Data Protection &
Confidentiality Policy

Last Updated April 2024
Next Review April 2026
Oxyplus | Info@oxyplus.co,uk

 

1. INTRODUCTION…………………………………………………………………………………………… 3
2. AIMS AND OBJECTIVES…………………………………………………………………………………. 3
3. DEFINITIONS ………………………………………………………………………………………………. 3
4. POLICY STATEMENT …………………………………………………………………………………….. 5
5. SCOPE OF THE POLICY ………………………………………………………………………………….. 7
6. OPERATIONAL PRACTICE …………………………………………………………………………….. 7
7. TRANSFER OF DATA TO A THIRD PARTY………………………………………………. 8
8. RIGHTS OF ACCESS BY INDIVIDUALS …………………………………… 10
9. ROLES AND RESPONSIBILITY………………………………………………………………………… 10
10. SENDING PERSONAL SENSITIVE INFORMATION EXTERNALLY ……….. 12
11. BREACH OF POLICY …………………………………………………………….. 15
12. DEALING WITH A DATA BREACH………………………………………………… 15
13. STAFF TRAINING ………………………………………………………………. 15
APPENDIX I – THE CONDITIONS OF PROCESSING…………………………. 16
APPENDIX II – DATA ACCESS REQUEST ………………………… 21
APPENDIX III – SUBJECT ACCESS REQUEST FURTHER INFORMATION …….. 21

 

Data Protection and Confidentiality Policy

1. Introduction


1.1. OXYplus regards the lawful and correct processing of personal and special
category data (sensitive personal data) as an integral part of its functions and vital for
maintaining confidence between Members, staff and other stakeholders whom we process
personal information/data about and ourselves.
1.2. The EU General Data Protection Regulation (referred to in the rest of this policy as
“GDPR”), gives every living person (or their authorised representative) the right to apply for
access to the personal data which organisations hold about them irrespective of when and
how they were compiled, i.e. electronic and manual records held in a structured file, subject
to certain exemptions. This is called a Data Subject Access Request (see section 8 of this
policy).


2. Aims and Objectives


2.1. This Data Protection Policy explains how OXYplus will meet its legal
obligations concerning confidentiality and information security standards. The requirements
within the policy are primarily based upon the GDPR which is the key piece of legislation
covering information security and confidentiality of personal information. The objectives of
this policy are to: –
• Establish a clear and agreed understanding of what confidentiality means within
OXYplus
• Set out the way in which personal information/data should be protected and
transferred within OXYplus
• Clearly state OXYplus ‘s legal obligations to comply with the GDPR
• Encourage uniformity in practice and ensure that staff, Members and other
stakeholders know what they can expect from OXYplus.


3. Definitions


3.1. Personal information/data relates to a living individual who can be identified from the
information (or from that information and any other information in the possession of OXYplus). This includes:
• Factual information;
• Expressions of opinion about the individual;
• Indication of the intentions of the Data Controller (OXYplus);
• Any other person in relation to the individual concerned;
• Any data where an individual can’t be identified but may come across something later
than allows you to identify.

3.2. Sensitive personal information/data attracts additional protection and is considered by the
Information Commissioner’s Office (ICO) to be any data that could identify a person.
Example of this would include personal data consisting of information such as:
• The racial or ethnic origin of the data subject;
• Political opinions;
• Religious beliefs or other beliefs of a similar nature;
• Membership of a trade union;
• Physical or mental health or condition;
• Sexual life;
• Details of bank account, national insurance number, any ID details such as passport or
driving licence, etc.
Data relating to criminal offences and convictions are addressed separately (as criminal law
lies outside the EU’s legislative competence).
3.3. Personal data must be processed lawfully, fairly and in a transparent manner in relation
to individuals;
The GDPR also requires you to have a “condition” (legal basis) for processing the
personal data:
a) At least one of the conditions in article 6 of the GDPR is met, and
b) In the case of sensitive personal data, at least one of the conditions in article 9 of the
GDPR is also met. (See Appendix I for further detailed information)
For the purpose of clarity, the term “personal data” used throughout this document refers to
personal information/data or sensitive personal information/data as appropriate.
3.4. A record can be in computerised and/or manual form. It may include such documentation
as:
• Hand written notes;
• Letters to and from OXYplus:;
• Electronic records;
• Printouts;
• Photographs;
• Videos and tape recordings.

All data relating to an individual may need to be made available in response to a Subject
Access Request (see section 8 below). Backup data also falls under the GDPR; however, a
search within them should only be conducted if specifically asked for by the data subject.
3.5. Data Subject – means an individual who is the subject of personal data.
3.6. Data Controller – means a person who (either alone or jointly or in common with other
persons) determines the purposes for which and the manner in which any personal data are,
or are to be processed.

