SECTION ‘A’ THE POLICY
Layout of this document
- This document comprises two sections and a number of supporting Protocols:
- Section ‘A’: The Policy, which is supported by
- Section ‘B’: A number of Annexes containing the associated Processes and Protocols.
- Mile High Labs International Limited (MHLI) is a commercial enterprise that is registered in the United Kingdom. It is therefore obliged to protect all personal data it processes in compliance with the General Data Protection Regulation (GDPR), which has applied since 25 May 2018. In addition to these requirements, as a professional company, MHLI is passionate about protecting the personal data[i] and Special Categories of Personal Data[ii] (previously Sensitive Personal Data) of those who interact with it, be that in relation to MHLI’s services and products, those employed by it, and those who, for whatever reason, share their personal data with the company.
- MHLI is the Data Controller[iii] and is responsible for ensuring that all necessary processes and protocols are in place so that the organisation fully complies with the requirements of the GDPR, the Regulation that governs all aspects of the processing of personal data within the European Union.
- The Managing Director of MHLI Ltd has overall responsibility for ensuring that this policy is managed, reviewed and implemented effectively. Day-to-day implementation is the responsibility of the Group Data Protection Officer[iv] (DPO). This Policy applies to ALL offices, businesses and remote working locations within the MHLI European sphere of operation.
MHLI Ltd. Registered with the ICO
- In compliance with the requirements of the GDPR and the Information Commissioner’s Office (ICO), MHLI Ltd is registered with the ICO for the purposes of processing the personal data of employees, clients, customers and others who, in the course of business, pass personal data to MHLI Ltd.
Intention and application of the document
- This Policy has been published to give shape, form and substance to MHLI’s desire to fulfil its requirements under the GDPR. Its application is fully supported by the Directors and Senior Management of the company. The Policy and its associated processes and protocols apply in full to ALL who are directly employed by Mile High Labs International Limited or who undertake activities related to personal data on behalf of MHLI. Failure to comply with any or all of the requirements of this Policy and its Annexes will result in an investigation of the compliance failure and may lead to disciplinary action being taken. In certain circumstances this may lead to dismissal or the cancellation of contracts.
Who does the policy apply to?
- The policy applies to:
- ALL MHLI Ltd employees.
- Directors and Board Members.
- The management, staff and agents of all MHL Inc. parent and subsidiary companies when working within the European Union sphere of influence or on personal data that may be from time to time shared with them.
- Contractors/Consultants or those who provide services that interface with any or all personal data processed by or that comes into the possession of MHLI.
- Any suspected, actual or potential breach of the policy, whether unintended or otherwise, must be reported immediately (no time delay is permissible) to the relevant manager AND the Data Protection Officer who will take all necessary steps to manage and mitigate the impact of a breach. The DPO will put in place remedial actions to prevent a recurrence of the incident.
GDPR, what is it?
- The GDPR has applied since 25 May 2018; in the UK it is supplemented by the Data Protection Act 2018, which replaced the Data Protection Act 1998. The GDPR places a higher and more stringent requirement on Data Controllers and Data Processors to protect personal data that comes into their possession. This applies equally to hard-copy and electronic formats and any combination of the same. Data Controllers must:
- Use personal data only in a way that is consistent with what the Data Subject was informed of and agreed to at the time of gathering the data;
- Keep the data safe;
- Ensure that the Data Subject remains in control of the data at all times; and
- Only keep the data for as long as it is necessary to do so.
- The GDPR reflects the tension between the rights of the Data Subject and the need of the Data Controller to, in this case, undertake business activities that require the processing of the Data Subject’s personal data. However, unless there is a legitimate and demonstrable overriding legal or regulatory reason for doing so, the rights of the Data Subject as listed below will always take precedence over those of the Data Controller. Examples of such an overriding reason would be the disclosure of personal data relating to a member of MHLI staff to HMRC, or a disclosure that MHLI is directed to make by a Court of Law.
GDPR EU Legislation – UK Compliance
- GDPR is EU legislation. However, whatever the outcome of the BREXIT negotiations, the UK Government has stated that the UK will remain fully GDPR compliant: the Data Protection Act 2018 supplements the GDPR in UK law and is designed to carry its requirements forward when the UK leaves the EU.
Personal data – what is it?
- The GDPR indicates that personal data is primarily data ‘that relates to a living individual who can be identified from that data, or from that data plus other personal data the Data Controller holds’ on that Data Subject[v] (the person to whom the data relates).
