The purpose of this document is to demonstrate the management board’s commitment to the protection of personal data.
The Board of Directors and management of Medico Digital Solutions Ltd located at 18 Soho Square, London operates primarily in the business of medical marketing.
We are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information and information-related assets relevant to meet the purpose and goals of the organisation. This includes the handling of personal data or “Personally Identifiable Information” (PII).
Furthermore, we are committed to ensuring compliance with the European Union General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA) 1998 and any other data protection legislation or regulation relevant to our business operations.
In complying with the above-mentioned legislation and regulation, the organisation makes commitments to implement policies and processes related to that compliance and to make staff and relevant third parties aware of their responsibilities when handling personal data.
This policy will be reviewed regularly to respond to any changes in the business, its risk assessment or risk treatment plan, and at least annually.
The key definitions of terms used within or referred to by this policy are based upon those in the GDPR or other recognised documentation and are contained in Annex A.
Our Data Protection Officer has overall responsibility for the day-to-day implementation of this policy.
This policy will be reviewed regularly to respond to any changes in the business, its risk assessment or risk treatment plan, and at least annually.
All staff will receive training on this policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.
Training is provided on a regular basis and when specific trigger events occur e.g. threats or incidents affecting all or part of the organisation, its supply chain or other Interested Parties that might impact the organisation financially or reputationally.
It will cover:
Completion of this training is compulsory and where appropriate will be evidenced by task completion in the ISMS.online platform.
Being transparent and providing accessible information to individuals about how we will use their personal data is important for our organisation and is required under GDPR. Whenever personal data is being collected we will document and provide a Privacy Notice in line with the requirements of Article 13 of the GDPR.
A template privacy notice is located within the ISMS.online platform.
We will ensure any use of personal data is justified using at least one of the conditions for processing (described further below) and this will be specifically documented in the ISMS.online platform. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.
We will process personal data in compliance with all eight data protection principles.
We will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.
In most cases where we process sensitive personal data, we will require the data subject's explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to identify clearly what the relevant data is, why it is being processed and to whom it will be disclosed.
We must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening. Under GDPR, processing of personal data is lawful only if at least one of the following apply:
Our Terms of Business contains a Privacy Notice to clients on data protection. The notice:
The data that we collect is subject to active consent by the data subject. This consent can be revoked at any time.
We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate, you should record the fact that the accuracy of the information is in dispute and inform the Data Protection Officer.
Upon request, a data subject should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals.
A data subject may also request that their data is transferred directly to another system. This must be done for free.
A data subject may request that any information held on them be deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
Privacy by design is an approach to projects that promote privacy and data protection compliance from the start. The Data Protection Officer will be responsible for conducting Privacy Impact Assessments (PIA) and ensuring that all IT and other relevant projects
commence with a privacy plan. ISMS.online provides a PIA framework that is used for managing the process and documenting the approach.When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.
No data may be transferred outside of the EEA without first discussing it with the data protection officer. Specific consent from the data subject must be obtained prior to transferring their data outside the EEA.
We must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the Data Protection Officer will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
The organisation has a documented “Information Security Policy” and a set of subordinate security policies and controls relating to our management of data and information security. These are held within the ISMS.online platform.
We must not retain personal data for longer than is necessary. What is “necessary” will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines.
Data retention schedules will be maintained showing the minimum and maximum periods of retention for each data set.
Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
All individual staff members are responsible for playing their part in maintaining the confidentiality, integrity and availability of personal data in compliance with the GDPR, DPA and organisational policies, standards and procedures.
You must familiarise yourself with the requirements contained in this policy and any other relevant security policy and comply with any requirements relating to the proper handling and security of personal data.
You must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the Data Protection Officer or the HR Department so that they can update your records.
You must familiarise yourself with the organisational responsibilities detailed above and ensure that you comply with these whenever you are handling personal data. Special care and attention must be given when handling sensitive personal data.
You must abide by any request from an individual not to use their personal data for direct marketing purposes. Notify the Data Protection Officer about any such request if it falls outside of the normal processes or you have any reason to be unsure about the appropriate practice.
Contact the Data Protection Officer for advice on direct marketing before starting any new direct marketing activity to ensure compliance with all relevant data protection and other legislation.
All members of staff have an obligation to report actual or potential data protection weaknesses, events and incidents where compliance may be breached. This allows us to:
The reporting of such weaknesses, events and incidents will be managed through our Information Security Incident Management processes.
Everyone must observe this policy. The Data Protection Officer has overall responsibility for this policy. They will monitor it regularly to make sure it is being adhered to.