How we comply with the Data Protection Principles
Lawfulness, fairness, transparency
The data protection principles require us to process personal data lawfully, fairly and in a transparent manner. We must only collect, process and share personal data for specified purposes.
Lawful basis
To ensure that our processing of personal data is lawful, we identify an appropriate lawful basis for our processing, and ensure our processing does not contravene any laws (including common law). Article 6 of GDPR lays out the 6 lawful bases:
6(1)(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
6(1)(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
6(1)(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
6(1)(d) Vital interests: the processing is necessary to protect someone’s life.
6(1)(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6(1)(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Privacy notices
To ensure that our processing of personal data is fair and transparent, SEPA has prepared Privacy Notices which explain how we process the personal data that we collect. We publish our general Privacy Policy on our website and more detailed privacy notices for specified processing. It is essential that we process all personal data in accordance with the terms of the relevant Privacy Notice, and staff are responsible for ensuring that they are aware of the terms of each Privacy Notice in so far as it is relevant to the performance of their duties.
The information contained within the Privacy Notices must be accessible to the individual Data Subjects whose personal data we process.
Personal data provided by third parties
When personal data is not collected directly from the data subject (for example, when it is obtained from a third party or publicly available source), we have specific obligations on the privacy information we must provide to the data subject. In these circumstances, staff should consult the DPO.
Purpose Limitation
We must be clear about what our purposes for processing are from the start, and we need to record our purposes as part of our documentation obligations and specify them in our privacy notices.
- Staff can only use the personal data for a new purpose if either this is compatible with our original purpose, we get consent, or we have a clear obligation or function set out in law.
Data Minimisation
We must ensure that personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Staff may only process personal data when performing their job duties requires it. Staff cannot process personal data for any reason unrelated to their job duties.
- Staff should not collect excessive personal data and should ensure that any personal data they collect is required for the intended purpose for which they will process it.
- Staff must ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the relevant SEPA policy.
Accuracy
The data protection principles require that personal data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
- Staff will ensure that the personal data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it.
- Staff must check the accuracy of any personal data at the point of collection and at regular intervals afterwards.
Storage and retention
We must ensure that personal data is not kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.
- Staff must ensure that all personal data that they process as part of their work duties is stored in SEPA’s systems (or, for paper records, either on SEPA’s premises or formally transferred to SEPA’s offsite storage) in accordance with relevant policies and guidelines. No personal data should be held anywhere else.
Compliance with retention policies
SEPA maintains retention policies and procedures (as part of the relevant policies and procedures) to ensure personal data is deleted after a reasonable time following the end of the purposes for which it was being held unless law requires such data to be kept for a minimum time.
We also provide Data Subjects with information concerning data retention periods in our Privacy Notices, where applicable.
Security, integrity and confidentiality
Protection of Personal Data
Personal data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction, or damage.
Staff must:
- perform their work duties in such a way as to protect the personal data that we hold
- follow all procedures and technologies we put in place to maintain the security of all personal data from the point of collection to the point of destruction. Staff must also comply with the requirements of all Relevant Policies and Guidelines and any directions issued by the DPO; and
- not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain to protect personal data.
Reporting a Security Breach involving Personal Data
Data protection law may require SEPA to notify any personal data breach to the Information Commissioner's Office and, in certain instances, the individual data subjects affected.
We have put in place procedures to deal with any suspected personal data breach and will make appropriate notifications where we are legally required to do so.
If staff know or suspect that a personal data breach has occurred, they should not attempt to investigate the matter themselves. Staff should immediately contact the designated email address in accordance with the security incident procedure, and should preserve all evidence relating to the potential personal data breach.
The contact details for reporting personal data breaches are:
- Email: securitybreach@sepa.org.uk
- Telephone: 03000 996 699
Note that personal data breaches should be reported immediately when staff become aware of them, i.e. on a 24/7 basis.
Accountability
The accountability principle requires us to take responsibility for what we do with personal data and how we comply with the other principles. We must have appropriate measures and records in place to be able to demonstrate our compliance.