Data protection policy
Introduction
- Information is a strategic asset of Maritime UK SW that must be managed accordingly.
- In order to operate efficiently, Maritime UK SW has to collect and use information about people with whom it works and for whom it provides services. These include members of the public, current, past and prospective employees, clients, customers, and suppliers.
- This policy ensures that Maritime UK SW complies with the Data Protection Act 2018 and all of the provisions in that act, which implement the EU’s General Data Protection Regulation (GDPR) into UK law.
- This policy applies to the members, Board of Directors, Partners, Employees and contractual third parties and agents of Maritime UK SW.
- It is the responsibility of all Maritime UK SW staff to exercise appropriate controls to minimise the risk of breach of this policy.
- Anyone found to be in breach of this policy may be subject to disciplinary actions.
Information processing
- Maritime UK SW will only process or store information that it has a legal basis for processing. Processing of any information that does not have a legal basis will be prohibited.
- Maritime UK SW is registered with the Information Commissioner and will pay the requisite fee at least once a year.
Data Protection Principles
- Maritime UK SW will adhere to the following data protection principles set out in the Data Protection Act.
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Processing of Special Categories of data
Special Categories of data is a term that is interchangeable with the term Sensitive personal data.
Maritime UK SW will treat the following types of data as Special Categories of data:
- Racial or ethnic origin
- Religious or philosophical beliefs
- Trade union membership
- Health data
- Data concerning a natural person’s sex life or sexual orientation
Maritime UK SW will only process Special categories of data when the following circumstances have been met:
- Explicit consent has been provided by the data subject.
- It is necessary for Maritime UK SW to conduct in the field of employment and social security and social protection law.
- It is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
- The personal data has been made public by the data subject.
- It is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
- It is necessary for reasons of substantial public interest, and proportionate to the aim pursued, whilst respecting the essence of the right to data protection and providing for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
- It is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of an employee.
- It is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
- Where special category data is processed, this must be done in accordance with the Appropriate Policy Document contained in Appendix A.
Data Protection Officer
- The Maritime UK SW Cluster Innovation Manager is designated as the Data Protection Officer (DPO).
- Maritime UK SW will publish the contact details of the DPO on the Maritime UK SW website.
- The Data Protection Officer will ensure members, Board of Directors, Partners, Employees and contractual third parties and agents of Maritime UK SW comply with the requirements of the Data Protection Act / GDPR.
- The Data Protection Officer will ensure the following functions are conducted.
- Ensure all comply with the Data Protection Act 2018 / GDPR (the Act).
- Monitoring of compliance with the Act.
- Raise awareness / provide training around compliance of the Act.
- Assign responsibilities for staff involved with data processing.
- Ensure Data Protection Impact Assessments are carried out & monitor performance against the DPIA.
The Maritime UK SW Chief Executive will be designated as the Senior Information Risk Owner (SIRO), to take overall ownership of the management of information risks relating to the delivery of Maritime UK SW’s corporate objectives.
Access to personal information by the data subject
- An individual may request a copy of any data held about them, or information about the reasons it is kept and processed and the people to whom it is disclosed. The information must be provided, in clearly understandable terms, within 1 month of the receipt of a valid request.
- There will be no charge for a standard Subject Access Request. A charge will be levied for a Subject Access Request which is deemed to be manifestly unfounded, excessive or a repeated request.
- A person seeking information will be required to prove their identity and provide sufficient information to enable Maritime UK SW to locate the requested information. The timescale of one month will begin on the day the person provides this information.
- Information may be withheld where Maritime UK SW isn’t satisfied that the person making the request is who they say they are, or where the requester is an organisation or body that Maritime UK SW isn’t satisfied is authorised to receive the information.
- Maritime UK SW will disclose, in accordance with Data Protection legislation, all personal information regarding a particular data subject, regardless of the content.
- Maritime UK SW will redact any third party information from a Subject Access Request disclosure, unless explicit consent has been given from that third party to disclose the information or Maritime UK SW deems it to be reasonable, in all the circumstances, to disclose the information.
