Policy on processing sensitive personal data

Glasgow Life* policy statement and additional safeguards on processing special category data and personal data relating to criminal convictions and offences

Glasgow Life is committed to protecting your personal information and respecting your privacy. 

Policy statement

*Glasgow Life is the operating name of Culture & Sport Glasgow, a Scottish Charity (Scottish Charity Number SC037844) with its registered address at Commonwealth House, 38 Albion Street, Glasgow G1 1LH, and is the controller of personal information collected for our processing purposes. See below for our contact details and our Data Protection Officer.

With effect from 25 May 2018, data protection law requires controllers who process special category (i.e. sensitive) personal data (or personal data relating to criminal convictions and offences) under various parts of the Data Protection Act 2018 to have an “appropriate policy document” in place setting out a number of additional safeguards for this data. 

More specifically,

“The controller has an appropriate policy document in place in relation to the processing of personal data in reliance on a condition described in paragraph 38 if the controller has produced a document which—

(a) explains the controller’s procedures for securing compliance with the principles in Article 5 of the GDPR (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question, and

(b) explains the controller’s policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained.”

All data flows into and out of the council family are being assessed to determine the legal basis under which that data is processed and the results of the assessment are being documented. We are satisfied that we will have a legal basis for holding the personal data we hold, and that we will also have a valid legal basis for disclosing this personal data to third parties where this happens.  Privacy notices are presently being drafted to comply with GDPR requirements (and to reflect the legal basis of processing). Please see www.glasgowlife.org.uk/privacy for further details. We are presently updating our data processor agreements and data sharing agreements to reflect the new legal requirements.

The purposes for which data are collected are clearly set out in the relevant privacy statements.  This includes reference to further use of data for internal management information purposes. A limited set of data is required for research and archiving purposes; Glasgow Life has put in place appropriate safeguards for these activities as required by Article 89 of the GDPR. 

In assessing the data flows, the council family has also taken the opportunity to critically assess the need for each of the data fields in question and where superfluous data was being captured, we have now stopped capturing this.

Glasgow Life continually checks data for accuracy and, where any inaccuracies are discovered, these are promptly corrected and any third party recipients of the inaccurate data notified of the correction.

Glasgow Life only keeps personal information for the minimum amount of time necessary.  Sometimes this time period is set out in the law, but in most cases it is based on business need.  We maintain a records retention and disposal schedule which sets out how long we hold different types of information for.  You can view this on our website at www.glasgowlife.org.uk/rrs.

Glasgow Life, on behalf of Glasgow City Council (“the council”), manages the City Archives, which are subject to appropriate safeguards in terms of Article 89.  Ongoing management of the council’s records and information is subject to the provisions of a Records Management Plan, which was developed in terms of the Public Records (Scotland) Act 2011 and approved by the Keeper of the Records of Scotland.  It is available online at www.glasgow.gov.uk/rmp.

The Records Management Plan sets out, in much greater detail, the provisions under which the council complies with its obligations under public records legislation, data protection and information security and is complementary to this policy statement.  You can view the council’s records retention and disposal schedule at: www.glasgow.gov.uk/rrds. You can also view the council’s privacy statement at: www.glasgow.gov.uk/privacy.

Glasgow Life has an approved Information Security Policy which sets out roles and responsibilities within the organisation in relation to information security.  Glasgow Life’s policy is aligned to the council’s information security policy and provides at least as many safeguards.  All staff are required to take information security training and this is refreshed annually.  Our ICT systems have appropriate protective measures in place incorporating defence in depth and the systems are subject to external assessment and validation.  We have policies and procedures in place to reduce the information security risks arising from use of hard copy documentation.

We aim to resolve all complaints about the way Glasgow Life processes your personal information. You can contact our data protection officer about any data protection matter but you also have the right to complain to the Information Commissioner’s Office (ICO). Contact details for our data protection officer and the ICO are available on our website at www.glasgowlife.org.uk/privacy/data-protection-concerns.

Please note: if your complaint is not about a data protection matter or the handling of your personal information, please contact us using the complaints procedures in place at www.glasgowlife.org.uk/commentsandcomplaints.