- The word ‘processing’[vi] is the collective term for any and all activities carried out on the data. The GDPR governs the processing of personal data in any format including hard and electronic formats.
Data Subject Rights
- Data Subjects have eight clear rights. They are as follows:
- The right to be informed: This right gives the Data Subject the right to be informed about what their personal data is being used for. MHLI provides this in the form of a Privacy Notice which is made available before the personal data is gathered. GDPR states that such information must be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Provided free of charge.
- The right of access: Data Subjects residing anywhere in the world have the right to ask any EU-based organisation whether it holds or is processing any personal data about them (there is NO geographical limitation placed on the location of the requestor). If the organisation is processing their data, the subject can request a copy of it. This is known as a Subject Access Request (SAR). After having verified the identity of the requestor, MHLI must provide the data in a clear way; it must not include codes or abbreviations of any type that would render the data meaningless to the Data Subject unless they are explained. A SAR must be complied with without delay and within 20 working days of receiving the request; that is, the data requested will be in the possession of the Data Subject, in a format that they request, on or before the 20th working day after the request is received. (The statutory maximum under the GDPR is one month from receipt, extendable by a further two months for complex or numerous requests; MHLI’s timescales sit within these limits.) The request must be completed free of charge. In exceptional circumstances, if the request is considered complex, the time to respond can be extended to 40 working days. However, the Data Subject must be notified of the delay, and of the reasons for it, within the initial 20 working days. If the Data Subject complains about the extension, the Information Commissioner will scrutinise the justification for the delay and decide on its validity.
- The right of rectification: The Data Subject can have personal data rectified if it is found to be inaccurate or incomplete. As above, the rectification must be carried out within 20 working days or, where it is complex, within 40 working days. NB: where personal data has been disclosed to third parties, MHLI must inform them of the rectification where possible. Where appropriate, the Data Controller must also inform the Data Subject about the third parties to whom the data has been disclosed. Similarly, the Data Subject has the right to be informed of the source of any personal data that was not collected from them directly and has come into the possession of MHLI. This has implications for the tracking of personal data from sources such as trade shows, exhibitions and third parties.
- The right to erasure: Also known as the ‘Right to be forgotten’. The broad principle here is to enable a Data Subject to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Erasure must be done thoroughly and completely; it is not acceptable for the data to be removed from the organisation’s live systems but remain in use via a backup copy. Where data cannot immediately be purged from backups, it must be put beyond use and deleted when the backup is overwritten. Where data has been disclosed to third parties, MHLI must inform those third parties of the requirement to erase the personal data that has been shared with them, unless doing so is impossible or involves disproportionate effort. There are also some specific Regulatory and Legislative grounds on which the Data Controller can refuse to comply, either fully or partially, with a request for erasure.
- The right to restrict processing: The Data Subject can require that processing of their data be restricted in the circumstances set out in the GDPR, for example while the accuracy of the data is contested, while an objection to processing is being considered, or where the processing is unlawful but the Data Subject prefers restriction to erasure. When processing has been restricted, MHLI may continue to store the data but cannot further process it without the Data Subject’s consent or another ground permitted by the GDPR (such as the defence of legal claims). It is vitally important that systems are in place to ensure the restriction is fully respected by all functions that make up the MHLI organisation. If the data has been supplied to third parties, it is the responsibility of the Data Controller to ensure that those third parties are aware of the restriction and fully comply with the rights of the Data Subject.
- The right to data portability: This is a new feature of the GDPR and it permits a Data Subject to obtain the personal data they have provided to a Data Controller, where it is processed by automated means on the basis of consent or a contract, and to reuse it across a range of different organisations and services. The data must be transferred by MHLI in a safe and secure way and provided in a structured, commonly used and machine-readable format. This right must be complied with within 20 working days or, in the case of a complex request, within 40 working days.
- The right to object: Data Subjects have the right to object to the processing of their personal data, including processing carried out for the purposes of profiling or direct marketing. In the case of an objection to the use of data for direct marketing, the processing must stop as soon as the objection is received. NB: there are NO exemptions or grounds to refuse or delay this request. Where the objection concerns processing on other grounds (such as legitimate interests), MHLI must stop unless it can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the Data Subject.
NB: MHLI must inform individuals of their right to object at the point of first communication and in their Privacy Notice. The right to object must be ‘explicitly brought to the attention of a Data Subject and must be presented clearly and separately from other information’.