- Maritime UK SW staff must not alter any personal information in order to prevent disclosure under a Subject Access Request.
Access to personal information by third parties
- An organisation may request a copy of any data held about an individual providing the appropriate Data Protection Act exemption is supplied. A formal written exemption form is required in order to supply the information, which will detail a specific legitimate reason for requesting the information.
Information Sharing
Maritime UK SW will only share personal information in the following circumstances:
- There is a legal requirement to share information that has an exemption in the Data Protection Act.
- For the provision of services with partners.
- In situations where there is not a legal exemption to share information, an Information Sharing Agreement will be put into place with the partner.
Information sharing agreements can be put into place for all other Information Sharing situations.
Provision of information
All information will be provided in a common format that is reasonably requested by the data subject.
Information will be provided in a paper format where requested but may be subject to a charge for materials.
Information will be provided in a portable electronic format when the following criteria are met:
- The information has been provided to Maritime UK SW by the data subject.
- The information is being processed on the basis of the data subject’s consent or for the performance of a contract or memorandum of understanding.
- The information is being processed by automated means.
- The information is not in paper format.
Other Information rights
- An individual may request that data held about them by Maritime UK SW is erased if the following conditions are met:
- The information was provided with consent and the data subject wishes to withdraw consent.
- The information was provided with time limited consent, and the time limit has expired.
- It is no longer necessary for the information to be held.
- The information was processed on the basis of legitimate interest and there is no overriding legitimate interest to prevent Maritime UK SW erasing the data.
- The information is not being lawfully processed by Maritime UK SW.
- Maritime UK SW will ensure all data erasure requests are completed within one calendar month.
- An individual may request that data held about them by Maritime UK SW is rectified if the personal data is inaccurate or incomplete. Maritime UK SW will rectify personal information which is factually incorrect within one month of receiving a data rectification request.
- Maritime UK SW will ensure that individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
- Any data subject can request enforcement of these rights by writing to Maritime UK SW’s Data Protection Officer.
Information retention
- Maritime UK SW will retain information for 6 years.
- Personal information stored in electronic format will be securely deleted when it reaches the disposal date.
- Special Categories of personal information stored in electronic format will be securely deleted when it reaches the disposal date.
- Personal information stored in paper format will be securely shredded when it reaches the disposal date.
Consent for use of Information
- Maritime UK SW will ensure that consent arrangements are clear and specific about the intended use of the collected information and that consent is freely given and is not a condition of the provision of a service.
- Maritime UK SW will ensure that:
- Consent is obtained from a parent or guardian where the information is about a child under the age of 12.
- If consent is required for using information about a child over the age of 12 years, the consent is provided by the data subject, the parent or guardian.
- Where possible, consent will be required for a fixed time period at the end of which, either consent will be requested again or the information deleted.
- That data subjects are made aware of their right to withdraw consent at any time, without any reason needing to be given.
- Maritime UK SW will document all instances where consent is obtained and ensure that these are formally managed to comply with the data subject’s rights.
Breach management
- A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- It is the responsibility of all employees to report any suspected data breach to the Data Protection Officer.
- Maritime UK SW will ensure that the SIRO and the Information Commissioner are informed immediately of any breach that meets the criteria for escalation.
Suppliers and partners
- Where an organisation processes personal data for Maritime UK SW, Maritime UK SW will ensure that its contract with that organisation contains clauses in which the supplier or partner guarantees that they will process that data in accordance with Data Protection legislation.
- Any contract with any organisation that processes personal data for Maritime UK SW must set out:
- The subject matter and duration of the processing.
- The nature and purpose of the processing.
- The type of personal data and categories of data subject; and
- The obligations and rights of the controller.
- Any contract with any organisation that processes personal data for Maritime UK SW must also include as a minimum the following terms, requiring the data processor (i.e. the partner organisation) to:
- Only act on the written instructions of Maritime UK SW.