3.7. Data Processor – in relation to personal data, means any person who processes that data
on behalf of the data controller other than an employee of the data controller.
3.8. Third Party – in relation to personal data, means any person other than the data subject,
the data controller, or any data processor or other person authorised to process data for data
controller or processor.
3.9. Processing – means recording or holding information or data or carrying out any
operations on that information or data; including organising, altering or adapting it;
disclosing the information or aligning, combining, blocking or erasing it.

 

4. Policy Statement


4.1. The main focus of this policy is to provide guidance about the protection, sharing and
disclosure of Member and staff information, but it is important to stress that maintaining
confidentiality and adhering to data protection legislation applies to all staff and functions
within OXYplus.
4.2. The GDPR requires organisations to register with the Information Commissioner the
categories information they hold about people, and what they do with it.
4.3. The six Data Protection principles that lie at the heart of the GDPR (article 5) and give
the GDPR its strength and purpose. To this end, OXYplus fully endorses and
abides by the principles of data protection. Specifically, the six principles require that
personal data shall be:
1. processed lawfully, fairly and in a transparent manner in relation to individuals;
2. collected for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes; further processing for archiving
purposes in the public interest, scientific or historical research purposes or statistical
purposes shall not be considered to be incompatible with the initial purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for
which they are processed;
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to
ensure that personal data that are inaccurate, having regard to the purposes for which
they are processed, are erased or rectified without delay;
5. kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed; personal data
may be stored for longer periods insofar as the personal data will be processed solely
for archiving purposes in the public interest, scientific or historical research purposes
or statistical purposes subject to implementation of the appropriate technical and
organisational measures required by the GDPR in order to safeguard the rights and
freedoms of individuals;
6. processed in a manner that ensures appropriate security of the personal data, including
protection against unauthorized or unlawful processing and against accidental loss,
destruction or damage, using appropriate technical or organisational measures.
4.4. The controller shall be responsible for, and be able to demonstrate compliance with these
principles (‘accountability’). Personal data is defined in section 3 of this policy.

4.5. Compliance with these principles is the very essence of both compliance with the law
and of good practice. The Information Commissioner’s Office (ICO) has powers to interpret
the principles and, subject to the interpretation provisions of the GDPR, the Information
Tribunal and the courts, to give advice about how to comply with the law, and enforce its
provisions where this is necessary to achieve compliance. Understanding and complying with
the principles is the key to understanding and complying with our responsibilities as a data
controller.
4.6. Therefore, OXYplus will, through appropriate management, and strict
application of criteria and controls:
4.6.1. Ensure that there is a lawful ground for using the personal data;
4.6.2. Ensure that the use of the data is fair and that will meet one of the specified conditions.
(See Appendix I)
4.6.3. Only use OXYplus
to use it. (See Section 3 – Paragraph 3.2)
4.6.4. Only use sensitive personal data where OXYplus has obtained the
individual’s express consent, unless an exception applies.
4.6.5. Explain to individuals, at the time their personal data is collected, how that information
will be used.
4.6.6. Only obtain and use personal data for those purposes which are known to the
individual.
4.6.7. Personal data should only be used for the purpose it was given. If we need to use the
data for other purposes, further consent may be needed.
4.6.8. Only keep personal data that is really relevant to OXYplus.
4.6.9. Where required keep personal data accurate and up to date.
4.6.10. Only keep personal data for as long as is really necessary.
4.6.11. Always adhere to our Subject Access Request Procedure and be receptive to any
queries, requests or complaints made by individuals in connection with their personal data.
4.6.12. Always allow individuals to opt-out of receiving marketing information. OXYplus must always suppress the details of individuals who have opted out of
receiving marketing information.
4.6.13. Will always give an option to “opt out” when consent is needed to share personal data
unless there is a statutory purpose to do so.
4.6.14. Take appropriate technical and organisational security measures to safeguard personal
data.

