Data Protection Policy

Last updated: 5th November 2022

1. Introduction

1.1.         This Data Protection Policy is the overarching policy for data security and protection for “Forever Sci-Fi & Fantasy Ltd” (hereafter referred to as "us", "we", "our", “FS-F&F” and “the Company”).

1.2.         “FS-F&F” is a trademarked abbreviation for the company “Forever Sci-Fi & Fantasy Ltd. All rights reserved. Where the wording, “company” is used in this document, this also refers to the company “Forever Sci-Fi & Fantasy” Ltd.

2. Purpose

2.1.         The purpose of the Data Protection Policy is to support the 10 Data Security Standards, the General Data Protection Regulation (2016), the Data Protection Act (2018), the common law duty of confidentiality and all other relevant national legislation. We recognise data protection as a fundamental right and embrace the principles of data protection by design and by default.

2.2.         This policy covers

2.2.1.     Our data protection principles and commitment to common law and legislative compliance.

2.2.2.     procedures for data protection by design and by default.

3. Scope

3.1.         This policy includes in its scope all data which we process either in hardcopy or digital copy, this includes special categories of data.

3.2.         This policy applies to all staff, including temporary staff and contractors.

4. Principles

4.1.         We will be open and transparent with service users and those who lawfully act on their behalf in relation to their care and treatment. We will adhere to our duty of candour responsibilities as outlined in the Health and Social Care Act 2012.

4.2.         We will establish and maintain policies to ensure compliance with the Data Protection Act 2018, Human Rights Act 1998, the common law duty of confidentiality, the General Data Protection Regulation and all other relevant legislation.

4.3.         We will establish and maintain policies for the controlled and appropriate sharing of service user and staff information with other agencies, taking account all relevant legislation and citizen consent.

4.4.         Where consent is required for the processing of personal data we will ensure that informed and explicit consent will be obtained and documented in clear, accessible language and in an appropriate format. The individual can withdraw consent at any time, unless this is required for legal reasons which will be contained and clearly stated in the contracts (including Model Release Forms).

4.5.         We will undertake annual reviews of our compliance with legal requirements.

4.6.         We acknowledge our accountability in ensuring that personal data shall be:

4.6.1.     Processed lawfully, fairly and in a transparent manner;

4.6.2.     Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

4.6.3.     Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

4.6.4.     Accurate and kept up to date;

4.6.5.     Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);

4.6.6.     Processed in a manner that ensures appropriate security of the personal data.

4.7.         We uphold the personal data rights outlined in the GDPR;

4.7.1.     The right to be informed;

4.7.2.     The right of access;

4.7.3.     The right to rectification;

4.7.4.     The right to erasure;

4.7.5.     The right to restrict processing;

4.7.6.     The right to data portability;

4.7.7.     The right to object;

4.7.8.     Rights in relation to automated decision making and profiling.

4.7.9. In line with legislation, our lead director currently acts as the data protection, to be contacted regarding any concerns and issues.

5. Underpinning policies & procedures

5.1.         This policy is underpinned by the following:

5.1.1.     Data Quality Policy – outlines procedures to ensure the accuracy of records and the correction of errors;

5.1.2.     Record Keeping Policy – details transparency procedures, the management of records from creation to disposal (inclusive of retention and disposal procedures), information handling procedures, procedures for subject access requests, right to erasure, right to restrict processing, right to object, and withdrawal of consent to share;

5.1.3.     Data Security Policy – outlines procedures for the ensuring the security of data including the reporting of any data security breach;

5.1.4.     Network Security Policy – outlines procedures for securing our network;

5.1.5.     Business Continuity Plan –outlines the procedures in the event of a security failure or disaster affecting digital systems or mass loss of hardcopy information necessary to the day to day running of our organisation;

5.1.6.     Staff Data Security Code of Conduct - provides staff with clear guidance on the disclosure of personal information.

6. Data protection by design & by default

6.1.         We shall implement appropriate organisational and technical measures to uphold the principles outlined above. We will integrate necessary safeguards to any data processing to meet regulatory requirements and to protect individual’s data rights. This implementation will consider the nature, scope, purpose and context of any processing and the risks to the rights and freedoms of individuals caused by the processing.

