Changes to data protection law
New data protection legislation is coming into force in 2018 which aims to further protect people’s privacy and prevent data breaches. The new law applies to all public bodies, businesses and other organisations that process personal data. The legislation comprises the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, and the new Data Protection Act (DPA) 2018, which is expected to come into force on 6 May 2018. Our company activities can be referred to as ‘Fairfield Farm Trust’, ‘Fairfield Farm College’, ‘FFC’, ‘our’, ‘us’ or ‘we’.
The GDPR builds on existing data protection laws. It gives enhanced protection for personal data and imposes stricter obligations on those who process personal data. The new obligations include:
When an individual’s personal data is collected, they must be given more information about how it will be used through enhanced privacy notices. Individuals also have much stronger rights to have their personal data corrected, erased and/or provided to them.
What is personal data?
Personal data is any information that relates to an identified or identifiable living person (e.g. student, staff member, member of the public, or customer). It generally includes their name, address, phone number, date of birth, place of birth, place of work, dietary preferences, opinions, opinions about them, whether they are members of a trade union, their political beliefs, ethnicity, religion or sexuality (as well as other information about them). Information which indirectly identifies a person will also be personal data. This would be the case where a single piece of information could not be used to identify a person but could do so in combination with other data or identifiers.
Who needs to comply with the new requirements?
The GDPR applies to both ‘Controllers’ and ‘Processors’.
A Controller is the person/organisation which, solely or with others, determines the purposes and means of processing personal data.
A Processor is the person/organisation which processes the personal data on behalf of the Controller. In most of Fairfield Farm College’s contracts, Fairfield Farm College is the Controller and the supplier is the Processor.
Are you a supplier for Fairfield Farm College?
If you are a supplier you will need to complete an Assurance Statement as you may be processing data on behalf of Fairfield Farm College. Fairfield Farm College must make sure that suppliers will implement appropriate technical and organisational measures to comply with the GDPR. For that reason, Fairfield Farm College is asking all suppliers to complete and return an Assurance Statement (see link below).
Our Commitment to Data Protection
Our GDPR preparation started in September 2017 and as part of this process we are reviewing (and updating where necessary) all of our internal processes, procedures, data systems and documentation to ensure that we are ready when GDPR comes into force.
Our GDPR Principles are:
- Data is processed fairly and lawfully
- Data is processed only for specified and lawful purposes
- Processed data is adequate, relevant and not excessive
- Processed data is accurate and, where necessary, kept up to date
- Data is not kept longer than necessary
- Data is processed in accordance with an individual’s consent and rights
- Data is kept secure
- Data is not transferred to countries outside of the European Economic Area (‘EEA’) without adequate protection
Need more information?
The Information Commissioner’s Office can supply more details about GDPR. Visit their website: www.ico.org.uk.