1.1 This policy applies to Judicium Education Ltd and its wholly owned subsidiaries and relates to the data that is shared between the subsidiaries. The subsidiaries are: Judicium Consulting Limited, Judicium Education Support Services Limited, Judicium UK Work permits Limited and Judicium School Services Limited – together known as ‘Judicium’ or ‘we’ or ‘us’.
Registered address: 72 Cannon Street, London, EC4N 6AE
Data Protection Officer: Ioana Williams
Email address: email@example.com
Telephone number: 020 7336 8403
1.2 The General Data Protection Regulation (GDPR) ensures a balance between an individual’s rights to privacy and the lawful processing of personal data undertaken by organisations in the course of their business. It aims to protect the rights of individuals about whom data is obtained, stored, processed or supplied and requires that organisations take appropriate security measures against unauthorised access, alteration, disclosure or destruction of personal data.
1.3 Judicium will protect and maintain a balance between data protection rights in accordance with the GDPR. This policy sets out how we handle the personal data of our suppliers, employees, workers and other third parties.
1.4 This policy does not form part of any individual’s terms and conditions of employment with Judicium and is not intended to have contractual effect. Changes to data protection legislation will be monitored and further amendments may be required to this policy in order to remain compliant with legal obligations.
1.5 All members of staff are required to familiarise themselves with its content and comply with the provisions contained in it. Breach of this policy will be treated as a disciplinary offence which may result in disciplinary action under Judicium’s Disciplinary Policy and Procedure up to and including summary dismissal depending on the seriousness of the breach.
2.1 Personal data is any information relating to an individual where the individual can be identified (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. This includes special category data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed.
2.2 Personal data can be factual (for example a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
2.3 Personal data will be stored either electronically or as part of a structured manual filing system in such a way that it can be retrieved automatically by reference to the individual or criteria relating to that individual.
Special Category Data
2.4 Previously termed “Sensitive Personal Data”, Special Category Data is similar by definition and refers to data concerning an individual Data Subject’s racial or ethnic origin, political or religious beliefs, trade union membership, physical and mental health, sexuality, biometric or genetic data and personal data relating to criminal offences and convictions.
2.5 An individual about whom such information is stored is known as the Data Subject. It includes but is not limited to employees.
2.6 The organisation storing and controlling such information (i.e. Judicium) is referred to as the Data Controller.
2.7 Processing data involves any activity that involves the use of personal data. This includes but is not limited to: obtaining, recording or holding data or carrying out any operation or set of operations on that data such as organisation, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties.
2.8 Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
2.9 An example of automated processing includes profiling and automated decision making. Automatic decision making is when a decision is made which is based solely on automated processing which produces legal effects or significantly affects an individual. Automated decision making is prohibited except in exceptional circumstances.
Data Protection Impact Assessment (DPIA)
2.10 DPIAs are a tool used to identify risks in data processing activities with a view to reducing them.
2.11 Criminal Records Information
2.12 This refers to personal information relating to criminal convictions and offences, allegations, proceedings, and related security measures.
3. WHEN CAN JUDICIUM PROCESS PERSONAL DATA
Data Protection Principles
3.1 Judicium are responsible for and adhere to the principles relating to the processing of personal data as set out in the GDPR.
3.2 The principles Judicium must adhere to are:-
(1) Personal data must be processed lawfully, fairly and in a transparent manner;
(2) Personal data must be collected only for specified, explicit and legitimate purposes;
(3) Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
(4) Personal data must be accurate and, where necessary, kept up to date;
(5) Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed; and
(6) Personal data must be processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
3.3 Further details on each of the above principles are set out below.
Principle 1: Personal data must be processed lawfully, fairly and in a transparent manner
3.4 Judicium only collect, process and share personal data fairly and lawfully and for specified purposes. Judicium must have a specified purpose for processing personal data and special category of data as set out in the GDPR.
3.5 Before the processing starts for the first time we will review the purposes of the particular processing activity and select the most appropriate lawful basis for that processing. We will then regularly review those purposes whilst processing continues in order to satisfy ourselves that the processing is necessary for the purpose of the relevant lawful basis (i.e. that there is no other reasonable way to achieve that purpose).
3.6 Judicium may only process a data subject’s personal data if one of the following fair processing conditions is met: –
- The processing is necessary for the performance of a contract with the data subject or for taking steps at their request to enter into a contract;
- The data subject has given their consent;
- To protect the data subject’s vital interests;
- To meet our legal compliance obligations (other than a contractual obligation);
- For the purposes of Judicium’s legitimate interests where authorised in accordance with data protection legislation. This is provided that it would not prejudice the rights and freedoms or legitimate interests of the data subject.