- Ensure that people processing the data are subject to a duty of confidence.
- Take appropriate measures to ensure the security of processing.
- Only engage sub-processors with the prior consent of the controller and under a written contract.
- Assist Maritime UK SW in providing subject access and allowing data subjects to exercise their rights.
- Assist Maritime UK SW in meeting its Data Protection Act obligations.
- To delete or return all personal data to Maritime UK SW as requested at the end of the contract.
- Submit to audits and inspections.
- A supplier or partner cannot enlist or change a sub-processor without the consent of Maritime UK SW or, where general consent has already been given, without notifying Maritime UK SW in advance.
- Any organisation that processes personal data for Maritime UK SW must have an approved breach management process, including clauses requiring appropriate escalation to Maritime UK SW and the Information Commissioner as soon as a breach becomes known.
Privacy notices
- Maritime UK SW will ensure that privacy notices are displayed at the point of collection of any information, both physical and electronic.
Audit trails
- Maritime UK SW will ensure that all IT systems that process personal data will have audit trails which keep a log of the following activities:
- Additions of personal records
- Changes to personal records
- Deletions of personal records
- The audit trails must have their integrity protected by technical controls and must be kept for a minimum of 12 months. Maritime UK SW must make the audit trails available to the Information Commissioner on request.
Information security
- Maritime UK SW will apply appropriate security measures to protect the data it controls.
Complaints
Any complaint or concern expressed by an individual in connection with the Data Protection Act must be reported to the Data Protection Officer immediately. The Data Protection Officer will investigate the complaint and take the appropriate action. If a compensation payment is requested for a breach of the Data Protection Act legislation, this will be dealt with by the Senior Information Risk Officer (SIRO).
There are several ways to contact the Data Protection Officer or to raise a complaint regarding Data Protection:
Email: whitta@pasdfreeport.com
Or in writing to:
Data Protection Officer
Plymouth and South Devon Freeport
Suite 8
Endeavour House,
2 Vivid Approach
Plymouth
PL1 4RW
- Data Protection Complaint Resolution – Stage 1
- We will provide a written response to formal complaints within 10 working days. The response will say whether the complaint is upheld and the action we propose to take to resolve it. If the complaint is not upheld the response will set out the steps the complainant can take if they remain unsatisfied.
- Investigating the Complaint
- The Data Protection Officer will investigate the complaint.
- Data Protection Complaint resolution – Stage 2
- If the complainant is not happy with our stage 1 response, our decision will be reviewed by a senior officer; generally this will be the Chief Executive.
- Decision Letter (Final Response)
- Following investigation of a stage 2 complaint the Chief Executive will write to the complainant setting out their decision which will be final. If the complaint is upheld it will set out the action we propose to take to resolve it.
Complaint Recording
- Maritime UK SW will maintain a record of all formal Data Protection complaints received including details of the complainant, brief details of the complaint, the stage it reached and any action we have promised to take to resolve it. Any personal details will be held in accordance with our Data Protection policy.
Responsibilities
- The Cluster Innovation Manager will be responsible for the operation of the Data Protection complaints procedure. The Chief Executive will be accountable to the Board of Directors for any Data Protection Complaints.
Appendix A: Safeguards in relation to processing of Special Category Data
Maritime UK SW recognises its obligations to comply with the requirements laid down in the General Data Protection Regulation and the Data Protection Act 2018.
As part of Maritime UK SW’s statutory and corporate functions, we may process Special Category Data and Criminal Conviction Data. In accordance with Schedule 1 Part 4 of the Data Protection Act, this document explains how Maritime UK SW complies with the Data Protection Principles when processing Special Category Data and Criminal Conviction Data, and also Maritime UK SW’s policy in relation to the retention and erasure of this information.
A1 What is Data Processing?
The GDPR defines this as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
A2 What is Special Category Data?
The GDPR defines this as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
A3 What is Criminal Conviction Data?
