Data Protection Policy 2021

1. Introduction

1.1 Health Education England (HEE) is required to process (hold, obtain, record, use, share) certain information about its trainees and members of staff in accordance with its legal obligations under the General Data Protection Regulation (GDPR) 2016 and the Data Protection Act (DPA) 2018.

1.2 HEE may, from time to time, be required to share personal and / or special category information about its members of staff or trainees within services across HEE and with other third party organisations such as the Department of Health and Social Care (DHSC), Higher Education Institutions (HEIs), clinical placement providers, colleges, faculties, the GMC, NHS Trusts / Health Boards / Health and Social Care Trusts, approved academic researchers and other NHS and government agencies where necessary. This is to ensure that HEE discharges its responsibility to ensure that the NHS workforce of today and tomorrow has the right numbers, skills, values, and behaviours at the right time and in the right place. Sharing will be on a need-to-know basis only. We may also share information, where necessary, to prevent, detect or assist in the investigation of fraud or criminal activity, to assist in the administration of justice, for the purposes of seeking legal advice or exercising or defending legal rights, or as otherwise required by the law.

2. Purpose

2.1 This policy is in place to ensure members of staff are aware of their responsibilities and outlines how HEE complies with the core principles of the GDPR and DPA, which are outlined in section 6 below.

2.2 Technical and organisational methods for keeping data secure are imperative, and HEE believes that it is good practice to keep clear practical policies, supported by procedures and guidance. This policy complies with the requirements set out in the GDPR and DPA, which came into effect on 25 May 2018.

3. Scope

3.1 This policy is relevant to all departments and functions within HEE and those working on behalf of HEE. It covers all activities carried out that involve the use of personal and / or special category data.

4. Definitions

4.1 Anonymisation

Anonymous information is information which does not relate to an identifiable person or has been modified in such a manner that the data subject is no longer identifiable. Anonymisation is different from pseudonymised data as outlined below.

4.2 Data Protection Act (DPA)

The DPA controls how the personal and / or special category data of living individuals is used by organisations, businesses, or the government. The DPA is the UK's implementation of the GDPR.

4.3 Data Protection Officer (DPO)

The DPO is a role required by the GDPR. The DPO is responsible for overseeing the implementation of data protection legislation and ensuring compliance with the GDPR and DPA.

4.4 Data Protection Impact Assessment (DPIA)

A DPIA is an evaluation tool mandated by data protection legislation designed to systematically analyse, identify, minimise and address the data protection and privacy risk of a new or significantly changed programme, project, process or system involving personal and / or special category data.

4.5 General Data Protection Regulation (GDPR)

The GDPR is a legal framework that sets guidelines for the processing of personal and / or special category data of living individuals within the European Union (EU).

4.6 Pseudonymisation

Pseudonymisation refers to the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. The additional information, or key, must be kept separately and securely and is subject to technical and organisational measures, ensuring that the personal data is not attributed to an identifiable living person. For instance, two separate spreadsheets, each containing half of the data subject's personal identifiers.

4.7 Subject Access Request (SAR)

A SAR can be made to access the personal and / or special category data that an organisation holds about a living individual. An individual can also request information on how the organisation is using this data, who it is sharing the data with and the source from which the data was obtained.

5. Duties

5.1 The Chief Executive Officer (CEO) has overall responsibility for the Data Protection Policy within HEE. The implementation and monitoring of compliance with this policy is delegated to the DPO.  The DPO will report data protection issues directly to HEE’s Executive Team.

5.2 The DPO role includes:

  • Acting as a point of contact for data subjects and the Information Commissioner's Office (ICO).
  • Maintaining registrations.
  • Monitoring compliance with data protection legislation.
  • Monitoring policies, training and audits and raising awareness.
  • Acting as initial point of contact for any data protection issues which may arise within HEE.
  • Providing reports to the HEE Executive Team as required.
  • Facilitating action in areas identified as being non-compliant.
  • Assisting with complaints concerning data protection breaches.
  • Providing advice and guidance in relation to DPIAs.

