The purpose of this policy is to set out WeThrive’s approach to data protection and data privacy.
Introduction
The personal data that WeThrive processes to provide these services relates to its customers and other individuals as necessary, including staff and suppliers’ staff.
WeThrive processes the personal data of staff/customers/suppliers and is committed to ensuring that all the personal data that it processes is carried out in accordance with all data protection law. WeThrive ensures that good data protection practice is embedded in the culture of our staff and our organisation.
WeThrive’s other data documentation includes:
Record of Processing Activities (RoPA)
Personal Data Breach Reporting Process
Personal Data Incident Register
Data Subject Rights Procedure
Data Subject Rights Request Register
IT security policies
Appropriate Policy Document (APD) for processing special categories of personal data and criminal records (including allegations) data
‘Data Protection Law’ includes the UK General Data Protection Regulation (GDPR); the UK Data Protection Act 2018 (DPA 2018) and all relevant UK data protection legislation including such legislation that may replace current laws.
Scope
This policy applies to all personal data processed by WeThrive and is part of WeThrive’s approach to compliance with data protection law. All WeThrive staff, partners or third parties who have, or may have access to personal data are expected to have read, understood and comply with this policy and failure to comply may lead to disciplinary action for misconduct, including dismissal or contract termination.
Responsibilities
WeThrive is a data controller and a data processor under the GDPR/DPA 2018.
Key responsibilities are:
All managers are responsible for ensuring personal data is handled in accordance with WeThrive’s policies and procedures and for encouraging best practice in the handling of personal data.
The Data Protection Officer is accountable to the Board of Directors and for ensuring compliance with data protection law can be demonstrated.
Compliance with data protection law is the responsibility of all employees, partners and third parties working on behalf of WeThrive.
The Board of Directors are ultimately accountable for ensuring WeThrive is compliant with data protection law.
WeThrive will ensure that all staff, partners or third parties who handle personal data on its behalf are aware of their responsibilities under this policy and other relevant data protection and information security policies, and that they are adequately trained and supervised. Breaching this policy may result in disciplinary action for misconduct, including dismissal or contract termination. Obtaining (including accessing) or disclosing personal data in breach of WeThrive’s data protection policies may also be a criminal offence.
Data Protection Principles
WeThrive complies with the data protection principles set out below. When processing personal data, it ensures that:
It is processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
It is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).
It is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
It is accurate and, where necessary, kept up to date and that reasonable steps will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
It is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).
It is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
WeThrive is responsible for complying with the data protection principles and will demonstrate this in accordance with GDPR Article 5(2) “Accountability” by implementing policies and procedures, technical and organisational measures and keeping documentation such as breach records and Data Subject Rights Request records.
Data Subject Rights
WeThrive has processes in place to ensure that it can facilitate any request made by an individual to exercise their rights under data protection law. All staff have received training and are aware of the rights of data subjects. Staff can identify such a request and know who to send it to.
All requests will be considered without undue delay and satisfied within one calendar month of receipt as far as possible.
WeThrive will ensure the rights as detailed below can be exercised by data subjects.
Informed: The right to be informed about the collection and use of personal data is addressed via company privacy notices.
Subject access: The right to request information about how personal data is being processed, including whether personal data is being processed and the right to be allowed access to that data and to be provided with a copy of that data along with the right to obtain the following information:
The purpose of the processing.
The categories of personal data.
The recipients to whom data have been disclosed or which will be disclosed.
The retention period.
The right to lodge a complaint with the Information Commissioner’s Office.
The source of the information if not collected direct from the subject; and
The existence of any automated decision-making.
Rectification: The right to allow a data subject to rectify inaccurate personal data concerning them.
Erasure: The right to have data erased and to have confirmation of erasure, but only where:
The data is no longer necessary in relation to the purpose for which it was collected, or
Where consent is withdrawn, or
Where there is no legal basis for the processing, or
There is a legal obligation to delete data.
