ISTC Standard Operating Procedure (SOP)
Data Protection
1 Purpose
This SOP establishes an effective, accountable and transparent framework for ensuring compliance with the requirements of the General Data Protection Regulation (GDPR).
The GDPR is a regulation of the European Union and the European Commission covering the data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. Therefore, GDPR applies to ISTC as a legal requirement where the Center collects and processes personal data of an individual resident in the EU.
ISTC, as it is headquartered in Kazakhstan and has no registered or physical presence in the EU, does not need to follow GDPR, other than where it applies if ISTC collects and processes personal data from EU citizens or residents.
As a predominately EU funded entity and to show good corporate governance as an intergovernmental organisation ISTC has chosen to follow GDPR in respect of all personal data collection and processing.
2 Scope
This SOP applies to all ISTC employees and all third parties responsible for the processing of personal data on behalf of ISTC.
3 Policy statement
ISTC is committed to conducting its operations in accordance with all applicable data protection laws and regulations and in line with the highest standards of ethical conduct.
This SOP sets forth the expected behaviours of ISTC employees and third parties in relation to the collection, use, retention, transfer, disclosure and destruction of any personal data belonging to an ISTC contact (i.e. the data subject).
Personal data is any information (including opinions and intentions) which relates to an identified or identifiable natural person. Personal data is subject to certain legal safeguards and other regulations, which impose restrictions on how organisations may process personal data. An organisation that handles personal data and makes decisions about its use is known as a Data Controller. ISTC, as a Data Controller, is responsible for ensuring compliance with the data protection requirements outlined in this SOP. Non-compliance may expose ISTC to complaints, regulatory action, fines and/or reputational damage. ISTC, as a Data Processor is responsible for ensuring compliance with the requirements of the Data Controller and with the data protection requirements outlined in this SOP. Non-compliance may expose ISTC to complaints, regulatory action, fines and/or reputational damage.
The Secretariat is fully committed to ensuring continued and effective implementation of this policy and expects all ISTC employees and third parties to share in this commitment. Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction.
3.1 Governance
3.1.1 Data protection and security officer
To demonstrate our commitment to data protection, and to enhance the effectiveness of our compliance efforts, ISTC has appointed a Data Protection Officer. The Data Protection and Security Officer operates with independence and is supported by suitability skilled individuals granted all necessary authority. The Data Protection and Security Officer works with and reports to the Data Privacy Team at ISTC, made up of members of the Secretariat. The Data Protection and Security Officer’s and the Data Privacy Team’s duties include:
· Informing and advising ISTC and its employees who carry out processing pursuant to data protection regulations, national law or EU based data protection provisions;
· Ensuring the alignment of this policy with data protection regulations, national law or EU based data protection provisions;
· Providing guidance with regards to carrying out Data Protection Impact Assessments (DPIAs);
· Acting as a point of contact for and cooperating with Data Protection Authorities (DPAs);
· Determining the need for notifications to one or more DPAs because of ISTC’s current or intended personal data processing activities;
· Making and keeping current notifications to one or more DPAs because of ISTC’s current or intended personal data processing activities;
· The establishment and operation of a system providing prompt and appropriate responses to data subject requests;
· Informing the Secretariat and Governing Board of ISTC of any potential corporate, civil and criminal penalties which may be levied against ISTC and/or its employees for violation of applicable data protection laws.
Ensuring establishment of procedures and standard contractual provisions for obtaining compliance with this SOP by any third party who:
· provides personal data to ISTC;
· receives personal data from ISTC;
· has access to personal data collected or processed by ISTC.
ISTC does not in the normal course of its activities receive personal data from third parties, but from the individual themselves ISTC does not in the normal course of its activities provide personal data to third parties or allow third parties access to personal data collected by ISTC.
3.1.2 Data protection by design
To ensure that all data protection requirements are identified and addressed when designing new systems or processes or services and/or when reviewing or expanding existing systems or processes or services, each of them must go through an approval process before continuing. ISTC staff must ensure that a Data Protection Impact Assessment (DPIA) is conducted, in cooperation with the Data Protection and Security Officer, for all new and/or revised systems or processes for which it has responsibility. The subsequent findings of the DPIA must then be submitted to the Data Privacy Team for review and approval. Where applicable, the any third-party Information Technology (IT) contractors, as part of ISTC’s IT system and application design review process, will cooperate with the Data Protection Officer to assess the impact of any new technology uses on the security of personal data.
3.1.3 Compliance monitoring
To confirm that an adequate level of compliance that is being achieved by ISTC in relation to this SOP, the Data Protection and Security Officer will carry out data protection monitoring for all such services/entities either annually or as the need arises. Monitoring will, as a minimum, assess:
· Compliance with this SOP in relation to the protection of personal data, including:
· The assignment of responsibilities:
ü Raising awareness;
ü Training of employees.
