Data protection policy
The Royal College of Speech and Language Therapists (RCSLT) is committed to protecting the privacy of members, employees and third parties (individually and collectively referred to as “Data Subjects”) with regard to their personal data. Any personal data which we collect, record or use in any way, whether it is held on computer media or on paper, will be safeguarded so that we comply with the Data Protection Act 2018 and Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR) (together, “the Regulations”).
“Personal data” is defined as any information relating to an identified or identifiable natural person (data subject), e.g. a name, reference number or address, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The RCSLT is committed to ensuring compliance with the Regulations and fully endorses and will adhere to the principles of data protection as set out in the Regulations. These principles state that personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected and processed for specified, explicit and legitimate purposes and not in any other way which would be incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and kept up to date
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- Processed in a manner that ensures appropriate security of personal data
In addition, the RCSLT will ensure that personal data:
- will be processed in line with the data subject’s rights
- will not be transferred to a country which does not have adequate data protection laws (see footnote 1)
The RCSLT will ensure that we achieve the above principles by the following actions:
- We will know the types of personal data that we capture
- We will know where it comes from and how it flows round the organisation
- We will know what we use it for and that we are clear on the lawful purpose for its use
- We will inform our data subjects why we hold personal data and what we do with it
- We will know who has access to it
- We will keep it safe
- We will keep it up to date
- We will not keep it for longer than is necessary for statutory or business purposes
- We will ensure that data subjects are able to exercise their rights in relation to it
- We will train our staff
- We will carry out due diligence on our suppliers to ensure that they are compliant with the GDPR and, where necessary, put appropriate data sharing or data processing agreements in place
- We will ensure we have procedures in place to deal with a personal data breach
Lawful basis for processing personal data
The GDPR requires that there must be a lawful basis under Article 6 for processing personal data. The RCSLT is a complex organisation as a result of its relationships with many different stakeholders. A central information asset register will be maintained by the Data Protection Officer, which will record the lawful basis upon which the RCSLT processes each category of personal data. Where the RCSLT relies on consent as the lawful basis, we will ensure that this is made clear and that it is as easy to withdraw consent as it is to give it.
When the RCSLT collects any personal data from you, you will be informed why the data is being collected and what it is intended to be used for. The details will be contained in easily-accessible privacy statements.
Special categories of data
Where the RCSLT collects special categories of data an appropriate lawful basis from both Article 6 and Article 9 of GDPR will always be identified and recorded. Special categories of personal data include: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
RCSLT’s processing of special categories of data includes, but may not be limited to:
- monitoring of employees’ racial or ethnic origin as part of routine Equal Opportunities monitoring; the data is anonymised very early in the process
- collection of limited data on individual staff members’ health as part of routine HR management process
- collection of ethnic and racial data of RCSLT members as part of SLT workforce profiling (the data being anonymised before use).
Footnote 1. NB: Appropriate due diligence will always be carried out before personal data is transferred to a country outside the EU. Many international firms have taken steps to ensure that their data processing is done to at least a similar standard to the GDPR and have stated this in their privacy policies.
Individuals’ rights and subject access requests
Under the GDPR, individuals have various rights:
- The right to be informed of the data we hold
- Right of access to the data we hold
- Right to rectification of their data
- Right to erasure (“right to be forgotten”) of their data
- Right to restrict processing of their data
- Right to ask for their data in a common computer-readable format (data portability)
- Right to object to their data being held
- Rights in relation to automated decision making and profiling
The RCSLT will ensure that requests from any data subjects on whom we hold personal data are dealt with promptly and efficiently. Any request that is received will be logged, brought to the attention of the DPO and responded to within 30 calendar days. Any extension to this timeframe will be in accordance with current ICO guidance.
The RCSLT has appointed the Director of Performance and Contracts/Company Secretary as Data Protection Officer (DPO), who is registered with the Information Commissioner’s Office (ICO).
The RCSLT is a Data Controller, which is defined by the GDPR as the person or body which determines the purposes and means of the processing of personal data.
Third party firms who process personal data on behalf of, or under contract to, the RCSLT are Data Processors and will be required to process the RCSLT’s personal data in accordance with the GDPR.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. All incidents which result in a data breach will be investigated internally and examined to determine whether a personal data breach which is likely to result in a risk to the rights and freedoms of natural persons has occurred. If this is the case, it will be reported to the ICO within 72 hours of the RCSLT becoming aware of it. The DPO, or, in his absence, another member of the SMT, is responsible for activating the RCSLT’s Data Breach procedure.
This policy is supported by appropriate privacy statements and data processing procedures.