- Rights in relation to automated decision making and profiling. Data Subjects have the right not to be subject to decisions based solely on automated processing where the decision has legal or similarly significant effects on the individual.
Recruitment and discipline processes
- All of the above have implications in relation to recruitment and wider HR processes.
How does MHLI process personal data?
- MHLI will seek to fully comply with our obligations under the GDPR and we do that in a range of ways. These include:
- Keeping personal data up to date.
- Only collecting personal data that is applicable to our needs.
- Not retaining data that becomes excess to our needs.
- Protecting personal data from loss, misuse, unauthorised access or disclosure.
- We will do this by ensuring that appropriate physical, technical, electronic and operational data security measures are in place and that our staff are suitably trained and managed with regard to the processes and protocols required to comply with the Regulations.
What is the legal basis that allows MHLI to process personal data?
- The GDPR requires that a lawful basis be established before personal data is processed; which basis applies depends upon the use to which the data will be put by MHLI. This protects both the Data Subject and the Data Controller by ensuring that personal data will only be used for purposes of which the Data Subject has been informed. The bases on which MHLI relies are:
- Processing is necessary for the purposes of the legitimate interests pursued by MHLI or a third party except where such interests are overridden by the interests, rights or freedoms of the data subject.
- Explicit, informed and verifiable consent is given by the data subject.
- Processing is necessary for MHLI to comply with Legal or Regulatory requirements.
How does MHLI use personal data?
- MHLI will use personal data:
- To enable us to provide professional business-related services.
- To enable the management and administration of employees and of those who from time to time provide services to MHLI as consultants or contractors.
- To comply with organisational Legal and Regulatory requirements placed upon MHLI.
- For direct marketing purposes including informing the DS of MHLI product news, events, activities and services – direct marketing will only be undertaken with prior, informed, express and verifiable consent; this consent can be removed by the Data Subject at any time. NB: a DS may opt out of receiving marketing materials yet still remain a customer of MHLI.
Data sharing agreements
- MHLI is a standalone enterprise registered in the United Kingdom and is the sole Data Controller for all personal data that it processes or that is processed on its behalf. MHLI is therefore responsible for the safety and security of that data. Data sharing is defined as the disclosure of personal data by MHLI to any third-party organisation; this includes but is not limited to MHLI’s parent and subsidiary organisations. An example would be sharing with MHL Inc. the personal data (name etc.) of a private individual who had made a complaint about a product or service supplied by MHLI. For this reason, the MHLI complaints procedure will be based upon a ‘Complaint Number’ allocated to each individual complaint. This number can be shared with MHL Inc., allowing the complaint to be dealt with effectively while access to the complainant’s remaining personal details stays restricted to MHLI.
- Data Sharing may be considered appropriate when the Data Subject has given informed, express and verifiable consent to the data sharing taking place with that specified organisation or a third party, or where there is a justified UK or EU compliant legal or regulatory requirement on MHLI to do so.
- Data Sharing Agreements (DSA) must be in writing, retained as a record of permission and adequately address the following issues:
- The informed and express consent of the Data Subject.
- The purpose for sharing.
- The organisations with whom the data will be shared.
- The geographical location of the organisation with whom the data will be shared.
- The data items to be shared.
- The quality of the data – accuracy, relevance and useability.
- Data security.
- Retention and disposal of the data.
- How Data Subjects can exercise their rights.
When will personal data be shared with third parties?
- Personal data will be treated as strictly confidential and will only be shared with third parties when:
- MHLI has the Data Subject’s express, informed and verifiable consent in writing to do so; or
- When there is a UK or EU Legal or Regulatory requirement for that sharing to take place.
- MHLI may use other organisations to provide a service such as cloud-based IT management software and applications for administrative support, the bulk storage of data, website hosting, or necessary IT support. Such organisations act as Data Processors on MHLI’s behalf. They will only be engaged if they can demonstrate that they are fully GDPR compliant and have signed a written contract with MHLI, as Article 28 of the GDPR requires, committing them to the data security policies and processes prescribed by MHLI.
Retention and disposal of personal data
- MHLI is committed to processing personal data in a responsible and compliant manner. It has developed and will maintain a compliant Retention and Disposal Schedule which will delineate the timescales for the retention or disposal of personal data; this will apply equally to data held in hard copy, in electronic form and in any combination of the same. Hard-copy data will only be disposed of either by shredding on site or by contracting the service to a reputable confidential-waste provider. The Retention and Disposal Schedule will also govern:
- Who is responsible to authorise the disposal of personal data;
- How the disposal will be undertaken; and
- How the disposal will be recorded and signed off.