In addition, OXYplus will ensure that:
4.6.15. There is an employee with specific responsibility for Data Protection in OXYplus (Naomi Johnson is OXYplus Data Protection Officer)
4.6.16. Everyone managing and handling personal data understands that they are
contractually (whether implied or expressly under their terms and conditions of employment)
responsible for following good data protection practice;
4.6.17. Everyone managing and handling personal data is appropriately trained to do so; and
appropriate advice is available. Training and refresher training is a mandatory requirement
for all staff every two years.
4.6.18. everyone managing and handling personal data is appropriately supervised;
4.6.19. Enquiries about handling personal data are promptly and courteously dealt with;
4.6.20. Methods of handling personal data are clearly described (See section 6 – Operational
Practice);
4.6.21. An annual internal audit is to be made of the way personal data is managed by the
Data Owners listed in section 9.3;
4.6.22. Methods of handling personal data are regularly assessed and evaluated;
4.6.23. Performance with handling personal data is regularly assessed and evaluated.


5. Scope of the Policy


The scope of this policy extends to:
• Member records
• Human Resources records
• Financial records

6. Operational Practice


6.1. Each employee at OXYplus should:
6.1.1. Stop and consider whether they should be accessing or disclosing personal data before
they do so.
6.1.2. Make sure that they have verified that the person they are passing data on to is who
they say they are and that they are authorised to receive it.
6.1.3. Not discuss information about colleagues, Members and other stakeholders with
unauthorised colleagues, family or friends, or Members.

6.1.4. Not access OXYplus business records containing personal data other than
for a specific business purpose. This may also be an offence under GDPR and the College
may be prosecuted by ICO.
6.1.5. Avoid providing any specific detail about individuals that might lead to their
identification when using information for reports or monitoring purposes unless they have
given written permission for it to be used.
6.1.6. Not express unsubstantiated personal opinions in file notes, e-mails or other means of
communication; Individuals may have a right to see the information and may exercise that
right.
6.1.7. Give careful consideration to the use of e-mail distribution lists and use the blind
carbon copy (BCC) option especially when sending out e-mails to large numbers of
recipients.
6.1.8. Always remember to consult their manager, and if necessary the Data Protection
Officer for their input before starting any projects involving the processing of personal data.
6.1.9. Always consider data security and the risks associated with losing personal data, before
downloading/printing any personal data.
6.1.10. Never share their computer password or write it down. Doing so could result in the
unauthorised accessing of personal data and, therefore, a serious security breach.
6.1.11. Always secure their screen when leaving their computer by pressing the Windows key
and ‘L’ simultaneously – even if it’s only for a few minutes – and remember to log off at the
end of the day.
6.1.12. Take care not to leave documents containing personal data on the printer, photocopier
or scanner. Please note fax machines should not be used to transmit personal data as the ICO
consider it out-dated and insecure.
6.1.13. Make sure that personal data cannot be seen or accessed by unauthorised individuals
either in or out of the office and store it securely in a lockable cabinet. If sensitive data is
taken out of a building, it needs to be in a locked bag. When travelling by car papers must
always be transported in the boot of the car. Papers must not be left in the car overnight;
when at home in locked bag or secured cabinet.
6.1.16. Remember to dispose of confidential waste and paper copies containing personal data
in special bins or by shredding.
6.1.17. Ensure personal data extracted for OXYplus use is stored on encrypted
memory sticks or other suitable encrypted storage. Refer to the IT Department if encryption
is required. Data uploaded to any third-party web-storage must be treated with the same level
of security and permission must be sought in advance of any upload – see 6.1.17 below.
6.1.18. Staff may extract data only with approval from your head of department and the
control of the data whilst extracted is the joint responsibility of the “data extractor” and their
manager.

6.1.19. Data Breach – (See paragraph 6.1.12)

 

7. Transfer of Data to a Third Party


7.1. Before personal data is transferred, a Data Processing or Data Sharing Agreement should
be in place between OXYplus and the third party.
A Data Sharing Agreement is required when:
Whenever a controller shares data with another organisation/s.
By ‘data sharing’ we mean the disclosure of data from OXYplus to a third-party
organisation or organisations. Data sharing can take the form of:
• a reciprocal exchange of data;
• one or more organisations providing data to a third party or parties;
• several organisations pooling information and making it available to each other;
• several organisations pooling information and making it available to a third party or
parties;
• exceptional, one-off disclosures of data in unexpected or emergency situations; or
A Data Processing contract is required when:
Whenever a controller uses a processor (a third party who processes personal data on behalf
of the controller).
Either agreement should clearly state the Third Party’s obligation to treat the data in
accordance with the provisions of the contract, the reasons for the transfer, the time period,
what it is required for, how it will be processed and what actions will be taken to delete data
when no longer needed. OXYplus Data Sharing and Data Processing Templates
are available on Knowledge Manager.
7.2. Data sharing and data processing agreements are managed within Directorates and staff
should ensure that they have checked that the appropriate agreement is in place before
organising a transfer of personal data. If you are in doubt which document should be used,
please consult the Data Protection Officer.
7.3. Note that data sharing and data processing agreements are only valid for the data transfer
within the EEA and anything else is not permissible (unless special arrangements are made).
Where data is to be transferred outside of the EEA then EU Model Contract Clauses must be
in place.
7.4. Once an agreement is in place, data that is to be transferred through email, upload sites,
USB sticks, CD-ROMs or similar formats should be secured. Only encrypted USB sticks
should be used. All data files should also be password protected and preferably zipped and
encrypted. Where relevant, no such device should be sent through the open post – a secure
courier service must always be used. The recipient should be clearly stated (See section 10).

