The Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR) are in operation in the UK, and SP Science Limited is already registered with the ICO under those regulations.
The EU General Data Protection Regulation (GDPR) came into operation from May 25, 2018. This regulation is far more extensive than the former regulations, is EU-wide and seeks to protect and enhance the rights of Data Subjects. These rights cover the safeguarding of Personal Data, protection against the unlawful processing of Personal Data and the unrestricted movement of Personal Data within the EU. It should be noted that GDPR does not apply to information already in the public domain, such as Companies House data.
SPS issued a GDPR 2018 Privacy Notice both on its website and to all new and active clients, Producers and Distributors on June 8, 2020.
SPS uses the information collected from its clients, Producers and Distributors to provide its Associate Funders with all the relevant technical, financial and Personal Data to make funding proposals for its clients, to provide quotations, to make telephone contact and to email its clients. This document refers to Personal Data. Personal Data is defined as information concerning any living person (a natural person who hereafter will be called the Data Subject) that is not already in the public domain.
Under GDPR, SPS acts both as a “Data Controller” and a “Data Processor”. The Data Controller is a legal entity who determines the purposes for which the data is processed and the way this is done. The Data Processor is the person who processes the personal data on behalf of the data controller. SPS acts on any single client’s instruction and works diligently to ensure that the whole process is, and remains, fully GDPR compliant.
Within SPS, SPS acts as the “Data Controller” and both Dr Alan Green and Ms Sally Chong act as “Data Processors”.
Processing data is defined as:
- Obtaining Data;
- Recording Data;
- Organizing or Altering Data;
- Disclosing Data; and
- Erasing/Deleting or Destroying Data.
As a consequence of the above, SPS must document its business processing activities wherever they involve the use of Personal Data.
SPS’s Compliance with GDPR 2018 requires it to:
- List all categories of Personal Data that it holds;
- Document where that Personal Data is held;
- Document why that Personal Data is held; and
- Document what security is in place for each piece of Personal Data.
Listing Categories of Personal Data:
SPS obtains Personal Data from its clients, Producers and Distributors in order to match potential and future healthcare needs with any specific client-based healthcare request. The various Personal Data requirements are contained in SPS’s standard documentation:
- Initial Enquiry Form
- DPA-GDPR Statement and Consent
- Asset Liability Statement
- Standard Documentation requirements for:
  - Producer Approval
  - Distributor Approval
Recording Personal Data:
All the Personal Data obtained from the above documentation is/shall be held on two computer systems.
- The first is accessed by Dr Alan Green, operating in Tottington and Holcombe Brooke.
- The second is accessed by Ms Sally Chong, operating in Chester.
Each Client, Producer and Distributor has a Named Folder on each of the above computers. These Named Folders are backed up at least daily to a secure storage platform provided by Microsoft through Office 365 with storage at Cardiff, Durham and London.
All e-mail communications between SPS and any Client, Producer and/or Distributor or other Third Parties are held in Named E-Mail Folders (“In” and “Out”) on each of the above computers. These Named E-Mail Folders are backed up at least daily to a secure storage platform provided by Microsoft through Office 365 with storage at Cardiff, Durham and London.
All e-mail communications are encrypted through the use of Office 365.
Note: SPS does not store Personal Data outside the EEA.
Organizing or Altering Personal Data:
All Personal Data is received by SPS through the standard documentation referred to under the heading, “Listing Categories of Personal Data”.
However, if the Personal Data already provided contains inaccuracies, requires further clarification, or further Personal Data is necessary, then the Client, Producer and/or Distributor is approached directly by SPS through e-mail (and on occasion by direct telephone contact with an e-mail follow-up) in order to secure the necessary correction, clarification or further Personal Data. Each set of additional Personal Data acquired through this route is held and stored by SPS as described under the heading “Recording Personal Data”.
Disclosing Personal Data:
SPS may on occasions pass the clients’ Personal Data to Third Parties exclusively to process information to enable a healthcare solution to be developed or other such contractual arrangement with the Client, Producer and/or Distributor.
SPS will always gain consent for this activity from any Client, Producer and/or Distributor by gaining a date validated signature of the Client, Producer and/or Distributor through the use of SPS’s DPA-GDPR Statement and Consent, attached in Appendix 2.
SPS requires every Third Party to agree to process this Personal Data based on SPS’s instructions and requirements. Such activity will always be consistent with SPS’s Privacy Notice and GDPR.