· The effectiveness of data protection related operational practices, including:
ü Data subject rights;
ü Personal data transfers;
ü Personal data incident management;
ü Personal data complaints handling;
ü The level of understanding of data protection policies and privacy notices;
ü The currency of data protection policies and privacy notices;
ü The accuracy of personal data being stored;
ü The conformity of data processor activities;
ü The adequacy of procedures for redressing poor compliance and personal data breaches.
The Data Protection and Security Officer, in cooperation with Data Privacy Team, will devise a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time frame. Any major deficiencies and good practice identified will be reported to, monitored and shared by the ISTC Data Privacy Team.
3.2 Data protection principles
ISTC has adopted the following principles to govern its collection, use, retention, transfer, disclosure and destruction of personal data:
Principle 1: Lawfulness, Fairness and Transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. This means, ISTC must tell the data subject what processing will occur (transparency), the processing must match the description given to the data subject (fairness), and it must be for one of the purposes specified in the applicable data protection regulation (lawfulness).
Principle 2: Purpose Limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means ISTC must specify exactly what the personal data collected will be used for and limit the processing of that personal data to only what is necessary to meet the specified purpose.
Principle 3: Data Minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This means ISTC must not store any personal data beyond what is strictly required.
Principle 4: Accuracy
Personal data shall be accurate and, kept up to date. This means ISTC must have in place processes for identifying and addressing out-of-date, incorrect and redundant personal data.
Principle 5: Storage Limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. This means ISTC must, wherever possible, store personal data in a way that limits or prevents identification of the data subject.
Principle 6: Integrity & Confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage. ISTC must use appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data is maintained at all times.
Principle 7: Accountability
A Data Controller shall be responsible for and be able to demonstrate compliance. This means ISTC must demonstrate that the six data protection principles (outlined above) are met for all personal data for which it is responsible.
3.3 Data collection
3.3.1 Data sources
Personal data should be collected from the data subject and processed as documented in the “ISTC Privacy Policy”.
Personal data could be collected from other sources when the following apply:
· The nature of the business purpose necessitates collection of the personal data from other persons or bodies (e.g. job references);
· The collection must be carried out under emergency circumstances in order to protect the vital interests of the data subject or to prevent serious loss or injury to another person.
If personal data is collected from someone other than the data subject, the data subject must be informed of the collection unless one of the following apply:
· The data subject has received the required information by other means;
· The information must remain confidential due to a professional secrecy obligation;
· A national law expressly provides for the collection, processing or transfer of the personal data.
Where it has been determined that notification to a data subject is required, notification should occur promptly, but in no case later than:
· One calendar month from the first collection or recording of the personal data;
· At the time of first communication if used for communication with the data subject;
· At the time of disclosure if disclosed to another recipient.
3.3.2 Data subject consent
ISTC will obtain personal data only by lawful and fair means and, where appropriate with the knowledge and consent of the individual concerned. Where a need exists to request and receive the consent of an individual prior to the collection, use or disclosure of their personal data, ISTC is committed to seeking such consent. The Data Protection and Security Officer, in cooperation with other ISTC staff, shall establish a system for obtaining and documenting data subject consent for the collection, processing, and/or transfer of their personal data.
3.3.3 Data subject notification
ISTC will, when required by applicable law or contract, or where it considers that it is reasonably appropriate to do so, provide data subjects with information as to the purpose of the processing of their personal data. When the data subject is asked to give consent to the processing of personal data and when any personal data is collected from the data subject, all appropriate disclosures will be made, in a manner that draws attention to them, unless one of the following apply:
· The data subject already has the information;
· A legal exemption applies to the requirements for disclosure and/or consent.
The disclosures may be given electronically or in writing. The associated receipt or form should be retained, along with a record of the facts, date, content, and method of disclosure.
3.3.4 External privacy notices
Any website provided by ISTC will include an online ‘Privacy Policy’ and an online ‘Cookie Banner’ fulfilling the requirements of applicable law.
3.4 Data use
3.4.1 Data processing
ISTC uses the personal data of its contacts for the following broad purposes:
· The operations and administration of ISTC;
· To provide services to ISTC’s funding parties and partners.
The use of a contact’s information should always be considered from their perspective and whether the use will be within their expectations or if they are likely to object. For example, it would clearly be within a contact’s expectations that their details will be used by ISTC to respond to a contact request for information about the Center’s activities. However, it will not be within their reasonable expectations that ISTC would then provide their details to third parties for marketing purposes. ISTC does not provide personal data to third parties for marketing purposes.
ISTC will process personal data in accordance with all applicable laws and applicable contractual obligations. More specifically, ISTC will not process personal data unless at least one of the following requirements are met:
· The data subject has given consent to the processing of their personal data for one or more specific purposes.
· Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
· Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
· Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
· Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
· Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller/Processor or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child).
