Personally identifiable information must not be transferred outside of the EEA unless appropriate assessment of risk has been undertaken and mitigating controls put in place.
NEOTECMAN SL should review the flows of personally identifiable information to understand whether information transferred to external organisations flows outside of the UK and the EEA.
Decisions on whether to transfer personally identifiable information must only be taken by a senior manager who has been authorised to take that decision.
Organisations will need to obtain an assurance statement from third parties that process the personal data of their service users or staff overseas. This assurance may be within the contract between the two organisations or within other terms of processing.
The Information Security Manager is responsible for ensuring that relevant staff within NEOTECMAN SL have read and understood this document.
Norma Vela Massons
Practising lawyer, member of the ICAG (Il·lustre Col·legi d’Advocats de Girona)
Certified in the official Data Protection Officer training