The Royal College of Speech and Language Therapists (RCSLT) is committed to protecting members’, employees’ and third parties’ (individually and collectively referred to as “Data Subjects”) privacy with regard to their personal data. Any personal data which we collect, record or use in any way, whether it is held on computer media or paper, will be safeguarded, ensuring that we comply with the Data Protection Act 2018 and the Regulation (EU) 2016/679 General Data Protection Regulation (GDPR) (“the Regulations”).
“Personal data” is defined as any information relating to an identified or identifiable natural person (data subject) e.g. a name, reference number, address, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or societal identity of that natural person.
The RCSLT is committed to ensuring compliance with the Regulations and fully endorses and will adhere to the principles of data protection as set out in the Regulations. These principles state that personal data must be:
In addition the RCSLT will ensure that personal data
The RCSLT will ensure that we achieve the above principles by the following actions:
The GDPR requires that there must be a lawful basis from Article 6 for processing personal data. The RCSLT is a complex business as a result of its relationships with many different stakeholders. A central information asset register will be maintained by the Data Protection Officer, which will record the lawful basis upon which the RCSLT processes personal data. Where the RCSLT uses consent as the lawful basis, we will ensure that this is made clear and that it is as easy to withdraw consent as it is to give it.
When the RCSLT collects any personal data from you, you will be informed why the data is being collected and what it is intended to be used for. The details will be contained in easily accessible privacy statements.
Where the RCSLT collects special categories of data, an appropriate lawful basis from both Article 6 and Article 9 of GDPR will always be identified and recorded. Special categories of personal data include: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
RCSLT’s processing of special categories of data includes, but may not be limited to:
Footnote 1. NB: Appropriate due diligence will always be taken before allowing data to be transferred to a non-EU country. Many international firms have taken steps to ensure that their data processing is done to at least a similar standard as GDPR and have stated this in their privacy policies.
Under the GDPR, individuals have various rights:
The RCSLT will ensure that requests from any data subjects on whom we hold personal data are dealt with promptly and efficiently. Any request that is received will be logged, brought to the attention of the DPO and responded to within 30 calendar days. Any extension to this timeframe would be in accordance with current ICO guidance.
The RCSLT has appointed the Director of Performance and Contracts/Company Secretary as Data Protection Officer (DPO), who is registered with the Information Commissioner's Office (ICO).
The RCSLT is a Data Controller, which is defined by the GDPR as the person or body which determines the purpose and means of processing of personal data.
Third party firms who process personal data on behalf of or under contract to the RCSLT will be Data Processors and will be required to process RCSLT’s personal data in accordance with the GDPR.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. All incidents which result in a data breach will be investigated internally and examined to see if a personal data breach which is likely to result in a risk to the rights and freedoms of natural persons has occurred. If this is the case, it will be reported to the ICO within 72 hours. The DPO, or, in his absence, another member of the SMT, is responsible for activating the RCSLT’s Data Breach procedure.
This policy is supported by appropriate privacy statements and data processing procedures.