DATA PROTECTION FACTSHEET AND PROCEDURE

INTRODUCTION:

When provided with personal information by our customers, they have the right to expect us to
respect and protect it and ensure they are not put at unnecessary risk. FBT have a legal and moral
duty to ensure that personal data is used appropriately and adequately protected.

WHAT IS DATA PROTECTION?

The General Data Protection Regulations (GDPR) came into existence in May 2018, replacing the
Data Protection Regulations 1998. These new Regulations build on the previous foundation of data
protection by:
a) Enhancing individuals' rights over their personal data
b) Protecting individuals from erroneous or misuse of their personal data
c) Providing individuals with the right to be forgotten

The Information Commissioner’s Office enforces the GDPR and can fine firms like us significant sums
for failure to comply. The following are criminal offences, and as such you can be held accountable:
a) Accessing personal data that you have no right to access (e.g. accessing your neighbour's
medical records)
b) Obtaining, disclosing, selling, or advertising for sale personal data without permission of the
Data Controller (i.e. the customer)

WHY IS DATA PROTECTION ESSENTIAL?

If personal data is not handled appropriately and falls into the hands of the wrong individuals, then it
can be used for things such as identity theft and financial crime, causing significant issues for the
economy and for the individuals affected.

WHAT IS PERSONAL DATA AND PERSONAL SENSITIVE DATA?

Personal data is data which relates to a living individual who can be identified from such data, or from
that data and other information which is in the possession of, or is likely to come into, a person's
possession. Personal data includes factual information about a person as well as a recorded opinion
about a person.

Sensitive personal data is personal data about an individual's physical or mental health or condition,
sexual life, racial or ethnic origin, political opinions, religious beliefs or beliefs of a similar nature,
trade union membership, commission or alleged commission of any offence, or any proceedings for
any offence committed or alleged to have been committed.

For this document, the term ‘personal data’ includes personal data and sensitive personal data as
FBT expect all data to be treated to the same high standard.

What does GDPR mean to FBT?

FBT must uphold 8 specific individual rights, as follows:
1. The Right to be Informed
Most organisations will update or produce a Data Privacy Policy. This sets out clearly to the
customer what data we collect and process and for what purpose.
2. The Right to Access
Each customer has the right to access the data we hold on them. This is called a Subject Access
Request, and it is our responsibility to provide the information we hold back to the customer
within a reasonable time period (expected to be within 1 month).
3. The Right to Rectify
The customer has the right to request that any incorrect information is rectified as soon as
possible (e.g. date of birth or spelling of name).
4. The Right to Erasure
This is the customer's right to request that all the personal and sensitive data that we hold on
them is forgotten. It could be that the individual withdraws their consent for us to process the
data, or that there is no longer a lawful reason for us to hold the data.
5. The Right to Restrict Processing
When processing is restricted, FBT are permitted to store personal data but not to process it
further. We can retain just enough information about the individual to ensure that the
restriction is respected in future.
6. The Right to Data Portability
The right to data portability allows individuals to obtain and reuse their personal data for
their own purposes across different services.
7. The Right to Object
Individuals have the right to stop the processing of personal data if they can show there was
no legitimate need to have collected it (for example, if we were to ask customers for their
current salary).
8. Rights in Relation to Automated Decision Making and Profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging
decision is taken without human intervention.

Head Office must be informed immediately if any of these rights are not being met.

What this means in practice

Everybody has a responsibility to ensure that personal data is treated properly and is adequately
protected.
a) Follow local procedures; they are in place to protect the customer, the healthcare
practitioner and FBT.
b) Treat all personal data with respect.
c) Read the Information Security factsheet for further detailed information.
d) Only record personal information where necessary. Where possible, information should be
anonymised.
e) Personal details should not be written down as part of a documented procedure.
f) Do not disclose personal data to anybody other than the client.
g) Ensure all information is accurate.
h) If a customer requests to see their personal information, refer them to Head Office.