5.3 The day-to-day responsibilities for enforcing this policy will be devolved to the Information Governance team, system administrators and other nominated personnel such as Information Asset Owners (IAOs) and Information Asset Administrators (IAAs). To enable these personnel to fulfil their role, the DPO, in conjunction with the Executive Team, will ensure that regular training is provided to remind them of these responsibilities and of the most effective way of ensuring adequate information security and confidentiality.

6. Data Protection Legislation

6.1 Legal framework

6.1.1 This policy has due regard to legislation, including, but not limited to the following:

  • The General Data Protection Regulation (GDPR) 2016.
  • The Data Protection Act (DPA) 2018.

6.1.2 This policy will also have regard to the following guidance.

6.2 Applicable data

6.2.1 For the purpose of this policy, personal data refers to any information relating to a living person (a 'data subject') who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The GDPR applies to both automated personal data and to manual filing systems, where personal data is accessible according to specific criteria, as well as to chronologically ordered data and pseudonymised data, e.g. key-coded data.

6.2.2 Sensitive personal data is referred to in Data Protection legislation as 'special category data' and is personal data that is deemed more sensitive, and therefore needs more protection. In particular, this type of data could create more significant risks to a person's fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination. The following information about an individual is categorised as special category data:

  • race.
  • ethnic origin.
  • politics.
  • religion.
  • trade union membership.
  • genetics.
  • biometrics (where used for ID purposes).
  • health.
  • sex life.
  • sexual orientation.

6.3. Principles

6.3.1 In accordance with the requirements outlined in Data Protection legislation, personal data will be:

  • Processed lawfully, fairly and in a transparent manner in relation to living individuals.
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • Kept in a form which permits identification of living individuals for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of the appropriate technical and organisational measures required by Data Protection legislation in order to safeguard the rights and freedoms of living individuals.
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

6.3.2 Data Protection legislation also requires that “the controller shall be responsible for, and able to demonstrate, compliance with the principles”.

6.4. Accountability

6.4.1 In order to meet its accountability obligations HEE will:

  • implement appropriate technical and organisational security measures to demonstrate that data is processed in line with the principles set out in Data Protection legislation.
  • provide comprehensive, clear, and transparent privacy notices.
  • maintain records of processing activity, with regard to the processing of personal and / or special category data.
  • complete DPIAs as required.
  • comply with the rights of individuals (where applicable) as per Data Protection legislation.
  • notify the Information Commissioner's Office (ICO) within 72 hours of any personal data breaches which result in a risk to the rights and freedoms of living individuals.

6.4.2 The technical and organisational security measures that HEE will employ will include but not be limited to:

Technical security measures

  • Asset management.
  • Access Control e.g. role-based access controls, password complexity / rotation, multi factor authentication.
  • Passwords & encryption.
  • Remote Access.
  • Clear Desk & Screen.
  • Secure Disposal.
  • Pseudonymisation / Anonymisation.
  • Penetration testing.
  • Virus scanning.
  • Physical security measures i.e.
  • Mobile device security.
  • Certification (Cyber Essentials PLUS).

Organisational security measures

  • Staff awareness & training.
  • Policies and procedures.
  • Business Continuity Plan / Disaster Recovery.
  • Information risk assessments.
  • Incident reporting.
  • Due diligence & audits.
  • Periodic checks to ensure security measures remain effective.

6.4.3 HEE Privacy Notices will contain:

  • HEE's contact details.
  • The contact details of the DPO.
  • The purpose and legal basis for the processing.
  • The categories of personal data.
  • The recipients of the personal data.
  • Where personal data is transferred to a third country or an international organisation.
  • The retention period of the personal data.
  • Information in relation to the rights of living individuals.
  • The right to lodge a complaint with the ICO.
  • The existence of automated decision making / profiling.

6.4.4 Internal records of processing activities will include the following:

  • Name and details of the organisation
  • Purpose(s) of the processing
  • Description of the categories of individuals and personal and / or special category data
  • Retention schedules
  • Categories of recipients of personal data
  • Description of technical and organisational security measures
  • Details of transfers to third countries, including documentation of the transfer mechanism safeguards in place

6.4.5 HEE will implement measures that meet the principles of data protection by design and data protection by default, such as:

  • Data minimisation.
  • Pseudonymisation / anonymisation.
  • Transparency.
  • Allowing individuals to monitor processing.
  • Continuously creating and improving security features.

