Data management & Flow Chart
Say So Revised Data Management Policy incorporating GDPR principles - May 2018
1. Lawfulness, fairness and transparency
Transparency: Data obtained and managed by Say So will be processed so that workplace concerns, risks or issues raised can be managed by Say So's client organisations. The data processing will include, where necessary, the editing or removal of information capable of leading to the identification of the originator. It will therefore by necessity include the enabling of secure transfer of the processed reports to the client organisation. This policy will be posted on the Say So website.
Fair: The data will not be used for any other reason, and all persons providing data will be informed explicitly of how their data will be used and consent sought wherever possible.
Lawful: Processing will be fully GDPR compliant.
2. Purpose limitations
Personal data will only be sought for the explicit purpose of assisting or supporting the identification and resolution of workplace concerns raised including any safeguarding action that may be required. Data will only be used for these specific processing purposes and data subjects are hereby made aware of those purposes. Data will not be used or processed for any further purpose without consent.
3. Data minimisation
Data collected on a subject should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. In other words, no more than the minimum amount of data will be kept for specific processing.
4. Accuracy
Data will be accurate and, where necessary, kept up to date. Where known, outcomes will be added to the data subject's collected information for completeness. Reviews of stored information will take place to ensure compliance.
5. Storage limitations
Personal data is kept in a form which permits identification of data subjects for no longer than necessary. In summary, data no longer required will be removed. Data will be subject to weeding, archiving and deletion reviews. Say So pledges to delete personal data according to the following protocol:
1) For any non-crime matter, the latest date for deletion will be 12 months after data creation or 12 months after any related proceedings.
2) For crime matters, personal data will be deleted 6 years after data creation or 6 years after any related proceedings.
6. Integrity and confidentiality
Data will be managed in a manner that affords appropriate security of the personal data, including protection against unlawful processing or accidental loss, destruction or damage. Where possible, consent for data to be managed for the purposes explained will be sought. No data capable of identifying an originator will be passed to client companies without explicit consent. Reviews of data security, including penetration testing, website shutdown events and business continuity arrangements, will feature.