The GDPR defines this as personal data relating to criminal convictions and offences or related security measures. The Data Protection Act adds that this also includes allegations of the commission of offences, criminal proceedings and sentencing.
A4 The scope of data processing which is subject to this Policy as set out in the Data Protection Act
- 1, Part 1, para. 1: Employment, social security, and social protection.
- 1, Part 2, para. 6: Statutory etc. and government purposes.
- 1, Part 2, para. 7: Administration of justice.
- 1, Part 2, para. 8: Equality of opportunity or treatment.
- 1, Part 2, para. 9: Racial and ethnic diversity at senior levels of organisations
- 1, Part 2, para. 10: Preventing or detecting unlawful acts.
- 1, Part 2, para. 11: Protecting the public against dishonesty
- 1, Part 2, para. 12: Regulatory requirements relating to unlawful acts and dishonesty etc.
- 1, Part 2, para. 14: Preventing fraud.
- 1, Part 2, para. 18: Safeguarding children and of individuals at risk.
- 1, Part 2, para. 19: Safeguarding of economic well-being of certain individuals.
- 1, Part 2, para. 21: Occupational pensions
- 1, Part 2, para. 24: Disclosure to elected representatives
A5 Procedures for securing compliance with the Data Protection Principles in relation to the processing of Special Category and Criminal Conviction Data
Principle 1 – Lawfulness, Fairness and Transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Maritime UK SW will:
- ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful.
- only process personal data fairly and will ensure that data subjects are not misled about the purposes of any processing.
- ensure that data subjects receive full privacy information so that any processing of personal data is transparent.
Principle 2 – Purpose Limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Maritime UK SW will:
- Only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in an appropriate privacy notice.
- Not use personal data for purposes that are incompatible with the purposes for which it was collected. If we do use personal data for a new purpose that is compatible, we will inform the data subject first.
Principle 3 – Data Minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Maritime UK SW will only collect personal data necessary for the relevant purpose and ensure it is not excessive. We will only process information necessary for and proportionate to our purposes. Where personal data that is not relevant to our stated purposes is provided to, or obtained by, us, we will erase it.
Principle 4 – Accuracy
Personal data shall be accurate and, where necessary, kept up to date.
Maritime UK SW will ensure that the personal data we hold is accurate and kept up to date as necessary. Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that it is erased or rectified without delay. If we decide not to either erase or rectify it, we will document our decision.
Principle 5 – Storage Limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Maritime UK SW will only keep personal data in identifiable form as long as is necessary, for the purposes for which it is collected. When information is no longer in use it is retained only for the periods set out in our corporate retention schedule. These periods are determined variously by the needs of the business, relevant legislative and regulatory requirements and the requirements or guidelines of the National Archives.
Once we no longer need personal data it shall be deleted or rendered permanently anonymous.
Principle 6 – Integrity and Confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Maritime UK SW will ensure that there are appropriate organisational and technical measures in place to protect personal data.
- Electronic information is processed within systems which have been subjected to robust Data Protection Impact Assessments.
- Hard copy information is processed within our secure premises.
- Our electronic systems and physical storage have appropriate access controls applied.
- The systems we use to process personal data allow us to erase or update personal data at any point in time.
Principle 7 – The Accountability Principle
The controller shall be responsible for, and be able to demonstrate, compliance with these principles.
Maritime UK SW will:
- ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request.
- carry out a Data Protection Impact Assessment for any high-risk personal data processing and consult the Information Commissioner if appropriate.
- ensure that a Data Protection Officer is appointed to provide independent advice and monitoring of Maritime UK SW’s personal data handling, and that this person has access to report to the highest management level of Maritime UK SW.
- have in place internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with Data Protection Law.
A6 Data Controller’s policies in relation to the Retention and Erasure of Personal Data
Where special category or criminal convictions personal data is processed, Maritime UK SW will ensure that:
- there is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data
- where we no longer require special category or criminal convictions personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous.
- data subjects receive full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.