7.5. If data is sent via a courier the intended recipient must be advised when to expect the
data. The recipient must confirm safe receipt as soon as the data arrives. The sender is
responsible for ensuring that the confirmation is received, and liaising with the courier
service if there is any delay in the receipt of the data.
7.6. Data must not be transferred outside of the company network other than to an authorised
recipient, such as a partner or contractor. If sent via the internet, all personally identifiable
data must be either password protected and/or encrypted. The company currently
recommends the use of password protected MS Office documents as our preferred encryption
method. Please seek help from the IT Department if you need to install and use this.
7.7. The transfer of data to an employee’s personal cloud account, memory stick, email
account or similar will be viewed as a serious breach of the GDPR and company policy. This
may result in disciplinary action and/or enforcement action by the Information
Commissioner’s Office.


8. Rights of Access by Individuals


8.1. Under the GDPR, any living person, who is the subject of personal data held and
processed by OXYplus, has a right to apply for access to that information. This is
known as a subject access request.
8.2. An individual does not have the right to access information recorded about someone else,
unless they are an authorised representative.
8.3. It is important that the Data Processor ensures that third party information is removed
from the record prior to release to the applicant unless the third party has given their consent
to the release of the information.
8.4. What is a subject access request?
8.4.1. The GDPR ensures transparency of processing personal data by obliging data
controllers to explain to individuals how their data will be used, and by providing the right of
data subjects to access that information.
8.4.2. A data subject may make a formal request to any organisation to have a copy of all data
in which that person may be identified. There is a need for transparency of processing to
ensure that individuals can identify those organisations which have access to and process
their data. This enables them to understand how their personal information is to be used and
to exercise their rights over the processing of that information.
8.4.3. The importance of the right of subject access in Data Protection law cannot be
overestimated; it is often only by exercising the right to see their information that individuals
can determine whether other breaches of legislation have occurred. Data subjects are often
interested in documentation which may be about them, but they have not seen.
8.4.4. Because of the importance of the subject access rights, complaints about an
organisation’s failure to comply with a request for subject access are taken very seriously by
the Information Commissioner. Such complaints are dealt with as a matter of priority and
may often lead to a full-scale investigation into an organisation’s procedures and practices.

8.5 Finding and checking the requested information: If a member of staff receives a subject
access request for information it is important that they do not respond to the query direct, but
instead liaise immediately, with the Data Protection Officer who will manage the agreed
process within the thirty-day window.

 

9. Roles and Responsibility


OXYplus has a duty to ensure that the requirements of the GDPR are upheld.
9.1. Data Protection Officer
The Head of Governance has been appointed to the post of Data Protection Officer.
Responsibilities include:
• Ensuring compliance with legislation principles;
• Progressing the Data Protection Action Plan;
• Ensuring notification of processing of personal data to the information commissioner
is up to date;
• Providing guidance and advice to staff in relation to compliance with legislative
requirements;
• Reporting on any breaches of Data Protection legislation.
In the Data Protection Officer’s absence advice can be gained from http://www.ico.gov.uk/
9.2. Data Owners
Managers are responsible for information held manually and electronically within their
departmental functions and for development of procedures in relation to same. As Data
Owners their responsibilities within parameters of this guidance include:
• Department Heads should be aware of their responsibilities to their staff and other
individuals by becoming familiar with the Data Protection Policy.
• Informing the Data Protection Officer of any changes in the processing of personal
data;
• Identifying and justifying how sets of data are used;
• Identifying all personal data for which they are responsible and;
• Agreeing who can have access to the data.
9.3. Human Resources
9.3.1. Human Resources is responsible for ensuring staff are aware of their obligations by
producing relevant policies and providing training for existing staff.
9.3.2. All staff handling personal information about Members, staff, or individuals from other
organisations are required to complete the online data protection training and read the policy,
raising any questions and understanding them.

