Our Responsibilities and Obligations to Data Protection

As we handle personal information about individuals, we have a number of legal obligations to protect that information under the Data Protection Act 1998.
The main purpose of these principles is to protect the interests of the individuals whose personal data is being processed.

In accordance with the law, Process Policy ltd declares that:

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
- We have legitimate grounds for collecting and using the personal data;
- We not use the data in ways that have unjustified adverse effects on the individuals concerned;
- We will be transparent about how we intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
- We will handle people’s personal data only in ways they would reasonably expect and make sure we do not do anything unlawful with the data.

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- We will be clear from the outset about why we are collecting personal data and what we intend to do with it;
- We will comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data;
- We will comply with what the Act says about notifying the Information Commissioner and ensure that if we wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- We will hold personal data about an individual that is sufficient for the purpose we are holding it for in relation to that individual.
- We will not hold more information than we need for that purpose.

Personal data shall be accurate and, where necessary, kept up to date.
- We will take reasonable steps to ensure the accuracy of any personal data we obtain;
- We will ensure that the source of any personal data is clear;
- We will carefully consider any challenges to the accuracy of information;
- We will consider whether it is necessary to update the information.

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- We will review the length of time you keep personal data;
- We will consider the purpose or purposes we hold the information for in deciding whether (and for how long) to retain it;
- We will securely delete information that is no longer needed for this purpose or these purposes;
- We will update, archive or securely delete information if it goes out of date.

Personal data shall be processed in accordance with the rights of data subjects under this Act.
- A right of access to a copy of the information comprised in their personal data;
- A right to object to processing that is likely to cause or is causing damage or distress;
- A right to prevent processing for direct marketing;
- A right to object to decisions being taken by automated means;
- A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed;
- A right to claim compensation for damages caused by a breach of the Act.

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- We will design and organise our security to fit the nature of the personal data we hold and the harm that may result from a security breach;
- We will be clear about who in our organisation is responsible for ensuring information security;
- We will make sure we have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff;
- We will be ready to respond to any breach of security swiftly and effectively.

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Sensitive Personal Data
We will not hold sensitive personal data consisting of information as to -
(a) the racial or ethnic origin of the data subject,
(b) his/her political opinions,
(c) his/her religious beliefs or other beliefs of a similar nature,
(d) whether he/she is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his/her physical or mental health or condition,
(f) his/her sexual life,
(g) the commission or alleged commission by him/her of any offence,
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.