There are some circumstances in which personal data may be further processed for purposes that go beyond the original purpose for which the personal data was collected. When making a determination as to the compatibility of the new reason for processing, guidance and approval must be obtained from the Data Protection and Security Officer before any such processing may commence.
· In any circumstance where consent has not been gained for the specific processing in question, ISTC will address the following additional conditions to determine the fairness and transparency of any processing beyond the original purpose for which the personal data was collected: Any link between the purpose for which the personal data was collected and the reasons for intended further processing.
· The context in which the personal data has been collected, in particular regarding the relationship between data subject and the Data Controller.
· The nature of the personal data, in particular whether special categories of data are being processed, or whether personal data related to criminal convictions and offences are being processed.
· The possible consequences of the intended further processing for the data subject.
· The existence of appropriate safeguards pertaining to further processing, which may include encryption, anonymisation or pseudonymisation.
3.4.2 Special categories of data
ISTC will only process special categories of data (also known as sensitive data) where the data subject expressly consents to such processing or where one of the following conditions apply:
· The processing relates to personal data which has already been made public by the data subject;
· The processing is necessary for the establishment, exercise or defence of legal claims;
· The processing is specifically authorised or required by law;
· The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
· Further conditions, including limitations, based upon national law related to the processing of genetic data, biometric data or data concerning health.
In any situation where, special categories of data are to be processed, prior approval must be obtained from the Data Protection and Security Officer, and the basis for the processing clearly recorded with the personal data in question. Where special categories of data are being processed, ISTC will adopt additional protection measures.
3.4.3 Children’s data
Children under the age of 14 are unable to consent to the processing of personal data for information society services (any service normally provided for payment, by electronic means and at the individual request of a recipient of services). Consent must be sought from the person who holds parental responsibility over the child. However, it should be noted that where processing is lawful under other grounds, consent need not be obtained from the child or the holder of parental responsibility.
In the normal course of ISTC’s activities the only personal data collected from children would be in relation to the inclusion of the children of ISTC staff and former staff in the medical insurance scheme.
3.4.4 Data quality
ISTC will adopt all necessary measures to ensure that the personal data it collects, and processes is complete and accurate in the first instance and is updated to reflect the current situation of the data subject. The measures adopted by ISTC to ensure data quality include:
· Correcting personal data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the data subject does not request rectification;
· Keeping personal data only for the period necessary to satisfy the permitted uses or applicable statutory retention period;
· The removal of personal data if in violation of any of the data protection principles or if the personal data is no longer required;
· Restriction, rather than deletion of personal data, insofar as:
ü a law prohibits erasure;
ü erasure would impair legitimate interests of the data subject;
ü the data subject disputes that their personal data is correct and it cannot be clearly ascertained whether their information is correct or incorrect.
3.4.5 Profiling & automated decision making
ISTC will only engage in profiling and automated decision-making where it is necessary to enter into, or to perform, a contract with the data subject or where it is authorised by law. Where ISTC utilises profiling and automated decision-making, this will be disclosed to the relevant data subjects. In such cases the data subject will be given the opportunity to:
· Express their point of view.
· Obtain an explanation for the automated decision.
· Review the logic used by the automated system.
· Supplement the automated system with additional data.
· Have a human carry out a review of the automated decision.
· Contest the automated decision.
Object to the automated decision-making being carried out. ISTC must also ensure that all profiling and automated decision-making relating to a data subject is based on accurate data.
ISTC in the normal course of its activities does not carry out profiling of individuals and does not use automated decision making processes.
3.4.6 Digital marketing
As a rule, ISTC does not use digital marketing in the normal course of its activities. Should there be a change in this regard ISTC will not send promotional or direct marketing material to an ISTC contact through digital channels such as mobile phones, e-mail and the Internet, without first obtaining their consent. ISTC would not carry out a digital marketing campaign without obtaining prior Consent from the data subject. Where personal data (e.g. case studies or photographs) processing is approved for digital marketing purposes, the data subject must be informed at the point of first contact that they have the right to object, at any stage, to having their data processed for such purposes. If the data subject puts forward an objection, digital marketing related processing of their personal data must cease immediately, and their details should be kept on a suppression list with a record of their opt-out decision, rather than being completely deleted. It should be noted that where digital marketing is carried out in a ‘business to business’ context, there is no legal requirement to obtain an indication of Consent to carry out digital marketing to individuals provided that they are given the opportunity to opt-out.