Special Category Data
3.7 Judicium may only process special category data if it is entitled to process personal data (using one of the fair processing conditions above) AND one of the following conditions is met:-
- The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed on Judicium in the field of employment law, social security law or social protection law. This may include, but is not limited to, dealing with sickness absence, dealing with disability and making adjustments for the same, arranging private health care insurance and providing contractual sick pay;
- The data subject has given their explicit consent;
- To protect the data subject’s vital interests;
- To meet our legal compliance obligations (other than a contractual obligation);
- Where the data has been made public by the data subject;
- Where it is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
- Where it is necessary for reasons of public interest in the area of public health;
- The processing is necessary for archiving, statistical or research purposes.
3.8 Judicium identifies and documents the legal grounds being relied upon for each processing activity.
3.9 Where Judicium relies on consent as a fair condition for processing (as set out above), it will adhere to the requirements set out in the GDPR.
3.10 Consent must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data relating to them. Explicit consent requires a very clear and specific statement to be relied upon (i.e. more than just mere action is required).
3.11 A data subject will have consented to processing of their personal data if they indicate agreement clearly either by a statement or positive action to the processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity will not amount to valid consent.
3.12 Data subjects must be easily able to withdraw consent to processing at any time and withdrawal must be promptly honoured.
3.13 If explicit consent is required, Judicium will normally seek another legal basis to process that data. However, if explicit consent is required, the data subject will be provided with full information in order to provide explicit consent.
3.14 Judicium will keep records of consents obtained in order to demonstrate compliance with consent requirements under the GDPR.
Principle 2: Personal data must be collected only for specified, explicit and legitimate purposes
3.15 Personal data will not be processed in any manner that is incompatible with the legitimate purposes.
3.16 Judicium will not use personal data for new, different or incompatible purposes from that disclosed when it was first obtained unless we have informed the data subject of the new purpose (and they have consented where necessary).
Principle 3: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
3.17 Judicium will only process personal data when our obligations and duties require us to. We will not collect excessive data and ensure any personal data collected is adequate and relevant for the intended purposes.
3.18 When personal data is no longer needed for specified purposes, Judicium shall delete or anonymise the data.
Principle 4: Personal data must be accurate and, where necessary, kept up to date
3.19 Judicium will endeavour to correct or delete any inaccurate data being processed by checking the accuracy of the personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out of date personal data.
3.20 Data subjects also have an obligation to ensure that their data is accurate, complete, up to date and relevant. Data subjects have the right to request rectification to incomplete or inaccurate data held by Judicium.
Principle 5: Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed
3.21 Legitimate purposes for which the data is being processed may include satisfying legal, accounting or reporting requirements. Judicium will ensure that they adhere to legal timeframes for retaining data.
3.22 We will take reasonable steps to destroy or erase from our systems all personal data that we no longer require. We will also ensure that data subjects are informed of the period for which data is stored and how that period is determined in our privacy notices.
Principle 6: Personal data must be processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage
3.23 In order to assure the protection of all data being processed, Judicium will develop, implement and maintain reasonable safeguard and security measures. This includes using measures such as: –
- Pseudonymisation (this is where Judicium replaces information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person to whom the data relates cannot be identified without the use of additional information which is meant to be kept separately and secure);
- Ensuring authorised access (i.e. that only people who have a need to know the personal data are authorised to access it);
- Adhering to confidentiality principles;
- Ensuring personal data is accurate and suitable for the process for which it is processed.
3.24 Judicium follow procedures and technologies to ensure security and will regularly evaluate and test the effectiveness of those safeguards to ensure security in processing personal data.
3.25 Judicium will only transfer personal data to third party service providers who agree to comply with the required policies and procedures and agree to put adequate measures in place.
Sharing Personal Data
3.26 Judicium will generally not share personal data with third parties unless certain safeguards and contractual arrangements have been put in place. These include if the third party: –
- Has a need to know the information for the purposes of providing the contracted services;
- Sharing the personal data complies with the privacy notice that has been provided to the data subject and, if required, the data subject’s consent has been obtained;
- The third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
- The transfer complies with any applicable cross border transfer restrictions; and
- A fully executed written contract that contains GDPR approved third party clauses has been obtained.
3.27 There may be circumstances where Judicium is required either by law or in the best interests of persons on whom we hold data to pass information onto external authorities, for example an ambulance crew. These authorities are up to date with data protection law and have their own policies relating to the protection of any data that they receive or collect.