9.3.3. Newly recruited staff are required to read Data Protection and confidentiality Policy
provided in the Induction Pack and to complete the online data protection training within the
first month of joining the company.
9.4. All Staff, Volunteers and Contractors
9.4.1. Maintaining confidentiality and adhering to data protection legislation applies to all
staff and directorates, including Volunteers, within OXYplus. OXYplus will take all necessary steps to ensure that everyone managing and processing
personal data understands that they are contractually responsible for following good data
protection practice and where appropriate, bound by a common law duty of confidence.
9.4.2. These responsibilities and common law duties apply equally to all transient staff
including all volunteers (i.e. Representatives, Committee Members, Project Members,
Stewards, any person engaging in a voluntary activity for OXYplus), temporary
staff, workers/consultants engaged to carry out work on behalf of OXYplus, work
experience Members/graduates. Further responsibilities include:
• Observing all guidance and codes of conduct in relation to obtaining, using and
disclosing personal data;
• Obtaining and processing personal information only for specified purposes;
• Only accessing personal information that is specifically required to carry out their
work;
• Recording information correctly in both manual and electronic records;
• Ensuring any personal information held is kept secure;
• Ensuring that personal data is not disclosed in any form to any unauthorised third
party
• Ensuring sensitive personal information is sent securely. (See Section 10)
9.4.3. Failure to adhere to any guidance in this policy could result in staff individually being
criminally liable for deliberate unlawful disclosure under the GDPR. This may result in
criminal prosecution and/or disciplinary action (including the potential of gross-misconduct
dismissal).
9.5. The Information Commissioner Office (ICO)
The Information Commissioner’s Office is responsible for overseeing compliance e.g.
investigating complaints, issuing codes of practice and guidance, maintaining a register of
data protection officers. Any failure to comply with GDPR may lead to investigation by the
ICO which could result in serious financial or other consequences for the company.

 

10. Sending Personal Sensitive information externally


10.1. Member Data
10.1.1. Through its Member management systems, OXYplus processes personal
information daily to assist its Members and provide services.

10.1.2. The GDPR requires that all organisations have appropriate security in place to protect
personal information against unlawful or unauthorised use or disclosure, and accidental loss,
destruction or damage.
10.1.3. The following guidance set out how personal or sensitive information should be
processed to ensure data is properly secured. This includes the transferring, storage and
disposal of information and information held on our behalf by contractors.
10.1.4. If you have personal information that is currently stored or transferred insecurely, you
must secure it immediately.
10.2. Confidentiality
10.2.1. All staff have a duty to ensure that information about Members, staff and sensitive
non-personal information is handled appropriately. Sensitive information should only be
made available to people authorised to view it.
10.2.2. The following principles should be followed wherever you communicate sensitive
personal information:
• Justify the purpose for sharing the information
• Do not use information that personally identifies individuals unless necessary.
• Information should be disclosed on a “need to know‟ basis
• If unsure then seek guidance on appropriate action from the Data Protection Officer.
10.3. Face to face
Personal information should not be shared in front of others. Staff should ensure that they are
not disclosing or requesting the disclosure of sensitive information about themselves in front
of others, e.g. in reception areas or in a format, that could be viewed by others.
10.4. Telephone
Personal information should only be disclosed over the telephone to a third-party where the
following procedure has been adhered to:
10.4.1. The identity of the other party has been confirmed by verification. The type of
verification will differ by service and the sensitivity of the information being disclosed. For
queries by Members we require their name, address, zip code and Member number. For third
parties we require consent from the Member before releasing / confirming that they are a
Member of the company.
10.4.2. The reason for requesting the information has been established and is appropriate.
10.4.3. Where appropriate, contact details have been requested and their identity checked by
calling the person back via the main switchboard of the organisation that they represent and
asking for the person by name.
10.4.4. Provide personal information only to the person who requested it.