6.4.6 Data Protection Impact Assessments will be undertaken for any new or significantly changed programme, project, process, or system which involves the use of personal and / or special category data.

6.4.7 HEE will comply with the rights requests of living individuals (where applicable) within the statutory timescales prescribed in Data Protection legislation.

6.4.8 HEE members of staff will report personal data breaches / incidents to the IG team within 24 hours of discovery to enable review and investigation to be undertaken prior to reporting the personal data breach / incident to the ICO within 72 hours where it constitutes a risk to the rights and freedoms of individuals.

6.5 Data Protection Officer (DPO)

6.5.1 A DPO has been appointed in order to:

  • inform and advise HEE and its members of staff regarding their obligations to comply with Data Protection legislation.
  • monitor HEE's compliance with Data Protection legislation, including providing advice and guidance on internal data protection activities and DPIAs and monitoring internal audits and training for all members of staff.
  • The DPO will report to the highest level of management at HEE which is the Chief Executive / Executive Team.
  • The DPO will operate independently and will not be dismissed or penalised for performing their tasks.
  • Sufficient resources will be provided to the DPO to enable them to meet their Data Protection legislation obligations. Delegated DPO responsibilities have been assigned to the Information Governance team.

6.6 Lawful processing

6.6.1 Data Protection legislation requires that controllers and organisations that process personal data demonstrate compliance with its provisions. This involves publishing our basis for lawful processing.

6.6.2 As personal data is processed for the purposes of HEE’s statutory functions, the lawful bases that can be applied are those as listed in Article 6 of the GDPR as follows:

6(1)(a) – Demonstrable consent of the data subject.

6(1)(b) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

6(1)(c) – Processing is necessary for compliance with a legal obligation.

6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another living individual. This refers to matters of life and death.

6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

6(1)(f) – Processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual. For the legitimate interests of an organisation to apply, they should be weighed against the legitimate interests of the individuals whose data is being processed. In this situation a legitimate interests test may need to be applied. Where the legitimate interests of individuals outweigh those of the organisation, an alternative legal basis must be applied.

6.6.3 Where HEE processes special categories of personal data, the lawful bases that can be applied for processing such data as listed in Article 9 of the GDPR are as follows:

9(2)(a) – Explicit demonstrable consent of the data subject.

9(2)(b) – Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.

9(2)(c) – Processing is necessary to protect the vital interests of the data subject or another individual where the data subject is physically or legally incapable of giving consent. This refers to matters of life and death.

9(2)(d) – Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.

9(2)(e) – Processing relates to personal data which are manifestly made public by the living individual.

9(2)(f) – Processing is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity.

9(2)(g) – Processing is necessary for reasons of substantial public interest.

9(2)(h) – Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

9(2)(i) – Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medical products or medical devices.

9(2)(j) – Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

6.6.4 Please note that not all of the above legal bases will apply for each type of processing activity that HEE may undertake. However, when processing any personal data for any particular purpose, a legal basis within section 6.6.2 of this policy must be applied. In addition, where special category data is processed, a legal basis within section 6.6.3 of this policy must also be applied.

6.7. Consent

6.7.1 Consent must be a positive indication. It cannot be inferred from silence, inactivity, or pre-ticked boxes.

6.7.2 Consent will only be accepted where it is freely given, specific, informed and an unambiguous indication of the individual’s wishes.

6.7.3 Where consent is given, a record will be kept documenting how and when consent was given.

6.7.4 HEE ensures that consent mechanisms meet the standards of Data Protection legislation. Where the standard of consent cannot be met, an alternative legal basis for processing the data must be found, or the processing must cease.

6.7.5 Consent can be withdrawn by the individual at any time.

6.8. The right to be informed

6.8.1 HEE's privacy notice is available via its website to individuals in regard to the processing of their personal data. It is written in clear, plain language, which is concise, transparent, easily accessible, and free of charge.

6.8.2 In relation to personal data obtained directly from individuals, at the time of collection they should be provided with the information laid out in section 6.4.3 of this policy. In addition, where personal data is not obtained directly from individuals, the following information should also be provided:

  • The source of the personal data.