3.5 Data retention
To ensure fair processing, personal data will not be retained by ISTC for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed. The length of time for which ISTC services/entities need to retain personal data is set out in ISTC’s Data Retention Schedule (Appendix A). This considers the legal and contractual requirements, both minimum and maximum, that influence the retention periods set forth in the schedule. All personal data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
3.6 Data protection
ISTC will adopt physical, technical, and organisational measures to ensure the security of personal data. These measures are contained in SOP - Information and Technology Policies and Procedures. This includes the prevention of loss or damage, unauthorised alteration, access or processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment. A summary of the personal data related security measures is provided below:
· Prevent unauthorised persons from gaining access to data processing systems in which personal data are processed;
· Prevent persons entitled to use a data processing system from accessing personal data beyond their needs and authorisations;
· Ensure that personal data in the course of electronic transmission during transport cannot be read, copied, modified or removed without authorisation;
· Ensure that access logs are in place to establish whether, and by whom, the personal data was entered into, modified on or removed from a data processing system;
· Ensure that in the case where processing is carried out by a Data Processor, the data can be processed only in accordance with the instructions of the Data Controller;
· Ensure that personal data is protected against undesired destruction or loss;
· Ensure that personal data collected for different purposes can and is processed separately;
· Ensure that personal data is not kept longer than necessary.
In addition, to confirm that an adequate level of compliance that is being achieved by ISTC in relation to SOP - Data Protection, the Data Protection and Security Officer will carry out data protection monitoring for all procedures involving the collection and processing of personal data either annually or as the need arises as described in the Appendix B.
Data Protection Impact Assessment (DPIA) is to be completed before any new procedure is introduced or any significant change made to an existing procedure in accordance with SOP - Data Protection. The final outcomes should be integrated back into procedure as described in the Appendix C.
3.7 Data subject requests
The Data Protection and Security Officer will establish a system to enable and facilitate the exercise of data subject rights related to:
· Information access;
· Objection to processing;
· Objection to automated decision-making and profiling;
· Restriction of processing;
· Data portability;
· Data rectification;
· Data erasure.
If an individual makes a request relating to any of the rights listed above ISTC will consider each such request in accordance with all applicable data protection laws and regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature. Data subjects are entitled to obtain, based upon a request made in writing/e-mail to: the Data Protection and Security Officer.
It should be noted that situations may arise where providing the information requested by a data subject would disclose personal data about another individual. In such cases, information must be redacted or withheld as may be necessary or appropriate to protect that person’s rights. Detailed guidance for dealing with requests from data subjects can be found in ISTC’s Data Subject Access Rights Policy and Procedure (Appendix E).
3.8 Law enforcement requests & disclosures
In certain circumstances, it is permitted that personal data be shared without the knowledge or consent of a data subject. This is the case where the disclosure of the personal data is necessary for any of the following purposes:
· The prevention or detection of crime.
· The apprehension or prosecution of offenders.
· The assessment or collection of a tax or duty.
· By the order of a court or by any rule of law.
If ISTC processes personal data for one of these purposes, then it may apply an exception to the processing rules outlined in this policy but only to the extent that not doing so would be likely to prejudice the case in question. If ISTC receives a request from a court or any regulatory or law enforcement authority for information relating to an ISTC contact, you must immediately notify the Data Protection and Security Officer who will provide comprehensive guidance and assistance.
3.9 Data protection training
All ISTC employees that have access to personal data will have their responsibilities under this policy outlined to them as part of their staff induction training. In addition, ISTC will receive regular Data Protection training and procedural guidance.
3.10 Data transfers
ISTC may transfer personal data to internal or third-party recipients located in another country where that country is recognised as having an adequate level of legal protection for the rights and freedoms of the relevant data subjects. Where transfers need to be made to countries lacking an adequate level of legal protection (i.e. third countries), they must be made in compliance with an approved transfer mechanism. ISTC may only transfer personal data where one of the transfer scenarios listed below applies:
· The data subject has given Consent to the proposed transfer.
· The transfer is necessary for the performance of a contract with the data subject
· The transfer is necessary for the implementation of pre-contractual measures taken in response to the data subject’s request.
· The transfer is necessary for the conclusion or performance of a contract concluded with a third party in the interest of the data subject.
· The transfer is legally required on important public interest grounds.
· The transfer is necessary for the establishment, exercise or defence of legal claims.
· The transfer is necessary in order to protect the vital interests of the data subject
3.11 Complaints handling
Data subjects with a complaint about the processing of their personal data, should put forward the matter in writing to the Data Protection and Security Officer. An investigation of the complaint will be carried out to the extent that is appropriate based on the merits of the specific case. The Data Protection and Security Officer will inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the issue cannot be resolved through consultation between the data subject and the Data Protection and Security Officer, then the data subject may, at their option, seek redress through mediation, binding arbitration, litigation, or via complaint to the Data Protection Authority within the applicable jurisdiction.
3.12 Breach reporting
Any individual who suspects that a personal data breach has occurred due to the theft or exposure of personal data must immediately notify the Data Protection Officer providing a description of what occurred. Notification of the incident can be made via e-mail, by calling. The Data Protection and Security Officer will investigate all reported incidents to confirm whether or not a personal data breach has occurred. If a personal data breach is confirmed, the Data Protection and Security Officer will follow the relevant ISTC ‘Data Breach Policy and Procedure’ (Appendix D) based on the criticality and quantity of the personal data involved. For severe personal data breaches, ISTC’s Data Privacy Team will initiate and chair an emergency response team to coordinate and manage the personal data breach response.