10.4.5. Do not leave any confidential information on voicemail or answering machines as it
may be accessible by others. Please remember that by confirming an individual is a Member
of OXYplus you are releasing personal information as defined by the GDPR.
10.4.6. When in conversation take precautions to ensure that information is not shared
inappropriately with others, e.g. when using mobile phones, travelling on trains, etc.
10.4.7. Sensitive personal information should not be sent via text messaging as it may be
accessible by others.
10.5. Email
Email services should be used as follows:
10.5.1. Sensitive information relating to a single individual can be sent via email attachment
to the subject of the information if they have requested it to be sent by email or with their
agreement and it is encrypted. The exception for this is when the recipient has stated that they
want to receive the information without encryption. A record must be kept of this.
Documents containing sensitive personal information cannot be sent to third parties without
encryption and should not be contained within the body of an email but attached as an
encrypted document.
10.5.2. Care should be taken when addressing email messages to ensure a correct, current
address is used and the email is only copied to those with a legitimate interest.
10.5.3. If information is transmitted and not received by the intended recipient, check that
contact details and email address are correct for the receiving party before re-sending.
10.5.4. Consider the impact on individuals of the data being lost or misdirected. Where
information is provided in bulk or where the information is of a sensitive nature make an
assessment on the protection to be applied. If in doubt, send information in an encrypted
attachment to the email.
10.5.5. Avoid putting sensitive personal information about more than one person in an email
as this will lead to difficulties in maintaining accurate and relevant individual client or staff
records.
10.5.6. When transferring data be aware of who has permission to view your emails or who
might be able to view your recipient’s inbox.
10.5.7. Where email and personal data are stored or accessed on any mobile device, such
device must be protected with a password/PIN/finger print or other secure login means.


11. Breach of Policy


In the event that an employee fails to comply with this policy, the matter may be considered
as misconduct and dealt with in accordance with the OXYplus’s Disciplinary
Policy and procedure.

 

12. Dealing with a Data Breach


12.1. If a data breach is suspected staff should immediately
• Notify their manager
• Notify the Data Protection Officer by filling in part one of the ‘Information Security
Incident or Breach Reporting Form which can be found on the Knowledge Manager
under “Data Protection”
12.2. Following notification, OXYplus will take the following actions urgently: –
• Implement a recovery plan, including damage limitation;
• Assess the risks associated with the breach;
• Inform the appropriate people and organisations that the breach has occurred;
• Where required report the breach to the ICO;
• Review our response and update our information security


13. Staff Training


All OXYplus staff are required to complete e-learning GDPR Data Protection
training modules every two years. Please contact your Data Protection Officer if you wish to
refresh your training.
New starters will be provided access to the e-learning GDPR training modules by the
Facilities Directorate when they start and requested to complete this within the first two
weeks of their role.

 

Appendix I The Conditions of Processing


This section explains the conditions that need to be satisfied before you may process personal
data. In brief – what does the GDPR say about the “conditions for processing”?
The first data protection principle requires, among other things, that OXYplus
must be able to satisfy one or more “conditions for processing” in relation to its processing of
personal data. Many (but not all) of these conditions relate to the purpose or purposes for
which it intends to use the information.
The conditions for processing take account of the nature of the personal data in question. The
conditions that need to be met are more exacting when the information being processed is
sensitive personal data, such as information about an individual’s health or trade union
membership.
However, the ICO view is that in determining if there is a legitimate purpose for processing
personal data, the best approach is to focus on whether what the organisation intend to do is
fair. If it is, then it is likely to be possible to identify a condition for processing that fits that
purpose.
Being able to satisfy a condition for processing will not on its own guarantee that the
processing is fair and lawful – fairness and legality must still be looked at separately. So it
makes sense to ensure that what the organisation wants to do with personal data is fair and
lawful before worrying about the conditions for processing set out in the Act.
In more detail…What are the conditions for processing?
The conditions for processing are set out in Article 6 and 9 to the GDPR. Unless a relevant
exemption applies, at least one of the following conditions must be met whenever personal
data is processed:
(a) Consent: the individual has given clear consent for you to process their personal data for a
specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or
because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not
including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or
for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the
legitimate interests of a third party unless there is a good reason to protect the individual’s
personal data which overrides those legitimate interests.

 

What is the “legitimate interests” condition?


The GDPR recognises that organisations may have legitimate reasons for processing personal
data that the other conditions for processing do not specifically deal with. The “legitimate
interests” condition is intended to permit such processing, provided certain requirements are
met.
The first requirement is that OXYplus must need to process the information for
the purposes of its legitimate interests or for those of a third party to whom it discloses it.
The second requirement, once the first has been established, is that these interests must be
balanced against the interests of the individual(s) concerned. The “legitimate interests”
condition will not be met if the processing is unwarranted because of its prejudicial effect on
the rights and freedoms, or legitimate interests, of the individual. The OXYplus’s
legitimate interests do not need to be in harmony with those of the individual for the
condition to be met. However, where there is a serious mismatch between competing
interests, the individual’s legitimate interests will come first.
Finally, the processing of information under the legitimate interest condition must be fair and
lawful and must comply with all the data protection principles.
What conditions need to be met in respect of sensitive personal data?
At least one of the conditions must be met whenever personal data is processed. However, if
the information is sensitive personal data, at least one of several other conditions must also be
met before the processing can comply with the first data protection principle. These other
conditions are as follows:
(a) the data subject has given explicit consent to the processing of those personal data for one
or more specified purposes, except where Union or Member State law provide that the
prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) the processing is necessary for the purposes of carrying out the obligations and exercising
specific rights of the controller or of the data subject in the field of employment and social
security and social protection law in so far as it is authorised by Union or Member State law
or a collective agreement pursuant to Member State law providing for appropriate safeguards
for the fundamental rights and the interests of the data subject;
(c) the processing is necessary to protect the vital interests of the data subject or of another
natural person where the data subject is physically or legally incapable of giving consent;
(d) the processing is carried out in the course of its legitimate activities with appropriate
safeguards by a foundation, association or any other not-for-profit body with a political,
philosophical, religious or trade union aim and on condition that the processing relates solely
to the members or to former members of the body or to persons who have regular contact
with it in connection with its purposes and that the personal data are not disclosed outside
that body without the consent of the data subjects;