6.9 The right of access

6.9.1 Individuals have the right to obtain confirmation that their personal data is being processed. Individuals have the right to submit a SAR to gain access to their personal data.

6.9.2 HEE will verify the identity of the person making the request before any information is supplied.

6.9.3 A copy of the information will be supplied to the individual free of charge; however, HEE may impose a ‘reasonable fee’ to comply with requests for further copies of the same information.

6.9.4 Where a SAR has been submitted electronically, the information will be provided in a commonly used electronic format.

6.9.5 Where a request is manifestly unfounded, excessive, or repetitive, a reasonable fee will be charged.

6.9.6 All fees will be based on the administrative cost of providing the information.

6.9.7 All requests will be responded to without delay and at the latest, within one month of receipt.

6.9.8 In the event of numerous or complex requests, the period of compliance will be extended by no more than a period of two months. The individual will be informed of this extension and will receive an explanation as to why the extension is necessary, within one month of the receipt of the request.

6.9.9 Where a request is manifestly unfounded or excessive, HEE holds the right to refuse to respond to the request. The individual will be informed of this decision and the reasoning behind it, as well as their right to complain to the supervisory authority and to a judicial remedy, within one month of the refusal.

6.9.10 In the event that a large quantity of information is being processed about an individual HEE will ask the individual to specify the details of the information that the request is in relation to.

6.10 The right to rectification

6.10.1 Individuals are entitled to have any inaccurate or incomplete personal data rectified.

Where the personal data in question has been disclosed to third parties, HEE will inform them of the rectification where practicable.

6.10.2 Where appropriate, HEE will inform the individual about the third parties to whom the personal data has been disclosed.

6.10.3 Requests for rectification will be responded to within one month; this will be extended by no more than a period of a further two months where the request for rectification is complex.

6.10.4 Where no action is taken in response to a request for rectification, HEE will explain the reason for this to the individual and will inform them of their right to complain to the supervisory authority and to a judicial remedy.

6.11 The right to erasure

6.11.1 Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

6.11.2 Individuals have the right to erasure in the following circumstances:

  • where the personal data is no longer necessary in relation to the purpose for which it was originally collected / processed.
  • when the individual withdraws their consent.
  • when the individual objects to the processing and there is no overriding lawful basis to continue the processing.
  • the personal data was unlawfully processed.
  • the personal data is required to be erased in order to comply with a legal obligation.
  • the personal data is processed in relation to the offer of information society services to a child.

6.11.3 HEE has the right to refuse a request for erasure where the personal data is being processed for the following reasons:

  • to exercise the right of freedom of expression and information.
  • to comply with a legal obligation for the performance of a task in the public interest or the exercise of official authority.
  • for public health purposes in the public interest.
  • for archiving purposes in the public interest, scientific research, historical research, or statistical purposes.
  • the exercise or defence of legal claims.

6.11.4 Where personal data has been disclosed to third parties, they will be informed about the erasure of the personal data, unless it involves disproportionate effort to do so.

6.11.5 Where personal data has been made public within an online environment, HEE will inform other organisations who process the personal data to erase links to and copies of the personal data in question.

6.12 The right to restrict processing

6.12.1 Individuals have the right to block or suppress HEE’s processing of personal data.

In the event that processing is restricted, HEE will store the personal data, but not further process it, guaranteeing that just enough information about the individual has been retained to ensure that the restriction is respected in future.

6.12.2 HEE will restrict the processing of personal data in the following circumstances:

  • where an individual contests the accuracy of the personal data, processing will be restricted until HEE has verified the accuracy of the data.
  • where an individual has objected to the processing and HEE is considering whether its legitimate interests override those of the individual.
  • where processing is unlawful, and the individual opposes erasure and requests restriction instead.
  • where HEE no longer needs the personal data, but the individual requires the data to establish, exercise or defend a legal claim.

6.12.3 If the personal data in question has been disclosed to third parties, HEE will inform them about the restriction on the processing of the personal data, unless it involves disproportionate effort to do so.

6.12.4 HEE will inform individuals when a restriction on processing has been lifted.

6.13 The right to data portability

6.13.1 Individuals have the right to obtain and reuse their personal data for their own purposes across different services.