- The retention requirements of personal data vary greatly dependent upon the type of data that is being processed. MHLI will use the guidance provided by the ICO to inform this process. There are three broad areas:
- Regulatory and Legislative requirements;
- Operational requirements placed upon MHLI; and
- The Data Subject’s agreement to the processing. However, Data Subjects have the right to require MHLI to cease processing their data at any time, and MHLI will do so providing there is no Legal, Regulatory or operational requirement to prevent it.
Accessing personal data
- There are two broad avenues for people to access personal data. They are as follows:
- Subject Access Request (SAR) – A request made directly by the Data Subject for access to their personal data.
- Third Party Access Request – A request made by anyone other than the Data Subject for personal data relating to another Data Subject.
- The difference being that a Data Subject can exercise their rights under the Regulations to obtain access to their personal data by making an SAR, however, a person or organisation making a Third Party Access Request must have an explicit and justifiable Legal or Regulatory authority to have access to the personal data before the Data Controller can make personal data available to them.
- The procedures and protocols for responding to a SAR and to a Third Party Access Request are outlined in the attached Annexes.
- If MHLI wishes to use a Data Subject’s personal data for a new purpose (not covered by the use expressly agreed by the DS with MHLI before providing the data), then MHLI is required to provide the DS with a notice fully explaining this new use, purposes and processing conditions and seek the agreement of the DS before any processing takes place. NB: If permission is not granted then the new use is not permitted. The notification and request process and support documentation must be recorded and logged for future use in the event of a complaint or review.
Will Data Subjects be informed about any data breaches that impact them?
- Yes. Where a personal data breach is likely to result in a high risk to the rights and freedoms of the Data Subjects affected, MHLI will inform them without undue delay, as the GDPR requires; notifiable breaches will also be reported to the ICO within 72 hours of MHLI becoming aware of them.
How do you make a complaint relating to the processing of your data?
- There are two options by which a data subject can exercise their rights, make requests for further information, or make a complaint in relation to MHLI’s processing of their personal data.
- Option 1. To Mile High Labs International Ltd
The Data Protection Officer
Mile High Labs International Ltd
Unit 2 Falcon Way
Adelaide Industrial Estate
Belfast BT12 6SQ
Telephone: +44 (0)28 9099 5253
- Option 2. To the Information Commissioner’s Office
The Information Commissioner’s Office – Northern Ireland
14 Cromac Place
Belfast BT7 2JB
Telephone: +44 (0)28 9027 8757
Breaches in Security
- If, despite the security measures that have been put in place (see the Information Security Policy), a suspected, actual or potential breach of data security occurs, it is essential that it is dealt with effectively and expeditiously. A breach may arise from theft, a deliberate attack on MHLI’s data processing systems, unauthorised use of personal data by a member of staff, accidental loss or equipment failure. No matter how the breach occurs, all MHLI management, staff, employees and contractors MUST respond appropriately by:
- Reporting the breach without delay to their Manager AND the Data Protection Officer or, in their absence, the Director of Finance or the MD.
- Following the processes laid out in the Personal Data Breach Protocol, including notification of the ICO (within 72 hours of MHLI becoming aware of the breach, where it is notifiable) and of affected Data Subjects where the breach is likely to result in a high risk to them.
- Recording their actions in the Data Breach Audit Log.
- Identifying the potential scope, source, impact and risk of the breach to the Data Subject and the organisation.
- Reviewing associated Policies, Processes, Protocols and retraining requirements.
- Retraining all staff.
GDPR Induction, training and performance
- It is a requirement of employment with MHLI that ALL staff and those who supply services on a contracted or consultancy basis fully comply with the requirements of this and other associated Policies. In order to do that effectively, it is vital that training and information be supplied to ALL of the above individuals before they commence any activities that bring them into contact with personal data. Training is mandatory. Attendance will be formally recorded, as will the outcomes of any competency tests undertaken by participants. Training interventions will be as follows:
- Induction / On-boarding of new members of staff. It is essential that all new full-time and part-time joiners be made aware of the competencies (skills and knowledge) required under the GDPR.
- Initial training for ALL existing members of staff.
- Refresher training conducted on an annual basis and when a change in legislation or process makes upskilling necessary.