6.2.         We shall uphold the principles of data protection by design and by default from the beginning of any data processing and during the planning and implementation of any new data process.

6.3.         All new systems used for data processing will have data protection built in from the beginning of the system change.

6.4.         All existing data processing has been recorded on our Record of Processing Activities. Each process has been risk assessed and is reviewed annually.

6.5.         We ensure that, by default, personal data is only processed when necessary for specific purposes and that individuals are therefore protected against privacy risks.

6.6.         In all processing of personal data, we use the least amount of identifiable data necessary to complete the work it is required for and we only keep the information for as long as it is required for the purposes of processing or any other legal requirement to retain it.

6.7.         Where possible, we will use pseudonymised data to protect the privacy and confidentiality of our staff and those we support.

7.     Specific measures for data protection

7.1   We do not list complete details of all our security measures and locations of processing data. This is primarily to reduce the ability of malicious individuals/entities from defeating these measures. E.g., we never detail passwords, or right them down anywhere.

7.2   The company only stores personal data long term on on-line servers. Any devices/documents used to initially record the data, will have these data deleted, after the data has been uploaded to our on-line storage systems.

7.3   Any disposal of paper, digital, other, contained personal data, will be securely disposed of. E.g., paper documents shredded before being disposed of in a manner not accessible to the public. Digital files being deleted, will also have these documents deleted from “digital bins” so they can’t be recovered by others.

7.3   We only use reputable and established online servers to store our records, and will pay a monthly or annual subscription as long as possible to maintain these. In the event the company can no longer pay to use established servers, all personal detail records will be deleted.

7.4   No personal on-line drives are, or should ever, be used, to store personal data.

7.5.  The digital locations of the on-line drives being used are not written down, but are definitely not the personal accounts of any individuals. They are restricted and “sole use” drives for the specific uses of this company. They are still available for any legally required audits. E.g., by the UK’s National Audit Office.

7.3   The on-line data storage systems we use require at least “two factor” authentication.

7.4   The number of people who have access to data storage will be strictly controlled and segmented as necessary. A maximum of two employees (including one Director) will have access to data storage segments containing personal information (this maximum limit does not apply to non-personal company data).

7.5   Passwords used for accessing data records must be between ten digits, and up to 100 digits long, including a combination of letters, numbers, lower and upper castes and special characters.

7.6   Our systems mean that whenever anyone attempts to access critical data storage records (i.e. those containing personal data), alerts are received by the company, and reviewed promptly for any required actions. In the event of any data breach, the relevant authorities will be informed, and we will act to prosecute those responsible.

7.7   We do not keep copies of personal ID documentation (e.g. passports, driving licences, birth certificates, etc.) for anybody. Where these are required to be sighted, e.g., to ensure someone’s age is 18 or over, and/or to prove someone is legally in the UK; the employee on the day is only allowed to view them on the day and confirm they saw the ID. No company employee, representative or director is allowed to take photos, or keep copies in any format, or in any other way, of the IDs of others.

8. Responsibilities

8.1.         Our designated Data Security and Protection Lead is the lead director. The key responsibilities of the lead are:

8.1.1.     To ensure the rights of individuals in terms of their personal data are upheld in all instances and that data collection, sharing and storage is in line with the Caldicott Principles (see: https://www.gov.uk/government/publications/the-caldicott-principles);

8.1.2.     To define our data protection policy and procedures and all related policies, procedures and processes and to ensure that sufficient resources are provided to support the policy requirements.

8.1.3.     To monitor information handling to ensure compliance with law, guidance and the organisation’s procedures and liaising with senior management and DPO to fulfil this work.

8.1.4.     Liaising, if required, with the Information Commissioner’s Office (ICO).

9. Approval

9.1.         This policy has been approved by the undersigned and will be reviewed at least annually.

Name: Abdul T. Khan

Role/status: Director

Signature: Abdul T. Khan

Review Date: 5th November 2022

Approval Date: 5th November 2022