6.13.2 Personal data can be easily moved, copied, or transferred from one IT environment to another in a safe and secure manner, without hindrance to usability.

6.13.3 The right to data portability only applies in the following cases:

  • to personal data that an individual has provided to a Controller.
  • where the processing is based on the individual’s consent or where processing is carried out by automated means.

6.13.4 Personal data will be provided in a structured, commonly used, and machine-readable form.

6.13.5 HEE will provide the information free of charge.

6.13.6 Where feasible, data will be transmitted directly to another organisation at the request of the individual.

6.13.7 HEE is not required to adopt or maintain processing systems which are technically compatible with other organisations.

6.13.8 In the event that the personal data concerns more than one individual, HEE will consider whether providing the information would prejudice the rights of any other individual.

6.13.9 HEE will respond to any requests for portability within one month.

6.13.10 Where the request is complex, or a number of requests have been received, the timeframe can be extended by no more than a period of two months, ensuring that the individual is informed of the extension and the reasoning behind it within one month of the receipt of the request.

6.13.11 Where no action is being taken in response to a request, HEE will, without delay and at the latest within one month, explain to the individual the reason for this and will inform them of their right to complain to the supervisory authority and to a judicial remedy.

6.14 The right to object

6.14.1 HEE will inform individuals of their right to object at the first point of communication, and this information will be outlined in the privacy notice and explicitly brought to the attention of the data subject, ensuring that it is presented clearly and separately from any other information.

6.14.2 Individuals have the right to object to the following:

  • processing based on legitimate interests or the performance of a task in the public interest.
  • direct marketing.
  • processing for purposes of scientific or historical research and statistics.

6.14.3 Where personal data is processed for the performance of a legal task or legitimate interests:

  • an individual’s grounds for objecting must relate to his or her particular situation.
  • HEE will stop processing the individual’s personal data unless the processing is for the establishment, exercise or defence of legal claims, or, where HEE can demonstrate compelling legitimate interests for the processing, which override the interests, rights and freedoms of the individual.

6.14.4 Where personal data is processed for direct marketing purposes:

  • HEE will stop processing personal data for direct marketing purposes as soon as an objection is received.
  • HEE cannot refuse an individual’s objection regarding personal data that is being processed for direct marketing purposes.

6.14.5 Where personal data is processed for research purposes:

  • the individual must have grounds relating to their particular situation in order to exercise their right to object.
  • where the processing of personal data is necessary for the performance of a public interest task, HEE is not required to comply with an objection to the processing of the data.

6.14.6 Where the processing activity is outlined above, but is carried out online, HEE will offer a method for individuals to object online.

6.15 Privacy by design and DPIAs

6.15.1 HEE will act in accordance with the GDPR by adopting a privacy by design approach and implementing technical and organisational measures which demonstrate how HEE has considered and integrated data protection, confidentiality, and privacy considerations into processing activities.

6.15.2 DPIAs will be used to identify the most effective method of complying with HEE’s data protection obligations and meeting individuals’ expectations of privacy.

6.15.3 DPIAs will allow HEE to identify and resolve problems with data protection, confidentiality and privacy at an early stage, thus reducing associated costs and preventing damage from being caused to HEE’s reputation which might otherwise occur.

6.15.4 A DPIA must be completed prior to implementing new technologies or when the processing activity is new or significantly changed and involves the use of personal and / or special category data, especially where the processing is likely to result in a high risk to the rights and freedoms of individuals.

6.15.5 High risk processing includes, but is not limited to, the following:

  • systematic and extensive processing activities, such as profiling.
  • large scale processing of personal data or special category data, or of personal data relating to criminal convictions or offences.
  • monitoring of a publicly accessible area on a large scale.

6.15.6 HEE will ensure that all DPIAs include the following information:

  • a description of the processing operations and the purposes of processing.
  • an assessment of the necessity and proportionality of the processing in relation to the purpose.
  • the legal bases for processing the personal and / or special category data.
  • the technical and organisational security measures employed to protect the personal and / or special category data.
  • an outline of the risks to individuals.
  • the measures implemented in order to address the identified risks.