4 Roles and responsibilities
4.1 Implementation
The Secretariat and staff of ISTC must ensure that all ISTC employees responsible for the processing of personal data are aware of and comply with the contents of this policy. In addition, ISTC will make sure all third parties engaged to process personal data on their behalf (i.e. their data processors) are aware of and comply with the contents of this policy. Assurance of such compliance must be obtained from all third parties, whether companies or individuals, prior to granting them access to personal data controlled by ISTC.
4.2 Support, Advice and Communication
For advice and support in relation to this policy, please contact the Data Protections and Security Officer.
5 Review
This policy will be reviewed by the Data Protection and Security Officer/Data Privacy Team every three years, unless there are any changes to regulations or legislation that would enable a review earlier.
6 Records management
Staff must maintain all records relevant to administering this policy and procedure in electronic form in a recognised ISTC recordkeeping system.
All records relevant to administering this policy and procedure will be maintained for a period of 5 years.
7 Terms and definitions
General Data Protection Regulation (GDPR): The General Data Protection Regulation (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data.
Data Processor: the entity that processes data on behalf of the Data Controller.
Data Protection Authority: national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union.
Data Protection and Security Officer (DPSO): an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR.
Data subject: a natural person whose personal data is processed by a controller or processor.
Personal data: any information related to a natural person or ‘data subject’, that can be used to directly or indirectly identify the person.
Privacy Impact Assessment: a tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data.
Processing: any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Profiling: any automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour.
Regulation: a binding legislative act that must be applied in its entirety across the Union.
Subject Access Right: also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.
8 Related legislation and documents
9 Feedback and suggestions
ISTC employees may provide feedback and suggestions about this document to the Chief Administrative Officer.
10 Effectivity:
This procedure is effective October 1, 2020
David Cleave, Executive Director
Appendix A – Data Retention Schedule
|
Personal data record category |
Mandated retention period |
Record owner |
|
Financial Records |
|
|
|
Financial documents |
See archives policy |
Finance |
|
Financial statements |
Permanent |
Finance |
|
Statutory and Governing Board |
||
|
Agreement Statute, Financial Regulations, etc |
Permanent |
ED Office |
|
Board documents |
Permanent |
ED Office |
|
Board meeting minutes |
Permanent |
ED Office |
|
HR: Employee Records |
|
|
|
Employee Records |
Duration of employment and/or to provide references in the future |
HR |
|
Contracts |
|
|
|
Signed |
Permanent |
Procurement |
|
Contract amendments |
Permanent |
Procurement |
|
Successful tender documents |
Permanent |
Procurement |
|
Unsuccessful tenders’ documents |
Permanent |
Procurement |
|
Conference, workshop and seminar documents |
|
|
|
Individual attendees registration documents |
Cleared after the conclusion of the event |
Organiser of the event |
Appendix B
Data Protection Monitoring
To confirm that an adequate level of compliance that is being achieved by ISTC in relation to SOP - Data Protection, the Data Protection and Security Officer will carry out data protection monitoring for all procedures involving the collection and processing of personal data either annually or as the need arises. Assessment:
|
Area to be monitored |
Assessed |
Observations |
|
Compliance with this SOP in relation to the protection of personal data, including: |
|
|
|
The assignment of responsibilities: ü Raising awareness; ü Training of employees. |
|
|
|
The effectiveness of data protection related operational practices, including: |
|
|
|
Data subject rights;
|
|
|
|
Personal data transfers;
|
|
|
|
Personal data incident management;
|
|
|
|
Personal data complaints handling;
|
|
|
|
The level of understanding of data protection policies and privacy notices;
|
|
|
|
The currency of data protection policies and privacy notices;
|
|
|
|
The accuracy of personal data being stored;
|
|
|
|
The conformity of data processor activities;
|
|
|
|
The adequacy of procedures for redressing poor compliance and personal data breaches.
|
|
|
|
Sign off and record outcomes |
||
|
Item |
Name/position/date |
Notes |
|
Assessment made: |
Data Protection and Security Officer |
|
|
DPO advice provided: |
|
|
|
Summary of DPO advice: |
||
|
DPO advice accepted or overruled by: |
Chief Administrative Officer |
If overruled, you must explain your reasons |
|
Comments: |
||
Appendix C
Data Protection Impact Assessment
DPIA to be completed before any new procedure is introduced or any significant change made to an existing procedure in accordance with SOP - Data Protection. The final outcomes should be integrated back into procedure.