Restriction of processing: the right to ask for certain processing to be restricted in the following circumstances:
If the accuracy of the personal data is being contested, or
If our processing is unlawful but the data subject does not want it erased, or
If the data is no longer needed for the purpose of the processing but it is required by the data subject for the establishment, exercise or defence of legal claims, or
If the data subject has objected to the processing, pending verification of that objection.
Data portability: the right to receive a copy of personal data which has been provided by the data subject and which is processed by automated means in a format which will allow the individual to transfer the data to another data controller. This would only apply if WeThrive was processing the data using consent or based on a contract.
Object to processing: The right to object to the processing of personal data relying on the legitimate interests processing condition unless WeThrive can demonstrate compelling legitimate grounds for the processing which override the interests of the data subject or for the establishment, exercise or defence of legal claims.
Object to automated profiling: The right to object where solely automated decision-making is being carried out that has legal or similarly significant effects on the data subject.
Special Category Data
This includes the following personal data revealing:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
The processing of genetic data, biometric data for the purpose of uniquely identifying a natural person
An individual’s health
A natural person's sex life or sexual orientation
Criminal convictions or offences
WeThrive will apply additional organisational and technical measures to protect special category data where processed based on risk to the data subject.
WeThrive will only process special category data where it has an Article 6 lawful basis, an Article 9 condition, and a Data Protection Act 2018 condition, or such statutory conditions and provisions as may be in place from time to time for doing so.
Consent
WeThrive understands the conditions of consent as defined in Article 7 of the GDPR and will ensure that:
Consent is a specific, informed and unambiguous indication of the data subjects wishes.
The data subject can withdraw consent at any time.
Withdrawal of consent is as easy as it was to give.
Where information society services are provided to children, consent of the parent/guardian will be obtained based on the age limits defined in the country concerned.
Records of consent are kept as evidence.
The data subject is competent to give consent and is doing so freely without duress.
Security
WeThrive will always assess the risk of processing personal data to the data subject and:
Ensure that personal data is stored securely using software that is kept-up-to-date and supported.
Access to personal data shall be role based, limited to personnel who need access and appropriate security shall be in place to avoid unauthorised sharing of information.
When personal data is deleted, this shall be done safely such that the data is irrecoverable.
Staff are given information security training and information security policies and procedures are adhered to.
Personal data is encrypted where possible at rest and in transit.
Where possible personal data is anonymised or pseudonymised.
All passwords used meet password policy requirements.
Anti-malware protection is deployed on all devices handling personal data.
Data Breaches
WeThrive is dedicated to complying with the requirements for responding to and reporting a data breach. Data breaches can come in many forms, including but not limited to:
Insider threat
Malware attacks
Accidental web exposure
Data in transit
Data breaches will be identified, and, where they present a risk to the data subject, the Information Commissioner’s Office will be notified without undue delay and within 72 hours of them being discovered. Breaches will be assessed, and mitigation will be applied to ensure the breach does not continue or happen again. Data Subjects impacted by this will be notified where there is a high risk to them and/or according to the ICO advice. Any sub processors or data controllers WeThrive use will also be notified as per contractual agreements.
Data Transfers
WeThrive will ensure that any personal data transferred to third countries or third parties in third countries will not be transferred without suitable safeguards which may include:
Standard contract clauses
International Data Transfer Agreement
Binding corporate rules
Adequacy decision
An exception as defined in Article 49 of the GDPR
Data Protection By Design
Data Protection by Design allows for Data Protection to be built into a business’s ethos but ensuring processes, services and other ideas are risk assessed from a GDPR point of view. WeThrive is committed to practicing this throughout the business to ensure systems are built with data protection as the first thought, rather than an afterthought. All staff must declare new processes involving data to ensure this assessment is completed where needed.
Data Retention
Data retention schedule in the records of processing activities shall be implemented to ensure that all information kept for legal, regulatory and business requirements is limited. WeThrive will ensure that processes are in place for secure disposal when data no longer needs to be retained for legal, regulatory and business requirements. A manually executed process is to in place for identifying and ensuring secure removal of data.
Monitoring And Review
This policy was last updated on 22/05/2023 and shall be regularly monitored and reviewed, at least annually.