3.28 Unless an emergency dictates otherwise, the intention to share data relating to individuals to an organisation outside of Judicium shall be clearly defined within written notifications and details and basis for sharing that data given.
Transfer of Data Outside the European Economic Area (EEA)
3.29 The GDPR restricts data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined.
3.30 Judicium will not transfer data to another country outside of the EEA without appropriate safeguards being in place and in compliance with the GDPR. All staff must comply with Judicium’s guidelines on transferring data outside of the EEA. For the avoidance of doubt, a transfer of data to another country can occur when you transmit, send, view or access that data in that particular country.
4. DATA SUBJECT’S RIGHTS AND REQUESTS
4.1 Personal data must be made available to data subjects as set out within this policy and data subjects must be allowed to exercise certain rights in relation to their personal data.
4.2 The rights data subjects have in relation to how Judicium handle their personal data are set out below: –
(a) Where consent is relied upon as a condition of processing, to withdraw consent to processing at any time;
(b) Receive certain information about Judicium’s processing activities;
(c) Request access to their personal data that we hold;
(d) Prevent our use of their personal data for marketing purposes;
(e) Ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
(f) Restrict processing in specific circumstances;
(g) Challenge processing which has been justified on the basis of our legitimate interests or in the public interest;
(h) Request a copy of an agreement under which personal data is transferred outside of the EEA;
(i) Object to decisions based solely on automated processing;
(j) Prevent processing that is likely to cause damage or distress to the data subject or anyone else;
(k) Be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
(l) Make a complaint to the supervisory authority; and
(m) In limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine readable format.
4.3 If any request is made to exercise the rights above, it is a requirement for the relevant staff member within Judicium to verify the identity of the individual making the request.
Subject Access Requests
4.4 A Data Subject has the right to be informed by Judicium of the following: –
(a) Confirmation that their data is being processed;
(b) Access to their personal data;
(c) A description of the information that is being processed;
(d) The purpose for which the information is being processed;
(e) The recipients/class of recipients to whom that information is or may be disclosed;
(f) Details of Judicium’s sources of information obtained;
(g) In relation to any Personal Data processed for the purposes of evaluating matters in relation to the Data Subject that has constituted or is likely to constitute the sole basis for any decision significantly affecting him or her, to be informed of the logic of the Data Controller’s decision making. Such data may include, but is not limited to, performance at work, creditworthiness, reliability and conduct.
(h) Other supplementary information
4.5 Any Data Subject who wishes to obtain the above information must notify Judicium in writing of his or her request. This is known as a Data Subject Access Request.
4.6 The request should in the first instance be sent to the Data Protection Officer, Ioana Williams, on firstname.lastname@example.org.
4.7 Judicium are subject to certain rules and privacy laws when marketing. For example, in most cases a data subject’s prior consent will be required for electronic direct marketing (for example, by email, text or automated calls).
4.8 Judicium will explicitly offer individuals the opportunity to object to direct marketing and will do so in an intelligible format which is clear for the individual to understand. Judicium will promptly respond to any individual objection to direct marketing.
4.9 Some employees may have access to the personal data of other members of staff, suppliers of Judicium in the course of their employment or engagement. If so, Judicium expects those employees to help meet Judicium’s data protection obligations to those individuals. Specifically, you must: –
- Only access the personal data that you have authority to access, and only for authorised purposes;
- Only allow others to access personal data if they have appropriate authorisation;
- Keep personal data secure (for example by complying with rules on access to office premises, computer access, password protection and secure file storage and destruction);
- Not remove personal data or devices containing personal data from Judicium premises unless appropriate security measures are in place (such as Pseudonymisation, encryption, password protection) to secure the information;
- Not store personal information on local drives.
5.1 Judicium will ensure compliance with data protection principles by implementing appropriate technical and organisational measures. We are responsible for and demonstrate accountability with the GDPR principles.
5.2 Judicium have taken the following steps to ensure and document GDPR compliance: –
- Data Protection Officer (DPO)
5.3 Please find below details of Judicium’s Data Protection Officer: –
Data Protection Officer: Ioana Williams
Address: Judicium Consulting Ltd, 72 Cannon Street, London, EC4N 6AE
Telephone: 0203 326 9174
5.4 The DPO is responsible for overseeing this data protection policy and developing data-related policies and guidelines.