|
Completed by: |
|
|
Subject / new procedure |
|
|
Step 1: Identify the need for a DPIA Explain broadly what project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarize why you identified the need for a DPIA. |
|
|
|
|
|
Step 2: Describe the processing Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved? |
|
|
|
|
|
Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover? |
||||||||||
|
|
||||||||||
|
Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)? |
||||||||||
|
|
||||||||||
|
Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly? |
||||||||||
|
|
||||||||||
|
Step 3: Consultation process Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organization? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts? |
||||||||||
|
|
||||||||||
|
Step 4: Assess necessity and proportionality Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimization? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers? |
||||||||||
|
|
||||||||||
|
Step 5: Identify and assess risks Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary. |
Likelihood of harm |
Severity of harm |
Overall risk |
|
||||||
|
|
Remote, possible or probable |
Minimal, significant or severe |
Low, medium or high |
|
||||||
|
Step 6: Identify measures to reduce risk Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5 |
||||||||||
|
Risk |
Options to reduce or eliminate risk |
Effect on risk |
Residual risk |
Measure approved |
||||||
|
|
|
Eliminated reduced accepted |
Low medium high |
Yes/no |
||||||
|
Step 7: Sign off and record outcomes |
||||||||||
|
Item |
Name/position/date |
Notes |
||||||||
|
Measures approved by: |
|
Integrate actions back into project plan, with date and responsibility for completion |
||||||||
|
DPO advice provided: |
|
DPO should advise on compliance, step 6 measures and whether processing can proceed |
||||||||
|
Summary of DPO advice: |
||||||||||
|
DPO advice accepted or overruled by: |
|
If overruled, you must explain your reasons |
||||||||
|
Comments: |
||||||||||
|
Consultation responses reviewed by: |
|
If your decision departs from individuals’ views, you must explain your reasons |
||||||||
|
Comments: |
||||||||||
|
This DPIA will kept under review by: |
|
The DPO should also review ongoing compliance with DPIA |
||||||||
Appendix D
GDPR Breach Policy and Procedure
1. Introduction
1.1 The ISTC collects, holds, processes, and shares personal data, a valuable asset that needs to be suitably protected.
1.2 Every care is taken to protect personal data from incidents (either accidentally or deliberately) to avoid a data protection breach that could compromise security.
1.3 Compromise of information, confidentiality, integrity, or availability may result in harm to individual(s), reputational damage, detrimental effect on service provision, legislative non- compliance, and/or financial costs.
1.4 This policy and procedure has been prepared in accordance with the requirements of SOP - Data Protection.
2. Purpose and Scope
2.1 The ISTC complies with Data Protection legislation[1] to have in place an institutional framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility.
2.2 This policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents across the ISTC.
2.3 This policy relates to all personal and special categories (sensitive) data held by the ISTC regardless of format.
2.4 This policy applies to all staff and fellows at the ISTC. This includes temporary, casual or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of the ISTC.
2.5 The objective of this policy is to contain any breaches, to minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches.
3. Definitions / Types of breach
3.1 For the purpose of this policy, data security breaches include both confirmed and suspected incidents.
3.2 An incident in the context of this policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to the ISTC’s information assets and / or reputation.
3.3 An incident includes but is not restricted to, the following:
3.3.1 loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad / tablet device, or paper record);
3.3.2 equipment theft or failure;
3.3.3 system failure;
3.3.4 unauthorised use of, access to or modification of data or information systems;
3.3.5 attempts (failed or successful) to gain unauthorised access to information or IT system(s);
3.3.6 unauthorised disclosure of sensitive / confidential data; \
3.3.7 website defacement;
3.3.8 hacking attack;
3.3.9 unforeseen circumstances such as a fire or flood;
3.3.10 human error;
3.3.11 ‘blagging’ offences where information is obtained by deceiving the organisation who holds it.
4. Reporting an incident
4.1 Any individual who accesses, uses or manages the ISTC’s information is responsible for reporting data breach and information security incidents immediately to the Data Protection and Security Officer (DPO) at privacy@istc.int.
4.2 If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.
4.3 The report must include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, if the data relates to people, the nature of the information, and how many individuals are involved. An Incident Report should be completed as part of the reporting process.
4.4 All staff should be aware that any breach of Data Protection legislation may result in the ISTC’s Disciplinary Procedures being instigated.
5. Containment and recovery
5.1 The DPO will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach.
5.2 An initial assessment will be made by the DPO in liaison with the Secretariat to establish the severity of the breach and who will take the lead investigating the breach, as the Investigator (this will depend on the nature of the breach; in some cases it could be the DPO).
5.3 The Investigator will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.
5.4 The Investigator will establish who may need to be notified as part of the initial containment and will inform the police, where appropriate.
5.5 Advice from experts across the ISTC may be sought in resolving the incident promptly.
5.6 The Investigator, in liaison with the relevant officer(s) will determine the suitable course of action to be taken to ensure a resolution to the incident.
6. Investigation and risk assessment
6.1 An investigation will be undertaken by the Investigator immediately and wherever possible, within 24 hours of the breach being discovered / reported.