6.15.7 Where a DPIA indicates high risk data processing, HEE will consult the ICO to seek its opinion as to whether the processing operation complies with Data Protection legislation. Where the risk(s) cannot be mitigated by reasonable means and the rights and freedoms of individuals may be affected, the ICO may prohibit processing.

6.16 Data breaches

6.16.1 The term ‘personal data breach’ refers to a breach of security which has led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

6.16.2 The IG team, with delegated responsibility of the DPO, will ensure that all members of staff are made aware of, and understand, what constitutes a data breach as part of their mandatory training and via ad-hoc training sessions as requested.

6.16.3 Where a breach is likely to result in a risk to the rights and freedoms of individuals, the ICO and the Department of Health and Social Care (DHSC) (where applicable) will be informed.

6.16.4 All notifiable breaches will be reported to the ICO and the DHSC (where applicable) within 72 hours of HEE becoming aware of them.

6.16.5 The risk of the breach having a detrimental effect on the individual, and the need to notify the ICO, will be assessed on a case-by-case basis by the IG team using the ‘Guide to the Notification of Data Security and Protection Incidents’ issued by NHS Digital.

6.16.6 In the event that a breach is likely to result in a high risk to the rights and freedoms of an individual, HEE will notify the individuals concerned directly.

6.16.7 In the event that a breach is sufficiently serious, the public will be notified without undue delay.

6.16.8 Effective and robust breach detection, investigation and internal reporting procedures are in place at HEE, which facilitate decision-making in relation to whether the ICO, an individual or the public need to be notified.

6.16.9 Within a breach notification, the following information will be outlined:

  • the nature of the personal data breach, including the categories and approximate number of individuals and records concerned.
  • the name and contact details of the DPO.
  • an explanation of the likely consequences of the personal data breach.
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach.
  • where appropriate, a description of the measures taken to mitigate any possible adverse effects.

6.16.10 Failure to report a breach when required to do so may result in a fine from the ICO.

6.17 Data security

6.17.1 It is good practice to mark records that contain personal and / or special category data with the classification Official-Sensitive: Personal.  This classification marker indicates that the information is sensitive and must not be handled freely.

6.17.2 At the end of the working day, or when leaving the office during the day, all paper records containing personal and / or special category information will be secured in lockable commercial office furniture (a locked filing cabinet, drawer or safe), with restricted access.

6.17.3 Paper records containing personal and / or special category data will not be left unattended or in clear view anywhere with general access.

6.17.4 Digital data is coded, encrypted or password-protected, both on a local hard drive and on a network drive that is regularly backed up off-site.

6.17.5 Where data is saved on removable storage or a portable device, the device will be kept in a locked filing cabinet, drawer or safe when not in use.

6.17.6 Memory sticks will not be used to hold personal information unless they are HEE issued, password-protected and fully encrypted.

6.17.7 All electronic devices are password-protected to protect the information on the device in case of theft.

6.17.8 Where possible, HEE enables electronic devices to allow the remote blocking or deletion of data in case of theft.

6.17.9 All HEE members of staff are provided with their own secure login and password, and every computer regularly prompts users to change their password.

6.17.10 Personal and / or special category data should be shared via an appropriate SharePoint link. However, when emails are used to share personal and / or special category data, the data held within attachments must be password-protected where there are unsecure servers between the sender and the recipient.

6.17.11 Relevant / sensitive circular emails are sent blind carbon copy (bcc), to ensure that email addresses are not disclosed to other recipients.

6.17.12 When sending confidential information by fax, members of staff will always check that the recipient is correct before sending.

6.17.13 When conducting face to face meetings, telephone calls or virtual meetings which involve the discussion of personal and / or special category data, specific attention should be paid to who is able to overhear the conversation.  Where there is a possibility that unauthorised individuals may be able to overhear sensitive conversations, a secure environment should be utilised.

6.17.14 Where personal information that could be considered private or confidential is taken off the premises, either in electronic or paper format, HEE members of staff should take extra care to follow the same procedures for security.  Paper records containing personal and / or special category data should not be used unless necessary.  When paper records are required for use at home, they should be locked away when not in use and should be destroyed confidentially with a crosscut or confetti-cut shredder.  Failing this, documents should be secured at home until members of staff return to the office, when these records should be placed in a confidential waste bin.  All paper records should be destroyed in line with HEE's Records Management Policy.  All personal and / or special category data should be transported and stored securely.   The person taking the information from HEE premises accepts full responsibility for the security of the data.