SPS may disclose a Client’s, Producer’s and/or Distributor’s Personal Data to meet its legal obligations, regulations or valid governmental request. SPS may also enforce its Terms and Conditions, including investigating potential violations of its Terms and Conditions, in order to detect, prevent or mitigate fraud or security or technical issues; or to protect against imminent harm to the rights, property or safety of SPS, Third Parties, its Clients, Producers, Distributors and/or the wider community.
Erasing/Deleting or Destroying Personal Data:
SPS processes any Clients’, Producers’ and/or Distributors’ Personal Data throughout the Term of any commercial arrangement between the Client, Producer and/or Distributor and/or other Third Party that SPS has introduced to that Client, Producer or Distributor.
SPS will continue to store any Clients’, Producers’ and/or Distributors’ Personal Data for six years after any commercial arrangement has expired in order to meet any legal obligations. After that period the Clients’, Producers’ and/or Distributors’ Personal Data will be deleted.
If any Client, Producer and/or Distributor requests access to, the return and/or erasure of any Personal Data, then this will be considered under the terms of GDPR and upon full proofs of identification of the Client, Producer and/or Distributor. SPS’s GDPR 2018 Privacy Notice, attached in Appendix 6, covers the process required in relation to SPS’s response to any Client, Producer and/or Distributor for access, return and/or erasure of any Personal Data relating to that Client, Producer and/or Distributor.
SPS has a Breach Reporting process and utilizes a Breach Notification Form. The Breach Notification Form may be obtained from SPS with a direct enquiry.
SPS understands that a Personal Data breach is much broader than just the loss of Personal Data. It also includes a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. In this regard SPS has implemented a series of firewalls. All mobile phone communications are undertaken through the use of dedicated non-personal equipment. Finally, each of the two computers referred to under the heading “Recording Personal Data” is protected by AVG internet and virus protection.
All Personal Data breaches are reported to SPS’s Data Protection Officer. Any breach notification will detail:
- The nature of the Personal Data breach, including:
  - The categories and approximate number of individuals concerned; and
  - The categories and approximate number of personal data records concerned.
- The name and contact details of SPS’s Data Protection Officer.
- A description of the likely consequences of the breach.
- A description of the measures SPS takes or proposes to take in order to deal with the breach and to mitigate any possible adverse effects.
Third-Party Requirements under GDPR:
Under GDPR SPS’s Third Parties are also classified initially as “Data Processors”.
As a “Data Controller”, SPS ensures that any Third Parties have the Client’s, Producer’s and/or Distributor’s consent to process their Personal Data. This is done through the consent obtained by issuing the DPA-GDPR form (obtained on application) and gaining the dated signatures of the Client, Producer and/or Distributor and/or their approved representative(s).
NOTE: On occasion a Third Party may wish to have their own equivalent to SPS’s DPA-GDPR form signed-off by the Client, Producer and/or Distributor.
Although SPS begins as the sole “Data Controller”, at some stage in the process the Third Party may become a “Data Controller” too.
However, SPS notes that it remains responsible as a “Data Controller” for the data it passes to any Third Party.
Communicating and Marketing:
SPS does not use the Personal Data collected from any Client, Producer and/or Distributor for the purposes of marketing and/or PR, unless specifically approved by the Client, Producer and/or Distributor.
SPS does not sell any client’s Personal Data.
At completion of a Client’s, Producer’s and/or Distributor’s commercial activity in which SPS has been involved, SPS may request completion of its “Recommendation Form” (obtained on application). This form also gives SPS consent to use the Client’s, Producer’s and/or Distributor’s recommendation and publish it on SPS’s website as a Case Study.
In the event that any Client, Producer and/or Distributor makes a complaint about how its Personal Data is being/has been processed by SPS or any Third Party, the complaint is/will be directed to SPS’s Managing Director.
SPS must respond within 30 days. If SPS does not respond to the Client, Producer and/or Distributor within that time-frame then the Client, Producer and/or Distributor may take that complaint to the ICO.
The details for each of these contacts, as issued to the client in SPS’s 2018 GDPR Privacy Notice, are:
SP Science Limited, attention of the Managing Director, 1, Avallon Close, Tottington, Bury, Lancashire, BL8 3LW. Telephone +44 (0) 3301 332 484 or email firstname.lastname@example.org
ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF. Telephone +44 (0) 303 123 1113 or email via: https://ico.org.uk/global/contact-us/email/