6.2 The Investigator will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.
6.3 The investigation will need to take into account the following:
6.3.1 the type of data involved;
6.3.2 its sensitivity;
6.3.3 the protections are in place (e.g. encryptions);
6.3.4 what has happened to the data (e.g. has it been lost or stolen;
6.3.5 whether the data could be put to any illegal or inappropriate use;
6.3.6 data subject(s) affected by the breach, number of individuals involved and the potential effects on those data subject(s);
6.3.7 whether there are wider consequences to the breach.
7. Notification
7.1 The Investigator and / or the DPO, in consultation with relevant colleagues will establish whether the Data Protection Authority will need to be notified of the breach, and if so, notify them within 72 hours of becoming aware of the breach, where feasible.
7.2 Every incident will be assessed on a case by case basis; however, the following will need to be considered:
7.2.1 whether the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms under Data Protection legislation[2];
7.2.2 whether notification would assist the individual(s) affected (e.g. could they act on the information to mitigate risks?);
7.2.3 whether notification would help prevent the unauthorised or unlawful use of personal data;
7.2.4 whether there are any legal / contractual notification requirements;
7.2.5 the dangers of over notifying. Not every incident warrants notification and over notification may cause disproportionate enquiries and work.
7.3 Individuals whose personal data has been affected by the incident, and where it has been considered likely to result in a high risk of adversely affecting that individual’s rights and freedoms, will be informed without undue delay. Notification will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves and include what action has already been taken to mitigate the risks. Individuals will also be provided with a way in which they can contact the Center for further information or to ask questions on what has occurred.
7.4 The Investigator and / or the DPO must consider notifying third parties such as the police, insurers, banks or credit card companies, and trade unions. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
7.5 A record will be kept of any personal data breach, regardless of whether notification was required.
8 Evaluation and response
8.1 Once the initial incident is contained, the DPO will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.
8.2 Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.
8.3 The review will consider:
8.3.1 where and how personal data is held and where and how it is stored;
8.3.2 where the biggest risks lie including identifying potential weak points within existing security measures;
8.3.3 whether methods of transmission are secure; sharing minimum amount of data necessary;
8.3.4 staff awareness;
8.3.5 implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches of security.
8.4 If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by the Secretariat.
9. Policy Review
9.1 This policy will be updated as necessary to reflect best practice and to ensure compliance with any changes or amendments to relevant legislation.
10. Approval
This document was approved and came into effect September 2020
Appendix E
GDPR Data Subject Access Policy and Procedure
1. Introduction
ISTC processes (including collecting, storing and transmission) different types of personal data about individuals who have been in contact with the Center to fulfil its role and to meet its legal obligations. ISTC has a responsibility to protect this information and ensure its confidentiality, integrity and availability. This document sets out ISTC’s policy and procedures relating to responding to subject access requests, that is, requests from individuals to access their own personal data. This policy and procedure have been prepared in accordance with the requirements of SOP - Data Protection.
2. Scope and Purpose
2.1 Scope of this policy and procedure
ISTC defines a ‘personal subject access request’ as a request in any form received by a member of staff where the data subject expresses a request to access some or all of their personal data.
ISTC’s Subject Access Request policy and procedure applies to permanent employees, and third parties who act as a data processor on behalf of the Center. For the purposes of this document, “ISTC staff” refers to both permanent employees and third-party data processors.
2.2 Purpose of this policy and procedure
The ISTC’s Data Protection Policy requires that a procedure will be developed and maintained for dealing with subject access requests. This document contains the procedures to establish the methodology for handling a request from an individual who wishes to exercise their right to access their personal data.
3. Rights of the Data Subject
3.1 Right to Access
Under Article 15 of the Regulation (EU) 2016/679 (known as the General Data Protection Regulation (GDPR), an individual has a right to access personal data which has been collected concerning them by the Center. Article 15 allows an individual to access that personal data and be provided with the following information;
(a) The purposes of the processing;
(b) The categories of personal data concerned;
(c) The recipients or categories of recipients concerned, in particular recipients in third countries (where applicable), and the safeguards in place relating to the transfer of personal data;
(d) Retention periods;
(e) Information on the rights of the individual to have their personal data rectified, restricted, erased or objected to;
(f) The right to lodge a complaint with a Supervisory Authority;
(g) If personal data have not been collected directly, the source of the personal data;
(h) The existence of automated decision making and/or profiling relating to the personal data;
Where a controller processes a large amount of data in relation to the data subject, prior to providing the information, the Center may request the data subject to specify the information to which the request relates (Recital 63, GDPR).
3.2 Right to Portability
Where the right to access requires personal data to be provided in a commonly used form, the right to portability goes further under Article 20 and requires the Center to provide the information to the data subject “in a structured, commonly used and machine-readable format” so it can be transferred to another controller “without hindrance.”
The right to portability applies to the following:
• Personal data processed by automated means;
• Personal data provided to the controller;
• Only where the legal basis is for consent or data is being processed to fulfil a contract;
This right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and, in particular, copyright protecting the software. However, the result of those considerations should not be a refusal to provide information to the data subject.
