GDPR Policy

 

Data Protection and Compliance with the General
Data Protection Regulation (England) Policy

Aim and Scope of Policy

In line with UK data protection laws, Bloomsbury Surveyors is
committed to safeguarding the personal data of our clients, employees, and partners.
This policy outlines our duties and responsibilities under the General Data Protection
Regulation (GDPR) and sets forth the procedures we follow to ensure that personal
data is handled appropriately and securely.

To comply with these regulations, the surveying provider must have good
governance of record keeping, resulting in records that are comprehensively fit for
purpose and securely maintained.

Bloomsbury Surveyors recognises that it must keep full, accurate, up-to-date records
on work being carried out, staff and other aspects concerning the running of the
service in line with data protection, confidentiality, secure storage and authorised
access policies and procedures.

Bloomsbury Surveyors also understands that all records required for the protection
of people receiving work and for the effective and efficient running of the surveying
service should be collected, maintained and kept according to the Data Protection
Act 2018 and the General Data Protection Regulation (GDPR).

This data protection policy applies to all manual and digital records kept by the
service in relation to people receiving work, including those involved with them,
whose personal data might be found on their records. This includes all staff and any
third parties (agencies and professionals) to whom anyone’s personal data held by
the service might have to be disclosed or with whom it might be shared.

The policy is used with other relevant record-keeping and information governance
policies.

Policy Statement

Bloomsbury Surveyors recognises it must keep all records required for the protection
and wellbeing of people receiving work, and those for the effective and efficient
running of the surveying service, such as staff records, to comply currently with the
Data Protection Act 2018 and the General Data Protection Regulation (GDPR),
which came into force in May 2018.

In line with its registration under the Data Protection Act, and to comply with GDPR,
the service understands that it will be accountable for the processing, management
and regulation, and storage and retention of all personal data held in the form of
manual records and on computers.

This means that all personal data obtained and held by Bloomsbury Surveyors to
carry out its activities as a registered survey provider must:
• have been obtained fairly and lawfully.
• be held for specified and lawful purposes as an organisation that is carrying out
a public duty.
• be processed in recognition of people’s data protection rights, which are
described in GDPR in terms of the right:
    – to be informed
    – to have access
    – for the information to be accurate and for any inaccuracies to be
      corrected
    – to have information deleted (eg if inaccurate or inappropriately included)
    – to restrict the processing of the data to keep it fit for its purpose only
    – to have the information sent elsewhere as requested or consented to (eg
      in any transfer situation)
    – to object to the inclusion of any information (eg if considered to be
      irrelevant)
    – to regulate any automated decision-making and profiling of one’s
      personal data.
• be adequate, relevant, and not excessive in relation to the purpose for which it is
being used.
• be kept accurate and up to date, using whatever recording means are used or
agreed (eg manual or electronic)
• not be kept for longer than is necessary for its given purpose (eg in line with
agreed retention protocols for each type of record)
• have appropriate safeguards against unauthorised use, loss or damage, with
clear procedures for investigating any breaches of data security.
• comply with the relevant GDPR procedures for the international transfer of
personal data.

In line with the Data Protection Act 2018 and the GDPR, Bloomsbury Surveyors has
a data controller and a nominated data protection officer, who is responsible for the
safekeeping and safeguarding of all personal data held by Bloomsbury Surveyors.

Procedures

Bloomsbury Surveyors has taken the following steps to protect everyone’s personal
data, which it holds or to which it has access so that it complies with current data
protection laws and GDPR.

1. It appoints or employs staff with specific responsibilities for:
    a. the processing and controlling of data
    b. the comprehensive reviewing and auditing of its data protection systems
       and procedures
    c. overseeing the effectiveness and integrity of all the data that must be
       protected

There are clear lines of responsibility and accountability for these different roles.

Note: How these roles and data protection functions are organised and distributed in
an organisation will vary, but it is important to specify who is responsible for
what.

2. It provides information to people who use services and others involved in their
work on their data protection rights, national data opt-out policy, how it uses their
personal data and how it protects it. The information includes the actions people
who use services and staff can take if they think that their data has been
compromised in any way (eg through the complaints procedure or grievance
procedure in the case of staff).

3. It provides its staff with information and training to make them aware of the
importance of protecting people’s personal data, to teach them how to do this,
and to understand how to treat information confidentially.

4. It can account for all personal data it holds, where it comes from, and with whom
it is, and might be, shared.

5. It carries out risk assessments as part of its reviewing activities to identify any
vulnerabilities in its personal data handling and processing, and to take
measures to reduce the risks of mishandling and potential breaches of data
security. The procedure includes an assessment of the impact of both use and
potential misuse of personal data in and by the service.

6. It recognises the importance of seeking individuals’ consent for obtaining,
recording, using, sharing, storing, and retaining their personal data, and
regularly reviews its procedures for doing so, including the audit trails that are
needed and are followed for all consent decisions.

7. It has policies and procedures for enabling people who use services and/or staff
to have access to their personal information, and for the making of subject
access requests that are in line with GDPR.

8. It has the appropriate mechanisms for detecting, reporting, and investigating
suspected or actual personal data breaches, including security breaches. It is
aware of its duty to report significant breaches that cause significant harm to the
affected individuals to the Information Commissioner and is aware of the
possible consequences (eg a fine).

Training

New staff must read and understand the policies on data protection and
confidentiality as part of their induction.

All staff receive training covering basic information about confidentiality, data
protection and access to records.

Training in the correct method for entering information in an individual’s records is
given to all construction staff.

The nominated data controller/auditors/protection officers for the construction are
trained appropriately in their roles under GDPR.

All staff who need to use the computer system are trained to protect individuals’
private data, to ensure data security, and to understand the consequences to them
as individuals and to the organisation of any potential lapses and breaches of the
service’s policies and procedures.