(e) the processing relates to personal data which are manifestly made public by the data
subject;
(f) the processing is necessary for the establishment, exercise or defence of legal claims or
whenever courts are acting in their judicial capacity;
(g) the processing is necessary for reasons of substantial public interest, on the basis of Union
or Member State law which shall be proportionate to the aim pursued, respect the essence of
the right to data protection and provide for suitable and specific measures to safeguard the
fundamental rights and the interests of the data subject;
(h) the processing is necessary for the purposes of preventive or occupational medicine, for
the assessment of the working capacity of the employee, medical diagnosis, the provision of
health or social care or treatment or the management of health or social care systems and
services on the basis of Union or Member State law or pursuant to contract with a health
professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) the processing is necessary for reasons of public interest in the area of public health, such
as protecting against serious cross-border threats to health or ensuring high standards of
quality and safety of health care and of medicinal products or medical devices, on the basis of
Union or Member State law which provides for suitable and specific measures to safeguard
the rights and freedoms of the data subject, in particular professional secrecy;
(j) the processing is necessary for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes in accordance with Article 89(1) based on
Union or Member State law which shall be proportionate to the aim pursued, respect the
essence of the right to data protection and provide for suitable and specific measures to
safeguard the fundamental rights and the interests of the data subject.

When is processing “necessary”?


Many of the conditions for processing depend on the processing being “necessary” for the
particular purpose to which the condition relates. This imposes a strict requirement, because
the condition will not be met if the organisation can achieve the purpose by some other
reasonable means or if the processing is necessary only because the organisation has decided
to operate its business in a particular way.


What is meant by “consent”?


One of the conditions for processing is that the individual has consented to their personal data
being collected and used in the manner and for the purposes in question.
The circumstances of each case will need to be examined to decide whether consent has been
given. In some cases, this will be obvious, but in others the particular circumstances will need
to be examined closely to decide whether they amount to an adequate consent.

The GDPR defines an individual’s consent as:
“…any freely given specific and informed indication of his wishes by which the data subject
signifies his agreement to personal data relating to him being processed”.
The fact that an individual must “signify” their agreement means that there must be some
active communication between the parties. An individual may “signify” agreement other than
in writing, but consent should not be inferred if an individual does not respond to a
communication – for example, from a failure to return a form or respond to an electronic read
receipt.
Consent must also be appropriate to the age and capacity of the individual and to the
particular circumstances of the case. For example, if OXYplus intends to
continue to hold or use personal data after the relationship with the individual ends, then the
initial consent to the processing of personal data should cover this.
Even when consent has been given, it will not necessarily last forever. Although in most
cases consent will last for as long as the processing to which it relates continues, the
individual may be able to withdraw consent, depending on the nature of the consent given
and the circumstances in the information is collected or used. Withdrawing consent does not
affect the validity of anything already done on the understanding that consent had been given.
Whether consent has been given is an issue that should be reviewed as the relationship with
an individual develops, or as the individual’s circumstances change.
Consent obtained under duress or on the basis of misleading information does not adequately
satisfy the condition for processing.
The GDPR distinguishes between:
• The nature of the consent required to satisfy the first condition for processing; and
• The nature of the consent required to satisfy the condition for processing sensitive
personal data, which must be “explicit”.
This suggests that the individual’s consent should be absolutely clear. It should cover the
specific processing details; the type of information (or even the specific information); the
purposes of the processing; and any special aspects that may affect the individual, such as
any disclosures that may be made.
For these reasons OXYplus should not rely exclusively on consent to legitimise
its processing. In the Information Commissioner’s Office view it is better to concentrate on
making sure individuals are treated fairly rather than on obtaining consent in isolation.
Consent is the first in the list of conditions for processing set out in the Act, but each
condition provides an equally valid basis for processing personal data.
For further information you can contact the ICO hotline which gives advice to the public and
organisations on data protection/confidentiality or visit the link below:-
http://www.ico.gov.uk/