- Overview training for any contractor or service supply staff who may have contact with or access to personal data of any type.
- Training will include a multiple-choice knowledge test.
- A Training Register will be completed for each training intervention. This will include:
- The content of the training.
- The date and duration of the training.
- The name of the person who delivered the training.
- The name and business identifier of those who attend the training.
Pre-planned Data Protection Audits
- It is essential that the MHLI DPO undertakes regular Data Protection Audits in order to:
- Keep pace with changes in GDPR and related legislation;
- Maintain high levels of GDPR compliance; and to
- Ensure that processes, procedures and protocols are applied effectively across the organisation.
- Data Protection Compliance Audits will be undertaken unannounced, at least every six months, so that an effective understanding of GDPR performance can be developed. An audit report outlining performance and any remedial action to be taken will be furnished to the MD and will form part of the ongoing ISO QA reports.
SECTION ‘B’ Annexes
GDPR principles set out the responsibilities placed on a Data Controller when processing data. The following are extracted from Article 5 of the Regulation. The GDPR requires that personal data be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Collected for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
NB: Article 5(2) requires that: “The Data Controller (MHLI) shall be responsible for, and be able to demonstrate, compliance with the principles.”
Lawful Basis for Processing
Under the GDPR, MHLI must have a lawful basis for processing personal data and MUST be able to adequately demonstrate (justify) that basis when asked. There are six lawful bases available to MHLI; each is of equal importance, but not all are applicable to every contextual need. Which applies is determined by the relationship between MHLI and the Data Subjects whose data it processes. The bases are as follows:
- Consent: The Regulations require a high standard of consent by the Data Subject:
- Consent MUST be opt-in rather than opt-out: GDPR specifically bans ‘pre-ticked’ opt-in boxes on websites.
- The consent statement must be clear, concise and unambiguous.
- Vague or blanket generic consent is not allowed – separate consent statements must be obtained for separate things – marketing separate from sales-related permission to process.
- The Data Subject must be made aware of the purpose that the data will be used for before the data is gathered. An effective and clear Privacy Notice will greatly assist in meeting this requirement.
- Consent statements must be kept clear from any other documentation such as terms and conditions etc.
- It is vitally important that clear records exist that demonstrate and confirm that permission was granted by the Data Subject.
- The consent of the Data Subject to the processing of their Personal Data can be withdrawn at any time. It is vital that the Data Subject is told before they consent that they have the right to withdraw consent, and that withdrawing consent is as easy as giving it. It is vitally important that the Data Controller can demonstrate that prior informed consent was established.
- The processing is necessary for the performance of a contract:
For example: processing that is needed to prepare a quotation at the Data Subject’s request or to perform a contract with them. This again should be documented as the lawful basis.
- The processing is necessary for compliance with a legal obligation.
For example: where an employer is obliged to disclose employee salary details to HMRC.
- The processing is necessary to protect the vital interests of the Data Subject or some other person.
For example: To protect someone’s life.
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller. The task or authority will normally be set out in law.
- The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party.
Legitimate interests is the most flexible lawful basis for processing but it may not always be the most appropriate. There are three elements:
- MHLI can identify a legitimate interest;
- MHLI can demonstrate that processing is necessary to fulfil the legitimate interest; and
- MHLI can balance those legitimate interests against the Data Subject’s interests, rights and freedoms.
[i] Personal Data: Is any information relating to a living individual who can be identified by the data directly or indirectly. Personal data can be held in electronic and hard-copy formats. GDPR widens the definition of personal data to include ‘online identifiers’ such as Internet Protocol (IP) addresses.
[ii] Special Categories of Personal Data: was previously referred to as ‘Sensitive Personal Data’. GDPR defines special categories as: ‘Personal data that reveals racial or ethnic origins, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.’
[iii] Data Controller: The Data Controller is the legal entity that determines the purpose and manner in which personal data will be processed.
[iv] Data Protection Officer: The person appointed by MHLI to ensure the day-to-day management of the GDPR compliance activities are implemented and maintained to ensure compliance throughout the organisation. They report directly to the MD in all GDPR associated matters.
[v] Data Subject: The Data Subject is the living person to whom the data refers. In the context of MHLI this will include all employees, contractors, suppliers, customers, clients and all who share their personal data with MHLI.
[vi] Processing: Includes: gathering, storage, using, sharing, altering or disposal of personal data.