This document sets out Neurodivergent Labour’s understanding and general policy on adhering to the General Data Protection Regulation (GDPR).

The six principles of GDPR

  1. Personal data shall be processed lawfully, fairly and in a transparent manner.
  2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.
  4. Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted immediately.
  5. Personal data must be kept in an identifiable format for no longer than is necessary.
  6. Personal data must be kept secure.

The core principle is ‘Accountability’.

The exemptions

Organisations can process data outside of the GDPR rules if it is related to:

  • freedom of expression and freedom of information
  • public access to official documents
  • national identification numbers
  • processing of employee data
  • processing for archiving purposes and for scientific or historical research and statistical purposes
  • secrecy obligations
  • churches and religious associations.

The lawful conditions that can be used to justify processing data

The processing of ‘personal data’ can go ahead, so long as one or more of the following reasons are proven:

  • the individual has consented to processing for one or more specific purposes. This is one of the most commonly used conditions under previous data protection laws. It has become tougher under GDPR and is covered in more detail in this activity.
  • the organisation can prove that it is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
  • the controller has a legal obligation to perform such processing, for example passing information on to HMRC.
  • the organisation can prove that processing is necessary in order to protect the vital interests of the individual or another person.
  • it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • it is in the legitimate interest of the controller or a third party to do so, but it must not be at the expense of the interests, rights or freedoms of the individual.

The processing of ‘sensitive personal data’ can go ahead, so long as one or more of the following reasons are proven:

  • explicit consent of the data subject has been obtained.
  • it is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement.
  • it is necessary to protect the vital interests of a data subject/individual or another person where the individual is physically or legally incapable of giving consent.
  • the processing is carried out in the course of the legitimate activities of a charity or not-for-profit body, with respect to its own members, former members, or persons with whom it has regular contact in connection with its purposes.
  • processing relates to personal data manifestly made public by the individual.
  • processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.
  • processing is necessary for reasons of substantial public interest on the basis of EU or member state law which is proportionate to the aim pursued and which contains appropriate safeguards.
  • processing is necessary for the purposes of medical treatment, for assessing the working capacity of employees or the provision, treatment or management of health or social care systems and services.
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices.
  • processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes.

An individual’s rights under the GDPR

  • The right to be informed – Individuals should be entitled to a minimum set of information concerning the purposes for which their personal data will be processed.
  • Individuals can request access to their personal data, and GDPR puts obligations on controllers to comply with such requests where applicable, and to supply this data free of charge if the request is reasonable. This must be carried out within one month of receiving the request.
  • Individuals can request that a controller rectify any errors in their personal data where applicable, and this must be carried out within one month of receiving the request.
  • Individuals can request the deletion or removal of personal data where there is no compelling reason for its continued processing.
  • Individuals can ‘block’ or suppress processing of personal data.
  • Individuals can obtain and reuse their personal data for their own purposes across different services.
  • Individuals can object to: 1) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), 2) direct marketing (including profiling), and 3) processing for purposes of scientific/historical research and statistics.
  • Individuals have the right not to be subject to a decision when it is: 1) based on automated processing or 2) it produces a legal effect or similarly significant effect on the individual.
  • Individuals should not be evaluated in any material sense solely on the basis of automated processing of their personal data.

Personal data will be held securely. In the case of manual data this could be in filing cabinets, locked cupboards or rooms with access restricted to named individuals or categories of individual only. In the case of electronic information, access will be subject to reasonable controls, which might include passwords, encryption, compartmentalised access and access logs. Reasonable steps will be taken to detect and prevent unauthorised access. Regular backups are taken to ensure that important data cannot be lost as the result of a single machine malfunctioning. Advice on recommended retention periods for certain classes of data can be obtained from Neurodivergent Labour by contacting us at info@ndlabour.com.