5.5 Please contact the DPO with any questions about the operation of this Data Protection Policy or the GDPR or if you have any concerns that this policy is not being or has not been followed. In particular, you must always contact the DPO in the following circumstances: –
(a) If you are unsure of the lawful basis being relied on by Judicium to process personal data;
(b) If you need to rely on consent as a fair reason for processing (please see below the section on consent for further detail);
(c) If you need to draft privacy notices or fair processing notices;
(d) If you are unsure about the retention periods for the personal data being processed.
(e) If you are unsure about what security measures need to be put in place to protect personal data;
(f) If there has been a personal data breach.
(g) If you are unsure on what basis to transfer personal data outside the EEA;
(h) If you need any assistance dealing with any rights invoked by a data subject;
(i) Whenever you are engaging in a significant new (or a change in) processing activity which is likely to require a data protection impact assessment or if you plan to use personal data for purposes other than what it was collected for;
(j) If you plan to undertake any activities involving automated processing or automated decision making;
(k) If you need help complying with applicable law when carrying out direct marketing activities;
(l) If you need help with any contracts or other areas in relation to sharing personal data with third parties.
Personal Data Breaches
5.6 The GDPR requires Judicium to notify any applicable personal data breach to the Information Commissioner’s Office (ICO).
5.7 We have put in place procedures to deal with any suspected personal data breach and will notify data subjects or any applicable regulator where we are legally required to do so.
5.8 If you know or suspect that a personal data breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the person designated as the key point of contact for personal data breaches, our DPO.
Transparency and Privacy Notices
5.9 Judicium will provide detailed, specific information to data subjects. This information will be provided through Judicium’s privacy notices which are concise, transparent, intelligible, easily accessible and in clear and plain language so that a data subject can easily understand them. Privacy notices set out information for data subjects about how Judicium use their data and Judicium’s privacy notices are tailored to suit the data subject.
5.10 Whenever we collect personal data directly from data subjects, including for human resources or employment purposes, we will provide the data subject with all the information required by the GDPR including the identity of the data protection officer, Judicium’s contact details, how and why we will use, process, disclose, protect and retain personal data.
5.11 When personal data is collected indirectly (for example from a third party or publicly available source), we will provide the data subject with the above information as soon as possible after receiving the data. Judicium will also confirm whether that third party has collected and processed data in accordance with the GDPR.
5.12 Notifications shall be in accordance with ICO guidance and, where relevant, be written in a form understandable by those defined as “children” under the GDPR.
Privacy by Design
5.13 Judicium adopt a privacy by design approach to data protection to ensure that we adhere to data compliance and to implement technical and organisational measures in an effective manner.
5.14 Privacy by design is an approach that promotes privacy and data protection compliance from the start. To help us achieve this, Judicium takes into account the nature and purposes of the processing, any cost of implementation and any risks to rights and freedoms of data subjects when implementing data processes.
Data Protection Impact Assessments (DPIAs)
5.15 In order to achieve a privacy by design approach, Judicium conduct DPIAs for any new technologies or programmes being used by Judicium which could affect the processing of personal data. In any event Judicium carries out DPIAs when required by the GDPR in the following circumstances: –
- For the use of new technologies (programs, systems or processes) or changing technologies;
- For the use of automated processing;
- For large scale processing of special category data;
- For large scale, systematic monitoring of a publicly accessible area (through the use of CCTV).
5.16 Our DPIAs contain:-
- A description of the processing, its purposes and any legitimate interests used;
- An assessment of the necessity and proportionality of the processing in relation to its purpose;
- An assessment of the risk to individuals; and
- The risk mitigation measures in place and demonstration of compliance.
5.17 Judicium are required to keep full and accurate records of our data processing activities. These records include: –
- The name and contact details of Judicium;
- The name and contact details of the Data Protection Officer;
- Descriptions of the types of personal data used;
- Description of the data subjects;
- Details of Judicium’s processing activities and purposes;
- Details of any third party recipients of the personal data;
- Where personal data is stored;
- Retention periods; and
- Security measures in place.
5.18 Judicium will ensure all relevant personnel have undergone adequate training to enable them to comply with data privacy laws.
Judicium through its data protection officer regularly test our data systems and processes in order to assess compliance. These are done through data audits which take place annually in order to review use of personal data.
Staff should refer to the following policies that are related to this data protection policy:-
- Judicium Information Security policy.
We will monitor the effectiveness of this and all of our policies and procedures and conduct a full review and update as appropriate.
Our monitoring and review will include looking at how our policies and procedures are working in practice to reduce the risks posed to Judicium.