6.17.15 Before sharing data, all members of staff will ensure:

  • they are permitted to share it, i.e. a legal basis for sharing has been identified and the recipient of the data is authorised to receive it.
  • adequate security is in place to protect it.
  • the recipient of the data has been outlined in a privacy notice.

6.17.16 Under no circumstances are visitors allowed access to confidential or personal information. Visitors to areas of HEE containing sensitive information must always be supervised.

6.17.17 The physical security of HEE’s buildings and storage systems, and access to them, is reviewed on a termly basis. If an increased risk in vandalism / burglary / theft is identified, extra measures to secure data storage will be put in place.

6.17.18 HEE takes its duties under Data Protection legislation seriously and any unauthorised disclosure may result in disciplinary action.

6.17.19 The DPO is responsible for the monitoring of continuity and recovery measures which are in place to ensure the security of protected data.

6.18 Publication of information

6.18.1 HEE displays a publication scheme on its website outlining classes of information that will be made routinely available, including:

  • policies and procedures
  • lists and registers
  • annual reports

6.18.2 Classes of personal information specified in the publication scheme are made available quickly and easily on request.

6.18.3 HEE will not publish any personal information, including photos, on its website without the demonstrable consent of the affected individual.

6.18.4 When uploading information to HEE’s website, members of staff are considerate of any metadata or deletions which could be accessed in documents and images on the site.

6.19 Photography

6.19.1 HEE understands that recording images of identifiable individuals constitutes processing personal information, so it is done in line with Data Protection legislation.

6.19.2 HEE will always indicate its intentions for taking photographs and will obtain demonstrable consent prior to publication.

6.19.3 If HEE wishes to use images / footage of individuals in a publication, such as HEE's website, demonstrable consent will be sought for the particular usage.

6.20 Data retention

6.20.1 Data will not be kept for longer than is necessary.

6.20.2 Unrequired personal and / or special category data will be deleted as soon as practicable and in accordance with HEE's Records Management Policy.

6.20.3 Some educational records relating to former trainees or members of staff may be kept for an extended period for legal reasons, but also to enable the provision of references or academic transcripts, in accordance with HEE's Records Management Policy.

6.20.4 Paper documents will be shredded or pulped, and electronic memories erased or destroyed, once the data reaches the end of its retention period.

7. Equality Analysis

7.1 As a public body, HEE will give due regard to the need to avoid discrimination and promote equality of opportunity for all members of staff when making policy decisions and implementing this Policy and procedures.

7.2 HEE will also be monitoring the outcome of this policy (on an anonymous basis) to ensure there are no underlying themes relating to equality or any other characteristics that suggest any organisational or policy bias.

8. Education and Training Requirements

8.1 All members of staff will undertake mandatory data security awareness training on an annual basis.

8.2 Ongoing data security training and updated training and guidance material will be provided by the Information Governance team.  

9. Monitoring Compliance and Effectiveness

9.1 HEE’s Data Protection Officer will instruct the IG team to undertake data protection audits in order to monitor compliance with the policy.  

9.2 Compliance with this policy will also be monitored by the Information Governance Steering Group together with internal audits where necessary.  

9.3 The DPO is responsible for the monitoring, revision, and update of this policy document on a tri-annual basis, or sooner should the need arise.

10. Associated Documentation

10.1 This policy will be implemented in conjunction with the following other HEE policies:

  • Records Management Policy
  • Information Governance Policy
  • Information Risk Management Policy
  • Information Security Policy
  • Acceptable Use Policy
  • Incident Reporting Policy
  • Clear Desk and Screen Policy
  • Data Protection Impact Assessment Policy

11. References

  • The General Data Protection Regulation (GDPR) 2016
  • The Data Protection Act (DPA) 2018
  • The Information Commissioner's Office – Guide to the UK General Data Protection Regulation (GDPR)
  • The Information Commissioner's Office – Guide to Data Protection