 

Appendix II Data Access Request Form


Please note that whilst it is not obligatory to complete this form but information contained
within it would help the OXYplus to respond to your request in the most efficient
manner.
Name:
Date of Birth:
Address:
Telephone Number:
By completing this form you are making a request under the General Data Protection
Regulation for information held about you by the that you are eligible to receive.
Required information:

By signing below you indicate that you are the data subject named above. The OXYplus cannot accept requests from anyone else such as family clients regarding your
personal data. We may need to contact you for further identifying information before with
your request. You warrant that you are the data subject and will fully indemnify us for all
losses, cost and expenses if you are not.

Data subject’s signature……………………….. Date…………………….

 

Appendix III Subject Access Requests – Further Information


1.0 What is a valid subject access request?


• It must be in writing. A request sent by e-mail or fax is as valid as one sent in
hard copy. Reasonable adjustments should be made if a disabled person finds it
impossible or unreasonably difficult to make a subject access request in writing.
• It must request access to their personal information (held either manually or
electronically) and not to information relating to other people.
• If a request does not mention the GDPR specifically or even say that it is a
subject access request, it is nevertheless valid and should be treated as such if it is
clear that the individual is asking for their own personal data.
• It may be restricted to only limited information (but need not be).
• It must be made by the data subject (or by a person authorised by the data
subject). OXYplus will take reasonable steps to verify that the person
making the subject access request is the data subject.
• It must be complied with within 30 calendar days from the date of receipt


2. Finding and checking the requested information


If an employee receives a subject access request for information, the request should
immediately be sent to the Data Protection Officer who within thirty days will go through the
following process: –
• Notify each department manager of the request and ask them to search all of the
systems for personal data relating to the individual;
• Collate all information and ensure on the requesters personal data is disclosed
(redacting any third party data);
• Securely send the response to the verified address of the data subject;
• Retain a copy of the disclosed data.


3. Denial of Access


The GDPR includes various exemptions which specify the circumstances in which an
organisation can refuse to provide access to personal data.
Access can be refused if OXYplus has previously complied with an identical or
similar request in relation to the same individual, unless a reasonable interval has elapsed
between compliance with one request and the receipt of another.
OXYplus can also refuse to provide the data if the effort in doing so would be
disproportionate.
There are a number of other instances when OXYplus may refuse access.

3.1 Access to all or part of a record will be denied if one or more of these conditions
exist:-
a) In the opinion of the relevant professional the information to be disclosed would be
likely to cause serious harm to the physical or mental health of the applicant or any
other person.
b) If the information forms part of legal advice given to the client by a solicitor acting
on behalf of OXYplus and is therefore covered by legal professional
privilege.
c) The release of data would jeopardise the prevention or detection of crime, or the
apprehension or prosecution of offenders;
d) The data is contained in a confidential reference provided by OXYplus;
e) The request records OXYplus’s intention in relation to any negotiations
with that person, and the release of the data would prejudice negotiations;
f) The data relates to management forecasting or management planning and its release
would prejudice OXYplus’s business activities;
g) The person has requested access to data which relates to research and the results of
the research have not been published in a manner which identifies individuals
3.2 Notification of any refusal to grant access will be given as soon as possible, in writing.
OXYplus will record the reason for this decision, and will also fully explain the
reason to the applicant unless doing so would itself disclose information which would be
subject to the exemption.
3.3 Even if OXYplus is aware that the applicant has received a copy of the
information from another source, it must provide a copy of the information if held.


4 Exemptions

4.1 OXYplus has to protect the rights and other legal rights of other individuals
when responding to a subject access request. If the release of personal data would reveal
information which relates to and identified another person (third party) for example, where a
relative has provided certain information, this information will be withheld unless consent
from the third-party individual is obtained, and it would not be reasonable in the
circumstances to release the data without their consent.
4.2 If the release of personal data is likely to cause serious harm to the data subject’s physical
or mental health or of any other person it may be withheld.
4.3 There is an exemption in the GDPR that allows personal information to be disclosed for
the purposes of preventing or detecting fraud and for attempting to secure the apprehension
of offenders, but there are limits on what can be released. When a decision is made to release
personal data for this purpose, a detailed record of the reason why should be kept.