As outlined in the ISTC’s Data Protection Policy, it is expected that this right will apply only to a small number of data subjects based on the lawful basis for the processing carried out by the Center.
4. Subject Access Request Requirements
4.1 Format of Response
The Center must provide a copy of the personal data to the data subject. In line with Article 15 of the GDPR, where the data subject submits an access request by electronic means, the information should be provided to the data subject by electronic means, unless otherwise requested by the data subject.
4.2 Costs
A SAR should be provided to the data subject free of charge. However, for additional copies provided to the data subject, the Center may charge a reasonable fee or where access requests are “manifestly unfounded or excessive” taking into account the administrative costs of providing the information as outlined under Article 15 and Article 12 of the GDPR.
4.3 Subject Access Request Form
The Center provides a Subject Access Request Form to individuals who inquire about their personal data. The form gives information to data subjects about how to make a valid subject access request. The form is included in Appendix A of this document.
4.4 Exemptions
A subject access request may be refused where it is deemed “manifestly unfounded or excessive, in particular because of its repetitive character." The burden of demonstrating the manifestly unfounded or excessive character will rest with the Center as outlined under Article 12 of the GDPR.
There are other instances where the Center may decide to refuse the request. Examples of reasons to refuse a request include where the requester is involved in a claim against the Center, seeking compensation, and the information requested reveals details of the organisation’s decision process in relation to their claim; or if releasing the personal data requested would mean that the personal data of another individual would be unfairly disclosed.
4.5 Refusing a Request
Under Article 12 of the GDPR, where the Center refuses to respond to a subject access request, the Center shall inform the data subject without delay and at the latest within one month of receipt of the request of the following:
• Reasons for refusing to respond;
• The right to lodge a complaint with the Data Protection Authority;
• The right to seek a judicial remedy.
4.6 Deleting data
It is an offence under the GDPR to delete data that is the subject of an access request. Under no circumstances should the data be deleted even if it has been retained for a period longer than the Center retention schedule permits.
4.7 Data Processors
Where the Center uses a data processor, then it must notify the processor of the subject access request and ensure that contractual arrangements are in place to guarantee that such requests are dealt with efficiently by all data processors.
5. Review & Update
This policy and procedure will be reviewed and updated annually or more frequently, if necessary to ensure any changes to the ISTC’s organisation structure and operations are properly reflected in the policy.
6. Approval
This document was approved and came into effect September 2020
Subject Access Request Form
Requests for Access to Personal Data under Article 15 of the General Data Protection Regulation (GDPR) 2018.
Under the GDPR, you may receive a copy of your personal data held by ISTC electronically or in manual filing systems simply by submitting a subject access request. Access requests can be submitted by written or electronic means. You may use the ISTC’s subject access request application form, write a letter, or submit your request using other electronic means, such as an email. You may also submit a request verbally, although a written request is preferable if possible, so that there can be no doubt as to the details of the request.
All written applications along with proof of identity should be addressed to: the Data Protection and Security Officer at ISTC in writing or by email to: privacy@istc.int
To help us answer your request please be as specific as possible about the information you wish to see and give as much information as you can to help us find it.
You are legally entitled to a decision regarding your request within 30 days of ISTC receiving your request. However, every effort will be made by the Data Protection and Security Officer to deal with your request as soon as possible, and you will receive an acknowledgement on receipt of your application, which will outline the deadline for your particular request.
If you are unhappy with the decision of the Data Protection and Security Officer, you have the right to complain to the relevant Data Protection Authority who will investigate the matter for you.
Important: A photocopy of your proof of identity (E.g. passport or driver’s licence) and a photocopy of proof of address must accompany this Access Request Form (see Note below).
|
Section A - please complete this section |
||
|
Full Name |
|
|
|
Postal address |
|
|
|
E-mail* |
|
|
|
Telephone* |
|
|
|
* we may need to contact you to discuss your Access Request |
||
|
|
||
|
Section B - please complete this section |
|
|
|
I, ...........................................................[insert name] wish to have access to data that I believe the ISTC retains on me as outlined below
|
||
|
Please include any relevant information to assist us
|
||
|
Signed
|
|
|
|
Date
|
|
|
|
|
||
|
Checklist |
Yes |
No |
|
Completed the Access Request Form in full? |
|
|
|
Attached a photocopy of proof of your identity and address? |
|
|
|
Signed and dated the Access Request Form? |
|
|
If you have ticked No to any question above the ISTC cannot process your request. Please return this form to: Data Protection and Security Officer, ISTC Email: privacy@istc.int
Note: we require proof of the applicant’s identity and address to ensure that the person making this access request is acting legitimately.
[1] The General Data Protection Regulation (GDPR) and related EU and national legislation
[2] Individual Rights: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual- rights/